Security Basics mailing list archives

RE: Opinions on vulnerability scanning practice?


From: "Jeffrey Wei" <jeffrey.wei () cubic com>
Date: Thu, 3 Aug 2006 16:12:51 -0700

They are correct in stating that they need to scan your system for
vulnerabilities in order for them to link their system with yours, in
order to protect themselves, as is mandated by the VISA / Mastercard
association (see http://www.visa.com/cisp)...

This is required on a yearly basis at the very least, depending on what
merchant level Beanstream falls under.


Jeffrey Wei

-----Original Message-----
From: rgutter () gmail com [mailto:rgutter () gmail com] 
Sent: Wednesday, August 02, 2006 3:20 PM
To: security-basics () securityfocus com
Subject: Opinions on vulnerability scanning practice?

I'd like to get a community opinion on this. We're a union that provides
free web hosting to a number of related non-profit organizations. Some
of them have gone to a third-party provider for e-commerce
functionality, and obviously want to link to that provider from their
sites on our server.

Wanting to set up merchant accounts for these organizations, that
provider's e-commerce service (Beanstream) had a risk management firm
run a vulnerability scan on our server, stating that Visa requires AIS
end-to-end compliance within the Visa payment system.

Now, I recognize the desire to prevent pharming and similar attacks that
could occur were my system to be compromised, but my first response was:
"Who the ^*$$* do you think you are to run a scan on my system without
permission?"

What's the deal here? Am I out of line? Is this normal practice?

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
