Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: hermit <hermit921 () yahoo com>
Date: Fri, 3 Apr 2009 08:27:48 -0700 (PDT)


I suspect my company is similar to many - a penetration test that succeeds in getting to sensitive information is the 
only way to get management's attention.  Otherwise, "of course we are secure.  No one has broken in" is the honest 
belief of managers at all levels.  No, they don't do log analysis.  Yes, that makes pen testing a political tool rather 
than a technical tool, but it sure does help those of us who see security as more than an assertion by people with no 
security training or experience.  Nothing else works.

hermit921

--- On Thu, 4/2/09, Darden, Patrick S. <darden () armc org> wrote:

From: Darden, Patrick S. <darden () armc org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: "Firewall Wizards Security Mailing List" <firewall-wizards () listserv icsalabs com>
Date: Thursday, April 2, 2009, 12:30 PM

Hmmm, no I don't think so.

Network auditor would take care of regular stuff (e.g. your example of an open telnet service).  Nessus, nmap, etc.  Irregular stuff will be there no matter what, if someone knowledgeable enough spends enough time looking.

Pen Testing has no real purpose that I can see.... Other than as a scare tactic to put someone in their place, get more money for security from admin, shame your IT department, etc.  It is more of a social/political tool than a security instrument.

--Patrick Darden


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of AMuse
Sent: Thursday, April 02, 2009 2:59 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] PCI DSS & Firewalls

Isn't the point of pen-testing to take up an attacker's perspective and hit all your defenses to see if you missed something or misconfigured something?  I mean, unless you're the only person who set up 100% of your infrastructure, how are you to know that someone didn't accidentally leave telnet open?  If you didn't write 100% of the webapps your company is using, how are you to know they don't have SQL injection flaws?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards