Re: PCI Compliance (Vulnerability Scans)

Your right, I'm so use to dealing with Level 1 people that I forgot all
the others needed approved scanning vendors
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp%2Ehtml|Merchants#anchor_2


But back to my original question, why are you looking for pci scanning
software? The process of becoming an approved vendor usually takes
multiple tools as well as the "human factor". I don't think you will
find 1 solution for scanning that you can buy and say "we're done".

David

Vivek Chudgar wrote:
Correction - Level 2 and 3 merchants are also required to have
external vuln scans by an ASV. Level 4 merchants are exempt but their
acquirer can still require them to be scanned by an ASV.

If a tool is just looking for ports 22,23,25,80 and 445 for service
discovery, I highly doubt if it can pass the certification
requirement.

You are also right about the level of automation possible. Manual
verification is necessary to eleminate false positives.

- Vivek

On 12/17/06, David M. Zendzian <dmz@xxxxxxxx> wrote:
First, why are you looking for a PCI compliant tool?

Second there are only 2 reasons to do vulnerability scanning. If you are
level 1 (merchant, service provider or hacked entity:) then you are
required to have external vulnerability scans by one of the authorized
scanning providers. There is no need here for software as the service
provider does all the work and provides you results.

If you are looking to do your scans internally, there is no specific
needs outlined by PCI for internal vulnerability scans. PCI only says
you need to perform vulnerability scans. With that in mind, Nessus scans
work internally :)

What are you trying to accomplish?

David (Visa-QDSP)

09sparky@xxxxxxxxx wrote:
Thanks for all the great information (all). I am now wondering
though, if you use an automated tool (VA Scanner that claims to be PCI
compliant), does that mean whatever it finds and whatever it rates it
(i.e. HIGH), is the final word, and the company fails? I guess what I
am asking, I was under the impression that PCI scans could be much
automated and very little to no user intervention was required (unlike
a Vulnerability Assessment/Penetration test). However, many automated
tools have false positives. Doesn't a company fail if they have any
"HIGH" findings? With that said, are you required to go through each
finding and validate? If so, then you have just turned it into a
Vulnerability Assessment.

Also, The Automated Tool I have been evaluating claims to be PCI
compliant. However, for its discovery phase, it only uses ports
22,23,25,80 and 445. Upon finding any Host with these ports open, it
will then run a common port scan. Is this way off? What do most of
you do for host discovery (i.e. nmap scans of what ports? or different
tools?

Any thoughts?
Thanks,
Sparky


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW


------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------




Relevant Pages

  • Re: PCI Compliance (Vulnerability Scans)
    ... We use Control Scan for an external scan vendor, ... the others needed approved scanning vendors ... But back to my original question, why are you looking for pci scanning ... >> Second there are only 2 reasons to do vulnerability scanning. ...
    (Pen-Test)
  • Re: PCI Compliance (Vulnerability Scans)
    ... Also for your internal scanning, for anyone who is not already familiar ... But back to my original question, why are you looking for pci scanning ... Second there are only 2 reasons to do vulnerability scanning. ...
    (Pen-Test)
  • RE: Business justification for pentesting
    ... Run internal and external network vulnerability scans at least ... I would love to see any Pen test which could blindly test #8.5.12... ... Clean results being "The results of each scan satisfy the PCI Security ... >Audit your website security with Acunetix Web Vulnerability Scanner: ...
    (Pen-Test)
  • Re: PROBLEM: Devices behind PCI Express-to-PCI bridge not mapped
    ... Scanning NUMA topology in Northbridge 24 ... Ignoring ACPI timer override. ... PCI: Using configuration type 1 ... PCI: Calling quirk ffffffff802907d0 for 0000:00:00.0 ...
    (Linux-Kernel)
  • RE: Vulnerability scanner/appliance
    ... I can suggest Qualys a good vulnerability product ... Moreover PCI standards focus is on encryption, ... properly securing their environment to do so...but ... When I say there are scanners that will pass the PCI ...
    (Security-Basics)