Comments on: “Passing” Vulnerability Scans http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/ A common sense approach to achieving PCI compliance and retaining your sanity Sat, 18 May 2013 17:32:57 +0000 hourly 1 http://wordpress.com/ By: Troy http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-499 Wed, 15 Sep 2010 21:17:32 +0000 http://pciguru.wordpress.com/?p=377#comment-499 Your approach is a good one… but 6.1.b addresses critical security patches within 30 days. Most of the vulnerabilities that I see are not due to a critical security patch, several are due to ssl key encryption strength and/or expiry date and mis-configuration issues. With these types of issues, merchants can setup plans to remediate through their change management process without affecting production and have up to the quarter to address.

Furthermore, a merchant would have a finding if they do have a quarterly scan (before remediation) that has a vulnerability present for a critical patch that was released more than 30 days ago; as they would not be meeting 6.1.b.

Also with the new standard being released in a few months, merchants will be able to perform a risk analysis on each vulnerability and will be able to potentially accept risks. What are your thoughts on this one guru?

]]> By: PCI DSS and PA-DSS 2.0 Are Here – Almost « PCI Guru http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-390 Fri, 13 Aug 2010 02:07:33 +0000 http://pciguru.wordpress.com/?p=377#comment-390 [...] ranking are addressed first versus just patching everything within a 30 day time period.  In my book this is just going to give organizations what they think is more wiggle room on patching.  It will [...]

]]> By: What Is Penetration Testing? « itsec http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-246 Wed, 03 Mar 2010 20:18:30 +0000 http://pciguru.wordpress.com/?p=377#comment-246 [...] I would like so it is probably a good discussion topic.  And it pairs up nicely with my previous post regarding passing vulnerability [...]

]]> By: What Is Penetration Testing? « ITSecurity http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-234 Tue, 23 Feb 2010 15:00:39 +0000 http://pciguru.wordpress.com/?p=377#comment-234 [...] I would like so it is probably a good discussion topic.  And it pairs up nicely with my previous post regarding passing vulnerability [...]

]]> By: PCIGuru http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-229 Mon, 22 Feb 2010 11:19:19 +0000 http://pciguru.wordpress.com/?p=377#comment-229 What you recommend we conduct as part of our vulnerability scanning process. Our methodology has us conduct our reconnaissance work of MySpace, Facebook, LinkedIn, etc. then not as part of our penetration testing. This approach allows our penetration testing to be strictly focused on compromising the network and systems. We believe this approach is more like the real world.

]]> By: What Is Penetration Testing? « PCI Guru http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-224 Sun, 21 Feb 2010 15:30:32 +0000 http://pciguru.wordpress.com/?p=377#comment-224 [...] I would like so it is probably a good discussion topic.  And it pairs up nicely with my previous post regarding passing vulnerability [...]

]]> By: dgonzalez_IT http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-220 Thu, 18 Feb 2010 19:56:21 +0000 http://pciguru.wordpress.com/?p=377#comment-220 Patch Management was one of the most difficult things I had to deal with when I went through the PCI process with a past employer and I can’t remember how many times I was questions why I had so many scans setup to run. Reason being was because I had my vulnerability scanner set to scan daily for production servers, then a weekly for servers plus the rest of the critical network components, then a monthly scan of everything. It might have seemed like over kill to upper management, but it really gave me clear visibility of the state my patching and vulnerability management was in. It painted a clear picture of how my systems where yesterday, or a week ago compared to the current day and why and what vulnerabilities surfaced if any.

So many organizations forget how important patching systems are. Great read as always!

]]> By: PCIGuru http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-214 Mon, 15 Feb 2010 21:37:44 +0000 http://pciguru.wordpress.com/?p=377#comment-214 Michael:

I think you are referring to the card brands’ Web site, not the PCI SSC Web site. The card brands, in particular Visa, list service providers that are PCI compliant. However, those are service providers that actually provide card processing services. In order to be on that list, you must pay Visa a fee as well as register as a card processing entity.

I am not aware of any list of certified managed service providers that is maintained by the PCI SSC.

PCI Guru

]]> By: Michael http://pciguru.wordpress.com/2010/02/14/%e2%80%9cpassing%e2%80%9d-vulnerability-scans/#comment-212 Mon, 15 Feb 2010 05:44:27 +0000 http://pciguru.wordpress.com/?p=377#comment-212 Hi PCI Guru,

I have a question, I asked the PCI Council and got no answer maybe you can help, sorry if its too left field.

As a reseller of Level 1 PCI DSS certified manged services, could the company be listed on the PCI councils website as PCI compliant? despite the fact that we dont actually touch / store / process credit cards ourselves, but rather sell certified managed services (this function is provided by our supplier).

Regards,

Michael

]]>