Re: Compliance Is Wasted Money, Study Finds

[Shaqe Wan <sha8e () yahoo com>]

Nick,

Please if you don't know what the standards are, please read:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

See Requirement  #5. Read that requirement carefully and its not bad to read it twice though in case you don't figure 
it out from the first glance !

Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC, its a basic thing 
for even companies not dealing with CC too !!! Or do you state that people must use a BOX with no AV installed on it? 
If you believe in that fact? Then please request a change in the PCI DSS requirements and make them force the usage of 
a non Windows O.S, such as any *n?x system.

Finally, the topic here is not about "default allow vs default deny" and if I understand what that is or not! You can 
open a new discussion about that, and I shall join there and discuss it further with you, in case you need some 
clarification regarding it.

Regards,
Shaqe


--- On Sun, 4/25/10, Nick FitzGerald <nick () virus-l demon co uk> wrote:


> From: Nick FitzGerald <nick () virus-l demon co uk>
> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> To: full-disclosure () lists grok org uk
> Date: Sunday, April 25, 2010, 1:57 PM
>
>
> Shaqe Wan wrote:
>
> <<snip>>
> > Because it shall be nonsense to deal with CC, and not have an Anti-virus for example !!
>
> Well, you see, _that_ is abject nonsense on its face.
>
> Do you have any understanding of one of the most basic of security 
> issues -- default allow vs.
> default deny?
>
> There are many more secure ways to run systems _without_ antivirus 
> software.
>
> Anyone authoritatively stating that antivirus software is a necessary 
> component of a "reasonably secure" system is a fool.
>
> Anyone authoritatively stating that antivirus software is a necessary 
> component of a "sufficiently secure" system is one (or more) of; a 
> fool, a person with an unusually low standard of system security, or a 
> shill for an antivirus producer.
>
> So _if_, as you and another recent poster strongly imply, the PCI 
> standards include a specific _requirement_ for antivirus software, then 
> the standards themselves are total nonsense...
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/