funsec mailing list archives

Re: The PCI sky *isn't* falling!


From: Amrit Williams <johndoe321 () gmail com>
Date: Mon, 23 Mar 2009 22:13:59 -0700

I think the point he was making about you being from a vendor that offers
PCI oriented solutions for a fee is that your view is somewhat tainted and
not objective, not that there's anything wrong with having a biased view,
but it is what it is...

: I'd say that PCI DSS did more to information security than *anything
: else* since Windows added automated updates.

2 years ago you might have said...

: I'd say that "Log management" did more to information security than *anything
: else* since Windows added automated updates.

I can see a POV that states that PCI has helped organizations that lack even
a base level of security to find a path towards a base level of things they
could check for like whether or not they have updated their AV - not that it
makes them more or less secure or more or less prone to a breach, just a set of
things they can check for, but to say that "PCI DSS did more to information
security than anything else since..." is bordering on ridiculous at best.
Of course no offense Anton =)

Amrit

On Mon, Mar 23, 2009 at 9:50 PM, Anton Chuvakin <anton () chuvakin org> wrote:

: I'd say that PCI DSS did more to information security than *anything
: else* since Windows added automated updates.

Care to back that up in any way? I think the customers of Heartland, RBS
and other compromises would disagree.

Sorry, but this is kind of what I was talking about :-)  What I am
hearing in the above is that PCI was somehow supposed to guarantee
their un-hackability. Is that what you are implying? What about a
simpler explanation: they were breached DESPITE PCI DSS?


: Now, some might say that my argument is of the type "Why do 99% of
: lawyers give the rest a bad name?", but it is not. I am pretty sure that
: even companies that "do it just the auditor" or, worse, deceive their
: PCI assessor still gain a tiny fraction of risk reduction, both for
: themselves - and for the rest of us.

Is that "tiny fraction of risk reduction" evident in Heartland / RBS? Is
that fraction worth the trade-off for an entirely inflated false sense of
security?

This supposed reduction of risk was NOT in any way evident in the case of
Hland/RBS, at least not in the way it was reported publicly.  In
addition, it is entirely possible that their security staff was "under
the influence" of a false sense of security and, as a result, made
decisions that led to their compromise.

However!

PCI did drive many small organizations to think about: a) have we
updated our AV since 2004 (BTW, their answer was "no" and now it is
"yes" [debate about AV efficiency is a separate story])  b) what on
Earth is a firewall?  c) changing passwords is maybe a good idea.

That is where I think it is useful.

You forgot one part of your sig:
Director of PCI Compliance Solutions at Qualys

Was that remark intended to invalidate my arguments in any way? I hope
you are not implying that people working for a vendor are not allowed -
gasp! - their own opinion...

--
    Anton Chuvakin, Ph.D
  http://www.chuvakin.org
http://chuvakin.blogspot.com
 http://www.info-secure.org
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
