PaulDotCom mailing list archives

Question about PCI audit results and reality....


From: cmerkel at gmail.com (Chris Merkel)
Date: Wed, 12 Aug 2009 19:56:55 -0500

Keep in mind that, unfortunately, there is an ignorance-is-bliss
attitude with some people. They know that they should remain ignorant,
because otherwise they would be compelled to act, which costs money.
So you could show up with a bag of dead squirrels, force their hand to
act, and still get the smackdown one way or another.

On Wed, Aug 12, 2009 at 3:39 PM, Jason Wood <tadaka at gmail.com> wrote:
It seems like everyone has similar thoughts to mine. My concern is that the
most likely way to get traction is something painful. Either dead squirrels
from penetration testing or someone else kills the squirrels. The last one
hurts the most and probably gets a flurry of activity going. It's also
the one I want least, since things tend to roll downhill. I also don't
want to get too adversarial since I need folks' cooperation, not grudging,
minimal effort.

Another thought that occurs to me is to point to findings from other
standards, audits, etc that would buttress the argument that further
improvements are needed.

Has anyone following the list found themselves in this position? Did
anything NOT work that you wouldn't recommend? Did you get really lucky
and find something that did work?

Poor squirrels. It seems like they are destined for blunt object trauma to
the head or death. ;)

Jason



On Wed, Aug 12, 2009 at 12:56 PM, Vincent Lape <vlape at me.com> wrote:

In this economy, good luck. It's hard to justify spending money if the
helmets are "good enough to pass". I have found in the past that if a brick
fell down and hit a squirrel in the head, and the squirrel died, something
was done at a quick pace. Or if the squirrel helmets experienced a
catastrophic failure, they would need to be replaced.


On Aug 12, 2009, at 10:23 AM, Jason Wood wrote:

So I have a "hypothetical" situation that I'd like some ideas on.

Say you go through a PCI audit and certain things that you know are a
problem are not marked as such by the auditor. (We can get into getting a
new QSA later.) To make up a completely fake scenario, let's say that item
15.3 requires all squirrels to wear helmets when running the credit card
numbers from the web server to the database server. (SquirrelNet, anyone?)
The QSA says that there are no problems and that the squirrels are wearing
helmets properly. The issue is that the helmets are made of newspaper and
don't look like a helmet from anything beyond a passing glance.

As the admin/squirrel handler, I want to justify getting proper helmets on
the squirrels. However, here's this audit report which states that there's
no problem here. How do you go about justifying "real" squirrel helmets
when the QSA says everything is good? Chances are good management is going
to look at the report and tell you to leave the newspaper hats in place
because it is good enough for the QSA.

Short of calling up the QSA and asking him WTF (and getting in hot water
for doing so), how do you deal with this?

Here are some of the ideas that have occurred to me:

1. Explain to management what squirrel helmets really are supposed to be and
   that not every QSA is going to be so... casual about them.
2. Explain that PCI is a minimum set of requirements and doesn't ensure
   actual security.
3. Club a squirrel on the head and demonstrate that newspaper isn't an
   adequate helmet.

How do you deal with justifying security improvements when an audit report
says that everything is blue skies and happy days?

Thanks,
Jason

P.S. SquirrelNet was inspired by @beaker, and no actual squirrels were
used to run credit card numbers or were clubbed on the head while writing
this email.

--

irc: Tadaka
Twitter: Jason_Wood
jwnetworkconsulting.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
- Chris Merkel