RE: VISA/Mastercard PCI Vendor Scanning requirements

From: Craig Wright (cwright@bdosyd.com.au)
Date: Fri Mar 03 2006 - 16:05:46 EST


Hello,
Real testing. Nothing in the VISA statement of terms includes BLIND. Never is the word mentioned. It is ONLY mentioned when vendors seek an excuse (i.e. Cable and Wireless and last year's little incident).
 
How do we get to the idea that an external test must be blind?
 
This is just the "please tie my hands behind my back" type of thinking that leaves holes. The issue is NOT "what will an average hacker see". The issue is to ensure that the site is configured to a standard and that all KNOWN vulnerabilities are patched/mitigated. VISA does not want to test the site as it may be seen from the internet by hackers; this is just wrong for all those who believe this.
 
For all those companies doing this. Think liability. Force of law comes into effect this year in Australia to the auditing standards and has already in the US and UK. This means that there are criminal sanctions for conducting audits without following approved process.
 
So to what we do.
 
We get copies of the system config. The firewall config. The firmware versions. Dumps of the OS. Rules. Logs. Basically everything that you could possibly consider.
 
This information is analysed. A combination of Spectral analysis for systems design and Time Series analysis for the logs is used amongst other things.
 
A pen test is used to verify findings.
 
Regards
Craig

        -----Original Message-----
        From: Derek Nash [mailto:ddnash@gmail.com]
        Sent: Fri 3/03/2006 1:52 PM
        To: pen-test@securityfocus.com
        Cc:
        Subject: VISA/Mastercard PCI Vendor Scanning requirements
        
        

        For those of you who are providing PCI certified scanning how are you
        complying with the requirement that "The vendor should ensure that it
        has an unfiltered communication path to the customer's environment."
        in order to avoid "Internet Service Provider Blocked Ports" that could
        "result in misleading report conclusions."
        
        Mastercard alludes to scanning over a VPN tunnel, but that seems
        excessive and a potential logistical nightmare depending on volume of
        business and technical know-how at the client's end.
        
        I am just wondering what other providers are doing to comply. Thanks in
        advance for your posts.
        
        
        --
        Best Regards,
        
        ddnash
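One concrete way to act on the "blocked ports could result in misleading report conclusions" point in Derek's question is to sanity-check each scan before signing off on it. The following is an added example for this archive page, not code from either poster: it parses constructed nmap grepable (-oG) lines and flags hosts where ports the customer has confirmed are Internet-reachable come back "filtered", which means the scanner never got an answer and a clean report would be meaningless.

```python
import re
from collections import Counter

# Constructed sample of nmap -oG output; addresses are documentation ranges, not real hosts.
SAMPLE_SCAN = """\
Host: 198.51.100.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/closed/tcp//ms-wbt-server///
Host: 198.51.100.11 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
Host: 198.51.100.12 ()\tPorts: 22/filtered/tcp//ssh///
"""

# Each -oG port entry looks like "22/filtered/tcp//ssh///": port/state/protocol/...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {port: state}} from -oG lines that carry a Ports: field."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        results[host] = {int(p): state for p, state, _proto in PORT_RE.findall(ports_field)}
    return results


def assess_path(scan, reference_open):
    """Judge whether the scanner's path to each host looks unfiltered.

    reference_open: ports the customer confirms are reachable from the Internet
    (assumed here to be their public web service on 80/443). If those come back
    'filtered', nothing upstream let the probes through, so an empty findings
    list is not evidence that the host is clean.
    """
    verdicts = {}
    for host, ports in scan.items():
        states = Counter(ports.values())
        ref_filtered = [p for p in reference_open if ports.get(p) == "filtered"]
        if ref_filtered:
            verdict = "blocked"       # known-open ports unreachable: upstream filtering
        elif states["filtered"] == len(ports):
            verdict = "inconclusive"  # no port answered at all; do not report as clean
        else:
            verdict = "ok"            # at least some real responses reached the scanner
        verdicts[host] = (verdict, dict(states))
    return verdicts


if __name__ == "__main__":
    for host, (verdict, states) in assess_path(parse_grepable(SAMPLE_SCAN), {80, 443}).items():
        print(host, verdict, states)
```

A "blocked" or "inconclusive" verdict is the cue to re-run from an unfiltered path (the VPN route Mastercard mentions, or a scanner source the customer's ISP and border filters explicitly permit) rather than to file the report.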
        


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT