Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 14:21:42 -0500 (EST)
On Thu, 2 Apr 2009, Potter, Albert (Al) wrote:
> </lurk> Chris hits the nail on the head. The DSS is about helping the clueless make measurable progress in a better direction and giving management (C and board level) the motivation and justification to spend money on security and to induce their staffs to get moving.
No- the fine is what does that, the DSS is just the artifact with which to do it. However as a "Standard" it's worse than ICSA Firewall testing criteria! ;-P
> Is it perfect? No, but it is regularly revised (the DSS) and has a mechanism to get better.
Not only is it not perfect, it's frankly about as bad as a document can get and claim to be a "Security Standard." It *has* to have the mechanism to get better, it really would have to try to get any worse... Are two revisions really "regularly revised?" Heck, the license to download it is more clear and to the point than the document itself.

Here are some examples from the current "Standard" with my comments in brackets.

PCI DSS Requirement: 6.5.8 Insecure cryptographic storage
[Really? They require insecure storage?]
Testing Procedure: 6.5.8 Insecure cryptographic storage (Prevent cryptographic flaws.)

PCI DSS Requirement: 5.1.1 Ensure that all anti-virus programs are capable of detecting, removing and protecting against all known types of malicious software.
[Honestly? All TYPES? Every time?]

1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
1.3.5 Verify that outbound traffic from the cardholder data environment to the Internet can only access IP addresses within the DMZ.
[Really? No Web browsing from a PC from a call center? No hitting an internal proxy server that's not on the DMZ?...]

Seriously, I'd be embarrassed to release "criteria" like the above (and it's just a small sampling for educational purposes...)
> AL <Lurk>
*cough* Isn't Verizon a QSA? *cough*

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
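An added example, not from the thread or from the PCI council: a small egress-policy audit that applies the literal wording of Requirement 1.3.5 quoted above to a ruleset, so you can see exactly which rules a strict reading would flag (the internal-proxy case Paul raises is one of them). The CDE and DMZ ranges, the rule format and the sample rules are constructed assumptions for this example.

```python
"""Audit an egress ruleset against the literal wording of PCI DSS 1.3.5:
outbound traffic from the cardholder data environment (CDE) may only reach
IP addresses within the DMZ. Network ranges and rules below are constructed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumption, not from the thread).
CDE = ipaddress.ip_network("10.10.0.0/16")   # cardholder data environment
DMZ = ipaddress.ip_network("192.0.2.0/24")   # DMZ hosts


@dataclass(frozen=True)
class Rule:
    src: str        # source network, CIDR
    dst: str        # destination network, CIDR ("0.0.0.0/0" = anywhere)
    action: str     # "allow" or "deny"
    comment: str = ""


def violations(rules, cde=CDE, dmz=DMZ):
    """Return the allow rules that a strict reading of 1.3.5 would reject:
    source overlaps the CDE and destination is not wholly inside the DMZ."""
    flagged = []
    for rule in rules:
        if rule.action != "allow":
            continue                      # deny rules cannot violate 1.3.5
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
        if not src.overlaps(cde):
            continue                      # not CDE egress, out of scope
        if not dst.subnet_of(dmz):
            flagged.append(rule)          # reaches something outside the DMZ
    return flagged


# Constructed sample ruleset, ordered as a firewall would evaluate it.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "192.0.2.10/32", "allow", "CDE -> DMZ web proxy"),
    Rule("10.10.0.0/16", "10.1.5.10/32", "allow", "CDE -> internal proxy (not in DMZ)"),
    Rule("10.10.0.0/16", "0.0.0.0/0", "allow", "call-center PCs browse directly"),
    Rule("10.10.0.0/16", "0.0.0.0/0", "deny", "default CDE egress deny"),
    Rule("10.20.0.0/16", "0.0.0.0/0", "allow", "office network, outside the CDE"),
]

if __name__ == "__main__":
    for rule in violations(SAMPLE_RULES):
        print(f"1.3.5 violation: {rule.src} -> {rule.dst} ({rule.comment})")
```

Run as a script it lists the two CDE allow rules whose destination lies outside the DMZ; a rule permitting only the DMZ proxy passes, as does anything sourced from outside the CDE.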