Educause Security Discussion mailing list archives

Re: Vendors for PCI Compliance Scanning


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Wed, 28 May 2008 15:08:51 -0500

1) I think it was inappropriate because it didn't even get close to
answering the question.  Tripwire is not an approved scanning vendor,
merely an auditing tool used to check various settings.

2) We currently use Security Metrics to scan our outside presence.  I
haven't been real thrilled with them because it appears they are simply
running a Nessus scan.  I have also had several false positives that I
have had to contact them about that were not even close to an actual
problem.

3) We originally used Fishnet Security to do our scans.  They were very
thorough and they actually validated the results.  They actually use a
Qualys system to do their scans and it does it very well.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brett Bartow
Sent: Wednesday, May 28, 2008 2:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vendors for PCI Compliance Scanning

Whoops! I sincerely apologize to all who found my response a misuse of
the list. My intention was to simply respond to a request for
information. I have no interest in sending unsolicited information.
Thank you for your feedback and this will not happen again.

Sincerely,


Brett Bartow  Account Manager - Education/Nonprofit

Direct:  503.276.7651
Fax:     425.963.4652 

TRIPWIRE | The Leader in Configuration Audit & Control
Check out the latest Tripwire news! 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conor McGrath
Sent: Wednesday, May 28, 2008 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vendors for PCI Compliance Scanning

Roger Safian wrote the following, on 5/28/08 1:57 PM:
Is this an appropriate use of this list?  Personally I don't mind
vendor participation, as long as said participation isn't just
a transparent ploy to drum up business.  This seems to be a most
egregious violation.  Am I the only one who feels that way?

You are not the only one who feels this way.  Add my 2 cents to the
pile.

-Conor


At 01:35 PM 5/28/2008, Brett Bartow put fingers to keyboard and wrote:
Chuck,

We have a very strong solution for automating compliance. Seven out of
the top ten retailers use Tripwire. Please see the following link and
give me a call if you would like to discuss further.

http://www.tripwire.com/solutions/regulations/pci.cfm 

Thanks,

Brett Bartow  Account Manager - Education/Nonprofit

Direct:  503.276.7651
Fax:     425.963.4652 

TRIPWIRE | The Leader in Configuration Audit & Control
Check out the latest Tripwire news! 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck McCants
Sent: Wednesday, May 28, 2008 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendors for PCI Compliance Scanning

Hello,
A question came up in a meeting this morning, that leads me to ask -
"What company are you using to do your PCI compliance scanning?"

All responses and opinions of your experiences would be helpful (good or
bad).


-- 

Chuck McCants
Lead Security Specialist
C&IT Security and Access Mgmt
Wayne State University
313.577.3455



-- 
Conor McGrath                                           Phone: (773)702-7611
Manager for Network Security                            Fax: (773)834-8444
Network Security Center, The University of Chicago      NetSec: (773)702-2378
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
