Old 21st July 2008
ai-danno
Spam Deminer
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284

I find myself in the exact same role as the OP (I'm network and security admin for an e-commerce webhosting company), but the scans themselves aren't what I have a problem with. The scans (especially on shared servers we directly admin) reveal weaknesses our support personnel have tacked on (in the form of applications running with open sockets that clearly shouldn't be running on said machine) or firewall ports that were open and shouldn't have been (both of which I quickly pounce on).

The Hackersafe scans to me aren't the problem (and before responding that we have cleaned up the mess, I scan from outside with a free copy of Nessus just to be sure)... the real problem is the questionnaires that they submit to us that we have to fill out on behalf of a customer. The questions are obvious and thus suggest the correct response to be had (like, "do you have a wireless router that is not secured?" or something similar), and they can be easily lied about. Why even submit these to be filled out? It's like asking "Are you in compliance before we suggest that you are in compliance?" Who's going to say "No, we are wide open and ready for a massive exploit, now please give us your approval"?

If these silly questionnaires pass for some security check, then PCI compliance as I see it is a joke, at least at that level.
__________________
Network Firefighter
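As an added example that is not part of the post above (and not code from Hackersafe, Nessus or any other tool named there): the outside-in check the poster describes, comparing the ports that are actually reachable from the internet against what each host is supposed to expose, so that a stray listener or an over-permissive firewall rule shows up as a diff rather than as something to eyeball. The hosts, the allowlist and the scan text are all constructed for this example; the scan text is shaped like nmap's greppable (-oG) output, not a real scan result.

```python
"""Compare externally observed open ports against a per-host allowlist.

Added example, not from the forum post. SAMPLE_SCAN is a constructed
string shaped like nmap's greppable (-oG) output; the hosts and the
ALLOWED table are hypothetical.
"""
from collections import defaultdict

# Constructed sample: what an external scan of two shared hosts might return.
# Line layout follows nmap -oG: "Host: <ip> ()<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///, 25/filtered/tcp//smtp///\tIgnored State: closed (996)\n"
    "# Nmap done (constructed sample)\n"
)

# Hypothetical allowlist: what each host is meant to expose to the internet.
ALLOWED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 80), ("tcp", 443)},
}


def parse_grepable(text):
    """Return {host: {(proto, port): service}} for ports reported as 'open'.

    Only the 'open' state counts; 'filtered' means the firewall dropped the
    probe, which is the result we want, so it is not treated as exposure.
    """
    found = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field is tab-delimited from the trailing "Ignored State" field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            service = fields[4] if len(fields) > 4 else ""
            if state == "open":
                found[host][(proto, int(port))] = service
    return dict(found)


def unexpected_exposures(observed, allowed):
    """Ports seen open from outside that the allowlist does not permit, per host.

    A host missing from the allowlist is treated as allowing nothing, so every
    open port on an unknown host is reported.
    """
    result = {}
    for host, ports in observed.items():
        permitted = allowed.get(host, set())
        extra = {p: svc for p, svc in ports.items() if p not in permitted}
        if extra:
            result[host] = extra
    return result


def missing_services(observed, allowed):
    """Allowed ports that were NOT seen open: a service down or a firewall rule too tight."""
    result = {}
    for host, permitted in allowed.items():
        seen = set(observed.get(host, {}))
        gap = permitted - seen
        if gap:
            result[host] = gap
    return result


if __name__ == "__main__":
    seen = parse_grepable(SAMPLE_SCAN)
    for host, extra in unexpected_exposures(seen, ALLOWED).items():
        for (proto, port), svc in sorted(extra.items()):
            print(f"{host}: unexpected {proto}/{port} ({svc or 'unknown'}) reachable from outside")
    for host, gap in missing_services(seen, ALLOWED).items():
        for proto, port in sorted(gap):
            print(f"{host}: expected {proto}/{port} not reachable")
```

Running it on the constructed sample flags the MySQL listener on the first host and the 8080 proxy on the second, and ignores the filtered SMTP port. In practice the input would be the output of `nmap -oG - <hosts>` run from a box outside the hosting network, and the allowlist would be the same one the firewall rules were written from, so that a port open in the scan but absent from the list is either a rule nobody intended or a process nobody should have started.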