
need help with PCI compliance


7 replies to this topic

#1 ToddAndMargo

  • Members
  • 61 posts

Posted 28 June 2013 - 05:01 PM

Dear Bleepingcomputers and friends,

 

I need you guys' help!

 

Have a customer that needs help getting PCI compliant [1] at five of her facilities. So far I only have two things left to figure out. I only have available Windows XP Pro SP3 machines to do this on.

 

1)  I need to set up an internal IDS/IPS [2] scanner.   Antivirus doesn't count (PCI's insistence).  Wireshark?

 

2)  I need to set up a FIM [3] system on each computer with credit card information (PCI doesn't care that the information is encrypted). Again, Antivirus doesn't count (PCI insistence).

Many thanks,

-T

 

1)  http://www.pcicomplianceguide.org/pcifaqs.php

 

2) Intrusion Detection System, Intrusion Preventions System

 

3) File Integrity Monitoring

#2 TsVk!

    penguin farmer

  • Members
  • 6,233 posts
  • Gender:Male
  • Location:The Antipodes

Posted 01 July 2013 - 09:05 PM

price is everything in this question... Establish that and you can pretty much just Google it.

 

Also establishing training and user outlines/skill-sets would be beneficial... As those XP machines could be nixed and you could do it very cheap/free if they have decent users...



#3 Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 02 July 2013 - 01:53 PM

Wireshark is not an IDS. Take a look at Snort: https://en.wikipedia.org/wiki/Snort_%28software%29

 

I don't know of any free FIM. Take a look at Tripwire for a paid solution.

 

I'm certain using Windows XP is PCI compliant.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
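As an added illustration of what the FIM requirement in post #1 asks for, and of the baseline-and-compare idea behind tools such as the Tripwire mentioned above (example code written for this page, not from the thread or from any product): hash every file under a directory once, rescan later, and report what was added, removed or modified. The directory layout and file contents are constructed sample data.

```python
# Minimal file-integrity-monitoring (FIM) example: hash every file under a
# root once (the baseline), rescan later, and report what was added, removed
# or modified. Added for illustration; not code from the thread or any product.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (path relative to root) to its digest and size.
    Store the baseline off-host or signed: one the attacker can rewrite proves nothing."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_of(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return added, removed, modified


def demo():
    """Constructed sample: baseline a fake point-of-sale directory, make one
    change of each kind, rescan, and return the three change lists."""
    with tempfile.TemporaryDirectory() as d:
        pos = Path(d) / "pos"
        pos.mkdir()
        (pos / "app.exe").write_bytes(b"original program bytes")
        (pos / "settings.ini").write_text("encrypt_card_data=yes\n")
        baseline = build_baseline(d)
        (pos / "app.exe").write_bytes(b"altered program bytes")   # modified
        (pos / "settings.ini").unlink()                          # removed
        (pos / "cards.csv").write_text("constructed,sample\n")   # added
        return compare(baseline, build_baseline(d))
```

Run `demo()` to see the three lists; a real deployment would schedule the rescan and alert on any non-empty list, since the point of FIM for PCI is to catch unexpected changes to files that handle card data.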


#4 ToddAndMargo

  • Topic Starter
  • Members
  • 61 posts

Posted 03 July 2013 - 07:47 PM

Hi All,

 

A new question, not related to the two above, on PCI compliance.

Help!

I have a customer that is trying to jump through Trustwave's questionnaire on PCI compliance (credit cards). This is their explanation of one of the required tests: they want both "vulnerability" and "penetration testing". Now I don't see the difference, but they do:

       Vulnerability scanning uses automated tools to attempt to discover vulnerabilities in the cardholder data environment. Penetration testing goes further by having personnel *manually* attempt to exploit vulnerabilities and gaps in security the same way a criminal would. Without penetration testing, you may know where vulnerabilities may be, but you won't know how deep an attacker can get or what he may be able to steal.

"Manually"? How in the world does one do that? Try to log in with telnet? Call the local federal prison and ask to borrow a hacker for the day? What can I do manually that the "automated tools" can't?

Now I can see trying to seal the hole and retesting, but that is not what they are asking for. They want me to sit down and try to break into the thing *the same way a criminal would*!

AAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!!

 

What would you do in this instance?

 

Edit: I have since found that there are services that will log into your network and try to hack it for PCI compliance. Makes me feel a bit squirrelly. Anyone know of a service like this that they "trust"?

-T


Edited by ToddAndMargo, 03 July 2013 - 08:26 PM.


#5 Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 04 July 2013 - 01:39 PM

Penetration testing is a paid service that many security companies offer.



#6 ToddAndMargo

  • Topic Starter
  • Members
  • 61 posts

Posted 04 July 2013 - 02:32 PM

Hi Didier,

 

Any you trust?

 

-T



#7 Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 04 July 2013 - 04:18 PM

I've a friend in the UK who is a freelance pentester, and I trust him: Robin Wood.

http://www.digininja.org/contact.php

 

He is CHECK certified.

http://www.cesg.gov.uk/servicecatalogue/CHECK/Pages/WhatisCHECK.aspx



#8 ToddAndMargo

  • Topic Starter
  • Members
  • 61 posts

Posted 04 July 2013 - 05:38 PM

Thank you!