Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 14:21:42 -0500 (EST)

On Thu, 2 Apr 2009, Potter, Albert (Al) wrote:

> </lurk>

> Chris hits the nail on the head. The DSS is about helping the clewless
> make measurable progress in a better direction and giving management (C
> and board level) the motivation and justification to spend money on
> security and to induce their staffs to get moving.

No, the fine is what does that; the DSS is just the artifact with which to 
do it.  However, as a "Standard" it's worse than ICSA Firewall testing 
criteria! ;-P

> Is it perfect?  No, but it is regularly revised (the DSS) and has a
> mechanism to get better.

Not only is it not perfect, it's frankly about as bad as a document can 
get and claim to be a "Security Standard."  It *has* to have the mechanism 
to get better, it really would have to try to get any worse...  Are two 
revisions really "regularly revised?"

Heck, the license to download it is more clear and to the point than the 
document itself.

Here are some examples from the current "Standard" with my comments in 
brackets.

PCI DSS Requirement:

6.5.8  Insecure cryptographic storage
[Really?  They require insecure storage?]

Testing Procedure:
6.5.8 Insecure cryptographic storage (Prevent cryptographic flaws.)

PCI DSS Requirement:

5.1.1 Ensure that all anti-virus programs are capable of detecting, 
removing and protecting against all known types of malicious software.

[Honestly?  All TYPES?  Every time?]

1.3.5 Restrict outbound traffic from the cardholder data environment to 
the Internet such that outbound traffic can only access IP addresses 
within the DMZ.

1.3.5 Verify that outbound traffic from the cardholder data environment to 
the Internet can only access IP addresses within the DMZ.

[Really?  No Web browsing from a PC from a call center?  No hitting an 
internal proxy server that's not on the DMZ?...]

Seriously, I'd be embarrassed to release "criteria" like the above (and 
it's just a small sampling for educational purposes...)

> AL
> <Lurk>

*cough*
Isn't Verizon a QSA?
*cough*

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/
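The 1.3.5 testing procedure quoted above ("verify that outbound traffic from the cardholder data environment to the Internet can only access IP addresses within the DMZ") is the kind of thing an assessor checks against flow logs or firewall counters. The following is an added example, not code from the post, the list, or the PCI Security Standards Council: a small egress audit in Python that classifies CDE-originated flows as DMZ-bound, internal, or direct-to-Internet and reports the last category. The address ranges, the flow-log format and the sample records are all constructed for the illustration. The internal-proxy case Paul raises is kept as its own label so the reader can see where the literal wording of the requirement does and does not reach.

```python
"""Egress audit against a PCI DSS 1.3.5-style rule: flows from the cardholder
data environment (CDE) to the Internet may only reach DMZ addresses.

Added illustration; the address plan and log lines below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the post or the standard).
CDE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("172.16.50.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # rest of the corporate side


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(flow: Flow) -> str:
    """Label one flow record.

    'not-cde'  - source is outside the CDE; 1.3.5 does not apply
    'dmz'      - destination is in the DMZ; what 1.3.5 permits
    'internal' - destination is elsewhere on the corporate network (for
                 example an internal proxy); not Internet traffic as such
    'internet' - destination is outside both DMZ and internal ranges; a
                 direct Internet flow, which 1.3.5 forbids
    """
    if not in_any(flow.src, CDE_NETS):
        return "not-cde"
    if in_any(flow.dst, DMZ_NETS):
        return "dmz"
    if in_any(flow.dst, INTERNAL_NETS):
        return "internal"
    return "internet"


def parse_flow_log(text: str) -> list:
    """Parse constructed flow lines of the form 'src dst dport'."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def audit(flows) -> list:
    """Return the flows that violate the rule (CDE straight to the Internet)."""
    return [f for f in flows if classify(f) == "internet"]


# Constructed sample log: DMZ proxy, internal proxy, direct Internet, non-CDE.
SAMPLE_LOG = """\
10.10.5.20 172.16.50.10 8080
10.10.5.20 10.1.1.5 3128
10.10.5.21 203.0.113.45 443
10.20.1.1 203.0.113.45 443
"""

if __name__ == "__main__":
    for f in parse_flow_log(SAMPLE_LOG):
        print(f"{classify(f):9s} {f.src} -> {f.dst}:{f.dport}")
    for f in audit(parse_flow_log(SAMPLE_LOG)):
        print(f"VIOLATION: {f.src} -> {f.dst}:{f.dport} bypasses the DMZ")
```

Run against a real export, the only lines that should come back from `audit` are the ones a firewall rule set has failed to block; the `internal` bucket is where an assessor and an assessee argue about whether a non-DMZ proxy satisfies the wording.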

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

