Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: hermit <hermit921 () yahoo com>
Date: Fri, 3 Apr 2009 08:27:48 -0700 (PDT)
I suspect my company is similar to many - a penetration test that succeeds in getting to sensitive information is the only way to get management's attention. Otherwise, "of course we are secure. No one has broken in" is the honest belief of managers at all levels. No, they don't do log analysis.

Yes, that makes pen testing a political tool rather than a technical tool, but it sure does help those of us who see security as more than an assertion by people with no security training or experience. Nothing else works.

hermit921

--- On Thu, 4/2/09, Darden, Patrick S. <darden () armc org> wrote:
From: Darden, Patrick S. <darden () armc org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: "Firewall Wizards Security Mailing List" <firewall-wizards () listserv icsalabs com>
Date: Thursday, April 2, 2009, 12:30 PM

Hmmm, no I don't think so. Network auditor would take care of regular stuff (e.g. your example of an open telnet service). Nessus, nmap, etc. Irregular stuff will be there no matter what, if someone knowledgeable enough spends enough time looking.

Pen Testing has no real purpose that I can see.... Other than as a scare tactic to put someone in their place, get more money for security from admin, shame your IT department, or etc. It is more of a social/political tool than a security instrument.

--Patrick Darden

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of AMuse
Sent: Thursday, April 02, 2009 2:59 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] PCI DSS & Firewalls

Isn't the point of pen-testing to take up an attacker's perspective and hit all your defenses to see if you missed something or misconfigured something? I mean, unless you're the only person who set up 100% of your infrastructure, how are you to know that someone didn't accidentally leave telnet open? If you didn't write 100% of the webapps your company is using, how are you to know they don't have SQL injection flaws?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards