Penetration Testing mailing list archives
RE: VISA/Mastercard PCI Vendor Scanning requirements
From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 4 Mar 2006 08:05:46 +1100
Hello,
Real testing. Nothing in the VISA statement of terms includes BLIND. Never is the word mentioned. It is ONLY mentioned
when vendors seek an excuse (i.e. Cable and Wireless and last year's little incident).
How do we get to the idea that an external test must be blind?
This is just the "please tie my hands behind my back" type of thinking that leaves holes. The issue is NOT "what will an
average hacker see". The issue is to ensure that the site is configured to a standard and that all KNOWN
vulnerabilities are patched/mitigated. VISA does not want to test the site as it may be seen from the internet by
hackers; this is just wrong for all those who believe this.
For all those companies doing this. Think liability. Force of law comes into effect this year in Australia to the
auditing standards and has already in the US and UK. This means that there are criminal sanctions for conducting audits
without following approved process.
So to what we do.
We get copies of the system config. The firewall config. The firmware versions. Dumps of the OS. Rules. Logs. Basically
everything that you could possibly consider.
This information is analysed. A combination of Spectral analysis for systems design and Time Series analysis for the
logs is used amongst other things.
A pen test is used to verify findings.
Regards
Craig
-----Original Message-----
From: Derek Nash [mailto:ddnash () gmail com]
Sent: Fri 3/03/2006 1:52 PM
To: pen-test () securityfocus com
Cc:
Subject: VISA/Mastercard PCI Vendor Scanning requirements
For those of you who are providing PCI certified scanning how are you
complying with the requirement that "The vendor should ensure that it
has an unfiltered communication path to the customer's environment."
in order to avoid "Internet Service Provider Blocked Ports" that could
"result in misleading report conclusions."
Mastercard alludes to scanning over a VPN tunnel, but that seems
excessive and a potential logistical nightmare depending on volume of
business and technical know-how at the client's end.
I am just wondering what other providers are doing to comply. Thanks in
advance for your posts.
--
Best Regards,
ddnash
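The "Internet Service Provider Blocked Ports" problem Derek raises is detectable: if the same host is scanned once from the public internet and once over an unfiltered path (for example the VPN tunnel Mastercard suggests), any port that reads "filtered" externally but "open" on the unfiltered path is being hidden by an intermediary, not by the customer's own controls, and would silently drop out of the report. The following Python is an added example, not code from this thread or from any PCI scanning vendor: it parses nmap grepable (-oG) output from the two vantage points and flags those upstream-blocked ports. The scan results and the host 192.0.2.10 are constructed sample data.

```python
import re

# Constructed sample nmap -oG output for one host seen from the public internet.
# Port 25 shows as filtered here because a transit/ISP filter drops it.
SCAN_FROM_INTERNET = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)
"""

# Constructed sample for the same host scanned over an unfiltered path
# (e.g. a VPN into the customer's environment). Port 25 is actually open;
# port 445 is filtered by the customer's own firewall, so both views agree.
SCAN_FROM_UNFILTERED_PATH = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)
"""

# Each port entry in -oG output looks like "port/state/proto//service///".
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {(host, proto, port): state} from nmap grepable output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            results[(host, proto, int(port))] = state
    return results


def compare_scans(external, unfiltered):
    """Classify every port known on the unfiltered path by how the two views differ.

    'consistent'       - both vantage points agree (includes host-side filtering)
    'upstream-blocked' - open on the unfiltered path, filtered from the internet:
                         an ISP/transit filter is hiding a live service
    'mismatch'         - any other disagreement, worth a manual look
    """
    verdicts = {}
    for key, inside_state in unfiltered.items():
        # A port absent from the external scan was not observed at all; treat as filtered.
        outside_state = external.get(key, "filtered")
        if outside_state == inside_state:
            verdicts[key] = "consistent"
        elif outside_state == "filtered" and inside_state == "open":
            verdicts[key] = "upstream-blocked"
        else:
            verdicts[key] = "mismatch"
    return verdicts


def upstream_blocked_ports(external_text, unfiltered_text):
    """Sorted list of port numbers that the external scan would have missed."""
    verdicts = compare_scans(parse_grepable(external_text),
                             parse_grepable(unfiltered_text))
    return sorted(port for (_host, _proto, port), v in verdicts.items()
                  if v == "upstream-blocked")


if __name__ == "__main__":
    blocked = upstream_blocked_ports(SCAN_FROM_INTERNET, SCAN_FROM_UNFILTERED_PATH)
    for port in blocked:
        print(f"port {port}/tcp is open but hidden by an upstream filter; "
              f"the internet-only scan would under-report it")
```

Ports that come back "consistent" while filtered in both views (445 in the sample) are the customer's own firewall at work and belong in the report as such; only the "upstream-blocked" set indicates the misleading conclusions the PCI text warns about, and their presence is the concrete evidence that the vendor does not yet have the unfiltered communication path the requirement asks for.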