Security Basics mailing list archives
RE: Opinions on vulnerability scanning practice?
From: "Jeffrey Wei" <jeffrey.wei () cubic com>
Date: Thu, 3 Aug 2006 16:12:51 -0700
They are correct in stating that they need to scan your system for vulnerability in order for them to link their system with yours, in order to protect themselves as it is mandated by VISA / Mastercard association (see http://www.visa.com/cisp)... This is required on a yearly basis at the very least, depending on what merchant level Beanstream falls under.

Jeffrey Wei

-----Original Message-----
From: rgutter () gmail com [mailto:rgutter () gmail com]
Sent: Wednesday, August 02, 2006 3:20 PM
To: security-basics () securityfocus com
Subject: Opinions on vulnerability scanning practice?

I'd like to get a community opinion on this.

We're a union that provides free web hosting to a number of related non-profit organizations. Some of them have gone to a third-party provider for e-commerce functionality, and obviously want to link to that provider from their sites on our server.

Wanting to set up merchant accounts for these organizations, that provider's e-commerce service (Beanstream) had a risk management firm run a vulnerability scan on our server, stating that Visa requires AIS end-to-end compliance within the Visa payment system.

Now, I recognize the desire to prevent pharming and similar attacks that could occur were my system to be compromised, but my first response was: "Who the ^*$$* do you think you are to run a scan on my system without permission?"

What's the deal here? Am I out of line? Is this normal practice?

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------