Penetration Testing mailing list archives
Re: PCI Compliance Scope
From: Tracy Reed <treed () ultraviolet org>
Date: Thu, 12 Nov 2009 13:30:46 -0800
On Thu, Nov 12, 2009 at 12:42:35PM -0800, Eric Milam spake thusly:
Basically the fear is base camps from which to launch an attack. As Erin stated below, if there are measures in place (not just VLANs) to prevent access from the log machine to the Card Holder data environment then it may be that the device will be out of scope.
Why not just VLANs? Do we not trust VLANs or are we worried about VLAN misconfiguration? Or switch compromise? Cisco commissioned a study by @Stake (IIRC) which made a pretty good case for VLAN security. Of course, that may just be Cisco getting the results it paid for. But it seemed reasonable to me.

--
Tracy Reed
http://tracyreed.org