funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 24 Mar 2009 06:33:32 -0400
Kaegler, Mike wrote:
Alone, PCI can't do a lot; one needs a competent and interested security professional. Likewise, said professional can't do a lot without a business mandate (which PCI provides). PCI is not a magic bullet, but it isn't useless theatre either (provided it's routed to the IT department instead of the marketing department).
Mike,

You recognized the problem and then just ignored it!

"Alone, PCI can't do a lot" -- I agree 1,000%!

"one needs a competent and interested security professional" -- and there is the problem! In the overwhelming majority of organizations I see that want the "PCI Stamp of Approval", there is NO security professional involved! It is just the "web site guys" saying "we need PCI DSS, what is the minimum we can do to get that stamp of approval?" In reality, they could care less about security. Security is an added cost to a business with already tight margins. "We don't want security, it's too much of a hassle -- just get us 'approved'."

"can't do a lot without a business mandate (which PCI provides)" -- I disagree that PCI DSS even provides a mandate for security. It mandates only certain minimum practices that give the APPEARANCE of security, but in reality do not actually REQUIRE security. Anyone can put a firewall in place, not really configure it, and declare "I have a firewall, so therefore I am secure!" (We call that "M&M Security" -- just like the candy -- hard and crunchy on the outside [maybe], soft and chewy on the inside!) Worse, most organizations that put a firewall in place actually think that they are now secure!! I know organizations with minimal to no firewalls, but good security practices, that are far more secure than organizations with firewalls that are security clueless.

"provided it's routed to the IT department" -- most IT departments are the first to fight security in small organizations. They want to do only the minimum they can get by with; they are too busy with day-to-day operations to care about passing some auditor's checklist. So, what do they do? The absolute minimum they can to get the auditor to "give them a 'pass' and go away." Even if it means lying or deception to get the 'pass', it is only the 'pass' they care about, not anything to do with improving security.
Worse, most corporate management has the exact same view: "Do the absolute minimum possible to get us that certification."

I stand by my statement: PCI DSS is security theater of the worst kind!

Jon Kibler

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-224-2494 s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253