BreachExchange mailing list archives
Re: Best Western Response
From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Tue, 26 Aug 2008 17:02:53 -0500
On Aug 26, 2008, at 3:21 PM, Jamie C. Pole wrote:
> The PCI DSS program is a joke. Pure & simple. Definitely broken, sometimes ignored. I teach a LOT of public and private classes on auditing and ethical hacking/penetration analysis, and it never ceases to amaze me how little the people with the QSA designation actually know. Most of them seem to be former IT auditors - that particular bar (QSA) is set W-A-Y too low. Think about it - when was the last time you heard about a security breach involving credit card processing where the target was NOT PCI-compliant?
Better yet, when have you done any penetration testing engagement where the client was 'Compliant with x and y regulation and or standard' and you still gained access? (Probably almost every time or at worst 85% of the time.) This is the exact reason why penetration testing and hacking will almost always win over an institutionalized process and or standard.

Penetration testing (or whatever you want to call it nowadays) does not equate to a 'completely formal audit', which I think the PCI (PCI scanning companies) standards and all the 'certified ethical hacker mindsets' seem to confuse. They are similar, but they are not the same.

What I think the real complaint is about is the fact that there is a watered down Carolyn Meinel / JP happy hacker mindset which has successfully infected all that follow the logic that security equates to an exact science when fighting against creative minds.

So there, I said it. :P

| Daniel Uriah Clemens
| http://bits.packetninjas.org
"Imagination is more important than knowledge." -- Albert Einstein

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss