Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 2 Apr 2009 15:30:30 -0400


Hmmm, no I don't think so.

Network auditor would take care of regular stuff (e.g. your example of
an open telnet service).  Nessus, nmap, etc.  Irregular stuff will be
there no matter what, if someone knowledgeable enough spends enough time
looking.

Pen Testing has no real purpose that I can see.... Other than as a scare
tactic to put someone in their place, get more money for security from
admin, shame your IT department, or etc.  It is more of a
social/political tool than a security instrument.

--Patrick Darden


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
AMuse
Sent: Thursday, April 02, 2009 2:59 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] PCI DSS & Firewalls

Isn't the point of pen-testing to take up an attackers' perspective and
hit all your defenses to see if you missed something or misconfigured
something?  I mean, unless you're the only person who set up 100% of
your infrastructure, how are you to know that someone didn't
accidentally leave telnet open?  If you didn't write 100% of the webapps
your company is using, how are you to know they don't have SQL injection
flaws?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
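The "regular stuff" Patrick says a routine network audit catches (an open telnet service turned up by nmap or Nessus) can be checked automatically against a hardening policy. The following is an added example, not code from this thread or from nmap: it parses nmap's grepable (`-oG`) output format and flags open services that the policy forbids. The `FORBIDDEN_SERVICES` list is an assumed policy, and the scan text in `SAMPLE_SCAN` is constructed for the example rather than taken from a real scan.

```python
"""Flag policy-violating services in nmap "grepable" (-oG) output.

Added example, not from the mailing-list thread: it shows the kind of
routine check a network audit performs (e.g. "is telnet open anywhere?")
by reading nmap's -oG format. SAMPLE_SCAN below is constructed, not real.
"""
import re
from typing import Dict, List, Tuple

# Services a hardening policy would forbid on a reachable host.
# Assumed policy for this example, not something the thread specifies.
FORBIDDEN_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}

# Constructed -oG output. Each host line looks like:
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample for illustration)
Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH/, 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 10.0.0.6 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
Host: 10.0.0.7 (legacy.example.internal)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, state, service), ...]} parsed from nmap -oG text."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment and summary lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        entries: List[Tuple[int, str, str]] = []
        # Fields on a host line are tab-separated; only "Ports:" matters here.
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                item = item.strip()
                if not item:
                    continue
                # port/state/protocol/owner/service/rpc info/version/
                parts = item.split("/")
                if len(parts) < 5:
                    continue  # malformed entry; ignore rather than crash
                entries.append((int(parts[0]), parts[1], parts[4]))
        hosts[ip] = entries
    return hosts


def find_violations(text: str) -> List[Tuple[str, int, str]]:
    """Return (ip, port, service) for every open service the policy forbids."""
    found: List[Tuple[str, int, str]] = []
    for ip, entries in parse_grepable(text).items():
        for port, state, service in entries:
            if state == "open" and service in FORBIDDEN_SERVICES:
                found.append((ip, port, service))
    return sorted(found)


if __name__ == "__main__":
    for ip, port, svc in find_violations(SAMPLE_SCAN):
        print(f"{ip}: {svc} open on tcp/{port} (forbidden by policy)")
```

Run against a real `nmap -oG scan.txt` file, this reports the "accidentally left open" telnet that AMuse worries about, which is exactly the category of finding Patrick argues belongs to routine auditing rather than a pen test; the irregular findings (logic flaws, chained misconfigurations) are what such a check cannot express.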

