PaulDotCom mailing list archives

Question about PCI audit results and reality....

From: paul at pauldotcom.com (Paul Asadoorian)
Date: Wed, 12 Aug 2009 15:01:17 -0400

Simple, hit each of the squirrels on the head with a baseball bat.  Note
which squirrels die, and which ones live.  Send report to management.

I think we call this a penetration test ;)

Cheers,
Paul

Jason Wood wrote:

So I have a "hypothetical" situation that I'd like some ideas on.

Say you go through a PCI audit and certain things that you know are a
problem are not marked as such by the auditor.  (we can get into getting
a new QSA later)  To make up a completely fake scenario, lets say that
item 15.3 requires all squirrels to wear helmets when running the credit
card numbers from the web server to the database server.  (squirrelNet
anyone?)  The QSA says that there are no problems and that the squirrels
are wearing helmets properly.  The issue is that the helmets are made of
newspaper and don't look like a helmet from anything beyond a passing
glance.

As the admin/squirrel handler, I want to justify getting proper helmets
on the squirrels.  However, here's this audit report which states that
there's no problem here.  How do you go about justifying "real" squirrel
helmets when the QSA says everything is good.  Chances are good
management is going to look at the report and tell you to leave the
newspaper hats in place because it is good enough for the QSA.

Short of calling up the QSA and asking him WTF (and getting in hot water
for doing so), how do you deal with this? 

Here's some of the ideas that have occurred to me:

    * Explain to management what squirrel helmets really are supposed to
      be and that not every QSA is going to be so... casual about them.
    * Explain that PCI is a minimum set of requirements and doesn't
      insure actual security.
    * Club a squirrel on the head and demonstrate that newspaper isn't
      an adequate helmet.

How do you deal with justifying security improvements when an audit
report says that everything is blue skies and happy days?

Thanks,
Jason

P.S.  SquirrelNet was inspired by @beaker and no actual squirrels were
used to run credit card numbers or were clubbed on the head while
writing this email.

-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com <http://jwnetworkconsulting.com>


------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552

Current thread:

Question about PCI audit results and reality.... Jason Wood (Aug 12)
- Question about PCI audit results and reality.... Vincent Lape (Aug 12)
  - Question about PCI audit results and reality.... Jason Wood (Aug 12)
    - Question about PCI audit results and reality.... Chris Merkel (Aug 12)
- Question about PCI audit results and reality.... Paul Asadoorian (Aug 12)
  - Question about PCI audit results and reality.... Shawn Bernard (Aug 12)
- Question about PCI audit results and reality.... Joel Folkerts (Aug 12)
  - Question about PCI audit results and reality.... Mike Patterson (Aug 12)
- Question about PCI audit results and reality.... Jack Daniel (Aug 12)
  - Question about PCI audit results and reality.... Ron Gula (Aug 13)
    - Question about PCI audit results and reality.... Robert Portvliet (Aug 13)
    - Question about PCI audit results and reality.... Jason Wood (Aug 13)
    - Question about PCI audit results and reality.... Nathan Sweaney (Aug 14)
    - Question about PCI audit results and reality.... Robert Miller (Aug 20)
    - Question about PCI audit results and reality.... Edward Frye (Aug 21)

(Thread continues...)