Scanning internal assets with PCI profile uses password bruteforce?

Question asked by Andrey Bezverkhiy on May 13, 2011
We ran into an interesting question during one of our PoCs. We launched a PCI scan for internal assets. Since it is a PCI profile, it is not possible to edit it or see what's inside. However, the scan menu does show some of the parameters (such as TCP ports: full, UDP ports: standard and so on). It also shows Password bruteforcing: medium.

Based on QualysGuard online help we see that medium password bruteforcing can make up to 60 login attempts per account.


Is this how things work with PCI scanning? If so, there is a high risk of locking out accounts on systems we are scanning (and those are PCI scope systems = critical systems). How should one proceed?
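The lockout concern raised in the question can be checked from the target side rather than from the scanner's side. The following is an added example, not part of the original post and not Qualys code: it assumes sshd-style syslog lines (constructed below, not captured from a real host), a hypothetical scanner source IP of 10.0.0.5, and a placeholder lockout policy (threshold and observation window are parameters). It parses failed-login events, attributes them to the scanner by source IP, and reports which accounts reached the lockout threshold inside any sliding window, so a scan window can be reviewed for accounts that are about to be (or were) locked out. It also carries a pre-flight comparison of the per-account attempt count the page cites for the medium profile (60) against the policy threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd/syslog style (not real logs). 10.0.0.5 plays the
# scanner; 192.168.1.x hosts are unrelated traffic that must not be counted.
SAMPLE_LOG = """\
May 13 10:00:01 db01 sshd[1201]: Failed password for svc_backup from 10.0.0.5 port 40001 ssh2
May 13 10:00:03 db01 sshd[1202]: Failed password for svc_backup from 10.0.0.5 port 40002 ssh2
May 13 10:00:05 db01 sshd[1203]: Failed password for svc_backup from 10.0.0.5 port 40003 ssh2
May 13 10:00:07 db01 sshd[1204]: Failed password for appuser from 10.0.0.5 port 40004 ssh2
May 13 10:00:09 db01 sshd[1205]: Failed password for svc_backup from 10.0.0.5 port 40005 ssh2
May 13 10:00:11 db01 sshd[1206]: Failed password for appuser from 10.0.0.5 port 40006 ssh2
May 13 10:00:13 db01 sshd[1207]: Failed password for svc_backup from 10.0.0.5 port 40007 ssh2
May 13 10:00:15 db01 sshd[1208]: Failed password for svc_backup from 10.0.0.5 port 40008 ssh2
May 13 10:00:17 db01 sshd[1209]: Failed password for appuser from 10.0.0.5 port 40009 ssh2
May 13 10:02:00 db01 sshd[1210]: Failed password for root from 192.168.1.20 port 50001 ssh2
May 13 10:02:30 db01 sshd[1211]: Accepted password for appuser from 192.168.1.21 port 50002 ssh2
"""

# Matches the OpenSSH "Failed password" message; the optional "invalid user" form
# appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_logins(text, year=2011):
    """Return a list of (timestamp, account, source_ip) for each failed login.

    Syslog lines carry no year, so the caller supplies one (2011 here, matching
    the constructed sample).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def accounts_at_lockout_risk(events, scanner_ips, threshold, window_seconds):
    """Return {account: peak_failures} for accounts whose failed logins from
    scanner_ips reached `threshold` within any sliding window of window_seconds.

    This mirrors how a lockout policy counts: N failures within an observation
    window, per account, regardless of source port.
    """
    per_account = defaultdict(list)
    for ts, user, ip in events:
        if ip in scanner_ips:
            per_account[user].append(ts)

    at_risk = {}
    for user, stamps in per_account.items():
        stamps.sort()
        peak = 0
        # O(n^2) sliding window: fine for a scan window's worth of lines.
        for i, start in enumerate(stamps):
            in_window = sum(
                1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds
            )
            peak = max(peak, in_window)
        if peak >= threshold:
            at_risk[user] = peak
    return at_risk


def profile_exceeds_policy(attempts_per_account, lockout_threshold):
    """Pre-flight check: does the scan profile's per-account attempt count
    (60 for the medium profile per the online help quoted above) reach the
    lockout threshold? True means a lockout is expected unless the scanner's
    source is exempted or the accounts are excluded."""
    return attempts_per_account >= lockout_threshold


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    # Placeholder policy: 5 failures within 30 minutes locks the account.
    print(accounts_at_lockout_risk(events, {"10.0.0.5"}, 5, 30 * 60))
    print(profile_exceeds_policy(60, 5))
```

With the placeholder policy (5 failures in 30 minutes), only svc_backup is reported, since appuser saw three scanner-sourced failures and the root failure came from a non-scanner host. Running this against the real auth logs of in-scope hosts for the scan window, with the scanner's actual source addresses and the domain's real lockout settings substituted, gives a concrete list of accounts to review before and after a scan.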