PCI compliance scanner

  • 09-04-2009 2:01pm
    #1
    Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭


    Anyone using one? I'm looking at the Comodo HackerGuardian, at least they give you a free trial of 90 days.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I audit mainly looking for compliance with ISO 27001, but from what I know about PCI compliance, there is very little you can scan for, for PCI.

    Below I have summarised the main requirements PCI requires, and whether you can scan for them or not.

    1. Install and maintain a firewall configuration to protect cardholder data - does the scanner check if a firewall is in place? Easy to do with nmap or firewalk.
    2. Do not use vendor-supplied defaults for system passwords and other security parameters - Common sense really. Can't really scan for it though.
    3. Protect stored cardholder data - er, how? With a firewall? See point one.
    4. Encrypt transmission of cardholder data across open, public networks - Can't scan for that.
    5. Use and regularly update anti-virus software on all systems commonly affected by malware - Can't scan for that.
    6. Develop and maintain secure systems and applications - Can't scan for that.
    7. Restrict access to cardholder data by business need-to-know - Can't scan for that.
    8. Assign a unique ID to each person with computer access - Can't scan for that.
    9. Restrict physical access to cardholder data - Can't scan for that.
    10. Track and monitor all access to network resources and cardholder data - Can't scan for that.
    11. Regularly test security systems and processes - Can't scan for that.
    12. Maintain a policy that addresses information security - Can't scan for that.

    What does this scanner actually do?

    PCI compliance, like ISO 27001, is more about procedure than actual technical checks. I really don't think a canned scanner will do what you want.

    Personally I use nmap, nessus/OpenVAS and netcat for technical checks, and guidelines and common sense for the rest.
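The firewall check in point 1 is the one item above that really can be pulled out of scan output automatically. As an added example (not from this thread or from any scanner vendor), here is a Python script that parses nmap's greppable (-oG) output, fed a constructed sample, and reports per host whether filtered ports indicate a packet filter in front of it, plus which open listeners are cleartext-by-default services as a hint for point 4; the service-name list is an assumption to be tuned per estate.

```python
import re

# Constructed sample of nmap greppable output (-oG); not from a real scan.
SAMPLE_GNMAP = """\
# Nmap 4.85 scan initiated as: nmap -sS -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (997)
"""

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")
# Services that are cleartext by default (assumption: adjust to your estate).
CLEARTEXT = {"ftp", "telnet", "http", "pop3", "imap"}

def parse_gnmap(text):
    """Map each host IP to its port table and the summarised 'Ignored State'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        entry = hosts.setdefault(ip, {"ports": {}, "ignored": None})
        m = IGNORED_RE.search(line)
        if m:
            entry["ignored"] = (m.group(1), int(m.group(2)))
        for port, state, proto, service in PORT_RE.findall(line):
            entry["ports"][int(port)] = (state, proto, service)
    return hosts

def firewall_evidence(host):
    """Req. 1 heuristic: 'filtered' means probes were dropped in front of the
    host; 'closed' means the host itself answered (RST), so nothing filtered."""
    filtered = sum(1 for s, _, _ in host["ports"].values() if s == "filtered")
    if host["ignored"] and host["ignored"][0] == "filtered":
        filtered += host["ignored"][1]
    return filtered > 0

def cleartext_listeners(host):
    """Req. 4 hint: open ports whose detected service is cleartext by default."""
    return sorted(p for p, (s, _, svc) in host["ports"].items()
                  if s == "open" and svc in CLEARTEXT)

def assess(text):
    return {ip: {"firewall": firewall_evidence(h),
                 "cleartext_listeners": cleartext_listeners(h)}
            for ip, h in parse_gnmap(text).items()}
```

Run it against `nmap -sS -oG - <your hosts>` output instead of the sample; the per-host dictionary is the piece of evidence worth filing alongside the firewall configuration review.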


  • Registered Users, Registered Users 2 Posts: 786 ✭✭✭voodoo


    Hi there,

    I agree to disagree on some of your points about being able to scan for some of the requirements. I have used a good tool called Foundstone from McAfee that has tools built in to scan for most of the requirements, including password strengths etc.

    1 Yes, of course it can check for a firewall
    2 You can scan for password strengths etc with these scanners
    3 This is around data protection, so scanning to see if there are any tools in place to protect data
    4 Of course they scan for presence of AV - In fact most scan for presence of any type of application!
    10 Isn't this NAC? Again, of course it can scan for presence of NAC
    11 Again of course you can
    12 Most scanners will have PCI templates so again easy to scan against!

    The benefit of these scanners is that they create reports which can be scheduled on a weekly or monthly basis and stored for audit purposes if required.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    PCI Security Standards Council has a list of ASVs, so they apparently think you can scan. I think it's a mix of vulnerability checks and procedure checks that does the trick.


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    Saw this the other day on the Nessus blog.

    "PCI-DSS Auditing Linux, Apache, PHP, & MySQL With Nessus 4"
    http://blog.tenablesecurity.com/2009/04/pci-dss-auditing-linux-apache-php-mysql-with-nessus-4.html

