PaulDotCom mailing list archives

Question about PCI audit results and reality....


From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Wed, 12 Aug 2009 14:33:36 -0500

It sounds like you've got a good start already.  To expound on your
second point, be sure to clarify that the QSA audit is ONLY intended to
be a general check to make sure you're trying.  That audit is only based
on what you tell them or show them, and in many cases they just have to
believe you.  Unless you can pay to have them literally check
everything, they have to accept what you say as fact.  After all, it's
your security, not theirs.  It's like cheating on your counting when
you're working out.  It doesn't hurt anyone but yourself.

The reason PCI requires audits is to make sure you're trying.  The
reason it requires regular ASV scans & pen-tests is to ensure that
you're actually secure.  Those are completely different things.  So
think about how you can present the concerns in terms of business risk
to security.  Detail how likely the threat is to be successfully
exploited and exactly what impact that would have on the business.  Also
be sure to explain how it can be fixed.  Management doesn't want to hear
about problems, they want solutions.

The most important thing you can do above all is to document, document,
document.  Don't get mean-spirited and do it as an act of defiance
against management, but be intentional about documenting your concerns
and make sure they understand that you're documenting it.  Sometimes
just seeing an employee care enough to respectfully object to a decision
can have a huge impact.  But be willing to deal with the consequences
otherwise.

-- nathan

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jason Wood
Sent: Wednesday, August 12, 2009 12:24 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Question about PCI audit results and reality....

So I have a "hypothetical" situation that I'd like some ideas on.

Say you go through a PCI audit and certain things that you know are a
problem are not marked as such by the auditor.  (we can get into getting
a new QSA later)  To make up a completely fake scenario, let's say that
item 15.3 requires all squirrels to wear helmets when running the credit
card numbers from the web server to the database server.  (squirrelNet
anyone?)  The QSA says that there are no problems and that the squirrels
are wearing helmets properly.  The issue is that the helmets are made of
newspaper and don't look like a helmet from anything beyond a passing
glance.

As the admin/squirrel handler, I want to justify getting proper helmets
on the squirrels.  However, here's this audit report which states that
there's no problem here.  How do you go about justifying "real" squirrel
helmets when the QSA says everything is good?  Chances are good
management is going to look at the report and tell you to leave the
newspaper hats in place because it is good enough for the QSA.

Short of calling up the QSA and asking him WTF (and getting in hot water
for doing so), how do you deal with this?  

Here are some of the ideas that have occurred to me:

* Explain to management what squirrel helmets really are supposed
to be and that not every QSA is going to be so... casual about them.
* Explain that PCI is a minimum set of requirements and doesn't
ensure actual security.
* Club a squirrel on the head and demonstrate that newspaper isn't
an adequate helmet.

How do you deal with justifying security improvements when an audit
report says that everything is blue skies and happy days?

Thanks,
Jason

P.S.  SquirrelNet was inspired by @beaker and no actual squirrels were
used to run credit card numbers or were clubbed on the head while
writing this email.

-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com
