On Wed, Jun 30, 2010, Frank Cox wrote:
On Wed, 2010-06-30 at 15:14 -0400, m.roth@5-cent.us wrote:
Sorry, you lost me here. I turned off all access to the h/d/ramdisk on the printers, and left it off. This, of course, slows things down a lot, but it's "Secure".
The point is that the security scan is supposed to be verifying that your setup is, in fact, secure. If you change your setup before running the scan, and then change it back immediately afterward, how is that verifying that your setup is, in fact, secure? What you scanned != what you are actually using.
There are fundamental problems with the PCI compliance checking that I've seen. I've had them say that sites accept SSLv2 when they explicitly don't, as a real test shows (e.g. use openssl in client mode to attempt to connect using that protocol).
The one that really frosts me is that the systems we support use a combination of tcp_wrappers, swatch, and software I've written that automatically blocks IP addresses which exhibit malicious behaviour, similar to fail2ban, but using a DNSRBL to automatically block sites that have been identified as attackers.
The PCI testers get blocked because of what appear to be cracking attempts, then have the gall to say that the site fails because it appears to have active firewalls. Well DUH!
Bill
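The "real test" Bill describes, driving openssl in client mode to see whether a server actually accepts SSLv2, is easy to script so the result can be compared with a scanner's finding. The following is an added example, not code from the thread: it assumes `openssl` is on PATH and that the output phrases it matches ("Protocol  : SSLv2", "Cipher is (NONE)", "ssl handshake failure", "connect:errno=", "unknown option") are those printed by OpenSSL 0.9.8/1.0.x s_client; a modern OpenSSL has no SSLv2 code at all and rejects the -ssl2 option, which the classifier reports as "untestable" rather than as a pass.

```shell
#!/bin/sh
# Added example (not from the original post): check one server for SSLv2 with
# openssl s_client and classify the result, so a scanner's "accepts SSLv2"
# finding can be confirmed or refuted against the live configuration.
# Assumed output phrases are those of OpenSSL 0.9.8/1.0.x (see the lead-in).

# classify_sslv2_output OUTPUT
#   OUTPUT is the combined stdout+stderr of `openssl s_client -ssl2 -connect host:port`.
#   Prints one word and sets the exit status:
#     accepted   (0)  server completed an SSLv2 handshake
#     rejected   (1)  server refused the SSLv2 handshake
#     untestable (2)  this openssl build has no SSLv2 support, so nothing was proven
#     unreachable(3)  no TCP connection at all
#     unknown    (4)  none of the patterns matched; inspect by hand
classify_sslv2_output() {
    out=$1
    # Newer OpenSSL: "unknown option -ssl2" / "s_client: Unknown option: -ssl2"
    case $out in
        *"nknown option"*) echo untestable; return 2 ;;
    esac
    # Old OpenSSL with SSLv2 compiled in, server refused the handshake
    case $out in
        *"handshake failure"*|*"unknown protocol"*|*"wrong version number"*)
            echo rejected; return 1 ;;
    esac
    # TCP-level failure, e.g. "connect:errno=111" (connection refused)
    case $out in
        *"connect:errno="*) echo unreachable; return 3 ;;
    esac
    # s_client prints the SSL-Session block even after a failed handshake, so a
    # "Protocol  : SSLv2" line only counts when a cipher was actually negotiated.
    case $out in
        *"Protocol  : SSLv2"*)
            case $out in
                *"Cipher is (NONE)"*) ;;   # session block present, no cipher: not a pass
                *) echo accepted; return 0 ;;
            esac ;;
    esac
    echo unknown; return 4
}

# sslv2_check HOST [PORT]: run the probe against one host and classify it.
sslv2_check() {
    host=$1
    port=${2:-443}
    # openssl exits non-zero on failure; keep the output, ignore the status here.
    out=$(openssl s_client -ssl2 -connect "$host:$port" </dev/null 2>&1 || true)
    classify_sslv2_output "$out"
}

# When run as a script: sslv2_check.sh HOST [PORT]
[ $# -eq 0 ] || sslv2_check "$1" "${2:-443}"
```

The point of the separate "untestable" outcome is that a clean run against your own server proves nothing if the client you used cannot speak SSLv2 in the first place; keep an old openssl build around for this check, or accept that the scanner's claim has to be refuted some other way.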
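Bill's setup blocks addresses that a DNSRBL has already identified as attackers, hooked into tcp_wrappers. The script below is an added example of how such a check can be wired up, not Bill's own software: it assumes the list zone is a placeholder you replace with the list you actually subscribe to, that `dig` is available, that the list signals a hit, as most DNSBLs do, with an A record in 127.0.0.0/8, and that your tcp_wrappers build supports the `aclexec` option from hosts_options(5), which grants access when the command exits 0.

```shell
#!/bin/sh
# Added example (not the software described in the post): refuse a connection
# when the client address is listed on a DNS-based blocklist. Intended to be
# called from a tcp_wrappers rule; exit 0 grants access, non-zero denies.
# Assumptions: placeholder zone name, `dig` on PATH, 127.0.0.0/8 answers mean
# "listed", and hosts_options(5) `aclexec` is available.

DNSBL_ZONE="${DNSBL_ZONE:-dnsbl.example.invalid}"   # placeholder, not a real list

# dnsbl_name IP [ZONE]: print the query name for an IPv4 address with its
# octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>. Returns 1 for anything
# that is not a plain dotted quad, so a malformed address never becomes a query.
dnsbl_name() {
    ip=$1
    zone=${2:-$DNSBL_ZONE}
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip            # split on dots into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# dnsbl_verdict ANSWER: interpret the `dig +short A` output for the query name.
# Prints a word; exit 0 = listed, 1 = not listed, 2 = lookup inconclusive.
dnsbl_verdict() {
    answer=$1
    case $answer in
        '')     echo not-listed;    return 1 ;;   # NXDOMAIN: dig +short prints nothing
        ';;'*)  echo lookup-failed; return 2 ;;   # e.g. ";; connection timed out"
        127.*)  echo listed;        return 0 ;;   # 127.0.0.x return codes = listed
        *)      echo unexpected;    return 2 ;;   # a non-loopback answer is not a listing
    esac
}

# dnsbl_check IP: the command an aclexec rule runs. Lookup failures fail open,
# because an outage at the blocklist must not take the protected service down;
# they are logged to stderr so swatch or similar can pick them up.
dnsbl_check() {
    name=$(dnsbl_name "$1") || { echo "dnsbl: malformed address '$1', denied" >&2; return 1; }
    verdict=$(dnsbl_verdict "$(dig +short +time=2 +tries=1 A "$name" 2>&1)")
    case $verdict in
        listed)
            echo "dnsbl: $1 listed on $DNSBL_ZONE, denied" >&2; return 1 ;;
        lookup-failed|unexpected)
            echo "dnsbl: $1 lookup inconclusive ($verdict), allowed" >&2; return 0 ;;
        *)
            return 0 ;;
    esac
}

# When run as a script (e.g. from aclexec): dnsbl_check.sh CLIENT_IP
[ $# -eq 0 ] || dnsbl_check "$1"
```

Installed as /usr/local/sbin/dnsbl_check (an assumed path), a hosts.allow line of the form `sshd : ALL : aclexec /usr/local/sbin/dnsbl_check %a` would consult the list for every connection, with %a expanding to the client address. Whether an inconclusive lookup should fail open, as here, or closed is a deliberate choice; failing closed turns a resolver outage into a denial of service against yourself, which is exactly the kind of side effect a compliance scan will then hold against you.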