Security Basics mailing list archives

RE: Opinions on vulnerability scanning practice?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 3 Aug 2006 17:18:30 -0700

  Do they understand that the clients who have contacted 
them do not own the servers from which they want to link?
Maybe that wasn't clearly communicated to them.

Dave Gillett


-----Original Message-----
From: rgutter () gmail com [mailto:rgutter () gmail com] 
Sent: Wednesday, August 02, 2006 3:20 PM
To: security-basics () securityfocus com
Subject: Opinions on vulnerability scanning practice?

I'd like to get a community opinion on this. We're a union 
that provides free web hosting to a number of related 
non-profit organizations. Some of them have gone to a 
third-party provider for e-commerce functionality, and 
obviously want to link to that provider from their sites on 
our server.

Wanting to set up merchant accounts for these organizations, 
that provider's e-commerce service (Beanstream) had a risk 
management firm run a vulnerability scan on our server, 
stating that Visa requires AIS end-to-end compliance within 
the Visa payment system.

Now, I recognize the desire to prevent pharming and similar 
attacks that could occur were my system to be compromised, 
but my first response was: "Who the ^*$$* do you think you 
are to run a scan on my system without permission?"

What's the deal here? Am I out of line? Is this normal practice? 

--------------------------------------------------------------
-------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
The NSA has designated Norwich University a center of 
Academic Excellence in Information Security. Our program 
offers unparalleled Infosec management education and the case 
study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this 
esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------




