RE: Vulnerability scanner/appliance

[Vijay K <globevk () yahoo com>]

Hello Derek Nash,

Two cents of advise ;)
Short and simple answer would be the following:

1. Check products that are CVE Mitre compliant
vulnerability standards:
http://cve.mitre.org/compatible/compatible.html

You can do an evaluation yourself or contact these
companies directly

2. I can suggest Qualys a good vulnerability product
company that complies with or used in conjunction with
payment card industry standards.

Moreover PCI standards focus is on encryption,
confidentiality, audit compliance mechanisms such as
sarbnes oxley, graham leech etc Ofcourse
authentication and non-repudiation should be added.

Hope it helps,
Cheers
Vijay Kakumanu





--- David Bonvillain <DBonvillain () accuvant com> wrote:

> So, I didn't mean to get into a big discussion on
> PCI controls and flaws
> in the process or anything, cause overall I think
> it's a good program
> that is getting people that wouldn't have otherwise
> thought about
> properly securing their environment to do so...but
> allow me to clarify.
>
> When I say there are scanners that will pass the PCI
> requirements, I am
> referring to their quarterly scan requirements for
> perimeter
> environments. When MasterCard set up that
> environment to qualify
> 'approved' scanning vendors they used some very
> specific metrics for
> gauging a 'successful' test of that environment.
> They set up those
> metrics using specific scanning engines and some of
> those scanning
> engines will in fact pass the PCI quarterly scan
> requirements that
> MasterCard and now PCI uses to gauge a 'passing'
> scan vendor. Now that
> being said I am sure there are vendors out there
> that use whatever
> techniques necessary to pass their requirements and
> may well not use
> those same techniques to actually execute the
> testing that they perform
> as part of their quarterly scanning service (in fact
> on our first time
> through several years ago when me and Broome were
> doing the testing we
> did in fact use a lot of techniques and implemented
> all of those in our
> process (much to our difficulty and probably loss of
> revenue overall)
> until we found a easier solution that would both
> meet the requirements
> without requiring deep testing skills)...but I
> wasn't responding to this
> as a vendor of those services (that is actually
> handled by a different
> practice from my team these days) but just as my 2
> cents, and certainly
> not to bash anyone else's skills/offering/etc. And
> to answer your point
> specifically Derek, we certainly use the same
> process to qualify as we
> do to deliver...but again, not really the point.
>
> When talking Level 1 assessments, PABP, etc. that's
> a whole different
> story that I will spare the list of going into :-)
>
> Specifically to the comment that started this thread
> though: If your
> employer is about to get a full PCI audit performed,
> then Derek (and
> Brian too...hey how are ya man :-))is spot on, there
> is no scanner that
> is going to do anything close to getting you
> compliant as there are a
> lot of components that go into ensuring your overall
> environment is
> compliant with the controls in the PCI standard. But
> if you are trying
> to ensure you are diligent with whatever control
> that is that states you
> should be performing ongoing internal vulnerability
> scanning...pretty
> much anything will work to say you've "done
> it"...but I will echo Derek
> in saying that if you want one that will help you
> actually secure your
> environment better, then you should identify one
> "that identifies,
> prioritizes, escalates, and finally closes the
> vulnerabilities
> throughout the remediation process.". Best bet is to
> determine if there
> is a budget for such a solution (if you have been
> using Nessus in the
> past, there may be an uphill battle there) and eval
> a few different ones
> in your environment. Different scanners have
> different strengths and
> weaknesses and you should find out what will not
> only identify the
> broadest range of issues in your environment with
> the highest level of
> accuracy, but also which will fit within your
> security management
> processes best.
>
> BTW - its kinda cool that the first thread on this
> list I respond to in
> forever, I know some of the folks that participated
> :-) (hope you guys
> are doing well Derek and Brian).
>
> I'll go back to work now.
>
> --d_villain
>
> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com]
> On Behalf Of Derek Nash
> Sent: Friday, August 31, 2007 8:33 PM
> To: David Bonvillain
> Cc: kocherk () knology net;
> security-basics () securityfocus com
> Subject: Re: Vulnerability scanner/appliance
>
> Dave,
>
> Let's not kid ourselves or add to the existing FUD
> in the market
> place. There are no PCI certified vulnerability
> scanners. The truth is
> that although certain vulnerability scanner vendors
> offer ASV services
> you and I both know that there is a difference
> between the
> methodologies they used to pass their PCI ASV
> examination and simply
> running their given solution against test
> environment and spitting out
> a report. The second method simply won't cut it.
>
> This was evident during an exam I was involve in.
> The protors of the
> exam don't necesarily do a very good job of
> scrubbing the environment
> between exams. We happen to stumble across some logs
> in the test
> environment from passed exams and it was quite
> evident that certain
> scan vendors who were getting certified were
> performing a manual
> assessments and did not simply run their tool
> against test environment
> and spit out a report.
>
> With that being said I have no doubt that the ASV
> services sold by
> these vendors are simple scans from their tools
> which of course is a
> violation of their agreement with the PCI Security
> Council as it is a
> departure from the methodology they used during
> certification, but who
> is going to take the time and go to the trouble of
> trying to prove
> that. This probably one of the biggest problems
> facing the ASV program
> today.
>
> Now if you as a provider of ASV services simply
> point Qualys at your
> clients' infrastructure and spit out a custom
> templated report to them
> well then best of luck to you. I just hope you
> follow the same
> process/methodology during your next PCI Security
> Standards Council
> ASV Annual Maintenance Test. I know you guys have
> the skill sets to do
> this right and hope you are choosing to do so.
>
> Best regards,
>
> Derek Nash
>
>
>
> On 8/31/07, David Bonvillain
> <DBonvillain () accuvant com> wrote:
> > I wouldn't say that's exactly true. There are
> scanners that you can
> > point at an environment that will run through and
> find all the things
> > that are within the PCI required benchmark and
> then there are ones
> that
> > won't....just ask anyone who has been through the
> PCI process as a
> > scanning provider or level 1 auditor. Sure, if you
> understand all the
> > controls and how to identify all that stuff, you
> can use whatever
> > scanner and a bunch of manual techniques to make
> sure you aren't
> > vulnerable, but if you want a scanner that will
> straight up pass the
> PCI
> > benchmark requirements - Qualys is one of them for
> sure. I think
> Rapid7
> > as well.
> > That being said, if we are talking about the
> self-questionnaire thing,
> > you are right, if you have hit yourself with any
> kind of vulnerability
> > scanning/management tool, you should be fine.
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com]
> > On Behalf Of Derek Nash
> > Sent: Friday, August 31, 2007 6:31 AM
> > To: kocherk () knology net
> > Cc: security-basics () securityfocus com
> > Subject: Re: Vulnerability scanner/appliance
> >
> > There is no such thing as PCI Approved. Any
> vulnerability scanner will
> > do to get the auditors check mark. However the
> diligent security
> > professional should be looking for a solution that
> address the entire
> > vulnerability management lifecycle. Love those
> buzz words, but its
> > true. You need something that identifies,
> prioritizes, escalates, and
> > finally closes the vulnerabilities throughout the
> remediation process.
> > On 30 Aug 2007 14:40:21 -0000, kocherk () knology net
> <kocherk () knology net>
> > wrote:
> > > My employer is about to be assessed for PCI
> compliance.  One of the
> > requirements that we've not yet met is a quarterly
> internal network
> > vulnerability scan.  I've used Nessus for these
> scans in the past, but
> > does anyone know of a PCI-approved scanning
> utility/appliance?
> > > Keith
> >
> >
> > --
> > Best Regards,
> >
> > Derek Nash



       
____________________________________________________________________________________
Got a little couch potato? 
Check out fun summer activities for kids.
http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+kids&cs=bz