RE: DSS (Passing an audit is NOT compliance!)

[Craig Wright <Craig.Wright () bdo com au>]

"Simplified and all. Since access to a shared administrative account can be tracked down to the actual who. Why add 
multiple accounts to one of the first systems likely to be compromised?"

You are adding non-privileged accounts and then requiring escalation. The log will record the initial user for tracking 
and the capture of the account (keystrokes etc) will only compromise a single user account where triggers may be set on 
the system.

So you log in as "bob" and SUDO to a root equivalent account. This can and should vary by users and the escalation 
account should be set to not be allowed to log in directly.

Craig



Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received 
this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. 
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () 
bdo com au.

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved 
under Professional Standards Legislation.
-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Wednesday, 28 May 2008 12:33 AM
To: security-basics () securityfocus com
Subject: RE: DSS (Passing an audit is NOT compliance!)

Craig,

First off I have to say I agree fully with your post.
But there is a big gap between a current environment and the environment
(I think we all can agree that) we ought to manage.
It's like having a 30 year old tell a six year old what person the six
year old is supposed to be when he/she turns 60.

One of the hot topic FAQ items on pcisecuritystandards.org was the
following:

"Are administrators allowed to share passwords?
PCI DSS requirement 8.5 (and the associated sub-requirements) applies to
administrators. As such, administrators are not allowed to share
passwords. The intent of requirements for unique user IDs and complex
passwords is to ensure each user is uniquely identified-instead of using
one ID and password for several employees-so that an organization can
maintain individual accountability for actions and an effective audit
trail per employee. This will help speed issue resolution and
containment when misuse or malicious use occurs. Often, this requirement
for unique IDs and complex passwords is met within administrative
functions by using, for example, "su" or SSH such that the administrator
initially logs on with their own unique ID and password, and then
connects to the administrator account via "su" or SSH. Often direct root
logins are disabled to prevent use of this shared administrative
account. This way, individual accountability and audit trails are
maintained. However, even with use of tools such as "su" and SSH, the
actual administrator IDs and passwords should also meet PCI DSS
requirements (if such accounts are not disabled) to prevent them from
being misused."

This is one of the areas I think makes a lot of sense....... most of the
time.
How many administrator accounts do we really want on DMZ's for example?
I would argue that since getting to the DMZ requires access through a
locked door with your unique access card, or remote access through a
firewall logging the access, logging mechanism in place to see who was
logged on to the client system at the time the connection was logged by
the firewall to the DMZ.
Simplified and all. Since access to a shared administrative account can
be tracked down to the actual who. Why add multiple accounts to one of
the first systems likely to be compromised?

Perhaps it's mostly a hypothetical question. Depends on who your auditor
is and how they interpret my post ;)
Perhaps it's just the result of allowing a group of highly opinionated
people (IT staff) a say so.

Have a great day.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


> -->-----Original Message-----
> -->From: listbounce () securityfocus com
> -->[mailto:listbounce () securityfocus com] On Behalf Of Craig Wright
> -->Sent: Friday, May 23, 2008 5:58 PM
> -->To: Adriel Desautels; Nick Vaernhoej
> -->Cc: Hill, Pete; security-basics () securityfocus com
> -->Subject: RE: DSS (Passing an audit is NOT compliance!)
> -->
> -->
> -->"Just out of curiosity, how many people here thinks that PCI does
> -->anything to protect you from the real world threat?"
> -->
> -->This depends.
> -->Are you "REALLY" compliant. Or is the organisation doing just enough
> -->to fool the auditors.
> -->
> -->From experience, I see 80-90% in the latter. Most auditors are not
> -->experienced enough to know when they are being BS'd.
> -->
> -->As for the question, I have not seen a compromise of a truly
> -->compliant organisation. Every single organisation that has been
> -->compromised has actually also had a flaw that should have failed
> -->them.
> -->
> -->In some instances, the testing was completed on an alternate system
> -->that was given to the auditor in place of the real one. In others,
> -->they pointed out the good systems and missed many.
> -->
> -->I guess that people do not understand that in this case less than
> -->full disclosure is actually criminal fraud. In Australia in Corps
act
> -->provisions (similar to the SEC provisions in the US) make it a
> -->criminal offence to mislead the auditor.
> -->
> -->To answer the question, yes. I think that getting to this (truly
this
> -->level) would help. The issue is that which companies are?
> -->
> -->Take for instance a validated firewall. What does this mean?
> -->
> -->A validated firewall is one that is tested. This is you use hping or
> -->a similar crafting tool to fire packets through ALL interfaces of
the
> -->firewall and you validate the firewall policy.
> -->
> -->When you read these standards, think how a lawyer will read them,
not
> -->an IT person. This is because it is a lawyer who is the judge and
> -->prosecutor.
> -->
> -->Many QSA's even following their wham bam thank you mam intro to
audit
> -->and now you are a QSA process are not ready to audit systems. Those
> -->same who do not know the systems they audit. An example being "how
do
> -->I copy a directory on Unix":... being a real quote from the
principle
> -->at a MAJOR PCI specialty firm.
> -->
> -->Passing an audit is NOT compliance!
> -->
> -->Let me say that again...
> -->
> -->Passing an audit is NOT compliance!
> -->
> -->The fun of having just completed my LLM in commercial law is
> -->understanding these issues a little better. An audit is a risk
report
> -->to management. It does nothing to stop the lawyers rolling over you
> -->if you are not compliant. The issue where people try to BS the
> -->auditors is BS. The auditors are NOT the enemy, they are the ones
> -->stopping the courts roll over you.
> -->
> -->You are either compliant 100% to the standards you need to meet, or
> -->you (both the individual AND the organisation) are at risk.
> -->
> -->I do not think that many on the list understand the issues. On
> -->another compliance topic, SOX, you tell management and the auditors
> -->that a system is compliant. The auditors are a little clueless (as
> -->many are) and do not (as by law they are required to) test the
> -->system.
> -->
> -->Who is to blame when the system is compromised?
> -->You are and management is - both.
> -->
> -->In fact, your ignorance as to the system security is not a good
> -->defence. You have defrauded the auditors and the worst case is 20
> -->years with a new hubby called bubba... (or the equivalent for the
> -->female of bubba).
> -->
> -->To demonstrate this. I have a SOX client who is stating that they do
> -->not need logs, they have never been compromised.
> -->
> -->I have another (who has for 4 years received a clean bill of health
> -->from a Big 4 firm) who has more services running on the finance
> -->database than come out of the box. They have the Archie filesystem
as
> -->a consultant though it would be cool. They have also not patched it
> -->for the last 113 remote root level exploits.
> -->
> -->In Australia, not securing payroll and finance information (eg tax
> -->file numbers of employees) is a criminal offence.
> -->
> -->I will say it again.
> -->
> -->Passing an audit is NOT compliance!
> -->
> -->Choosing a firm who will pass you is dumb. This is economic false
> -->economy. It is buying a broken umbrella in case it rains.
> -->
> -->Regards,
> -->Craig Wright (GSE-Compliance) LLM
> -->
> -->
> -->Craig Wright
> -->Manager, Risk Advisory Services
> -->
> -->Direct : +61 2 9286 5497
> -->Craig.Wright () bdo com au
> -->+61 417 683 914
> -->
> -->BDO Kendalls (NSW-VIC) Pty. Ltd.
> -->Level 19, 2 Market Street Sydney NSW 2000
> -->GPO BOX 2551 Sydney NSW 2001
> -->Fax +61 2 9993 9497
> -->http://www.bdo.com.au/
> -->
> -->The information in this email and any attachments is confidential.
If
> -->you are not the named addressee you must not read, print, copy,
> -->distribute, or use in any way this transmission or any information
it
> -->contains. If you have received this message in error, please notify
> -->the sender by return email, destroy all copies and delete it from
> -->your system.
> -->
> -->Any views expressed in this message are those of the individual
> -->sender and not necessarily endorsed by BDO Kendalls. You may not
rely
> -->on this message as advice unless subsequently confirmed by fax or
> -->letter signed by a Partner or Director of BDO Kendalls. It is your
> -->responsibility to scan this communication and any files attached for
> -->computer viruses and other defects. BDO Kendalls does not accept
> -->liability for any loss or damage however caused which may result
from
> -->this communication or any files attached. A full version of the BDO
> -->Kendalls disclaimer, and our Privacy statement, can be found on the
> -->BDO Kendalls website at http://www.bdo.com.au/ or by emailing
> -->mailto:administrator () bdo com au.
> -->
> -->BDO Kendalls is a national association of separate partnerships and
> -->entities. Liability limited by a scheme approved under Professional
> -->Standards Legislation.
> -->-----Original Message-----
> -->
> -->From: listbounce () securityfocus com
> -->[mailto:listbounce () securityfocus com] On Behalf Of Adriel Desautels
> -->Sent: Saturday, 24 May 2008 1:26 AM
> -->To: Nick Vaernhoej
> -->Cc: Hill, Pete; security-basics () securityfocus com
> -->Subject: Re: DSS
> -->
> -->Just out of curiosity, how many people here thinks that PCI does
> -->anything to protect you from the real world threat?
> -->
> -->Regards,
> -->        Adriel T. Desautels
> -->        Chief Technology Officer
> -->        Netragard, LLC.
> -->        Office : 617-934-0269
> -->        Mobile : 617-633-3821
> -->        http://www.linkedin.com/pub/1/118/a45
> -->
> -->        Join the Netragard, LLC. Linked In Group:
> -->        http://www.linkedin.com/e/gis/48683/0B98E1705142
> -->
> -->---------------------------------------------------------------
> -->Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> -->Penetration Testing, Vulnerability Assessments, Website Security
> -->
> -->Netragard Whitepaper Downloads:
> -->-------------------------------
> -->Choosing the right provider : http://tinyurl.com/2ahk3j
> -->Three Things you must know  : http://tinyurl.com/26pjsn
> -->
> -->
> -->Nick Vaernhoej wrote:
> -->> Good morning,
> -->>
> -->> Have you scanned through the supplemental information regarding
> -->6.6?
> -->>
> -->https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfi
r
> -->ewa
> -->> lls_codereviews.pdf
> -->>
> -->> You have two options, code review or web application firewall.
> -->> You state that you already have custom code reviewed so I would
> -->think
> -->> you are in good shape.
> -->> What makes you think you need to do both? (It is a good idea to do
> -->so of
> -->> course, but not necessary to satisfy PCI).
> -->>
> -->> Have a great day.
> -->>
> -->> Nick Vaernhoej
> -->> "Quidquid latine dictum sit, altum sonatur."
> -->>
> -->>> -->-----Original Message-----
> -->>> -->From: listbounce () securityfocus com
> -->>> -->[mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
> -->>> -->Sent: Friday, May 23, 2008 8:53 AM
> -->>> -->To: security-basics () securityfocus com
> -->>> -->Subject: PCI: DSS
> -->>> -->
> -->>> -->
> -->>> -->Hi all,
> -->>> -->
> -->>> -->Can anyone confirm for me what sort of workarounds there are
> -->>> -->concerning
> -->>> -->PCI:DSS and application layer firewalls?
> -->>> -->
> -->>> -->Requirement 6.6 of the standard states this:
> -->>> -->
> -->>> -->6.6 Ensure that all web-facing applications are protected
> -->against
> -->>> -->known
> -->>> -->attacks by applying either of
> -->>> -->the following methods:
> -->>> -->* Having all custom application code reviewed for common
> -->>> -->vulnerabilities
> -->>> -->by an organization
> -->>> -->that specializes in application security
> -->>> -->* Installing an application layer firewall in front of web-
> -->facing
> -->>> -->applications.
> -->>> -->Note: This method is considered a best practice until June 30,
> -->2008,
> -->>> -->after which it becomes a
> -->>> -->requirement.
> -->>> -->
> -->>> -->We already have our custom code reviewed, but Im wondering if
I
> -->>> -->absolutely must sort out an application layer firewall or if
> -->there
> -->> is
> -->>> -->a
> -->>> -->workaround that would be acceptable for a level 1 merchant.
> -->>> -->
> -->>> -->If there are any knowledgeable auditors (qsa etc) out there
I'd
> -->>> -->really
> -->>> -->appreciate your help on this one.
> -->>> -->
> -->>> -->Many thanks
> -->>> -->Pete
> -->>> -->
> -->>> -->
> -->>> -->A number of bogus e-mails are currently circulating in the UK
> -->>> -->encouraging customers to visit fraudulent websites where
> -->personal or
> -->>> -->Internet security details are requested. Bid tv/Price-drop
> -->tv/Speed
> -->>> -->auction tv would never send e-mails that ask for confidential,
> -->>> -->personal security information or details regarding your
account
> -->>> -->status.
> -->>> -->
> -->>> -->The content of this e-mail does not constitute a contract and
> -->any
> -->>> -->matters discussed herein remain subject to contract.
> -->>> -->
> -->>> -->The contents of this message and all attachments have been
sent
> -->in
> -->>> -->confidence for the attention of the addressee only.  If you
are
> -->not
> -->>> -->the intended recipient you are kindly requested to preserve
> -->this
> -->>> -->confidentiality and to advise the sender immediately of the
> -->error in
> -->>> -->transmission.
> -->>> -->
> -->>> -->"sit-up ltd, registered in England No: 03877786.
> -->>> -->Registered Office: Sit-Up House, 179-181 The Vale, London W3
> -->7RW.
> -->>> -->Sit-Up ltd is wholly owned by a subsidiary of Virgin Media."
> -->>
> -->>
> -->> This electronic transmission is intended for the addressee (s)
> -->named above. It contains information that is privileged,
> -->confidential, or otherwise protected from use and disclosure. If you
> -->are not the intended recipient you are hereby notified that any
> -->review, disclosure, copy, or dissemination of this transmission or
> -->the taking of any action in reliance on its contents, or other use
is
> -->strictly prohibited. If you have received this transmission in
error,
> -->please notify the sender that this message was received in error and
> -->then delete this message.
> -->> Thank you.
> -->
> -->r use in any way this transmission or any information it contains.
If
> -->you have received this message in error, please notify the sender by
> -->return email, destroy all copies and delete it from your system.\par
> -->\par Any views expressed in this message are those of the individual
> -->sender and not necessarily endorsed by BDO Kendalls. You may not
rely
> -->on this message as advice unless subsequently confirmed by fax or
> -->letter signed by a Partner or Director of BDO Kendalls. It is your
> -->responsibility to scan this communication and any files attached for
> -->computer viruses and other defects. BDO Kendalls does not accept
> -->liability for any loss or damage however caused which may result
from
> -->this communication or any files attached. A full version of the BDO
> -->Kendalls disclaimer, and our Privacy statement, can be found on the
> -->BDO Kendalls website at http://www.bdo.com.au/ or by emailing
> -->mailto:administrator () bdo com au.\par  \par BDO Kendalls is a
national
> -->association of separate partnerships and entities. Liability limited
> -->by a scheme approved under Professional Standards Legislation.\par
--
> -->---Original Message-----\par\par From: scott.carmody () au pwc com
> -->[mailto:scott.carmody () au pwc com] \par Sent: Friday, 23 May 2008
> -->12:46 PM\par To: Pam Menzies\par Subject: Re: \par\par thats great -
> -->well done !\par\par I cooked a big meat pie and chips and watched
Law
> -->& Order - good comfort\par food !\par\par Hope the day is going
> -->well\par\par\par\par Scott Carmody\par Senior Consultant\par
> -->PricewaterhouseCoopers Australia\par Office: +61 (2) 8266 0855\par
> -->Mobile: 0419 126 122\par Fax: +61 (2) 8286 0855\par
> -->scott.carmody () au pwc com\par http://www.p?

This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.