Security Basics mailing list archives
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Fri, 23 Apr 2010 14:17:54 -0400
> Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes.

So what's the problem? .. if you have done it according to (or exceeding) the spec .. check the box, buy a box of donuts for the auditor .. let them look it over, and be done with it.

> Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization.

If VISA (et al.) could define "real security" and write it down, they would. What is "real security" exactly? .. I'd argue the only "secure" computer is one that's still sealed in the factory carton. Break the seal, game over .. just like it says on a box of Band-Aids: "Sterility guaranteed until opened".

> As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem.

The thinking goes .. that if you implement the PCI standards and aim to actually do as it suggests (meaning doing what the document suggests *correctly* .. not just having a blinkinlight in place so you can check a box) .. you're already down the right path. Even so .. the problem with securing networks/systems is there's millions of "them" and only a few of "you". Also .. you have to be right 100% of the time, and "they" only have to get lucky once.

My $10.02 ($10 minimum purchase on all credit cards). **

Cheers,

Michael Holstein
Cleveland State University

** : yes, I know this goes against the merchant agreement .. sarcasm.