funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: Amrit Williams <johndoe321 () gmail com>
Date: Mon, 23 Mar 2009 22:13:59 -0700
I think the point he was making about you being from a vendor that offers PCI oriented solutions for a fee is that your view is somewhat tainted and not objective, not that there's anything wrong with having a biased view, but it is what it is...
: I'd say that PCI DSS did more to information security than *anything
: else* since Windows added automated updates.
2 years ago you might have said...
: I'd say that "Log management" did more to information security than *anything
: else* since Windows added automated updates.
I can see a POV that states that PCI has helped organizations that lack even a base level of security to find a path towards a base level of things they could check for, like whether or not they have updated their AV - not that it makes them more or less secure or more or less prone to a breach, just a set of things they can check for, but to say that "PCI DSS did more to information security than anything else since..." is bordering on ridiculous at best. Of course no offense Anton =)

Amrit

On Mon, Mar 23, 2009 at 9:50 PM, Anton Chuvakin <anton () chuvakin org> wrote:
: : I'd say that PCI DSS did more to information security than *anything
: : else* since Windows added automated updates.
:
: Care to back that up in any way? I think the customers of Heartland, RBS and other compromises would disagree.

Sorry, but this is kind of what I was talking about :-) What I am hearing in the above is that PCI was somehow supposed to guarantee their un-hackability. Is that what you are implying? What about a simpler explanation: they were breached DESPITE PCI DSS?

: : Now, some might say that my argument is of the type "Why do 99% of
: : lawyers give the rest a bad name?", but it is not. I am pretty sure that
: : even companies that "do it just the auditor" or, worse, deceive their
: : PCI assessor still gain a tiny fraction of risk reduction, both for
: : themselves - and for the rest of us.
:
: Is that "tiny fraction of risk reduction" evident in Heartland / RBS? Is that fraction worth the trade-off for an entirely inflated false sense of security?

This supposed reduction of risk was NOT in any way evident in the case of Hland/RBS, at least not in the way it was reported publicly. In addition, it is entirely possible that their security staff was "under the influence" of a false sense of security and, as a result, made decisions that led to their compromise.

However! PCI did drive many small organizations to think about:
a) have we updated our AV since 2004 (BTW, their answer was 'no' and now it is 'yes' [debate about AV efficiency is a separate story])
b) what on Earth is a firewall?
c) changing passwords is maybe a good idea.
That is where I think it is useful.

: You forgot one part of your sig: Director of PCI Compliance Solutions at Qualys

Was that remark intended to invalidate my arguments in any way? I hope you are not implying that people working for a vendor are not allowed - gasp! - their own opinion...
--
Anton Chuvakin, Ph.D
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.