Security Basics mailing list archives
Re: DSS
From: Adriel Desautels <adriel () netragard com>
Date: Fri, 23 May 2008 13:15:59 -0400
Nick,

Well said. Something that I read once and always found interesting was "The ROI of good security is equal to the cost of one successful compromise." Which translates to: the cost of quality security services will always be a fraction of the cost of a single malicious penetration.
I think that most businesses need to be educated about what the threat actually is and what quality security services really are. The fact of the matter is, to defend against a particular threat you must first have usable intelligence about that threat. Once you have that intelligence you must then test your defenses against an accurate reproduction of that threat in a controlled manner. Not many companies can re-create the threat in a realistic way.
Failing to be compliant will result in fines. Failing to be secure could put you out of business. Think about how much money TJX or CardSystems could have saved had they actually focused more on "quality" security.
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Nick Vaernhoej wrote:
Adriel,

I think the intention is good. The implementation is still flawed due to the quantity of the material coming down to individual interpretation, from auditor to auditor even. Over three years of passing, the experience here has been that what is great one year is a disaster waiting to happen the next, and finally in the third year no one even checks.

Maybe some hefty fines for losing data in the first place would spark the sort of environments PCI is trying to enforce? If companies had the risk of going down in flames due to a breach, maybe they would change their view on a secure environment. Maybe then a PCI equivalent requirement would never be needed.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-->-----Original Message-----
-->From: Adriel Desautels [mailto:adriel () netragard com]
-->Sent: Friday, May 23, 2008 10:26 AM
-->To: Nick Vaernhoej
-->Cc: Hill, Pete; security-basics () securityfocus com
-->Subject: Re: DSS
-->
-->Just out of curiosity, how many people here think that PCI does
-->anything to protect you from the real world threat?
-->
-->Regards,
--> Adriel T. Desautels
--> Chief Technology Officer
--> Netragard, LLC.
--> Office : 617-934-0269
--> Mobile : 617-633-3821
--> http://www.linkedin.com/pub/1/118/a45
-->
--> Join the Netragard, LLC. Linked In Group:
--> http://www.linkedin.com/e/gis/48683/0B98E1705142
-->
-->---------------------------------------------------------------
-->Netragard, LLC - http://www.netragard.com - "We make IT Safe"
-->Penetration Testing, Vulnerability Assessments, Website Security
-->
-->Netragard Whitepaper Downloads:
-->-------------------------------
-->Choosing the right provider : http://tinyurl.com/2ahk3j
-->Three Things you must know : http://tinyurl.com/26pjsn

This electronic transmission is intended for the addressee(s) named above. It contains information that is privileged, confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please notify the sender that this message was received in error and then delete this message. Thank you.