Hi,
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
Thanks, Mike
We use Qualys for PCI vulnerability scanning.
Josh
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Michael B Allen
Sent: Friday, February 18, 2011 1:20 PM
To: centos@centos.org
Subject: [CentOS] Recommendation for a Good Vulnerability Scanning Service?
Hi,
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
Thanks, Mike
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Hi, there,
Michael B Allen wrote:
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
"Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK. The *minimum* qualifications, I believe, are a 60- or 63-item questionnaire; for full PCI-DSS, it's something like 243 questions, and you need a full IT dept.
I would *very* strongly recommend that you talk to the bank or agency that's asking you for this, and ask them for recommendations. <snip> mark, who worked on a short term contract for Trustwave, who does that (and is a root CA, as well)
On Fri, Feb 18, 2011 at 2:36 PM, m.roth@5-cent.us wrote:
Hi, there,
Michael B Allen wrote:
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
"Sort of"? ROTFL. You need a *serious* scan, commercially done AFAIK.
Hi Mark,
Hackerguardian is a commercial service (it's actually "COMODO CA Limited"). Their scan looks thorough. Obviously they're just matching up version numbers with CVE notices but I have a feeling most of these guys are going to be doing the same thing. I was just hoping one would be more sophisticated about the fact that ALL of their "Fail" items I've checked so far are things that were backported or fixed by Red Hat.
The *minimum* qualifications, I believe, are a 60- or 63-item questionnaire; for full PCI-DSS, it's something like 243 questions, and you need a full IT dept.
Are you talking about the SAQC? I run all CC transactions through one CentOS VPS webserver (actually I have two servers that I periodically wipe out and alternate between every year or two). So I don't have POS terminals or any Windows PCs in the mix. We don't save any card holder data at all. So my SAQC was a breeze. I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.
I would *very* strongly recommend that you talk to the bank or agency that's asking you for this, and ask them for recommendations.
If you mean my merchant account service, they claim to be the largest Authorized.Net reseller, they sanity checked my SAQC and thought I would be ready for approval as soon as I get a good scan.
So trustwave and Qualys ... I'll check them out.
Thanks, Mike
On 02/18/2011 03:09 PM, Michael B Allen wrote:
Hackerguardian is a commercial service (it's actually "COMODO CA Limited"). Their scan looks thorough. Obviously they're just matching up version numbers with CVE notices but I have a feeling most of these guys are going to be doing the same thing. I was just hoping one would be more sophisticated about the fact that ALL of their "Fail" items I've checked so far are things that were backported or fixed by Red Hat.
Probably not. I've yet to see any vulnerability scanning service that does much above running nessus in safe mode (which only does banner grabs).
If you're prepared to monkey around with the scanner people, you can request waivers, false positives, etc from the various companies, proving that you're patched against the CVEs they're looking for.
If there is a really competent vendor out there, and if you're comfortable with it, ask them to run a more thorough scan against your box.
I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.
I would have marked that "other than satisfactory" in an audit. There are AV products for Linux, and on a personal level, rootkit checks and file integrity checks on a public CC handling server are a good idea.
I would *very* strongly recommend that you talk to the bank or agency that's asking you for this, and ask them for recommendations.
If you mean my merchant account service, they claim to be the largest Authorized.Net reseller, they sanity checked my SAQC and thought I would be ready for approval as soon as I get a good scan.
So trustwave and Qualys ... I'll check them out.
Thanks,
I'm faintly surprised they aren't in the scam racket of mandating you use a certain vendor, or one of a select few.
On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:
Are you talking about the SAQC? I run all CC transactions through one CentOS VPS webserver (actually I have two servers that I periodically wipe out and alternate between every year or two). So I don't have POS terminals or any Windows PCs in the mix. We don't save any card holder data at all. So my SAQC was a breeze. I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.
You're going to want to go to www.pcisecuritystandards.org for the full scoop. I'd advise you to have your counsel examine the PCI DSS documents. IANAL, but I recall from version 2.0 of the doc found at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (click-through agreement required) that, and I quote from page 7: "PCI DSS applies wherever account data is stored, processed or transmitted".
So it's not about saving data per se. Just the act of having it transmitted to your systems may (again, IANAL) make PCI DSS apply.
I've been dealing with PCI Compliance at work for a few years. It's not really something you want to skimp through, as the fines can be quite severe when things go wrong. As I said, you may want to talk to your lawyer...
-I
On Sun, Feb 20, 2011 at 6:58 PM, Ian Forde ianforde@gmail.com wrote:
On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote:
Are you talking about the SAQC? I run all CC transactions through one CentOS VPS webserver (actually I have two servers that I periodically wipe out and alternate between every year or two). So I don't have POS terminals or any Windows PCs in the mix. We don't save any card holder data at all. So my SAQC was a breeze. I just had to add N/A for questions like the "do you run anti-virus software" and explain that everything goes through the one Linux machine for which no anti-virus software exists or is necessary.
You're going to want to go to www.pcisecuritystandards.org for the full scoop. I'd advise you to have your counsel examine the PCI DSS documents. IANAL, but I recall from version 2.0 of the doc found at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (click-through agreement required) that, and I quote from page 7: "PCI DSS applies wherever account data is stored, processed or transmitted".
So it's not about saving data per se. Just the act of having it transmitted to your systems may (again, IANAL) make PCI DSS apply.
Hi Ian,
Right. But a lot of the questions in the SAQC are like "9.7.a Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?". But if you don't save cardholder data, this simply does not apply to me. I think a lot of retailers probably have many employees using PCs to look at transaction details like names, the last 4 digits of the card number and so on. In this case, the methods for doing so need to be secured and the PCs being used need anti-virus updated regularly, etc. Since my webserver only sees CC data for the few seconds it takes for Authorize.Net to respond to the POST to their server, none of section 9 even applies. If you're a retailer with 10 stores and 30 POS terminals, yeah, PCI compliance is a bigger job. If my CC transactions go through one webserver and no data is stored, I don't suspect this will be too difficult to handle myself.
Although I'm not compliant yet. We'll see. I have to pass the scan first and right now it's complaining about things like SMTP listening on 2525, SSL cipher strength and blah, blah, blah. Presumably I just have to go through each and explain that something was backported, that running on 2525 is quite deliberate, and fix things like permitted ciphers.
Mike
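Mark's suggestion earlier in the thread (request a false-positive waiver by proving you are patched against the CVE the scanner flagged) and Mike's plan to explain each backport both come down to the same evidence: the vendor changelog shipped inside the RPM, which names the CVE ids a backported fix covers even though the upstream version string in the service banner never changes. The script below is an added example written for this thread; it is not code from any poster or from any scanning vendor. The package name, version strings and CVE ids in it are constructed placeholders (not real advisories), and the `rpm` commands in the comments are the real ones you would run on a CentOS host to produce the inputs.

```shell
#!/bin/sh
# Added example, not code from the thread or from any scanning vendor.
# Purpose: collect the evidence a PCI scanner's dispute / false-positive
# process asks for when a "Fail" was keyed off a banner version number
# that a vendor backport never changes.
#
# On a real CentOS/RHEL host the inputs come from the package itself:
#     rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' PACKAGE
#     rpm -q --changelog PACKAGE
# Everything below is CONSTRUCTED: package name, versions and CVE ids are
# placeholders, not real advisories.

SAMPLE_NVR='examplepkg-1.2.3-4.el5'
SAMPLE_BANNER='ExampleService/1.2.3'
SAMPLE_CHANGELOG='* Mon Jan 04 2010 Example Maintainer <maint@example.invalid> - 1.2.3-4.el5
- backport upstream fix for CVE-0000-0001 (placeholder id)
- resolves: rhbz#000001 (placeholder)

* Tue Jun 02 2009 Example Maintainer <maint@example.invalid> - 1.2.3-3.el5
- rebuild against new toolchain'

# nvr_version NAME-VERSION-RELEASE -> VERSION   (the part a banner shows)
nvr_version() {
    nv="${1%-*}"                 # strip "-RELEASE"
    printf '%s\n' "${nv##*-}"    # keep what follows the last "-"
}

# nvr_release NAME-VERSION-RELEASE -> RELEASE   (the part a banner hides)
nvr_release() {
    printf '%s\n' "${1##*-}"
}

# banner_version 'Product/1.2.3' -> 1.2.3 ; this is all a banner grab sees
banner_version() {
    printf '%s\n' "${1##*/}"
}

# changelog_has_cve CVE-ID CHANGELOG_TEXT
# Returns 0 when the vendor changelog mentions the CVE (evidence of a
# backported fix), 1 otherwise. Case-insensitive, fixed-string match.
changelog_has_cve() {
    printf '%s\n' "$2" | grep -qiF -- "$1"
}

# cve_evidence "CVE-A CVE-B ..." NVR CHANGELOG_TEXT
# Prints one line per CVE, suitable for pasting into a dispute ticket, and
# returns the number of CVEs with NO changelog evidence (0 = all covered).
cve_evidence() {
    cves="$1"; nvr="$2"; changelog="$3"; missing=0
    printf 'package %s (upstream version %s, vendor release %s)\n' \
        "$nvr" "$(nvr_version "$nvr")" "$(nvr_release "$nvr")"
    for cve in $cves; do
        if changelog_has_cve "$cve" "$changelog"; then
            printf '  %s: covered by vendor changelog: %s\n' "$cve" \
                "$(printf '%s\n' "$changelog" | grep -iF -- "$cve" | head -n 1)"
        else
            printf '  %s: NO changelog evidence; verify before disputing\n' "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone run: the scanner saw only the banner version and flagged two
# CVEs; the changelog accounts for one, the other still needs investigation.
printf 'scanner banner "%s" reports version %s; release "%s" is invisible to it\n' \
    "$SAMPLE_BANNER" "$(banner_version "$SAMPLE_BANNER")" "$(nvr_release "$SAMPLE_NVR")"
cve_evidence "CVE-0000-0001 CVE-0000-0002" "$SAMPLE_NVR" "$SAMPLE_CHANGELOG" \
    || printf '  -> %s CVE(s) still unexplained\n' "$?"
```

The return value of `cve_evidence` is the count of CVEs you could not explain from the changelog, so a wrapper can loop over a scanner's whole "Fail" list and stop at the ones that actually need work. A changelog hit is evidence, not proof: the maintainer's note says the fix was applied, and the dispute still goes to the scanning vendor with the package's full name-version-release attached.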
on 14:20 Fri 18 Feb, Michael B Allen (ioplex@gmail.com) wrote:
Hi,
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
First: if you're headed down the compliance / certification route, you're going to want to go with a certified vendor / service provider for this.
I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.
You can also run your own scans as a preemptive measure -- nessus is probably the baseline tool, though I'd also be interested in what other people would recommend.
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
Dr. Ed Morbius wrote:
on 14:20 Fri 18 Feb, Michael B Allen (ioplex@gmail.com) wrote:
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
<snip>
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
This is true: depending on how far you're going, the bank/agency will want human pen testing, too.
mark
On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS however does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes, the trouble is the versioning numbers used by RH. If the system 'is' RH, most of the time those 'exceptions' are noted by the scanner but you may find yourself trying to 'teach them' a lot. Hopefully they have improved on this front.
I really think much of this is no more than smoking mirrors. For instance they do not ask about username/password policies and obviously do not scan for such. So this scanning leaves a lot to be desired. After I met all scan problems, my affected clients discovered they just answered a question wrong and found that since CC processing was not actually happening on my systems, but instead through other processors, this all went away and ended the need to address the same issues (backports) for the same applications, sometimes still under the same version, just due to a new scan. Basically a huge waste of my time. But I must admit, I did learn of just a couple of areas which I did tighten up. The rest was just red tape and I started feeling one particular compliance company was more into self promotion of their service by showing these non-existent flaws. I suppose one could compare it to the AV companies that allow broken virus sigs to set off alarms. "We just saved your computer <!--from this item that had no potential of harming your computer-->."
But, if you must, I did find the Nessus output was fairly close to what the compliance companies found and gave me a bit of time to tune systems before the real scan. It has been a while, but I think Nessus found some things I thought more important, which the commercial scanner did not mention.
And hey, if you do breeze through with CentOS being recognized as a RHEL clone, I would love to hear about that back to this list.
John Hinton wrote:
On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS however does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes,
If you do talk to Trustwave, and they're not too expensive, they *use* CentOS.
I really think much of this is no more than smoking mirrors. For
"smoke and mirrors" <snip>
up. The rest was just red tape and I started feeling one particular compliance company was more into self promotion of their service by showing these non-existent flaws. I suppose one could compare it to the
They're all that way. <snip>
mark
2011/2/18 John Hinton webmaster@ew3d.com:
On 2/18/2011 3:09 PM, Dr. Ed Morbius wrote:
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
I'd suggest you educate yourself on the PCI compliance issue, and query your prospective vendor(s) on what specific scans they run and/or how these are tuned to specific operating environments.
I'd tend to suspect that vuln/pen testing is going to be based more on known vulnerabilities than your environment.
Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS however does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes, the trouble is the versioning numbers used by RH. If the system 'is' RH, most of the time those 'exceptions' are noted by the scanner but you may find yourself trying to 'teach them' a lot. Hopefully they have improved on this front.
I really think much of this is no more than smoking mirrors. For instance they do not ask about username/password policies and obviously do not scan for such. So this scanning leaves a lot to be desired. After I met all scan problems, my affected clients discovered they just answered a question wrong and found that since CC processing was not actually happening on my systems, but instead through other processors, this all went away and ended the need to address the same issues (backports) for the same applications, sometimes still under the same version, just due to a new scan. Basically a huge waste of my time. But I must admit, I did learn of just a couple of areas which I did tighten up. The rest was just red tape and I started feeling one particular compliance company was more into self promotion of their service by showing these non-existent flaws. I suppose one could compare it to the AV companies that allow broken virus sigs to set off alarms. "We just saved your computer <!--from this item that had no potential of harming your computer-->."
But, if you must, I did find the Nessus output was fairly close to what the compliance companies found and gave me a bit of time to tune systems before the real scan. It has been a while, but I think Nessus found some things I thought more important, which the commercial scanner did not mention.
Buy the Nessus professional feed and download the PCI compliance checks for Nessus. It gives you a good "baseline" for configurations and things that need to be fixed.
-- Eero
On Fri, 2011-02-18 at 15:51 -0500, John Hinton wrote:
Very good information, Ed. And yes, you will almost certainly be fighting with the compliance company, as I have not yet seen any who recognized CentOS. RHEL, yes. CentOS however does not hold the same 'trusted standard' or clout as the major 'name brand' providers. Yes, the trouble is the versioning numbers used by RH. If the system 'is' RH, most of the time those 'exceptions' are noted by the scanner but you may find yourself trying to 'teach them' a lot. Hopefully they have improved on this front.
McAfee (after they acquired HackerSafe) Secure recognizes the backported fixes. Even on CentOS...
I really think much of this is no more than smoking mirrors. For instance they do not ask about username/password policies and obviously do not scan for such. So this scanning leaves a lot to be desired. After I met all scan problems, my affected clients discovered they just answered a question wrong and found that since CC processing was not actually happening on my systems, but instead through other processors, this all went away and ended the need to address the same issues (backports) for the same applications, sometimes still under the same version, just due to a new scan. Basically a huge waste of my time. But I must admit, I did learn of just a couple of areas which I did tighten up. The rest was just red tape and I started feeling one particular compliance company was more into self promotion of their service by showing these non-existent flaws. I suppose one could compare it to the AV companies that allow broken virus sigs to set off alarms. "We just saved your computer <!--from this item that had no potential of harming your computer-->."
Regarding CC processing, check version 2.0 of the DSS. On page 7, referring to the scope, I found the term, "processed, stored or transmitted", so that may (or may not) change how you approach it.
But, if you must, I did find the Nessus output was fairly close to what the compliance companies found and gave me a bit of time to tune systems before the real scan. It has been a while, but I think Nessus found some things I thought more important, which the commercial scanner did not mention.
And hey, if you do breeze through with CentOS being recognized as a RHEL clone, I would love to hear about that back to this list.
Yep - McAfee is just fine with it...
-I
On Fri, Feb 18, 2011 at 2:20 PM, Michael B Allen ioplex@gmail.com wrote:
Hi,
Can someone recommend a good vulnerability scanning service? I just need the minimum for PCI compliance (it's a sort of credit card processing certification).
I got a free scan from https://www.hackerguardian.com/ and their scan reported a number of "Fail" results. I haven't checked them all yet but most seem to be things for which fixes were backported looong ago by The Upstream Vendor.
I haven't spoken with the hackerguardian people yet but it would be nice if I could just say "I'm using CentOS 5.5" and have them factor that into their report so that I can focus on any real issues. Are there vulnerability scanning services that are more or less sophisticated about this?
Thanks, Mike
I have used Applied Trust (http://www.appliedtrust.com/) and they are smart about their scans. They don't just check version numbers. I'm not sure if they do PCI compliance testing, so you'll have to do further research. They do use Nessus as part of the testing, but the goal of testing is not for you to find the holes and patch them, it's to have a report from someone else that says you did.