Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Chris Blask <chris () blask org>
Date: Thu, 2 Apr 2009 19:56:49 -0700 (PDT)
From: Marcus J. Ranum <mjr () ranum com>, Thursday, April 2, 2009 2:17:10 PM
Chris Blask wrote:
> having more Pen Testing done in the world is itself a move in a positive direction, so that's a good thing by any metric.
I disagree.
Now, how did I know you might?
What does pen testing show? Pen testing can show one of two things:
- your security sucks
- your security is better than your pen tester

Neither of those two determinations is equal to "your security is good."
Well, this brings us back around to the age-old debate. Namely: "Can we start over or do we make the best of the sow's ear that we have?" As you know I'm not big on holding out hope for starting over, and I'm not so sure that if we did we'd avoid the 'Ah Ha!' moments which always crop up halfway into any huge project and thoroughly shoot the idea of a Pure Implementation in the foot anyway. But since we aren't going to rebuild the whole thing - or even a single business network - we do with what we have. And in that case, pointing out some of the ways your security sucks - and showing you how to fix those - is statistically a step in the right direction. Maybe you won't be the one to get compromised - maybe they'll get the next guy who didn't even try to secure his system - and maybe you'll start taking security more seriously as you continue to build out your business systems. I'm much more an advocate of paying attention to what the hell is going on with your network than simply doing testing to find the weaknesses, but both fall into the realm of tuning and operating what you have as well as it can be managed. .d.
a root cause and it's that "your managers are stupid" or "your executive management is clueless" or both. Those are not especially popular results but we both know of infinite numbers of stories of executives who didn't take security seriously until some pen test rubbed their nose in it. Pen testing may be a short-term cure for stupid, but it's a fairly expensive way of doing it and I doubt that it works particularly well in the long-term.
It's not our job to cure stupid, it's to make systems more secure, whatever the situation on the ground happens to be. As in the case where you buy more or less insurance, whether or not you have been smart or stupid will not be resolved until the risk the insurance covers does or does not occur. We're just here to sell and install the risk mitigation that we can help you understand and that you choose to pay for. .d.
So, generally I disagree with you, Chris. I think pen testing serves as an indicator of stupid more than anything else. Don't be confused by the fact that the indicator is in the red zone; it doesn't mean what you think it does.
I know you do, it's one of your more enduring characteristics. :~)

-cheers!

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards