Re: PCI Compliance (Vulnerability Scans)

From: David M. Zendzian (dmz@dmzs.com)
Date: Mon Dec 18 2006 - 00:35:30 EST

• Next message: David M. Zendzian: "Re: "Digital" War Dialing"
• Previous message: Champ Clark [Vistech]: "Re: "Digital" War Dialing"
• In reply to: 09sparky@gmail.com: "Re: RE: PCI Compliance (Vulnerability Scans)"
• Next in thread: Vivek Chudgar: "Re: PCI Compliance (Vulnerability Scans)"
• Reply: Vivek Chudgar: "Re: PCI Compliance (Vulnerability Scans)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

First, why are you looking for a PCI compliant tool?

Second there are only 2 reasons to do vulnerability scanning. If you are
level 1 (merchant, service provider or hacked entity:) then you are
required to have external vulnerability scans by one of the authorized
scanning providers. There is no need here for software as the service
provider does all the work and provides you results.

If you are looking to do your scans internally, there is no specific
needs outlined by PCI for internal vulnerability scans. PCI only says
you need to perform vulnerability scans. With that in mind, Nessus scans
work internally :)

What are you trying to accomplish?

David (Visa-QDSP)

09sparky@gmail.com wrote:
> Thanks for all the great information (all). I am now wondering though, if you use an automated tool (VA Scanner that claims to be PCI compliant), does that mean whatever it finds and whatever it rates it (i.e. HIGH), is the final word, and the company fails? I guess what I am asking, I was under the impression that PCI scans could be much automated and very little to no user intervention was required (unlike a Vulnerability Assessment/Penetration test). However, many automated tools have false positives. Doesn't a company fail if they have any "HIGH" findings? With that said, are you required to go through each finding and validate? If so, then you have just turned it into a Vulnerability Assessment.
>
> Also, The Automated Tool I have been evaluating claims to be PCI compliant. However, for its discovery phase, it only uses ports 22,23,25,80 and 445. Upon finding any Host with these ports open, it will then run a common port scan. Is this way off? What do most of you do for host discovery (i.e. nmap scans of what ports? or different tools?
>
> Any thoughts?
> Thanks,
> Sparky
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: David M. Zendzian: "Re: "Digital" War Dialing"
• Previous message: Champ Clark [Vistech]: "Re: "Digital" War Dialing"
• In reply to: 09sparky@gmail.com: "Re: RE: PCI Compliance (Vulnerability Scans)"
• Next in thread: Vivek Chudgar: "Re: PCI Compliance (Vulnerability Scans)"
• Reply: Vivek Chudgar: "Re: PCI Compliance (Vulnerability Scans)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:28 EDT