DaemonForums  

#1 - 10th July 2008
dk_netsvil (Real Name: Devon)
Fdisk Soldier
Join Date: May 2008
Location: New York
Posts: 75
Thanked 7 Times in 7 Posts

Payment Card Industry compliance scanning

Payment Card Industry (PCI) scans are something I get to deal with every day where I am responsible for a data center with a high concentration of e-commerce webservers. For those who have yet to experience this phenomenon, allow me to explain a little about PCI scans. For an online retailer using, for example, Visa services, it is a requirement to submit your website to periodic PCI evaluations or else risk falling out of favor with, in this example, Visa. So you sign up with a service (there are many available) and your website is analyzed on many different levels to determine potential security vulnerabilities. These range from known weaknesses in different versions of apache, mysql, php, openSSH, openSSL, Java, etc. Some of these scans return relatively simple information - your apache version has a known vulnerability, solution: upgrade to version X.

Other scans are so generalized as to be useless - better to send me an email telling me I might as well just spin a wheel and guess.

From a practical administration perspective I appreciate that card companies are attempting, through the mechanism of the PCI scan, to reduce fraud and ultimately improve the name of online credit card processing. And, as an admin, I am well aware that one means of ensuring a high level of compliance is periodically scanning these servers to ensure they are secure. On the other hand, when I get these useless vague scan reports I wonder if it's not also kind of a scam, especially when I call and they are either unwilling to discuss how the scan result came to be determined or if it's something they can't repeat.

Any thoughts?
#2 - 10th July 2008
Darwimy
Port Guard
Join Date: Jun 2008
Location: Germany
Posts: 36
Thanked 2 Times in 2 Posts

Colleagues of mine are working in the PCI area as well. The bad thing about these checks is that anyone can run a 'tool' and present its report. Taking such a report apart to tell the real problems requires in-depth knowledge and time. Both are expensive and therefore omitted in many cases.

But as a colleague said: 'Compliance checks are not intended to make you happy, but to make the auditors happy.'
#3 - 21st July 2008
ai-danno
Spam Deminer
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts

I find myself in the exact same role as the OP (I'm network and security admin for an e-commerce webhosting company), but the scans themselves aren't what I have a problem with. The scans (especially on shared servers we directly admin) reveal weaknesses our support personnel have tacked on (in the form of applications running with open sockets that clearly shouldn't be running on said machine) or firewall ports that were open and shouldn't have been (both of which I quickly pounce on).

The Hackersafe scans to me aren't the problem (and before responding that we have cleaned up the mess, I scan from outside with a free copy of Nessus just to be sure)... the real problem is the questionnaires that they submit to us that we have to fill out on behalf of a customer. The questions are obvious and thus suggest the correct response to be had (like, "do you have a wireless router that is not secured?" or something similar), and they can be easily lied about. Why even submit these to be filled out? It's like asking "Are you in compliance before we suggest that you are in compliance?" Who's going to say "No, we are wide open and ready for a massive exploit, now please give us your approval"?

If these silly questionnaires pass for some security check, then PCI compliance as I see it is a joke, at least at that level.
__________________
Network Firefighter
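The post above describes the one concrete check in this thread: finding services listening on sockets that have no business being exposed on a given host, before an outside scanner finds them for you. The script below is an added example written for this thread, not code from any poster or from Nessus or Hackersafe. It parses constructed sample output in the layout of FreeBSD's `sockstat -4l`, treats loopback-only listeners as not externally reachable, and reports every wildcard or non-loopback listener that is absent from an assumed allow-list of expected (process, port) pairs. The allow-list and the sample lines are assumptions for illustration; on a real host you would feed it the actual `sockstat -4l` output and the baseline you have agreed for that server role.

```python
"""Flag listening sockets that are not on an expected-services allow-list.

Added example for the DaemonForums thread; the sample output and the
allow-list below are constructed for illustration and are not from the page.
"""

# Constructed sample in the layout of `sockstat -4l` on FreeBSD:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      812   4  tcp4   *:80                  *:*
www      httpd      812   5  tcp4   *:443                 *:*
root     sshd       611   3  tcp4   *:22                  *:*
mysql    mysqld     701   10 tcp4   127.0.0.1:3306        *:*
root     ntpd       590   20 udp4   *:123                 *:*
nobody   memcached  933   26 tcp4   *:11211               *:*
support  nc         1204  3  tcp4   *:4444                *:*
"""

# Assumed baseline for a hardened e-commerce web host: (command, port) pairs
# that are allowed to listen on an externally reachable address.
EXPECTED_LISTENERS = {("httpd", 80), ("httpd", 443), ("sshd", 22), ("ntpd", 123)}

LOOPBACK_PREFIXES = ("127.",)


def parse_sockstat(text):
    """Turn sockstat-style text into a list of listener dicts.

    The header line is skipped; each data line must carry the seven columns
    shown above. The local address is split on its last ':' so an IPv4
    address with a port parses correctly.
    """
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or malformed line; ignore rather than guess
        user, command, pid, fd, proto, local, _foreign = parts[:7]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append({
            "user": user,
            "command": command,
            "pid": int(pid),
            "proto": proto,
            "addr": addr,
            "port": int(port),
        })
    return listeners


def is_externally_reachable(listener):
    """A wildcard bind or a non-loopback address can be hit from outside."""
    addr = listener["addr"]
    return addr == "*" or not addr.startswith(LOOPBACK_PREFIXES)


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Return sorted (command, port) pairs that are reachable from outside
    the host but are not on the allow-list."""
    findings = set()
    for listener in parse_sockstat(text):
        if not is_externally_reachable(listener):
            continue  # loopback-only: an outside scan cannot see it
        key = (listener["command"], listener["port"])
        if key not in expected:
            findings.add(key)
    return sorted(findings)


if __name__ == "__main__":
    for command, port in unexpected_listeners(SAMPLE_SOCKSTAT):
        print(f"unexpected external listener: {command} on port {port}")
```

Run as a script it reports memcached on 11211 and nc on 4444 as unexpected; mysqld is ignored because it is bound to 127.0.0.1 only. Comparing against a per-role baseline like this is a cheaper first pass than waiting for the quarterly scan report, and it gives you an explanation for each finding that the report, as the thread complains, often does not.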