PCI Compliance (Vulnerability Scans)

From: 09sparky@gmail.com
Date: Sat Dec 16 2006 - 14:09:51 EST


('binary' encoding is not supported, stored as-is) Group,

Have any of you performed simply PCI compliant Vulnerability Scans? if so, I am looking for a few things:

1. Did you use an automated Scanner (only)? If so, which one (or which one do you think is the best)?
2. What are your recommendations for performing a simple PCI compliant Scan? Is an automated tool the best solution for a simple scan? I assume it is, since I don't believe much manual time/effort should be devoted to them, as opposed to a real Vulnerability Assessment (manual verification)/Penetration Test.

3. Could someone also guide me in the right direction for finding out more about PCI compliment vulnerability scanning (i.e. websites, books, whitepapers, etc)?
 - I am wondering specifically while doing discovery scanning do you only focus on ports 22,23,25,80 and 443 and if found "alive" perform a full 65k+ scan on those hosts. Also, do you only perform scans on hosts that provide sensitive information like servers? Would routers, etc that connect these servers count as well?

Anyway, Thanks allot for any information anyone can provide.

Sparky

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT