RE: PCI DSS Compliance

["Craig Wright" <cwright () bdosyd com au>]

Read the document

You have to verify the port - this is one section of the document. When
you read all the requirements than judge.

Craig

-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org]
Sent: 17 December 2005 6:51
To: syedma () microland net
Cc: mjohnso6 () optonline net; 'Ademar Gonzalez';
webappsec () securityfocus com
Subject: Re: PCI DSS Compliance


Syed Mohamed A wrote:
> Exactly.... I agree with Bill .. This is not penetration test .. The
> objective is to find ALL vulnerabilities inside ur environment....
> This is something "Die safe" kind of setup.. Even if your IDS,
> Firewall, IPS go wrong... Your servers or application should stand
safe...

And really how does identifying all known vulnerabilities alone make you
safe?  It's a scanner.  It doesn't even verify for false positives and
false negatives.

Shouldn't the entire security of an organization be taken into
consideration?  I mean to assume that on 1 day the IDS, Firewall, and
IPS go belly-up and the rest of your network is still humming sounds
like better odds than a day that maybe just your web server goes down.
Additionally, there are stateful firewalls that even if you white-list
the tester's IPs, there will still be implemented syn flood protection
which you can't disable.

So do they also tell you that you have to run all your services on the
expected, registered service ports too?  Would I not be testable if my
SSH is on port 33333? Why is my security dependent on my apps and
services with possible vulnerabilities unverified by a scanner rather
than the security and integrity of the system itself as a whole?

I disagree. This is not even a vulnerability test if conducted in this
manner. It's a scam and it's mostly worthless.  It follows the myth of
patching to be safe and it appears the tester doesn't want to waste
their time actually testing and verifying other than an automated
scanner.  Nice "take the money and run" business!

Sincerely,
-pete.

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.