Re: PCI Compliance (Vulnerability Scans)

From: David M. Zendzian (dmz@dmzs.com)
Date: Thu Dec 21 2006 - 15:37:37 EST


Also for your internal scanning, for anyone who is not already familiar
with inprotect, it is a nice open-source web interface for running and
reporting on nmap & nessus scans, and they are even getting some decent
trending reports too. (http://inprotect.sourceforge.net)

David

bf wrote:
> As others have stated there are two needs that must be met, internal
> and external scans.
>
> We use Control Scan for an external scan vendor (www.controlscan.com),
> it's cost effective and they really help you resolve any false
> positives that may occur. We dropped our initial external scan vendor
> because they insisted on arguing the point on a series of false
> positives (even after we provided documentation and proof confirming
> the false positives). The FP were causing our scans to have a status
> of "Failed" which screws your PCI compliance at audit time. (note: I
> don't care whether you use them or not I'm just relating my experience
> with them.)
>
> For internal scanning I use a scheduled nmap scan (cron job from a
> Linux machine). It's free and it works for me. I don't need a full
> blown "vulnerability scanner" on the LAN as I have other layered
> controls in place and a lot of that information would be redundant.
>
> YMMV.
>
> On 12/18/06, David M. Zendzian <dmz@dmzs.com> wrote:
>> You're right, I'm so used to dealing with Level 1 people that I forgot all
>> the others needed approved scanning vendors
>> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp%2Ehtml|Merchants#anchor_2
>>
>>
>>
>> But back to my original question, why are you looking for pci scanning
>> software? The process of becoming an approved vendor usually takes
>> multiple tools as well as the "human factor". I don't think you will
>> find 1 solution for scanning that you can buy and say "we're done".
>>
>> David
>>
>> Vivek Chudgar wrote:
>> > Correction - Level 2 and 3 merchants are also required to have
>> > external vuln scans by an ASV. Level 4 merchants are exempt but their
>> > acquirer can still require them to be scanned by an ASV.
>> >
>> > If a tool is just looking for ports 22,23,25,80 and 445 for service
>> > discovery, I highly doubt if it can pass the certification
>> > requirement.
>> >
>> > You are also right about the level of automation possible. Manual
>> > verification is necessary to eliminate false positives.
>> >
>> > - Vivek
>> >
>> > On 12/17/06, David M. Zendzian <dmz@dmzs.com> wrote:
>> >> First, why are you looking for a PCI compliant tool?
>> >>
>> >> Second there are only 2 reasons to do vulnerability scanning. If you are
>> >> level 1 (merchant, service provider or hacked entity:) then you are
>> >> required to have external vulnerability scans by one of the authorized
>> >> scanning providers. There is no need here for software as the service
>> >> provider does all the work and provides you results.
>> >>
>> >> If you are looking to do your scans internally, there is no specific
>> >> needs outlined by PCI for internal vulnerability scans. PCI only says
>> >> you need to perform vulnerability scans. With that in mind, Nessus scans
>> >> work internally :)
>> >>
>> >> What are you trying to accomplish?
>> >>
>> >> David (Visa-QDSP)
>> >>
>> >> 09sparky@gmail.com wrote:
>> >> > Thanks for all the great information (all). I am now wondering
>> >> > though, if you use an automated tool (VA Scanner that claims to be PCI
>> >> > compliant), does that mean whatever it finds and whatever it rates it
>> >> > (i.e. HIGH), is the final word, and the company fails? I guess what I
>> >> > am asking, I was under the impression that PCI scans could be much
>> >> > automated and very little to no user intervention was required (unlike
>> >> > a Vulnerability Assessment/Penetration test). However, many automated
>> >> > tools have false positives. Doesn't a company fail if they have any
>> >> > "HIGH" findings? With that said, are you required to go through each
>> >> > finding and validate? If so, then you have just turned it into a
>> >> > Vulnerability Assessment.
>> >> >
>> >> > Also, the automated tool I have been evaluating claims to be PCI
>> >> > compliant. However, for its discovery phase, it only uses ports
>> >> > 22,23,25,80 and 445. Upon finding any Host with these ports open, it
>> >> > will then run a common port scan. Is this way off? What do most of
>> >> > you do for host discovery (i.e. nmap scans of what ports? or different
>> >> > tools?)
>> >> >
>> >> > Any thoughts?
>> >> > Thanks,
>> >> > Sparky
>> >> >
>> >> >
>> >> > ------------------------------------------------------------------------
>> >> > This List Sponsored by: Cenzic
>> >> >
>> >> > Need to secure your web apps?
>> >> > Cenzic Hailstorm finds vulnerabilities fast.
>> >> > Click the link to buy it, try it or download Hailstorm for FREE.
>> >> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>> >> > ------------------------------------------------------------------------
>> >> >
>> >
>>
>
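As an added example (not code from the thread or from any of its authors), here is the kind of cron-driven internal nmap scan bf describes: a discovery stage that probes more than the five ports Sparky's tool uses, a full port scan of the live hosts, and a diff of open ports against the previous run, so that only the changes need manual validation rather than every finding. It assumes nmap is on the PATH; SCAN_DIR and the target subnet are placeholders.

```shell
#!/bin/sh
# Cron-driven internal scan with change tracking. Added example, not from the thread;
# assumes nmap on the PATH, SCAN_DIR and TARGETS are placeholders to adjust.
export LC_ALL=C                            # stable sort/comm collation
SCAN_DIR="${SCAN_DIR:-/var/lib/pciscan}"
TARGETS="${TARGETS:-192.168.10.0/24}"     # placeholder: the cardholder-data LAN
# Host discovery probing more than a handful of ports: ICMP echo plus TCP SYN
# and ACK probes, so a host listening only on an unusual port is still found.
discover_hosts() {
    nmap -sn -PE -PS21,22,23,25,80,135,139,443,445,1433,3306,3389,8080 -PA80,443 \
         -oG - "$1" | awk '/Status: Up/ { print $2 }'
}
# Full TCP port scan of the discovered hosts, grepable output kept for diffing.
scan_ports() {
    nmap -sS -p- --open -iL "$1" -oG "$2" >/dev/null
}
# Print "host port/proto" for every open port in a grepable (-oG) result file.
open_ports() {
    awk -F '\t' '{
        host = ""; ports = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Host: /)  { split($i, h, " "); host = h[2] }
            if ($i ~ /^Ports: /) { ports = substr($i, 8) }
        }
        if (ports == "") next
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")            # port/state/proto/owner/service/...
            if (f[2] == "open") print host, f[1] "/" f[3]
        }
    }' "$1" | sort
}
# Ports that appeared (NEW) or disappeared (GONE) between two result files:
# the short list a human validates, instead of re-checking every finding.
port_changes() {
    prev=$(mktemp); cur=$(mktemp)
    open_ports "$1" >"$prev"; open_ports "$2" >"$cur"
    comm -13 "$prev" "$cur" | sed 's/^/NEW /'
    comm -23 "$prev" "$cur" | sed 's/^/GONE /'
    rm -f "$prev" "$cur"
}
# Cron entry point, e.g. "0 2 * * 0 /usr/local/bin/pciscan scan": discover, scan, diff.
if [ "${1:-}" = "scan" ]; then
    mkdir -p "$SCAN_DIR"; live=$(mktemp)
    discover_hosts "$TARGETS" >"$live"
    today="$SCAN_DIR/scan-$(date +%Y%m%d).gnmap"
    scan_ports "$live" "$today"; rm -f "$live"
    prev=$(ls "$SCAN_DIR"/scan-*.gnmap | grep -v "$today" | tail -n 1)
    [ -n "$prev" ] && port_changes "$prev" "$today"
fi
```

The change report is what gets ticketed for manual verification; a NEW line that turns out to be a false positive is checked once rather than on every scheduled run.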



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:29 EDT