funsec mailing list archives
Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach
From: Michael Graham <jmgraham () gmail com>
Date: Mon, 27 Jul 2009 17:45:04 -0400
On Mon, Jul 27, 2009 at 4:47 PM, <chris () blask org> wrote:
> I still think PCI is fine for what it is, but confusing it with "all I need to do to secure myself" is the problem. What the DSS is is a least-common-denominator of some of the things that should be done, as could be agreed to by a committee of lawyers. As far as that goes it is correct: you should in fact have a firewall, configure it, separate data.... But thinking that achieving PCI compliance is all anyone needs to do - particularly, as you say, in large shops - is rank madness. I'll take them at their word that they passed a PCI audit; the SSC will be extremely cranky with them if they say they did when they didn't. But I would want them to have at least set up serious monitoring of traffic (as is not required by PCI) and preferably application behavior if at all possible, too - which is highly unlikely what they did. I'm thinking you could argue that the DSS actually makes things worse by lulling folks into a false sense of security, but I'm willing to bet that these same folks would have done no more (and maybe less) without it... -chris
This is essentially exactly what annoys me about PCI as it's often thrown around these days. It's difficult to find companies that need to be PCI compliant that are running real, serious internal risk management programs to make their own decisions about risk and avoidance/mitigation. Instead they have a lowest common denominator to apply, and after that, well, it's not their problem. The mentality is obvious in the companies that suffer breaches and immediately blurt out "We were PCI compliant!" As if that's a defense against the rudeness of reality. Obviously, meeting an arbitrary metric shouldn't absolve you of the responsibility to make your own risk decisions as appropriate to your business and your customers, and after having done so it doesn't absolve you of the responsibility to execute those risk decisions properly. Compound this absurd notion that PCI compliance divests you of core custodian responsibilities with the questionable value of PCI itself and we've got the PCI council helping all of us into an overall worse security situation, not a better one, regardless of intent.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Fwd: [Dataloss] Network Solutions was PCI compliant before breach Paul Ferguson (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Valdis . Kletnieks (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Michael Graham (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach chris (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Michael Graham (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Chris Blask (Jul 27)
- Re: new cybersecurity laws (was: Network Solutions was PCI compliant before breach) Young, Keith (Jul 28)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach chris (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Alexandre Dulaunoy (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Valdis . Kletnieks (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliantbefore breach Larry Seltzer (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliantbefore breach chris (Jul 27)