Security Basics mailing list archives

Re: DSS


From: Adriel Desautels <adriel () netragard com>
Date: Fri, 23 May 2008 13:15:59 -0400

Nick,
Well said. Something that I read once and always found interesting was "The ROI of good security is equal to the cost of one successful compromise," which translates to: the cost of quality security services will always be a fraction of the cost of a single malicious penetration.

I think that most businesses need to be educated about what the threat actually is and what quality security services really are. The fact of the matter is, to defend against a particular threat you must first have usable intelligence about that threat. Once you have that intelligence you must then test your defenses against an accurate reproduction of that threat in a controlled manner. Not many companies can re-create the threat in a realistic way.

Failing to be compliant will result in fines. Failing to be secure could put you out of business. Think about how much money TJX or CardSystems could have saved had they actually focused more on "quality" security.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Nick Vaernhoej wrote:
Adriel,

I think the intention is good.
The implementation is still flawed due to the quantity of the material
coming down to individual interpretation, from auditor to auditor even.
Over three years of passing, the experience here has been that what is
great one year is a disaster waiting to happen the next; finally, the
third year no one even checks.

Maybe some hefty fines for losing data in the first place would spark
the sort of environments PCI is trying to enforce?
If companies had the risk of going down in flames due to a breach maybe
they would change their view on a secure environment.
Maybe then a PCI equivalent requirement would never be needed.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-->-----Original Message-----
-->From: Adriel Desautels [mailto:adriel () netragard com]
-->Sent: Friday, May 23, 2008 10:26 AM
-->To: Nick Vaernhoej
-->Cc: Hill, Pete; security-basics () securityfocus com
-->Subject: Re: DSS
-->
-->Just out of curiosity, how many people here think that PCI does
-->anything to protect you from the real world threat?
-->
-->Regards,
-->  Adriel T. Desautels
-->  Chief Technology Officer
-->  Netragard, LLC.
-->  Office : 617-934-0269
-->  Mobile : 617-633-3821
-->  http://www.linkedin.com/pub/1/118/a45
-->
-->  Join the Netragard, LLC. Linked In Group:
-->  http://www.linkedin.com/e/gis/48683/0B98E1705142
-->
-->---------------------------------------------------------------
-->Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
-->Penetration Testing, Vulnerability Assessments, Website Security
-->
-->Netragard Whitepaper Downloads:
-->-------------------------------
-->Choosing the right provider : http://tinyurl.com/2ahk3j
-->Three Things you must know  : http://tinyurl.com/26pjsn
