BreachExchange mailing list archives

Re: Best Western Response


From: "Michael Hill, CITRMS" <mhill () idtexperts com>
Date: Tue, 26 Aug 2008 17:28:01 -0400

No matter what anybody or any government or industry puts together, there is 
no perfect system/solution.  But taking reasonable steps to safeguard the 
data compared to NOT doing anything should count for something.



Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING


"If You Think You're Not At Risk, Think Again!"


NOTICE:
This email and any attachment to it is confidential and protected by law and
intended for the use of the individual(s) or entity named on the email.
This information and all email information from the sender is not legal
advice nor legal representation and should not be construed as legal advice
nor legal representation. Check with your attorney in your State for legal
advice. If the reader of this message is not the intended recipient, you are
hereby notified that any dissemination or distribution of this communication
is prohibited.  If you have received this communication in error, please
notify the sender via return email and delete it completely from your email
system.  If you have printed a copy of the email, please destroy it
immediately.




----- Original Message ----- 
From: "Jamie C. Pole" <jpole () jcpa com>
To: "Harris, Michael C." <HarrisMC () health missouri edu>
Cc: <dataloss () attrition org>
Sent: Tuesday, August 26, 2008 4:21 PM
Subject: Re: [Dataloss] Best Western Response



The PCI DSS program is a joke.  Pure & simple.  Definitely broken,
sometimes ignored.

I teach a LOT of public and private classes on auditing and ethical
hacking/penetration analysis, and it never ceases to amaze me how
little the people with the QSA designation actually know.  Most of
them seem to be former IT auditors - that particular bar (QSA) is set
W-A-Y too low.

Think about it - when was the last time you heard about a security
breach involving credit card processing where the target was NOT PCI-
compliant?

All of the good ones I've worked on recently have had PCI
certification in place.  That certification has meant precisely zilch
in the overall scheme of things.

The fact is that the PCI DSS program itself is flawed, and provides
nothing more than a false sense of security.  When certain "security"
companies commoditize "network scanning" to the point that it is an
entirely automated effort, the buyer deserves what they are going to
get.

The number of breaches involving PCI-compliant entities should speak
for itself...

Jamie 

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

