BreachExchange mailing list archives
Re: Best Western Response
From: "Jamie C. Pole" <jpole () jcpa com>
Date: Tue, 26 Aug 2008 18:22:01 -0400
Sounds great to me... I encounter the same problem in the Defense space. They are very much beholden to STIGs and checklists - and I have never caught a hacker in possession of either. This is the difference between security assessment and automated compliance testing. Automated compliance testing (seemingly the majority of PCI DSS at this point) can only measure compliance with an arbitrary (and outdated, outmoded, obsolete, etc.) baseline. Security assessment SHOULD throw convention to the wind in favor of adopting the same mindset as the hacker community. Any truly competent security consultant should be able to do this.

I agree that some "lowest common denominator" can be helpful, but not at the expense of an actual security program. Too many processors take their PCI certificate "to the bank", and don't seem to bother doing anything else. That is the fatal flaw in the program.

In addition, the way the PCI QSA program is structured ensures that competent security consultants will stay out of it. Why would anyone want to sign on to a program where you have essentially unlimited liability, but are forced to base your certification decisions on a ridiculous standard? AND you have to pay them $20,000 initially, and $10,000 per year afterward... Where does that money go???

Your comment about breaching other environments compliant with applicable standards is right on the mark. A rigid standard is not the answer to this problem.

Jamie

On Aug 26, 2008, at 6:02 PM, Daniel Clemens wrote:
Better yet, when have you done any penetration testing engagement where the client was 'Compliant with x and y regulation and/or standard' and you still gained access? (Probably almost every time, or at worst 85% of the time.) This is the exact reason why penetration testing and hacking will almost always win over an institutionalized process and/or standard.

Penetration testing (or whatever you want to call it nowadays) does not equate to a 'completely formal audit', which I think the PCI (PCI scanning companies) standards and all the 'certified ethical hacker mindsets' seem to confuse. They are similar, but they are not the same.

What I think the real complaint is about is the fact that there is a watered down Carolyn Meinel / JP happy hacker mindset which has successfully infected all that follow the logic that security equates to an exact science when fighting against creative minds.

So there, I said it. :P

| Daniel Uriah Clemens
| http://bits.packetninjas.org
"Imagination is more important than knowledge." -- Albert Einstein
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss