Society of Payment Security Professionals Forum  

Discussion Groups > PCI DSS Q&A

#1
02-11-2009, 10:24 AM
EGS
Junior Member
Join Date: Feb 2009
Posts: 4

Submission of documents with IP addresses

My organization is getting ready to send to our acquirer the necessary documents: SAQ, Attestation of Compliance, and evidence of a clean vulnerability scan.

My problem is that the scan report from our external scan vendor includes the IP addresses of our network that were scanned, and I really do not want to be sending these to our acquirer, you know – a security issue.

Have any of you had the same concern and how did you address it?

Thanks in advance for replies.
#2
02-11-2009, 12:28 PM
lyalc
Senior Member
Join Date: Mar 2007
Posts: 579

Your external IP addresses are public knowledge already, so I don't understand the concern about information leakage.
There are multiple tools and techniques to determine essentially your public-facing IPs from just your domain name.

Secondly, if there was a future problem, you may need the evidence in the scan results that reflects those IP addresses that were considered compliant at the time of the scan.
Thirdly, I can't see too many ASVs issuing a report saying 'we tested company XYZ but we won't tell anyone what IP addresses we scanned.' i.e. it is not unheard of for ASV clients to provide fake IP address details so as to get a 'clean' report without having to do any vulnerability fixes.

Just my view.
lyalc
Copyright (c) The Aegenis Group, Inc.