Re: PCI DSS Compliance

[Pete Herzog <lists () isecom org>]

Syed Mohamed A wrote:
> Exactly.... I agree with Bill .. This is not penetration test .. The
> objective is to find ALL vulnerabilities inside ur environment.... This is
> something "Die safe" kind of setup.. Even if your IDS, Firewall, IPS go
> wrong... Your servers or application should stand safe... 

And really how does identifying all known vulnerabilities alone make you 
safe?  It's a scanner.  It doesn't even verify for false positives and 
false negatives.

Shouldn't the entire security of an organization be taken into 
consideration?  I mean to assume that on 1 day the IDS, Firewall, and 
IPS go belly-up and the rest of your network is still humming sounds 
like better odds than a day that maybe just your web server goes down. 
Additionally, there are stateful firewalls that even if you white-list 
the tester's IPs, there will still be implemented syn flood protection 
which you can't disable.

So do they also tell you that you have to run all your services on the 
expected, registered service ports too?  Would I not be testable if my 
SSH is on port 33333? Why is my security dependent on my apps and 
services with possible vulnerabilities unverified by a scanner rather 
than the security and integrity of the system itself as a whole?

I disagree. This is not even a vulnerability test if conducted in this 
manner. It's a scam and it's mostly worthless.  It follows the myth of 
patching to be safe and it appears the tester doesn't want to waste 
their time actually testing and verifying other than an automated 
scanner.  Nice "take the money and run" business!

Sincerely,
-pete.