Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: Chris Blask <chris () blask org>
Date: Thu, 2 Apr 2009 19:56:49 -0700 (PDT)


From: Marcus J. Ranum <mjr () ranum com>,  Thursday, April 2, 2009 2:17:10 PM
Chris Blask wrote:
having more Pen Testing done in the world is itself a move in a positive direction, so that's a good thing by any 
metric.

I disagree.


Now, how did I know you might?

What does pen testing show?? Pen testing can show one of two things:
- your security sucks
- your security is better than your pen tester

Neither of those two determinations is equal to "your security is
good."


Well, this brings us back around to the age-old debate.  Namely: "Can we start over or do we make the best of the sow's 
ear that we have?"  As you know I'm not big on holding out hope for starting over, and I'm not so sure that if we did 
we'd avoid the 'Ah Ha!' moments which always crop up halfway into any huge project and thoroughly shoot the idea of a 
Pure Implementation in the foot anyway.

But since we aren't going to rebuild the whole thing - or even a single business network - we do with what we have.  
And in that case, pointing out some of the ways your security sucks - and showing you how to fix those - is 
statistically a step in the right direction.  Maybe you won't be the one to get compromised - maybe they'll get the 
next guy who didn't even try to secure his system - and maybe you'll start taking security more seriously as you 
continue to build out your business systems.

I'm much more an advocate of paying attention to what the hell is going on with your network than simply doing testing 
to find the weaknesses, but both fall into the realm of tuning and operating what you have as well as it can be managed.

a root cause and it's that "your managers are stupid" or "your
executive management is clueless" or both. Those are not especially
popular results but we both know of infinite numbers of stories of
executives who didn't take security seriously until some pen
test rubbed their nose in it. Pen testing may be a short-term
cure for stupid, but it's a fairly expensive way of doing
it and I doubt that it works particularly well in the long-term.


It's not our job to cure stupid, it's to make systems more secure, whatever the situation on the ground happens to be. 
As in the case where you buy more or less insurance, whether or not you have been smart or stupid will not be resolved 
until the risk the insurance covers does or does not occur.  We're just here to sell and install the risk mitigation 
that we can help you understand and that you choose to pay for.

So, generally I disagree with you, Chris. I think pen testing
serves as an indicator of stupid more than anything else.
Don't be confused by the fact that the indicator is in the
red zone; it doesn't mean what you think it does.


I know you do, it's one of your more enduring characteristics. :~)

-cheers!

-chris


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

