PaulDotCom mailing list archives
Question about PCI audit results and reality....
From: tadaka at gmail.com (Jason Wood)
Date: Thu, 13 Aug 2009 11:44:40 -0600
Ron and Robert,

Thanks for both links. The interview on CSOonline.com spurred some interesting thoughts about other ways of presenting the issue of unhelmeted squirrels. I also saw Rich's comments yesterday on Twitter about his letter, but didn't have a chance to read it. I've done that and like what he said. Here are some of the thoughts I have from both of these documents.

Here's a very public example of a PCI "compliant" company that was massively breached. Both the CSOonline article and Rich's letter make the point that PCI compliant does not mean you are secure. Sure, the CEO of Heartland is trying to avoid blame, but even he makes the comment that PCI is not bad for a minimal standard, but doesn't reflect real security. Rich takes it a lot further and really hammers that idea home by comparing it to the role of financial audits.

People don't like getting attention for negative or embarrassing events. You can bet the CEO of Heartland would rather not be in the position of giving interviews about what went wrong and what they are doing to improve. Who wants to spend their time remediating their company's image? It might be a powerful visual to take some articles about Heartland's breach and replace the names with company and manager names associated with my/your company. It gets that emotional reaction going. Use Heartland to illustrate the point that PCI isn't the solution to all security woes. This idea is a bit heavy on the Fear in FUD, so I need to think about it some, but I think it deserves some consideration.

George Santayana is credited with saying, "Those who cannot learn from history are doomed to repeat it." Here's a very recent, very relevant event that begs to be learned from. The question I'm thinking about now is how to present these lessons so that it is meaningful to the audience and the end result (dead squirrels and a data breach) can be avoided.

Good food for thought.
Jason

On Thu, Aug 13, 2009 at 7:02 AM, Robert Portvliet <robert.portvliet at gmail.com> wrote:

Rich Mogull had a few things to say about that yesterday (very good read) http://securosis.com/blog

On Thu, Aug 13, 2009 at 6:21 AM, Ron Gula <rgula at tenablesecurity.com> wrote:

All great points .... and now from a CEO who says their QSA's let them down:
http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down?page=1

Heartland CEO on Data Breach: QSAs Let Us Down
Heartland Payment Systems Inc. CEO Robert Carr opens up about his company's data security breach, how compliance auditors failed to flag key attack vectors and what the big lessons are for other companies. ...

-- Ron Gula, CEO Tenable Network Security

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
irc: Tadaka
Twitter: Jason_Wood
jwnetworkconsulting.com
Current thread:
- Question about PCI audit results and reality...., (continued)
- Question about PCI audit results and reality.... Vincent Lape (Aug 12)
- Question about PCI audit results and reality.... Jason Wood (Aug 12)
- Question about PCI audit results and reality.... Chris Merkel (Aug 12)
- Question about PCI audit results and reality.... Jason Wood (Aug 12)
- Question about PCI audit results and reality.... Paul Asadoorian (Aug 12)
- Question about PCI audit results and reality.... Shawn Bernard (Aug 12)
- Question about PCI audit results and reality.... Joel Folkerts (Aug 12)
- Question about PCI audit results and reality.... Mike Patterson (Aug 12)
- Question about PCI audit results and reality.... Jack Daniel (Aug 12)
- Question about PCI audit results and reality.... Ron Gula (Aug 13)
- Question about PCI audit results and reality.... Robert Portvliet (Aug 13)
- Question about PCI audit results and reality.... Jason Wood (Aug 13)
- Question about PCI audit results and reality.... Nathan Sweaney (Aug 14)
- Question about PCI audit results and reality.... Robert Miller (Aug 20)
- Question about PCI audit results and reality.... Edward Frye (Aug 21)
- Question about PCI audit results and reality.... Ron Gula (Aug 13)
- Question about PCI audit results and reality.... Vincent Lape (Aug 12)