Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls

From: Chris Myers <clmmacunix () charter net>
Date: Thu, 2 Apr 2009 16:49:00 -0500

Great Discussion, too long to recall all I would like to respond to.

I only have to say that it is not the law, so a standard is a guide.Although some politicians have found glory from the constituency bymaking it a states right. The most ignorant of which could not tellyou why PCI is important at all. Three-Fourths of the standard can beleft unread and done away with through good engineering, and the lastquarter of which is to bring layman's terms to the real culprit in thesecurity breach, the executive.

1. Anyone in charge of a companies security should know thearchitecture and every project going on from development and testingto install. Why pay a CSO if he and his team of underlings does not?

2. Any hole that is not base upon that architecture, development andinstall should be closed, regardless of anyones opinion or preferredhabits.

3. Anyone who is installing or developing something that shows up on apen test that is legitimately revealed by a pen test should call theunemployment office, if it is not on the radar of a process andcompany security plan. Which is why I am in some favor of a full blownpen test, but agree it should be unnecessary and targeted, I referback to item one.

4. QSA's should get their ring of fame, but are misappropriatedbecause of the depravity of man. If an audit shows the same breach dueto the executive who refuses to close the hole because of hispreferred ignorance, the Security team should retain their budgetednumber for the cost of the QSA and the cost should come out of theoperational budget/executive fun fund.

5. Standards that are forced, like PCI has been so egregiously forcedby law of the ignorant, as if it were a law, are doomed to fail whenthe intent is only to give self regulation and a standard, before thefederal dupes in Washington get their professional lawyer hands on ourcompliance. So I try to take it easy on the PCI DSS, but agree it isnot the Declaration of Independence.






Chris Myers
clmmacunix () charter net

John 1:17

For the Law was given through Moses; grace and truth were realizedthrough Jesus Christ.

   Go Vols!!!!

On Apr 2, 2009, at 2:29 PM, Paul D. Robertson wrote:

On Thu, 2 Apr 2009, AMuse wrote:
Isn't the point of pen-testing to take up an attackers' perspectiveand
hit all your defenses to see if you missed something or misconfigured
something?  I mean, unless you're the only person who set up 100% of
No, it's to scare the customer into buying security.
your infrastructure, how are you to know that someone didn't
accidentally leave telnet open? If you didn't write 100% of thewebappsyour company is using, how are you to know they don't have SQLinjection
flaws?
If you do a configuration audit, and code audits and buildapplications
using proper design standards, then a pen test will give you no
incremental value.
Let's take a common and costly example: Your last administrator hasthefirewall set up to allow him to SSH into your main database server-but
only from his home IP address.  He was laid off last week and is
disgruntled.

Now answer these questions:

What will a remote pen test show?
What will an on-site pen test show?
What will a configuration revew show?
Given all of the above, what additional value does a pen test bringto the
table?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personalopinions
paul () compuwar net       which may have no basis whatsoever in fact."
          Moderator: Firewall-Wizards mailing list
          Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: PCI DSS & Firewalls, (continued)
- - - Re: PCI DSS & Firewalls Mark (Apr 06)
    - Re: PCI DSS & Firewalls Brian Loe (Apr 06)
    - Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
    - Re: PCI DSS & Firewalls Chris Blask (Apr 02)
    - Re: PCI DSS & Firewalls ArkanoiD (Apr 10)
    - Re: PCI DSS & Firewalls Frank Knobbe (Apr 02)
    - Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
    - Re: PCI DSS & Firewalls AMuse (Apr 02)
    - Re: PCI DSS & Firewalls Darden, Patrick S. (Apr 02)
    - Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
    - Re: PCI DSS & Firewalls Chris Myers (Apr 02)
    - Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
  - Re: PCI DSS & Firewalls R. DuFresne (Apr 02)
- Re: PCI DSS & Firewalls Potter, Albert (Al) (Apr 02)
  - Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
    - Re: PCI DSS & Firewalls lordchariot (Apr 02)
    - Re: PCI DSS & Firewalls Jim Seymour (Apr 03)
    - Re: PCI DSS & Firewalls Chris Blask (Apr 02)
    - Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
    - Re: PCI DSS & Firewalls Dotzero (Apr 03)

(Thread continues...)