Security Basics mailing list archives

RE: [Full-disclosure] Compliance Is Wasted Money, Study Finds

From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Fri, 23 Apr 2010 18:31:58 +0000

Three things:  

1) I am one of those people, as many of us are.
2) I disagree - compliance with the standard, as put forth by the body developing the standard, certainly implies a 
real security benefit.  Does PCI=Security?  No, but it certainly helps.  There is a huge difference between "ensure" 
and "imply."  Using them together like that as if they are synonymous is a red herring.   Think about what you just 
said: "it doesn't imply real security."  THAT doesn't define ANYTHING actionable.  Nothing.   What the standard does IS 
to define at least measures to be taken that can increase security - it has specifics and action items.  It is 
tangible.  And, it is far more likely to provide a real benefit than not.  It *certainly* does more than having some 
policy say "You must imply real security."  If you are one of those people that care about security,  and if your 
takeaway from PCI is that "it doesn't imply real security" but you fail to tell us what does, then I would have to say 
you are not really providing any benefit.  
3) "Apparently not a cost of doing business" how?  What did I say that makes that statement apparent?   I fail to see 
how you can connect what the OP stated as "Compliance is Wasted Money" with "apparently having a secure network is not 
a cost of doing business."   They are two different things.   If you want to process credit cards in your business to 
make more money, and the credit card industry says, up front, "ok, you can play if you follow these rules," then that 
is a cost of doing business.  If you actually do enough business to justify PCI audits, and you as a security person 
implement a system that passes all PCI audit requirements as written, but still FAIL to have a system where no security 
is implied, then YOU have not done your job.  No amount of blaming PCI's inadequacies is going to make up for people not 
taking responsibility for doing their jobs.  Period.

t

-----Original Message-----
From: Stephen Mullins [mailto:steve.mullins.work () gmail com] 
Sent: Friday, April 23, 2010 10:40 AM
To: Thor (Hammer of God)
Cc: Christian Sciberras; security-basics () securityfocus com; full-disclosure
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

I don't see what the hubbub is.

Some people in the information security industry actually care about securing systems and the information they contain 
rather than filling in check boxes.  Compliance may ensure a minimum standard is met, but it does not ensure or imply 
that real security is being maintained at an organization.

As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing 
business.  This is a problem.

Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) <Thor () hammerofgod com> wrote:
How can you say it is "wasted"? It doesn't matter if you are a "fan" 
of it or not, in the same way that it doesn't matter if you are a 
"fan" of the 4% surcharge retail establishments pay to accept the credit card as payment.
Using your logic, you would say it is "wasted money," and might bring 
into question the "value" of the surcharge, etc.  It is simply a cost 
of doing business.

If you choose to offload processing to a payment gateway, then that 
will also incur a cost.  Depending on your volume, that cost may or 
may not be higher than you processing them yourself while complying to 
standards.  The implementation of actual security measures will be 
different.  But you can't "handle" credit cards in the classic sense 
of the word without complying with PCI.  If you pass along the 
transaction to a gateway, you are not handling it.  If you DO handle 
it, then you have to comply with PCI.  If you process less than 1 
million transactions a year, you can "self audit."  If you process more, you have to be audited by a PCI auditor.

None of this MEANS you are secure, it means you comply.  If you don't 
like PCI, then don't process credit cards, or come up with your own.  
I still don't really see what all the hubbub is about here.

t

From: Christian Sciberras [mailto:uuf6429 () gmail com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds


it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit 
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit 
cards, or a stable payment system? The latter I guess.
As to security, it totally depends on implementation; one can handle 
credit cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <Thor () hammerofgod com> wrote:

Another thing that I think people fail to keep in mind is that when it 
comes to PCI, it is part of a contractual agreement between the entity 
and card facility they are working with.   If a business wants to 
accept credit cards as a means of payment (based on volume) then part 
of their agreement is that they must undergo compliance to a standard 
implemented by the industry.  I don't know why people get all 
emotional about it and throw up their hands with all the "this is 
wasted money" positioning - it's not wasted at all; it is simply part of the cost of doing business in that market.

t

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Christopher Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

The paper concludes that companies are underinvesting in--or 
improperly prioritizing--the protection of their secrets. Nowhere does 
it state that the money spent on compliance is money wasted.

On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design () gmail com> wrote:

I find the findings completely flawed.  Am I missing something?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
