Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 13:16:05 -0500 (EST)

> I just wanted to say that this is not an "industry standard" in
> terms of laying out specific details that can be followed to the letter
> to be compliant. It's also not a checkbox-type checklist to magically
> make you compliant (or secure). Rather, it is a guide to help QSAs
> assess the security of entities having to be PCI compliant. It provides
> a minimal baseline in my opinion, and assessors should always strive to
> use common sense while reviewing networks and systems, and apply best
> practices in order to achieve maximum security.

Maximum security comes from product selection, trained staff and regular 
audits, not from blind scans, blind pen-tests and third party analysts who 
don't have real-world experience.  I get what you're saying, I'm just 
saying that the Kool-Aid isn't all that good here.  It's done a further 
disservice by not having clear, operable and well-written standards that 
the operational people can use to evaluate and understand what practices 
they need to comply with and how.  The QSAs are all making money- because 
they're all mandated, but frankly the fact that we've seen three of them 
go on probation recently is a sign that the underlying fundamentals here 
aren't strong.

I find it highly ironic that the only technical training mandated is in 
Incident Response- isn't the message there "don't worry about learning 
about security, just learn how to clean up the mess?"

> The standard is not the leading instrument here, it's the experience and
> common sense of the assessors. The PCI doc merely serves as a checklist
> to demonstrate to the PCI council that requirements have been fulfilled.
> Either verbatim, or in any other shape or form that still fulfills the
> desired goal.

The banks, CEOs and IT workers I've all talked to see it as a checklist to 
compliance, or more importantly a checklist to not getting sued.  Avoiding 
the stick is the goal- and those who actually want the carrot look at the 
standard and say "This doesn't help me."  That's bad, because the people 
most likely to know what's wrong in an environment are those who're most 
familiar with it.  The desired goal is not getting sued...

Also, we all know that businesses like efficiency and that time costs 
money- so are you going to check the box or are you going to write out an 
exception and justify it?

> If you have to be compliant and look at the PCI requirements document,
> and say "this is sad" or "that is not defined", talk to a decent QSA. He
> can help make this a less confusing and painful experience.

That doesn't make them any less sad or more defined.  This is the best the 
multi-billion dollar payment card industry can do?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards