Chattanooga Unix Gnu Android Linux Users Group
Prepping a Linux server for PCI Compliance..

From: Mike Harrison 
------------------------------------------------------

I know there are some security nutcases on the list.. so I am asking:

I'm setting up a system to host a simple, yet carefully created application and submit it for PCI Compliance (SAQ C and maybe even SAQ D (service provider)) and am wondering what tools were available that would simulate the scans that they will be going for..

Or should I just load up Backtrack and such and fire away?

Which I should do anyway.. but I am looking first to emulate what they 
would be doing.

Anyone out there specialize in such things (even for money)?

--Mike--

===============================================================
From: Know Juan
------------------------------------------------------

Nessus is the standard as far as I know. I'd fire up BT, enable all plugins, and pull the trigger.

===============================================================
From: David White
------------------------------------------------------

You should hire Stephen Haywood (fairly active on the 'Lug). He's a Pen Tester, and as far as I know, good at what he does.

===============================================================
From: Mike Harrison
------------------------------------------------------

> Pen Tester, and as far as I know, good at what he does.

He was one of the several people I thought about as I sent that to the list.. I also know he is sometimes swamped.

===============================================================
From: AverageSecurityGuy
------------------------------------------------------

Do you have a link to the specific requirements of the SAQ C and D testing. If not, Nessus has a lot of PCI compliance checks. You will need to give the Nessus scanner root access to the box to be most effective. Nessus also has a number of built-in web application checks which will be useful. You can also use BurpSuite to scan the web site. Nessus has a free home edition which will let you test up to 10 devices. A full license will cost you $1500. BurpSuite is $299 unless you know someone that has a copy and is willing to scan the site for you. :)

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co

> (SAQ C and maybe even SAQ D (service provider)) and am wondering what tools were available that would simulate the scans that they will be going for..
> would be doing.
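Stephen's point about giving the scanner root access comes down to the difference between what an outside, unauthenticated scan can reach and what a credentialed scan on the box itself enumerates. The script below is an added example for this thread, not code from the thread or from Nessus, OpenVAS or Nikto: it parses `ss -Hltn`-style listener output (a constructed sample is embedded, so nothing is scanned) and reports which sockets an external scan could touch and which only a credentialed scan would see. The allowlist of expected ports and the table of cleartext services are assumptions made for the sample.

```python
"""Pre-scan listener audit for a Linux host.

Added illustration, not from the thread or from Nessus/OpenVAS/Nikto.
Parses `ss -Hltn`-style output (a constructed sample is embedded) and
separates what an external, unauthenticated scan could reach from what
only a credentialed scan running on the host would see.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltn` output: one listening TCP socket per line.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*
LISTEN 0      5            0.0.0.0:21        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

# Hypothetical allowlist: the only ports this application host is meant to expose.
EXPECTED_EXTERNAL_PORTS = {22, 80, 443}

# Cleartext services an external scan routinely flags; this table is an assumption.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

# Matches: STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+$")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def externally_reachable(self) -> bool:
        # Loopback-bound sockets are invisible from outside; a credentialed
        # scan (the root access Stephen mentions) still enumerates them.
        return not (self.addr.startswith("127.") or self.addr == "::1")


def parse_listeners(ss_output: str) -> list[Listener]:
    """Turn `ss -Hltn` lines into Listener records, skipping anything unparsable."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(m.group(1).strip("[]"), int(m.group(2))))
    return listeners


def external_ports(listeners: list[Listener]) -> set[int]:
    """Ports an unauthenticated scanner on the network could connect to."""
    return {sock.port for sock in listeners if sock.externally_reachable}


def audit(listeners: list[Listener]) -> list[tuple[str, str]]:
    """Return (severity, message) findings in listener order."""
    findings = []
    for sock in listeners:
        if not sock.externally_reachable:
            findings.append(("info", f"{sock.addr}:{sock.port} is loopback-only; "
                                     "only a credentialed scan will report it"))
        elif sock.port in CLEARTEXT_SERVICES:
            findings.append(("high", f"{CLEARTEXT_SERVICES[sock.port]} on "
                                     f"{sock.addr}:{sock.port} is reachable externally"))
        elif sock.port not in EXPECTED_EXTERNAL_PORTS:
            findings.append(("medium", f"unexpected external listener {sock.addr}:{sock.port}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"[{severity}] {message}")
```

On a real host, replace the embedded sample with the output of `ss -Hltn` run as root; the loopback-only findings are the ones an external scan will never report, which is exactly the gap a credentialed scan closes.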

===============================================================
From: Christopher Rimondi
------------------------------------------------------

If money isn't an option I would pick Nessus any day over nearly every other vulnerability scanner. However, if you want to go the free route: http://www.openvas.org/. Like Stephen said, give it root creds so it is thorough.

===============================================================
From: Mike Harrison
------------------------------------------------------

On Mar 14, 2014, at 8:27 AM, Christopher Rimondi wrote:

> other vulnerability scanner. However, if you want to go the free route: http://www.openvas.org/. Like Stephen said give it root creds so it is thorough.

Thanks, had not seen that one. I wish I had more time to dive into the security world again, but then, I have to admit, through ignorance, I sleep much better.

—Mike--

===============================================================
From: AverageSecurityGuy
------------------------------------------------------

On Mar 14, 2014, at 8:27 AM, Christopher Rimondi wrote:

> other vulnerability scanner. However, if you want to go the free route: http://www.openvas.org/. Like Stephen said give it root creds so it is thorough.

OpenVAS sucks. If you have no other choice, then use it. By the time you figure out how to get it all installed and configured you will have paid for Nessus with your time and effort. Sorry to be so harsh but I've not had good luck with OpenVAS.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co

===============================================================
From: Christopher Rimondi
------------------------------------------------------

Ouch! Completely agree it is a pain to get set up and going. Using their VM isn't toooooo bad. But you should have a disclaimer about your current employer with all statements made on vulnerability scanners :)

Mike, you may also want to try Nikto. "Good enough" for finding web vulnerability low hanging fruit.