Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Chris Myers <clmmacunix () charter net>
Date: Thu, 2 Apr 2009 16:49:00 -0500
Great discussion, too long to recall all I would like to respond to. I only have to say that it is not the law, so a standard is a guide. Although some politicians have found glory from the constituency by making it a state's right. The most ignorant of which could not tell you why PCI is important at all. Three-fourths of the standard can be left unread and done away with through good engineering, and the last quarter of which is to bring layman's terms to the real culprit in the security breach, the executive.
1. Anyone in charge of a company's security should know the architecture and every project going on from development and testing to install. Why pay a CSO if he and his team of underlings do not?
2. Any hole that is not based upon that architecture, development and install should be closed, regardless of anyone's opinion or preferred habits.
3. Anyone who is installing or developing something that shows up on a pen test that is legitimately revealed by a pen test should call the unemployment office, if it is not on the radar of a process and company security plan. Which is why I am in some favor of a full-blown pen test, but agree it should be unnecessary and targeted; I refer back to item one.
4. QSAs should get their ring of fame, but are misappropriated because of the depravity of man. If an audit shows the same breach due to the executive who refuses to close the hole because of his preferred ignorance, the security team should retain their budgeted number for the cost of the QSA and the cost should come out of the operational budget/executive fun fund.
5. Standards that are forced, like PCI has been so egregiously forced by law of the ignorant, as if it were a law, are doomed to fail when the intent is only to give self regulation and a standard, before the federal dupes in Washington get their professional lawyer hands on our compliance. So I try to take it easy on the PCI DSS, but agree it is not the Declaration of Independence.
Chris Myers
clmmacunix () charter net

John 1:17 For the Law was given through Moses; grace and truth were realized through Jesus Christ.

Go Vols!!!!

On Apr 2, 2009, at 2:29 PM, Paul D. Robertson wrote:

> On Thu, 2 Apr 2009, AMuse wrote:
>
>> Isn't the point of pen-testing to take up an attackers' perspective and
>> hit all your defenses to see if you missed something or misconfigured
>> something? I mean, unless you're the only person who set up 100% of
>
> No, it's to scare the customer into buying security.
>
>> your infrastructure, how are you to know that someone didn't
>> accidentally leave telnet open? If you didn't write 100% of the webapps
>> your company is using, how are you to know they don't have SQL injection
>> flaws?
>
> If you do a configuration audit, and code audits and build applications
> using proper design standards, then a pen test will give you no
> incremental value.
>
> Let's take a common and costly example: Your last administrator has the
> firewall set up to allow him to SSH into your main database server - but
> only from his home IP address. He was laid off last week and is
> disgruntled. Now answer these questions:
>
> What will a remote pen test show?
> What will an on-site pen test show?
> What will a configuration review show?
>
> Given all of the above, what additional value does a pen test bring to
> the table?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net    which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
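The scenario Paul poses (an SSH rule to the main database server, source-restricted to one former administrator's home address) is a good test case for what a configuration review catches that a remote pen test from any other source address cannot. The following script is an added illustration, not code from this thread or from any list member: it parses a constructed rule set in an assumed "action proto src dst dport" format (not any real firewall's syntax), and flags rules that allow admin ports to protected hosts from sources that are neither internal nor on the current, post-offboarding list of authorised remote sources. All addresses, host names and the authorised-source list are constructed.

```python
"""Configuration review for stale remote-admin firewall rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rule set; format is an assumption for this example.
# Line 3 is the "laid-off admin's home IP -> database SSH" rule.
SAMPLE_RULES = """\
# action proto src              dst              dport
allow  tcp  0.0.0.0/0          203.0.113.10/32  443
allow  tcp  198.51.100.7/32    10.0.5.20/32     22
allow  tcp  10.0.1.0/24        10.0.5.20/32     5432
allow  tcp  10.0.1.5/32        10.0.5.20/32     22
deny   any  0.0.0.0/0          0.0.0.0/0        any
"""

# Constructed environment description (what a reviewer would get from the
# architecture documentation and the current staff/asset lists).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROTECTED_HOSTS = {ipaddress.ip_address("10.0.5.20"): "db01 (main database)"}
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}
# Remote sources still authorised for admin access after offboarding.
AUTHORIZED_REMOTE_SOURCES = {ipaddress.ip_network("10.0.1.5/32"): "jump host"}


@dataclass
class Rule:
    lineno: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means "any"


def parse_rules(text: str) -> List[Rule]:
    """Parse the assumed rule format; '#' starts a comment, blanks are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, dport = line.split()
        rules.append(Rule(lineno, action.lower(), proto.lower(),
                          ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if dport == "any" else int(dport)))
    return rules


def is_internal(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(n) for n in INTERNAL_NETS)


def review(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that exposes an admin port on a protected
    host to a source that is neither internal nor currently authorised."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        ports = set(ADMIN_PORTS) if r.dport is None else {r.dport}
        hit = ports & set(ADMIN_PORTS)
        if not hit:
            continue
        if 23 in hit:  # cleartext admin protocol, flag regardless of target
            findings.append(f"line {r.lineno}: telnet permitted from {r.src} to {r.dst}")
        targets = [name for ip, name in PROTECTED_HOSTS.items() if ip in r.dst]
        if not targets:
            continue
        if is_internal(r.src) or r.src in AUTHORIZED_REMOTE_SOURCES:
            continue
        svc = ",".join(ADMIN_PORTS[p] for p in sorted(hit))
        findings.append(
            f"line {r.lineno}: {svc} to {', '.join(targets)} allowed from {r.src}, "
            "an external source not on the current authorised remote-admin list")
    return findings


if __name__ == "__main__":
    for f in review(parse_rules(SAMPLE_RULES)):
        print(f)
```

Run against the constructed rules, the review reports exactly one finding, on the line allowing SSH to db01 from 198.51.100.7. A remote pen test from the tester's own address sees that port filtered, an on-site test from inside the internal nets sees nothing unusual either, but a rule review cross-checked against the current authorised-source list surfaces it immediately.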