Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: jseymour () linxnet com (Jim Seymour)
Date: Fri, 3 Apr 2009 07:32:59 -0400 (EDT)
<lordchariot () embarqmail com> wrote:
> 5.1.1 Ensure that all anti-virus programs are capable of detecting, removing and protecting against all known types of malicious software. [Honestly? All TYPES? Every time?]

Hmm, all known types... I'm really surprised it doesn't say all UN-known types, too.
Problem is: Many anti-malware tools aren't capable of detecting much of what they haven't been taught about and, on the systems most vulnerable (or most widely-exploited today), many exploits, once they become established, prevent anti-malware tools from seeing them. (I'm certainly not telling *this* crowd anything it doesn't already know. I'm just being complete. [Or pedantic. Take your pick ;).]) The latter problem being due to a combination of poor system design, brain-dead apps and bad end-user practices.
> That's where the risk really is.
Eh. Not really. Yes: The risk is certainly there with these, but that doesn't reduce the risk posed by known (FSVO "known") malicious software.
> ...of malicious software. Is the exploitable application the offender or the data that tries to get in and trigger the exploit? Which one do I delete or protect against? The programs that read the PDF or the PDF itself?
If y'all will bear with me through a short story... Years ago, back when dialup and glass ttys were still the way we accessed systems remotely, one of the software engineers wanted to do something he felt was Totally Safe. (I no longer recall what it was.) One of the other software engineers, who was also a part-time admin, was in favour of allowing it. I shot it down. I explained that many security compromises were not the result of one, big, gaping hole, but often a series of little vulnerabilities that, taken separately, might not seem like such a big deal, but that, when chained together, were a Real Threat. Then I showed them how that applied to what they wanted to do. They were quite astonished.

The point of that story is this: The reasons that the currently most-widely-exploited systems *are* that way isn't for any single reason. It's for a series of reasons that, when put together, turn them into what I call "electronic petri dishes." It is inadequate design; poor design and coding practices of the OS, OS-level stuff and its applications, and poor end-user practices--sometimes literally *mandated* by these things--even when general cluelessness is not at fault. How are customers told to address these weaknesses? By hanging bags off the side of them. Ineffective bags.

It's kind of sounding to me like PCI is current history repeating itself. I can't say as I'm overly surprised. And I'm kind of getting past being disappointed.

Regards,
Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.linxnet.com/contact/scform.php>.