Full Disclosure mailing list archives

Re: Compliance Is Wasted Money, Study Finds


From: "Lyal Collins" <lyalc () swiftdsl com au>
Date: Wed, 28 Apr 2010 09:14:16 +1000

It appears that the content of the security audit procedures (the PDF
downloadable from
https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html)
still has not crept into this discussion by some who consider PCI a waste of
effort, merely a comment on the 12 section headings of PCI DSS.
 
 
Judging anything by responding to key words, without considering context,
usually leads to expensive and potentially non-compliant outcomes in my
experience.  This is particularly true of PCI DSS compliance efforts among
many companies I've worked with.
 
Just on anti-malware solutions per PCI DSS, to take one example.
Take a piece of paper and list the ways in which malware controls can be
implemented, then see how many are point solutions from vendors.
Here's a start, using mechanisms that can be PCI DSS compliant:

* Most anti-virus software products (the easy route in some platforms.
  Particularly good when non-Windows platforms exchange complex content with
  Windows platforms, e.g. mail relays, web servers etc.)
* Application whitelisting (hard to tune, but good in some scenarios,
  especially servers)
* File integrity controls (good, once tuned and applied comprehensively to
  the target servers)
* Using an operating system that is not commonly susceptible to malware
  (rare, but does happen)

Some of the options listed above can be free, other than some labour time to
implement the necessary changes. 
Although a product is marketed as an anti-virus product, it may not meet all
PCI DSS expectations, e.g. detecting malware is one criterion on which some
solutions fail.
The above ignores the update, logging, monitoring and response processes
behind the above options, for simplicity in this discussion.
 
 
lyal
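
Added example (not part of Lyal's message or of this thread): a minimal
file-integrity baseline-and-compare check in Python, illustrating the "file
integrity controls" option in the list above and the tuning it needs. The
directory layout, file contents and the `ignore_prefixes` knob are constructed
assumptions for the demo, not any product's behaviour.

```python
"""Minimal file-integrity check: record a baseline of hashes, then diff it later.

Added illustration of the 'file integrity controls' option; not a product and
not code from the original mailing-list message.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, ignore_prefixes=()):
    """Walk `root` and record hash, size and permission bits for every regular file.

    `ignore_prefixes` (an assumed tuning knob, e.g. ("var/log/",)) skips paths
    that legitimately change all the time; this is the 'tuning' the message
    refers to. Symlinks are skipped so a link cannot stand in for a file.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(tuple(ignore_prefixes)):
            continue
        st = path.stat()
        baseline[rel] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(baseline, path):
    # In practice the baseline belongs off-host or on read-only media so that
    # whoever alters a monitored file cannot also rewrite the record of it.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a scratch tree, change it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF placeholder bytes")
        (root / "bin" / "helper").write_bytes(b"original helper")
        (root / "var" / "log" / "app.log").write_text("line 1\n")

        # Tuning: logs churn by design, and the baseline file itself must not
        # appear in its own next scan.
        ignore = ("var/log/", "baseline.json")
        save_baseline(build_baseline(root, ignore), root / "baseline.json")

        # Simulated changes: config edited, binary removed, unexpected file
        # appears, log grows (the last one should be masked by the tuning).
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "helper").unlink()
        (root / "bin" / "unexpected").write_bytes(b"not in baseline")
        with open(root / "var" / "log" / "app.log", "a") as fh:
            fh.write("line 2\n")

        return compare(load_baseline(root / "baseline.json"), build_baseline(root, ignore))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the three buckets; only the edited config, the
removed binary and the new file show up, while the growing log is silent
because of the ignore list. Real deployments add scheduling, alerting on the
non-empty buckets, and a protected home for the baseline, which is the
"logging, monitoring and response" layer the message sets aside.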
 
 
 


  _____  

From: Christian Sciberras [mailto:uuf6429 () gmail com] 
Sent: Tuesday, 27 April 2010 11:33 PM
To: Lyal Collins
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds


Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.

Were you even following the thread? There's been at least 4 times where
different people cited different parts of the standard.
But I would suppose that there's always the possibility of someone imagining
the standard, who knows!

AV is about 4 requirements out of over 230 requirements

Actually, it's the 5th out of 12...
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Many views in this thread sound like drowning people who reject a lifeboat
because it doesn't match their eye colour.

And I take it the lifeboat matched your eye-colour?
By your comparison, it doesn't match my eye colour and neither the amount of
holes in the lifeboat as I would deem "safe".
Sure, some people would evacuate on a handkerchief if it means less money
more compliance.

I don't think you grasped the point either, so I won't argue with the rest
of your message.



On Tue, Apr 27, 2010 at 12:34 AM, Lyal Collins <lyalc () swiftdsl com au>
wrote:


Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.

AV is about 4 requirements out of over 230 requirements, covering secure
coding/development, patching, network security, hardening systems, least
privilege, robust authentication, staff probity, physical security,
obligations on third parties, annual risk assessments and improvements,
plus annually re-validating all of these security control areas.

Many views in this thread sound like drowning people who reject a lifeboat
because it doesn't match their eye colour.

PCI DSS isn't perfect, but it is fairly comprehensive about confidentiality.
In terms of all organisational information security threats, PCI DSS lacks a
focus on DR/BCP and integrity of data and system (other than that subset of
threats affecting protection of card data).  I posit that DR and data
integrity are as much a commercial decision as an information security goal,
for which simple, repeatable processes are already available and reasonably
well known amongst IT professionals.

Anti-virus and anti-malware products are not perfect either, but they are
better than the alternative of "doing nothing until a perfect solution is
found", an undertone I see so often in this list and among many
well-intentioned but unsuccessful security professionals at sites I visit.

Implementing any halfway decent solution is almost always better than doing
nothing, when it comes to reducing risk and increasing assurance.
Implementing ongoing improvements is cost effective spend of scarce
security/IT dollars.
Building the "perfect" security solution is too expensive and takes too long
- by the time it's delivered, security threats have moved on, and you remain
vulnerable.

There are some dreadful compliance programs out there.  There are some
excellent compliance standards.
The


lyal


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


