Re: PCI DSS & Firewalls

["miedaner" <miedaner () twcny rr com>]

Interesting thread.

The reality is that companies have not followed best practices in terms of
network and internet services.

Over and over in my 17 years in security people whining for the next unsafe
app, protocol, etc have won out over sound security.

Not to mention poor design practices that put ring 0 devices on the edge
rather than in a tiered design.

How many companies have the payroll and money transfer machines located so
any user can touch them, both physically and logically.

How many bandaids has the so called security industry come up with to
compensate for poor practices.  E.G. The clueless demand a PIX so we need an
IDS and whatever other protocol aware device.

Good design and having the balz to say no goes a long way in keeping
environment simple and secure.

As far as testing, some is needed but the ill informed would assume that a
successful PT means you are OK.  Not to mention 9 times out of 10 the
testers exploit low hanging fruit - lets be real here we are dealing with
the soft chewy core of M$.  Add distributed offices and physical security
weakneses into the mix and successful attacks, for the determined, becomes a
cake walk.

Also as far as PCI standards and all other regulations is, I believe, the
anount of interpretation that is allowed.  Try defining scope under PCI,
very ambiguous.

Tony Miedaner
eroc emit eno

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
Brian Loe
Sent: Sunday, April 05, 2009 1:50 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] PCI DSS & Firewalls


On Fri, Apr 3, 2009 at 3:36 PM, Paul Melson <pmelson () gmail com> wrote:


> At the end of the day, offensive security (scanning, pen-testing,
auditing,
> etc.) is testing.  And some testing is ALWAYS better than no testing.
 Show
> me a company that doesn't require testing before moving a system into
> production and I'll show you a company that can afford lots of downtime.

And I'll show you every company I've ever worked for - including the
one that's handling your prescriptions and likely the one handling
your 401k.

Then again, I guess it depends on what you call testing. If it means
"it turns on, given expected input it returns expected output" then
never mind - you're "safe". Otherwise you're living as big of a make
believe world as Marcus. And as everyone knows I'm quite the realist!

Then again I'm also the manager who, while trying to get an updated
security program approved by the "IT Steering Committee", removed the
part about certification and accreditation for new systems because,
frankly, if you're our size it's stupid and overly costly. What I
would VERY MUCH LIKE is a "checklist" like the first set of
instructions I got for (well, it's late and I can't remember the
acronym - and it's since been changed anyway - DoD crap)....

I prefer a standard tell me EXACTLY what it want as a minimum and then
my midldle management idiot self can busy myself doing BETTER than
that standard...
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards