Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: jseymour () linxnet com (Jim Seymour)
Date: Fri, 3 Apr 2009 07:32:59 -0400 (EDT)


<lordchariot () embarqmail com> wrote:

> 5.1.1 Ensure that all anti-virus programs are capable of detecting,
> removing and protecting against all known types of malicious software.
>
> [Honestly?  All TYPES?  Every time?]

Hmm, all known types... 
I'm really surprised it doesn't say all UN-known types, too.

Problem is: Many anti-malware tools aren't capable of detecting much of
what they haven't been taught about and, on the systems most vulnerable
(or most widely-exploited today), many exploits, once they become
established, prevent anti-malware tools from seeing them.  (I'm
certainly not telling *this* crowd anything it doesn't already know.
I'm just being complete.  [Or pedantic.  Take your pick ;).])  The
latter problem is due to a combination of poor system design,
brain-dead apps and bad end-user practices.

> That's where
> the risk really is.

Eh.  Not really.  Yes: The risk is certainly there with these, but
that doesn't reduce the risk posed by known (FSVO "known") malicious
software.


> ...of malicious software.
> Is the exploitable application the offender or the data that tries to get in
> and trigger the exploit? Which one do I delete or protect against? The
> programs that read the PDF or the PDF itself?

If y'all will bear with me through a short story...

Years ago, back when dialup and glass ttys were still the way we
accessed systems remotely, one of the software engineers wanted to do
something he felt was Totally Safe.  (I no longer recall what it was.)
One of the other software engineers, who was also a part-time admin,
was in favour of allowing it.  I shot it down.  I explained that many
security compromises were not the result of one, big, gaping hole, but
often a series of little vulnerabilities that, taken separately, might
not seem like such a big deal, but that, when chained-together, were a
Real Threat.  Then I showed them how that applied to what they wanted
to do.  They were quite astonished.

The point of that story is this: The reason that the currently
most-widely-exploited systems *are* that way isn't any single reason.
It's a series of reasons that, when put together, turn them into
what I call "electronic petri dishes."  It is inadequate design; poor
design and coding practices of the OS, OS-level stuff and its
applications, and poor end-user practices--sometimes literally
*mandated* by these things--even when general cluelessness is not at
fault.  How are customers told to address these weaknesses?  By hanging
bags off the side of them.  Ineffective bags.

It's kind of sounding to me like PCI is current history repeating
itself.

I can't say as I'm overly surprised.  And I'm kind of getting past
being disappointed.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards