Re: How does a customer get PCI audited?

[Adriel Desautels <adriel () netragard com>]

Hi Dan,
        Comments embedded below.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Dan Anderson wrote:
> On Wed, Jun 4, 2008 at 11:08 AM, Adriel Desautels <adriel () netragard com> wrote:
> >        In order to properly defend a network you must first know what you
> > need to defend it against. You must have a strong understanding of the
> > threat and how the threat might align with your risk and exposure profile.
> > The only way to do that is to either have good threat intelligence, or work
> > with a qualified penetration testing team that has REAL threat intelligence.
>
> Are you suggesting that you should hire a pen-tester to do your risk-analysis?

No.

In my opinion, the job of a penetration testing company is to test the 
security of an existing IT Infrastructure and the effectiveness of 
policies and procedures to a degree. For example, some of our customers 
have very specific incident response policies in place. Those customers 
hire us to launch unannounced penetration tests against their 
infrastructure as a means to test how well their personnel follow the 
incident response policies.

Another example. Many of our customers have managed security providers 
that monitor their networks for unauthorized access (IDS/IPS monitoring 
etc.). Those customers bring us in to perform unannounced 
stealth/evasive penetration testing to see how effective their managed 
security providers are.

That said, penetration tests and vulnerability assessments do not 
perform complete reviews of a businesses controls, but they can 
challenge them to a degree.

> It's a novel idea, but don't you normally do risk analysis with your
>  and a consultant or two?

Why are you assuming that I was talking about a risk-analysis?

> >        Once you've identified such a firm your IT Infrastructure, personnel,
> > policies, etc. need to be tested at the same or higher threat level as you'd
> > face in the real world. That will identify your risks and help you to build
> > the proper CONTROLS to counter those risks. Suggesting that anyone build
> > controls without first having a GOOD and REAL assessment is horrible advice.
> > That would be akin to building defenses against Russia during the cold war
> > with no intelligence about their capabilities.

Never mind, I see why. What I wrote there came out like total horse 
shit. Penetration Tests and vulnerability assessments help to test some 
existing controls to make certain that they are working properly. New 
controls can be created from the results of a penetration test, but 
penetration testing is not the tool for creating all controls.

> Isn't it more cost effective to use pen-testing to validate your
> preventative controls?
>
> I mean - if you have no controls in place what value are you getting
> from letting the "hackers" break in?
>
> Isn't architecting your controls based on pen-test results kind of
> like building your entire security program based on audit findings?
> (and a bad idea for the same reasons?)
>
> >        With respect to your paper, I still need to go read it. That said,
> > even if Penetration Testing is 30% of the total solution, it is clearly the
> > foundation to building the solution. Else you are building a blind defense
> > that most probably won't work.
>
> I still don't get it...Is NetraGard a pen-test outfit?
>
> The foundation to building a secure solution is more about risk
> analysis, sound policies, procedures, methodologies, training and
> frameworks - not hiring pen-testers.

Penetration testing is a part of *maintaining* a secure foundation.

> Certainly there is a point to pen-testing to validate controls, but
> it's not the "foundation" of any security effort.
>
> >        Its common sense Craig, know your enemy, know yourself, and then you
> > can build a good defense.
>
> Isn't this called a "risk analysis"?  Nobody needs to penetrate
> anything to do a risk analysis.
>
> There is an old saying, "When all you have is a hammer, everything
> looks like a nail."
>
> On the other hand - I guess you would sell a lot more pen-tests if you
> convince anyone that you are right.

Well, under any other circumstance I'd be insulted, but what I wrote 
before was not at all what I intended to write, please accept my apologies.

> Analogies usually suck, mine more then most, but here goes:
>
> Imagine you need to protect a valuable object from theft or destruction.
>
> So, you do no risk analysis, and just put it on a vacant lot...Then
> you hire pen-testers to see if they can get it.
>
> They walk onto the lot and take it.
>
> So, you realize that maybe a fence would be a good idea...you install
> it, Then you hire pen-testers to see if they can still get it.
>
> They climb the fence and take it.
>
> So, you realize a building might be a neat idea...
>
> Is this really the "common sense" approach?
>
> Wouldn't you be better off getting a few people who know about the
> object, a few people who know about protecting objects, and even a few
> people who know about stealing objects together in a room and
> analyzing the risks and then designing controls to mitigate those
> risks?
>
> Dan