RE: PCI DSS Compliance

["Craig Wright" <cwright () bdosyd com au>]

First I have done a dissertation on vulnerability testing and have shown it to be 25-35% as effective as a full audit 
done by competant and unhindered staff, so I have no issues with arguing that automated scans are ineffective.
 
The PCI DSS does not just require a scan for patches. This is the error in your comments. 
 
Further, obscurity is less than no defence and usually makes a site less secure. 
 
You are commenting on the accurace of a document you have not read in full. This is not a good practice and definately 
not scientific. There are issues in that many companies are doing "scans" that do not meet the PCI DSS requirements - 
this is a separate issue. There are a few issues here:
1   is the company autorised to do the work (ie on the PCI DSS approved list)
2   are they approved at the required level
 
If they are, and they do not do the tests correctly and fully they should be removed from the pannel
 
If they are not on the pannel they can not do the work. (full stop)
 
What the hosted company is doing comes into the level of assessment as well. The company conducting the "scan" has to 
be assured to a material level (as defined in audit terms) that the site complies with the standards. This is a 
compliance issue. Further securtiy measures are a separate issue. The company seeking the test is seeking compliance 
not necessary security. These are very different things.
 
The "scanning" company has to for example be assured to a material level that the hosts are all single purpose and not 
"virtual" servers. Thus this is more than a simple scan.
 
Craig

        -----Original Message----- 
        From: Pete Herzog [mailto:lists () isecom org] 
        Sent: Tue 20/12/2005 2:03 AM 
        To: Craig Wright 
        Cc: syedma () microland net; mjohnso6 () optonline net; Ademar Gonzalez; webappsec () securityfocus com 
        Subject: Re: PCI DSS Compliance
        
        

        Craig Wright wrote:
        > An automated, not verified process does not meet the scaning/testing
         > requirements. It is thus entirely irrelivant to the discussion as it
         > will not help you be compliant.
        
        The question was about whether assuring all known vulns are patched by
        disabling all security controls is correct.  That was the question which
        prompted my discussion about PCI.  For me, vuln scanning an entire
        network is very wrong and a pointless task.  And I think it's important
        we challenge notions we suspect to be wrong either to fix them or
        correct ourselves.  I am proud of you for reading the whole PCI document
        and all associated pages but what good does it do you if it isn't correct?
        
        -pete.
        
        


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.