funsec mailing list archives

Re: The PCI sky *isn't* falling!


From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 24 Mar 2009 06:33:32 -0400

Kaegler, Mike wrote:

> Alone, PCI can't do a lot; one needs a competent and interested security
> professional. Likewise, said professional can't do a lot without a business
> mandate (which PCI provides).
>
> PCI is not a magic bullet, but it isn't useless theatre either (provided it's
> routed to the IT department instead of the marketing department).

Mike,

You recognized the problem and then just ignored it!

"Alone, PCI can't do a lot" -- I agree 1,000%!

"one needs a competent and interested security professional" -- and
there is the problem! In the overwhelming majority of organizations I
see that want the "PCI Stamp of Approval", there is NO security
professional involved! It is just the "web site guys" saying "we need
PCI DSS, what is the minimum we can do to get that stamp of approval?"
In reality, they couldn't care less about security. Security is an added
cost to a business with already tight margins. "We don't want security,
it's too much of a hassle -- just get us 'approved'."

"can't do a lot without a business mandate (which PCI provides)" -- I
disagree that PCI DSS even provides a mandate for security. It mandates
only certain minimum practices that give the APPEARANCE of security, but
in reality do not actually REQUIRE security. Anyone can put a firewall
in place, not really configure it, and declare "I have a firewall, so
therefore I am secure!" (We call that "M&M Security" -- just like the
candy -- hard and crunchy on the outside [maybe], soft and chewy on the
inside!) Worse, most organizations that put a firewall in place actually
think that they are now secure!! I know organizations with minimal to no
firewalls, but with good security practices, that are far more secure
than organizations with firewalls that are security clueless.

"provided it's routed to the IT department" -- most IT departments are
the first to fight security in small organizations. They want to do only
the minimum they can get by with; they are too busy with day-to-day
operations to care about passing some auditor's check list. So, what do
they do? The absolute minimum they can to get the auditor to "give them
a 'pass' and go away." Even if it means lying or deception to get the
'pass', it is only the 'pass' they care about, not anything to do with
improving security. Worse, most corporate management has the exact same
view: "Do the absolute minimum possible to get us that certification."

I stand by my statement: PCI DSS is security theater of the worst kind!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.