Re: VISA/Mastercard PCI Vendor Scanning requirements

From: Derek Nash (ddnash@gmail.com)
Date: Fri Mar 03 2006 - 17:51:39 EST


Although you are correct that it doesn't state a blind test, the
sample environment you are required to scan for certification is a
remote environment, which precludes an onsite visit and the normal
information-gathering phases that would be performed during a full
security assessment.

PCI testing is narrow in scope and specific in its requirements. I am
simply trying to determine what others are doing to meet the minimum
requirements to perform a PCI scan under the industry requirements.

Please do not confuse this with a PCI audit which is a much larger
undertaking and more closely matches a "full on" security assessment.

On 3/3/06, Craig Wright <cwright@bdosyd.com.au> wrote:
>
> Hello,
> Real testing. Nothing in the VISA statement of terms includes BLIND. Never is the word mentioned. It is ONLY mentioned when vendors seek an excuse (i.e. Cable and Wireless and last year's little incident).
>
> How do we get to the idea that an external test must be blind?
>
> This is just the "please tie my hands behind my back" type of thinking that leaves holes. The issue is NOT "what will an average hacker see". The issue is to ensure that the site is configured to a standard and that all KNOWN vulnerabilities are patched/mitigated. VISA does not want to test the site as it may be seen from the internet by hackers; this is just wrong for all those who believe this.
>
> For all those companies doing this. Think liability. Force of law comes into effect this year in Australia to the auditing standards and has already in the US and UK. This means that there are criminal sanctions for conducting audits without following approved process.
>
> So, to what we do.
>
> We get copies of the system config. The firewall config. The firmware versions. Dumps of the OS. Rules. Logs. Basically everything that you could possibly consider.
>
> This information is analysed. A combination of Spectral analysis for systems design and Time Series analysis for the logs is used amongst other things.
>
> A pen test is used to verify findings.
>
> Regards
> Craig
>
> -----Original Message-----
> From: Derek Nash [mailto:ddnash@gmail.com]
> Sent: Fri 3/03/2006 1:52 PM
> To: pen-test@securityfocus.com
> Cc:
> Subject: VISA/Mastercard PCI Vendor Scanning requirements
>
>
>
> For those of you who are providing PCI certified scanning how are you
> complying with the requirement that "The vendor should ensure that it
> has an unfiltered communication path to the customer's environment."
> in order to avoid "Internet Service Provider Blocked Ports" that could
> "result in misleading report conclusions."
>
> Mastercard alludes to scanning over a VPN tunnel, but that seems
> excessive and a potential logistical nightmare depending on the volume of
> business and technical know-how at the client's end.
>
> I am just wondering what other providers are doing to comply. Thanks in
> advance for your posts.
>
>
> --
> Best Regards,
>
> ddnash
>
>

--
Best Regards,
Derek Nash
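The thread's practical worry is that ports blocked somewhere on the path (typically by an ISP) show up as "filtered" and get written up as if the customer's firewall were responsible, which is exactly the "misleading report conclusions" the scanning requirement warns about. The script below is an added illustration, not code from either poster or from the card brands: it cross-checks one host's scan results against the inbound ports the customer's own firewall config says are permitted (the config copy Craig describes collecting), and flags any permitted port that came back filtered as evidence the scan path itself is not unfiltered. The nmap grepable-style line, the port list and the list of ports ISPs commonly block are all constructed assumptions for the example.

```python
import re

# Ports that ISPs commonly filter on customer links. Illustrative
# assumption for this example; confirm against the scanner's actual ISP.
COMMONLY_ISP_BLOCKED = {25, 135, 137, 138, 139, 445, 1433}

# Constructed nmap grepable-style (-oG) output for a single scanned host.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, "
    "25/filtered/tcp//smtp///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///, 445/filtered/tcp//microsoft-ds///, "
    "8443/closed/tcp//pcsync-https///\tIgnored State: closed (994)"
)

# Inbound TCP ports the customer's firewall config (assumed to have been
# supplied by the customer, as in the quoted methodology) permits from
# the Internet. Everything else is expected to be dropped by the customer.
CUSTOMER_ALLOWED = {22, 80, 443, 8443}

PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/tcp")


def parse_grepable(line):
    """Return {port: state} for the TCP entries in one -oG host line."""
    return {int(port): state for port, state in PORT_RE.findall(line)}


def classify(results, allowed):
    """Label each port's scan state against the customer's stated policy.

    path_filtered : customer permits the port, yet the probe never got an
                    answer; something between scanner and host dropped it.
    ambiguous     : port is filtered, not permitted, and on the ISP list;
                    a customer drop and an ISP block look identical here.
    consistent    : the observed state is explained by the customer policy.
    """
    verdicts = {}
    for port, state in sorted(results.items()):
        if "filtered" in state and port in allowed:
            verdicts[port] = "path_filtered"
        elif "filtered" in state and port in COMMONLY_ISP_BLOCKED:
            verdicts[port] = "ambiguous"
        else:
            verdicts[port] = "consistent"
    return verdicts


def path_is_unfiltered(verdicts):
    """True only if nothing the customer permits came back filtered."""
    return all(v != "path_filtered" for v in verdicts.values())


if __name__ == "__main__":
    verdicts = classify(parse_grepable(SAMPLE_SCAN), CUSTOMER_ALLOWED)
    for port, verdict in verdicts.items():
        print(f"{port:>5}/tcp  {verdict}")
    print("unfiltered path to customer:", path_is_unfiltered(verdicts))
```

In the constructed sample, 443/tcp is permitted by the customer but reported filtered, so the check fails and the scan should be rerun from a path that can reach the host (or the ISP's filtering confirmed and documented) before any conclusion is drawn; 25/tcp and 445/tcp are flagged as ambiguous because the scan alone cannot tell a deliberate customer drop from an ISP block.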


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT