Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
It appears that the content of the security audit procedures (the PDF downloadable from https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html) still has not crept into this discussion by some who consider PCI a waste of effort, merely a comment on the 12 section headings of PCI DSS.

Judging anything by responding to key words, without considering context, usually leads to expensive and potentially non-compliant outcomes in my experience. This is particularly true of PCI DSS compliance efforts among many companies I've worked with.

Just on anti-malware solutions per PCI DSS, to take one example. Take a piece of paper and list the ways in which malware controls can be implemented, then see how many are point solutions from vendors. Here's a start, using mechanisms that can be PCI DSS compliant:

* Most anti-virus software products (the easy route on some platforms; particularly good when non-Windows platforms exchange complex content with Windows platforms, e.g. mail relays, web servers etc.)
* Application whitelisting (hard to tune, but good in some scenarios, especially servers)
* File integrity controls (good, once tuned and applied comprehensively to the target servers)
* Using an operating system that is not commonly susceptible to malware (rare, but does happen)

Some of the options listed above can be free, other than some labour time to implement the necessary changes. Although a product is marketed as an anti-virus product, it may not meet all PCI DSS expectations, e.g. detecting malware is one criterion on which some solutions fail.

The above ignores the update, logging, monitoring and response processes behind the above options, for simplicity in this discussion.
lyal

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Tuesday, 27 April 2010 11:33 PM
To: Lyal Collins
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

> Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org.

Were you even following the thread? There's been at least 4 times where different people cited different parts of the standard. But I would suppose that there's always the possibility of someone imagining the standard, who knows!

> AV is about 4 requirements out of over 230 requirements

Actually, it's the 5th out of 12... https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

> Many views in this thread sound like drowning people who reject a lifeboat because it doesn't match their eye colour.

And I take it the lifeboat matched your eye-colour? By your comparison, it doesn't match my eye colour and neither the amount of holes in the lifeboat as I would deem safe. Sure, some people would evacuate on a handkerchief if it means less money more compliance.

I don't think you grasped the point either, so I won't argue with the rest of your message.

On Tue, Apr 27, 2010 at 12:34 AM, Lyal Collins ly...@swiftdsl.com.au wrote:

> Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org.
>
> AV is about 4 requirements out of over 230 requirements, covering secure coding/development, patching, network security, hardening systems, least privilege, robust authentication, staff probity, physical security, obligations on third parties, annual risk assessments and improvements, plus annually re-validating all of these security control areas.
>
> Many views in this thread sound like drowning people who reject a lifeboat because it doesn't match their eye colour. PCI DSS isn't perfect, but it is fairly comprehensive about confidentiality.
>
> In terms of all organisational information security threats, PCI DSS lacks a focus on DR/BCP and integrity of data and system (other than that subset of threats affecting protection of card data). I posit that DR and data integrity are as much a commercial decision as an information security goal, for which simple, repeatable processes are already available and reasonably well known amongst IT professionals.
>
> Anti-virus and anti-malware products are not perfect either, but they are better than the alternative of 'doing nothing until a perfect solution is found', an undertone I see so often in this list and among many well-intentioned but unsuccessful security professionals at sites I visit. Implementing any halfway decent solution is almost always better than doing nothing, when it comes to reducing risk and increasing assurance. Implementing ongoing improvements is a cost-effective spend of scarce security/IT dollars. Building the 'perfect' security solution is too expensive and takes too long - by the time it's delivered, security threats have moved on, and you remain vulnerable.
>
> There are some dreadful compliance programs out there. There are some
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Tue, Apr 27, 2010 at 08:58:24AM -0400, Honer, Lance wrote:

> > What's your choice: Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year). Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus.
>
> You do realize that PCI says everything you stated above needs to be done, right?

I never stated what needs to be done or what PCI might require :)

And I didn't ask to compare the two statements but just choose your priority:

A = Spend money on compliance but don't *think* about your threats
B = Think about security, reduce your risks and don't waste money on compliance

'nuff said

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> A = Spend money on compliance

'A' is *mandatory* if you choose to do certain operations in-house. Why is this so hard to understand?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws.

Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure.

The argument where compliance is wasted money still holds.

Cheers.

On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan sh...@yahoo.com wrote:

> Hola,
>
> The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC !!! It's something that is enforced on you !
>
> BTW: why don't people discuss what is the points missing in the PCI Compliance better than this argue ?
>
> Regards,
>
> From: Christian Sciberras uuf6...@gmail.com
> To: Shaqe Wan sh...@yahoo.com
> Cc: full-disclosure@lists.grok.org.uk
> Sent: Mon, April 26, 2010 4:19:27 PM
> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
> OK. All those in favour of PCI raise their hands.
>
> Kidding aside, of course it is a must, since the said companies don't have any notion of security before this happens. However, how much is this actually helpful? Now let's be honest, how much would it stop a potential attacker from getting into a system protected by PCI? Little, if at all. On the other hand, a company should adopt real and complete security practices.
>
> Again, my point is, these companies shouldn't be educated or limit their security to this standard. Because if they do (and I'm pretty sure they do) would make this standard pretty much useless.
>
> Anyway, I won't get into this argument, since no one will give a sh*t about it anyway.
>
> Cheers.
>
> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan sh...@yahoo.com wrote:
>
> Christian,
>
> Did you read my first post? ((( IMO, PCI is not that big security policy, but without it you're not able to use the credit card companies' gateway. I think it's just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example !! )))
>
> I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important.
>
> He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS !!!
>
> Regards,
>
> From: Christian Sciberras uuf6...@gmail.com
> To: Shaqe Wan sh...@yahoo.com
> Cc: full-disclosure@lists.grok.org.uk
> Sent: Mon, April 26, 2010 3:54:20 PM
> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
> Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements?
>
> By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me...
>
> Cheers.
>
> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan sh...@yahoo.com wrote:
>
> Nick,
>
> Please if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>
> See *Requirement #5*. Read that requirement carefully and it's not bad to read it twice though in case you don't figure it out from the first glance !
>
> Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC, it's a basic thing for even companies not dealing with CC too !!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact? Then please request a change in the PCI DSS requirements and make them force the usage of a non Windows O.S, such as any *n?x system.
>
> Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.
>
> Regards,
> Shaqe
>
> --- On Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk wrote:
>
> From: Nick FitzGerald n...@virus-l.demon.co.uk
> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> To: full-disclosure@lists.grok.org.uk
> Date: Sunday, April 25, 2010, 1:57 PM
>
> Shaqe Wan wrote:
>
> snip
>
> Because it shall be nonsense to deal with CC, and not have an Anti-virus for example !!
>
> Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.
>
> Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool. Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing).

You stated it yourself, an anti-virus may not do any difference, it is there as per PCI standard. So what is its use? Why the heck do I have to install something useless?

Lastly, that is where you are wrong, there is no base starting point: companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem.

NB: I do use anti-virus software, what I specified above is not in any way my opinion about anti-virus vendors, etc.

On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan sh...@yahoo.com wrote:

> Hi,
>
> I don't actually believe there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements drop them and make audits based on some other measure that you believe is more secure and has less flaws in it.
>
> Finally, regarding the AV issue that I wish I end here, is that I don't believe that an AV shall make your box secure, but it's a requirement to be done - Added by PCI
>
> And yes I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic.
>
> Finally, the compliance can be taken of as a base starting point, and then moving further, like that it shall not be a waste of money !
>
> Regards,
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Lastly, that is where you are wrong, there is no base starting point: companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem.

Well, when this occurs, they are not compliant = Epic FAIL = wasted dollars. i.e. they went through a process, got a point-in-time report, then promptly forgot all those procedures they promised (and showed) they were actually following.

PCI DSS requires ongoing security management, patching, change control, monitoring and alert responses. If a company subject to PCI DSS does this, then that company has wasted its money - but the standard remains an effective risk reduction program.

Smart companies don't waste money this way.

lyal

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
Sent: Tuesday, 27 April 2010 5:37 PM
To: Shaqe Wan
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

> Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing).
>
> You stated it yourself, an anti-virus may not do any difference, it is there as per PCI standard. So what is its use? Why the heck do I have to install something useless?
>
> Lastly, that is where you are wrong, there is no base starting point: companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem.
>
> NB: I do use anti-virus software, what I specified above is not in any way my opinion about anti-virus vendors, etc.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Why are you saying wasted money? They didn't waste it, they allocated that sum to cater for PCI compliance and they are still PCI compliant. I.e., it is not wasted in the sense that they obtained what they wanted. The point in question is, does PCI obtain what it should be?

However, as many already said before, PCI is only basic security, it doesn't cover full details. In short, PCI Compliant != Secure. Basic Security != Optimal Security.

Smart companies usually take security seriously. But why did we deviate to the 1% of all companies out there? Security isn't about smart companies, it is about all of them.

On Tue, Apr 27, 2010 at 10:01 AM, Lyal Collins lyal.coll...@key2it.com.au wrote:

> > Lastly, that is where you are wrong, there is no base starting point: companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem.
>
> Well, when this occurs, they are not compliant = Epic FAIL = wasted dollars. i.e. they went through a process, got a point-in-time report, then promptly forgot all those procedures they promised (and showed) they were actually following.
>
> PCI DSS requires ongoing security management, patching, change control, monitoring and alert responses. If a company subject to PCI DSS does this, then that company has wasted its money - but the standard remains an effective risk reduction program.
>
> Smart companies don't waste money this way.
>
> lyal
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
In short, you just said that PCI compliance _is_ a waste of time and money. Why else would you protect something which is bound to fail anyway?!

This is a lost battle, as I said no one cares about the arguments because these people fall into three categories:
- they believe the illusion that PCI by itself enhances security
- they do their job and don't give a f*ck about it
- they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)

On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan sh...@yahoo.com wrote:

> You won't know not now, not ever. Maybe they do get a commission for your AV installation, who knows ! But maybe they think it is something that everybody needs so they force it. To get to know the true answer, we need to sit down with the guys who wrote the requirements and brainstorm with them those issues.
>
> We shall keep just running around and around in a circle here, because no one here if no CC company guy is around can give a definite answer. Just our simple argues !
>
> As I said before, I have to use it on a Windows box, because it's a requirement, it's not my opinion at all.
>
> I 100% agree with you about most of the companies seek the paper work and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)
>
> NB: I don't use an AV, never did, and never will :p
>
> Regards,
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Where did I say that it's a waste of time and money?

Here you go:

> I 100% agree with you about most of the companies seek the paper work and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)

> BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

Then I'm afraid this argument ends here.

Cheers.

On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan sh...@yahoo.com wrote:

> Where did I say that it's a waste of time and money? Hmmm, strange !!!
>
> BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D
We shall keep just running around and around in a circle here, because no one here if no CC company guy is around can give a definite answer. Just our simple argues ! As I said before, I have to use it on a windows box, because its a requirement, its not my opinion at all. I 100% agree with you about most of the companies seek the paper work and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :) NB: I don't use an AV, never did, and never will :p Regards, -- *From:* Christian Sciberras uuf6...@gmail.com *To:* Shaqe Wan sh...@yahoo.com *Cc:* full-disclosure@lists.grok.org.uk *Sent:* Tue, April 27, 2010 10:37:24 AM *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing). You stated it yourself, an anti-virus may not do any difference, it is there as per PCI standard.so what is it's use? Why the heck do I have to install something useless? Lastly, that is where you are wrong, there is no base starting point companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem. NB: I do use anti-virus software, what I specified above is not in any way my opinion about anti-virus vendors, etc. On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan sh...@yahoo.com wrote: Hi, I don't actually beleive there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements drop them and make audits based on some other measure that you believe is more secure and has less flaws in it. 
Finally, regarding the AV issue that I wish I end here, is that I don't believe that an AV shall make your box secure, but its a requirement to be done - Added by PCI And yes I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic. Finally, the compliance can be taken of as a base starting point, and then moving further, like that it shall not be a waste of money ! Regards, -- *From:* Christian Sciberras uuf6...@gmail.com *To:* Shaqe Wan sh...@yahoo.com *Cc:* full-disclosure@lists.grok.org.uk *Sent:* Tue, April 27, 2010 9:59:59 AM *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws. Besides, in a democratic society (where CC do operate as well), you can't force someone to install
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
There is a big difference between being secure and being compliant. If it's a company's desire to be compliant, they may never be secure. However, if they strive to be secure, they will always be compliant no matter what framework they are chasing. I agree... money spent on compliance is useless. Money should be spent on being secure. Take it for what it cost you,

-Jeff

Date: Tue, 27 Apr 2010 10:34:22 +0200
From: uuf6...@gmail.com
To: sh...@yahoo.com
CC: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Where did I say that it's a waste of time and money?

Here you go:

I 100% agree with you that most of the companies seek the paperwork and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)

BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

Then I'm afraid this argument ends here. Cheers.

On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan sh...@yahoo.com wrote:

Where did I say that it's a waste of time and money? Hmmm, strange!!! BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:22:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

In short, you just said that PCI compliance _is_ a waste of time and money. Why else would you protect something which is bound to fail anyway?! This is a lost battle; as I said, no one cares about the arguments because these people fall into three categories:
- they believe the illusion that PCI by itself enhances security
- they do their job and don't give a f*ck about it
- they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)

On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan sh...@yahoo.com wrote:

You won't know, not now, not ever. Maybe they do get a commission for your AV installation, who knows! But maybe they think it is something that everybody needs, so they force it. To get to know the true answer, we need to sit down with the guys who wrote the requirements and brainstorm those issues with them. We shall keep just running around and around in a circle here, because no one here, if no CC company guy is around, can give a definite answer. Just our simple arguments! As I said before, I have to use it on a Windows box, because it's a requirement, it's not my opinion at all. I 100% agree with you that most of the companies seek the paperwork and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :) NB: I don't use an AV, never did, and never will :p Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 10:37:24 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing). You stated it yourself, an anti-virus may not make any difference, it is there as per PCI standard. So what is its use? Why the heck do I have to install something useless? Lastly, that is where you are wrong, there is no base starting point; companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaking problem. NB: I do use anti-virus software; what I specified above is not in any way my opinion about anti-virus vendors, etc.

On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan sh...@yahoo.com wrote:

Hi, I don't actually believe there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements to drop them and make audits based on some other measure that you believe is more secure and has fewer flaws in it. Finally, regarding the AV issue that I wish to end here: I don't believe that an AV shall make your box secure, but it's a requirement to be done - added by PCI. And yes, I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic. Finally, the compliance can be taken as a base starting point, and then moving further; like that it shall not be a waste of money! Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Your comparison doesn't work. It's not A versus B, it's A versus C, with C being "Company does nothing because it can't afford a thorough security program."

On Mon, Apr 26, 2010 at 2:07 PM, Michel Messerschmidt li...@michel-messerschmidt.de wrote:

On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote: I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important.

Did you consider that an anti-virus may actually be the worst security solution for certain threats because it allows companies not to think about security while providing insufficient protection? What's your choice: Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year). Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus.

He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!!

No, I don't think so.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org. AV is about 4 requirements out of over 230 requirements, covering secure coding/development, patching, network security, hardening systems, least privilege, robust authentication, staff probity, physical security, obligations on third parties, annual risk assessments and improvements, plus annually re-validating all of these security control areas.

Many views in this thread sound like drowning people who reject a lifeboat because it doesn't match their eye colour. PCI DSS isn't perfect, but it is fairly comprehensive about confidentiality. In terms of all organisational information security threats, PCI DSS lacks a focus on DR/BCP and integrity of data and system (other than that subset of threats affecting protection of card data). I posit that DR and data integrity are as much a commercial decision as information security goals, for which simple, repeatable processes are already available and reasonably well known amongst IT professionals.

Anti-virus and anti-malware products are not perfect either, but they are better than the alternative of 'doing nothing until a perfect solution is found', an undertone I see so often in this list and among many well-intentioned but unsuccessful security professionals at sites I visit. Implementing any halfway decent solution is almost always better than doing nothing, when it comes to reducing risk and increasing assurance. Implementing ongoing improvements is a cost-effective spend of scarce security/IT dollars. Building the 'perfect' security solution is too expensive and takes too long - by the time it's delivered, security threats have moved on, and you remain vulnerable.

There are some dreadful compliance programs out there. There are some excellent compliance standards. The

lyal
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Pieter, I somehow agree with you that using an AV is not always necessary if you have implemented good protection for your environment, but I meant in my previous comments that using an AV is a requirement of PCI, it is forced on us. If you deal with CC then you need to get compliant and that means you need to install an AV based on the compliance requirements. It's a shame, but that's a fact. Regards,

From: Pieter de Boer pie...@thedarkside.nl
To: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 5:20:01 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Shaqe Wan wrote: I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important. He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!!

Now you've missed both Nick's and Christian's points ;) Nick's point was (at least, this is how I understood it ;) that AV is not necessarily the best approach to protect your systems against malware. If you have implemented a better way to protect your systems against malware, but the PCI standard and auditors force you to install AV software anyway, then the standard or the auditor's practices are flawed. Please do remember that adding complexity in the form of AV software can have a negative impact on security. The recent McAfee 'svchost.exe' debacle is a perfect example.

-- Pieter
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Hola, The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC!!! It's something that is enforced on you! BTW: why don't people discuss what the points missing in the PCI Compliance are, rather than this argument? Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 4:19:27 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

OK. All those in favour of PCI raise their hands. Kidding aside, of course it is a must, since the said companies don't have any notion of security before this happens. However, how much is this actually helpful? Now let's be honest, how much would it stop a potential attacker from getting into a system protected by PCI? Little, if at all. On the other hand, a company should adopt real and complete security practices. Again, my point is, these companies shouldn't be educated on or limit their security to this standard. Because if they do (and I'm pretty sure they do) it would make this standard pretty much useless. Anyway, I won't get into this argument, since no one will give a sh*t about it anyway. Cheers.

On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan sh...@yahoo.com wrote:

Christian, Did you read my first post? ((( IMO, PCI is not that big a security policy, but without it you're not able to use the credit card companies' gateway. I think it's just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!! ))) I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important. He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!! Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 3:54:20 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements? By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me... Cheers.

On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan sh...@yahoo.com wrote:

Nick, Please, if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml See Requirement #5. Read that requirement carefully and it's not bad to read it twice though, in case you don't figure it out from the first glance! Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact? Then please request a change in the PCI DSS requirements and make them force the usage of a non-Windows O.S, such as any *n?x system. Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it. Regards, Shaqe

--- On Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM

Shaqe Wan wrote: snip Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software. Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool. Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of: a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer. So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards, Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Michel, Sorry, I didn't understand your first question! Regarding your 2nd question: You won't get compliant if you update your AV on an annual basis. You shall fail the quarterly check done by a QSA. So the first check is not available. For me, if the company's staff is well educated and we have a good IR team, plus the other goodies you mentioned, then for sure I shall go with selection #2 :) I hate these rules, but really they are something enforced on us. And without them our business can't be done. Or does someone here suggest we close our shops/companies and go home just because we dislike/disagree/hate the PCI Compliance requirements? I think that it's not bad to implement these requirements to get compliant by these companies, and then do what we think is the best. I.e., develop more security policy to work on top of the PCI or vice versa. Get compliant then go further. BTW: I hope you're able to understand my point, as my English seems to be bad :( Regards,

From: Michel Messerschmidt li...@michel-messerschmidt.de
To: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 12:07:14 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote: I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important.

Did you consider that an anti-virus may actually be the worst security solution for certain threats because it allows companies not to think about security while providing insufficient protection? What's your choice: Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year). Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus.

He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!!

No, I don't think so.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Yep, you're right. The auditors nowadays even ask for an AV on a *n?x OS (what a shame)!!!

From: Digital X digital...@gmail.com
To: Tracy Reed tr...@ultraviolet.org; Nick FitzGerald n...@virus-l.demon.co.uk
Cc: Full-disclosure full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 3:48:05 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

PCI only requires antivirus for systems commonly affected by viruses. This means Windows. PCI security council has said that UN*X OSs etc. are not required to have antivirus.
-- Tracy Reed http://tracyreed.org

Just an FYI... if your nix devices are in scope, my last audit (4 weeks ago) directed me to install A/V plus a rootkit finder on Linux devices in scope. Whitelisting is an alternative, but seems more of a headache than A/V. Hope this helps someone somewhere.

James
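The thread keeps naming alternatives to AV on non-Windows hosts (whitelisting, a rootkit finder, file-integrity checking) without showing what one looks like. Here is an added example, not from any poster in the thread or from any of the tools named: a minimal hash-baseline file-integrity check of the kind AIDE or Tripwire do, which is also the core of a whitelisting approach (only files whose hash is in the approved set are trusted). The fake bin/etc tree, the tampering it simulates and the function names are all constructed for the demo.

```python
"""Minimal file-integrity baseline/verify (added example, not from the thread).

Builds a SHA-256 + mode baseline over a directory tree, then re-scans and
reports files that were added, removed or modified. The directory contents
used by demo() are constructed inline so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash and mode bits.

    Symlinks are skipped: an attacker could point one at a benign file to mask
    a replaced binary, so links are inventoried separately in real tools.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        baseline[rel] = {"sha256": sha256_file(p), "mode": p.stat().st_mode & 0o7777}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Re-scan root and diff against baseline; returns sorted added/removed/modified lists."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(rel for rel in known & seen if current[rel] != baseline[rel]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/etc tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps\n")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Simulated compromise: a trojaned ps that hides a process name,
        # a dropped unknown binary, and a deleted config file.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps | grep -v evil\n")
        (root / "bin" / "evil").write_bytes(b"\x7fELF constructed payload stub")
        (root / "etc" / "passwd").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check is only as trustworthy as the baseline: keep it off-host or signed, since an attacker who gets root can otherwise re-baseline the box after replacing binaries, which is exactly the case the rootkit finder the auditor asked for is meant to catch.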
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Hi, I don't actually believe there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements to drop them and make audits based on some other measure that you believe is more secure and has fewer flaws in it. Finally, regarding the AV issue that I wish to end here: I don't believe that an AV shall make your box secure, but it's a requirement to be done - added by PCI. And yes, I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic. Finally, the compliance can be taken as a base starting point, and then moving further; like that it shall not be a waste of money! Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 9:59:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Perhaps you haven't noticed, this is Full-Disclosure, which at least is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws. Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure. The argument where compliance is wasted money still holds. Cheers.

On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan sh...@yahoo.com wrote:

Hola, The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC!!! It's something that is enforced on you! BTW: why don't people discuss what the points missing in the PCI Compliance are, rather than this argument? Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 4:19:27 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

OK. All those in favour of PCI raise their hands. Kidding aside, of course it is a must, since the said companies don't have any notion of security before this happens. However, how much is this actually helpful? Now let's be honest, how much would it stop a potential attacker from getting into a system protected by PCI? Little, if at all. On the other hand, a company should adopt real and complete security practices. Again, my point is, these companies shouldn't be educated on or limit their security to this standard. Because if they do (and I'm pretty sure they do) it would make this standard pretty much useless. Anyway, I won't get into this argument, since no one will give a sh*t about it anyway. Cheers.

On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan sh...@yahoo.com wrote:

Christian, Did you read my first post? ((( IMO, PCI is not that big a security policy, but without it you're not able to use the credit card companies' gateway. I think it's just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!! ))) I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a Windows environment, an AV is important. He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!! Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 3:54:20 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements? By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me... Cheers.

On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan sh...@yahoo.com wrote:

Nick, Please, if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml See Requirement #5. Read that requirement carefully and it's not bad to read it twice though, in case you don't figure it out from the first glance! Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact? Then please request a change in the PCI DSS requirements and make them force the usage of a non-Windows O.S, such as any *n?x system. Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
You won't know, not now, not ever. Maybe they do get a commission for your AV installation, who knows! But maybe they think it is something that everybody needs, so they force it. To get to know the true answer, we need to sit down with the guys who wrote the requirements and brainstorm those issues with them. We shall keep just running around and around in a circle here, because no one here, if no CC company guy is around, can give a definite answer. Just our simple arguments! As I said before, I have to use it on a Windows box, because it's a requirement, it's not my opinion at all. I 100% agree with you that most of the companies seek the paperwork and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :) NB: I don't use an AV, never did, and never will :p Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 10:37:24 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing). You stated it yourself, an anti-virus may not make any difference, it is there as per PCI standard. So what is its use? Why the heck do I have to install something useless? Lastly, that is where you are wrong, there is no base starting point; companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaking problem. NB: I do use anti-virus software; what I specified above is not in any way my opinion about anti-virus vendors, etc.

On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan sh...@yahoo.com wrote:

Hi, I don't actually believe there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements to drop them and make audits based on some other measure that you believe is more secure and has fewer flaws in it. Finally, regarding the AV issue that I wish to end here: I don't believe that an AV shall make your box secure, but it's a requirement to be done - added by PCI. And yes, I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic. Finally, the compliance can be taken as a base starting point, and then moving further; like that it shall not be a waste of money! Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 9:59:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Perhaps you haven't noticed, this is Full-Disclosure, which at least is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws. Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure. The argument where compliance is wasted money still holds. Cheers.

On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan sh...@yahoo.com wrote:

Hola, The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC!!! It's something that is enforced on you! BTW: why don't people discuss what the points missing in the PCI Compliance are, rather than this argument? Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 4:19:27 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

OK. All those in favour of PCI raise their hands. Kidding aside, of course it is a must, since the said companies don't have any notion of security before this happens. However, how much is this actually helpful? Now let's be honest, how much would it stop a potential attacker from getting into a system protected by PCI? Little, if at all. On the other hand, a company should adopt real and complete security practices. Again, my point is, these companies shouldn't be educated on or limit their security to this standard. Because if they do (and I'm pretty sure they do) it would make this standard pretty much useless. Anyway, I won't get into this argument, since no one will give a sh*t about it anyway. Cheers.

On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan sh...@yahoo.com wrote:

Christian, Did you read my first post? ((( IMO, PCI is not that big a security policy, but without it you're
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
FYI, The Evolution of PCI DSS http://www.net-security.org/secworld.php?id=9202

Guys, they are evolving, so be calm :)

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:34:22 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

> Where did I say that it's a waste of time and money?

Here you go:

> I 100% agree with you about most of the companies seeking the paperwork and getting PCI certified and not really bothering about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)

> BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

Then I'm afraid this argument ends here.

Cheers.

On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan sh...@yahoo.com wrote:

Where did I say that it's a waste of time and money? Hmmm, strange!!!

BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:22:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

In short, you just said that PCI compliance _is_ a waste of time and money. Why else would you protect something which is bound to fail anyway?!

This is a lost battle; as I said, no one cares about the arguments because these people fall into three categories:
- they believe the illusion that PCI by itself enhances security
- they do their job and don't give a f*ck about it
- they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)

On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan sh...@yahoo.com wrote:

You won't know, not now, not ever.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> What's your choice: Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year). Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus.

You do realize that PCI says everything you stated above needs to be done, right?

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Where did I say that it's a waste of time and money? Hmmm, strange!!!

BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:22:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

In short, you just said that PCI compliance _is_ a waste of time and money. Why else would you protect something which is bound to fail anyway?!

This is a lost battle; as I said, no one cares about the arguments because these people fall into three categories:
- they believe the illusion that PCI by itself enhances security
- they do their job and don't give a f*ck about it
- they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Christian,

I said most, not all :)

And yes, for me I don't give the f*ck about it, as long as there is no one that hears you. Do I have to jump from a tower so they see what I am stating?

Cheers

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Tue, April 27, 2010 11:34:22 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

> Where did I say that it's a waste of time and money?

Here you go:

> I 100% agree with you about most of the companies seeking the paperwork and getting PCI certified and not really bothering about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)

> BTW: I argued a lot with my managers about the PCI stuff, but no one gives you an ear, so let me be categorized in category #2 of yours :D

Then I'm afraid this argument ends here.

Cheers.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org.

Were you even following the thread? There have been at least 4 times where different people cited different parts of the standard. But I would suppose that there's always the possibility of someone imagining the standard, who knows!

> AV is about 4 requirements out of over 230 requirements

Actually, it's the 5th out of 12... https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

> Many views in this thread sound like drowning people who reject a lifeboat because it doesn't match their eye colour.

And I take it the lifeboat matched your eye colour? By your comparison, it doesn't match my eye colour, and neither does the amount of holes in the lifeboat that I would deem safe. Sure, some people would evacuate on a handkerchief if it means less money, more compliance.

I don't think you grasped the point either, so I won't argue with the rest of your message.

On Tue, Apr 27, 2010 at 12:34 AM, Lyal Collins ly...@swiftdsl.com.au wrote:

> Has everyone on this list read the PCI DSS requirements? They are freely available, at www.pcisecuritystandards.org.
>
> AV is about 4 requirements out of over 230 requirements, covering secure coding/development, patching, network security, hardening systems, least privilege, robust authentication, staff probity, physical security, obligations on third parties, annual risk assessments and improvements, plus annually re-validating all of these security control areas.
>
> Many views in this thread sound like drowning people who reject a lifeboat because it doesn't match their eye colour.
>
> PCI DSS isn't perfect, but it is fairly comprehensive about confidentiality. In terms of all organisational information security threats, PCI DSS lacks a focus on DR/BCP and integrity of data and system (other than that subset of threats affecting protection of card data).
>
> I posit that DR and data integrity are as much a commercial decision as an information security goal, for which simple, repeatable processes are already available and reasonably well known amongst IT professionals.
>
> Anti-virus and anti-malware products are not perfect either, but they are better than the alternative of 'doing nothing until a perfect solution is found', an undertone I see so often in this list and among many well-intentioned but unsuccessful security professionals at sites I visit. Implementing any halfway decent solution is almost always better than doing nothing, when it comes to reducing risk and increasing assurance. Implementing ongoing improvements is a cost-effective spend of scarce security/IT dollars. Building the 'perfect' security solution is too expensive and takes too long - by the time it's delivered, security threats have moved on, and you remain vulnerable.
>
> There are some dreadful compliance programs out there. There are some excellent compliance standards. The
>
> lyal
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Nice way of reading whatever feels right to you. Perhaps you'd have better read what I wrote a few lines before that?

On Tue, Apr 27, 2010 at 4:43 PM, Mike Hale eyeronic.des...@gmail.com wrote:

> - they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)

So you fall into this category?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> based on your own admission

On whose admission? Perhaps you should bother to cite sources next time? And, how is quoting me in a different argument your point?

On Tue, Apr 27, 2010 at 4:55 PM, Mike Hale eyeronic.des...@gmail.com wrote:

Point is, you're arguing for the sake of arguing, as you have no understanding of what PCI is, based on your own admission.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
My point isn't about a particular section, nor about the amount of experience I have in PCI DSS compliance (which is next to novice). The point is, what is PCI aiming at? Real security, or just a way companies can excuse their incompetence by citing full PCI compliance?

Which reminds me, it wasn't I that brought anti-viruses into the discussion.

Cheers.

On Tue, Apr 27, 2010 at 5:16 PM, Mike Hale eyeronic.des...@gmail.com wrote:

Actually, you're right. You're not the one who said that, I apologize.

But I maintain that you're arguing over something that you don't understand. You took one section (the anti-virus one) and got your panties in a bunch over a security standard that says you *should* run anti-virus. You completely ignored that PCI allows you to have compensating controls in place for virtually any requirement.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> -they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)

So you fall into this category?

On Tue, Apr 27, 2010 at 1:22 AM, Christian Sciberras <uuf6...@gmail.com> wrote:

> In short, you just said that PCI compliance _is_ a waste of time and money. Why else would you protect something which is bound to fail anyway?!
>
> This is a lost battle, as I said no one cares about the arguments because these people fall into three categories:
> - they believe the illusion that PCI by itself enhances security
> - they do their job and don't give a f*ck about it
> - they are arguing for the fun of it without any real arguments (why else prove me right on my arguments and later on deny it?)
>
> On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sh...@yahoo.com> wrote:
>
> > You won't know, not now, not ever. Maybe they do get a commission for your AV installation, who knows! But maybe they think it is something that everybody needs, so they force it. To get to know the true answer, we need to sit down with the guys who wrote the requirements and brainstorm those issues with them. We shall keep just running around and around in a circle here, because no one here, if no CC company guy is around, can give a definite answer. Just our simple arguments!
> >
> > As I said before, I have to use it on a Windows box, because it's a requirement, it's not my opinion at all.
> >
> > I 100% agree with you that most of the companies seek the paperwork and get PCI certified and don't really bother about true security measures, but in the end if a breach is discovered they are the ones who shall get the penalty in the face, not us :)
> >
> > NB: I don't use an AV, never did, and never will :p
> >
> > Regards,
> >
> > From: Christian Sciberras <uuf6...@gmail.com>
> > To: Shaqe Wan <sh...@yahoo.com>
> > Cc: full-disclosure@lists.grok.org.uk
> > Sent: Tue, April 27, 2010 10:37:24 AM
> > Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> >
> > > Surely being forced to install an anti-virus only brings in a monopoly? How do I know that PCI Standards writers are getting a nice commission off me installing the anti-virus? (I know they don't, I'm just hypothesizing.)
> > >
> > > You stated it yourself, an anti-virus may not make any difference, it is there as per PCI standard. So what is its use? Why the heck do I have to install something useless?
> > >
> > > Lastly, that is where you are wrong, there is no base starting point; companies don't give a shit about proper security measures, they get PCI-certified and all security ends there. That is the freaken problem.
> > >
> > > NB: I do use anti-virus software, what I specified above is not in any way my opinion about anti-virus vendors, etc.
> > >
> > > On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sh...@yahoo.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I don't actually believe there is a democratic society. No such thing exists. If it does? Then ask the organizations who made the compliance requirements to drop them and make audits based on some other measure that you believe is more secure and has fewer flaws in it.
> > > >
> > > > Finally, regarding the AV issue, which I wish to end here, I don't believe that an AV shall make your box secure, but it's a requirement to be done - added by PCI.
> > > >
> > > > And yes, I have noticed that FD is for such security measures discussion, but never thought of joining it and discussing with others until a couple of days ago when I saw this topic.
> > > >
> > > > Finally, the compliance can be taken as a base starting point, and then moving further; like that it shall not be a waste of money!
> > > >
> > > > Regards,
> > > >
> > > > From: Christian Sciberras <uuf6...@gmail.com>
> > > > To: Shaqe Wan <sh...@yahoo.com>
> > > > Cc: full-disclosure@lists.grok.org.uk
> > > > Sent: Tue, April 27, 2010 9:59:59 AM
> > > > Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> > > >
> > > > > Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used to discuss security measures. As such, it is only natural to argue with PCI's possible security flaws.
> > > > >
> > > > > Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure.
> > > > >
> > > > > The argument where compliance is wasted money still holds.
> > > > >
> > > > > Cheers.
> > > > >
> > > > > On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sh...@yahoo.com> wrote:
> > > > >
> > > > > > Hola,
> > > > > >
> > > > > > The problem is not whether they are educated against other standards or policies or not, the problem is that without this compliance you can't work with CC!!! It's something that is enforced on you!
> > > > > >
> > > > > > BTW: why don't people discuss what the points missing in the PCI Compliance are, rather than this arguing?
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > From: Christian Sciberras <uuf6...@gmail.com>
> > > > > > To: Shaqe Wan <sh...@yahoo.com>
> > > > > > Cc: full-disclosure@lists.grok.org.uk
> > > > > > Sent: Mon, April 26, 2010 4:19:27 PM
> > > > > > Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> > > > > >
> > > > > > > OK. All those in favour
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Point is, you're arguing for the sake of arguing, as you have no understanding what PCI is, based on your own admission.

On Tue, Apr 27, 2010 at 7:51 AM, Christian Sciberras <uuf6...@gmail.com> wrote:

> Nice way of reading whatever feels right to you. Perhaps you'd have better read what I wrote a few lines before that?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Actually, you're right. You're not the one who said that, I apologize.

But I maintain that you're arguing over something that you don't understand. You took one section (the anti-virus one) and got your panties in a bunch over a security standard that says you *should* run anti-virus. You completely ignored that PCI allows you to have compensating controls in place for virtually any requirement.

On Tue, Apr 27, 2010 at 8:07 AM, Christian Sciberras <uuf6...@gmail.com> wrote:

> > based on your own admission
>
> On whose admission? Perhaps you should bother to cite sources next time?
>
> And, how is quoting me in a different argument your point?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> The point is, what's PCI aiming at?

It's aiming for a basic level of security among companies that process credit cards. Nothing more.

You have to remember that PCI didn't come about in a vacuum. It was created to solve a specific problem that the major credit cards faced in regards to the security posture of their processors. The two alternatives for the Payment Card Industry are:

1) The base level of security specified by PCI
2) No base level of security, with most companies not implementing any security whatsoever.

PCI does not stop a company from enacting stricter and better security controls. If your internal security is better than what PCI specifies, but you do not meet one of the requirements, you use the compensating control mechanism to justify it.

For the record, I apologize for the 'panties in a bunch' comment. I lost track of who said what, and you did not bring up the AV stuff. Haven't had my coffee yet... ;)

On Tue, Apr 27, 2010 at 8:33 AM, Christian Sciberras <uuf6...@gmail.com> wrote:

> My point isn't about a particular section, nor whether the amount of experience I have in PCI DSS compliance (which is next to novice).
>
> The point is, what's PCI aiming at? Real security, or just a way companies can excuse their incompetence by citing full PCI compliance?
>
> Which reminds me, it wasn't I that brought anti-viruses to the discussion.
>
> Cheers.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Haven't had my coffee yet... ;)

I thought so, that would explain everything. :)

Cheers,

On Tue, Apr 27, 2010 at 6:30 PM, Mike Hale <eyeronic.des...@gmail.com> wrote:

> > The point is, what's PCI aiming at?
>
> It's aiming for a basic level of security among companies that process credit cards. Nothing more.
>
> You have to remember that PCI didn't come about in a vacuum. It was created to solve a specific problem that the major credit cards faced in regards to the security posture of their processors. The two alternatives for the Payment Card Industry are:
>
> 1) The base level of security specified by PCI
> 2) No base level of security, with most companies not implementing any security whatsoever.
>
> PCI does not stop a company from enacting stricter and better security controls. If your internal security is better than what PCI specifies, but you do not meet one of the requirements, you use the compensating control mechanism to justify it.
>
> For the record, I apologize for the 'panties in a bunch' comment. I lost track of who said what, and you did not bring up the AV stuff. Haven't had my coffee yet... ;)
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure.

This isn't a democracy .. it's a business. You want to process credit cards in-house, you need to comply with the PCI standards. It *doesn't matter* if you think you're smarter/better than what's in the standard .. you play by their rules or you don't play. Much like if your boss says you have to wear a tie, but you think ties are stupid.

You've already stated in a prior email that you have no involvement with PCI implementation on either side of the fence ("hell no" was your answer, I believe) .. so I don't see where you're really qualified to make a categorical statement that PCI compliance lends nothing to security.

PCI/DSS is an attempt to paint (as broadly as possible) a minimum set of standards. You are allowed (in some cases) to state a mitigating circumstance that renders a particular point moot. None of the things in the PCI/DSS standard contradict basic best practice when it comes to securing data and the networks and hosts on which it resides and traverses.

> The argument where compliance is wasted money still holds.

Well .. waste your money on compliance .. or waste your money on the surcharge you pay to another entity that *is* compliant. Take your pick.

Cheers,

Michael Holstein
Cleveland State University

PS: Just because you say your network is secure doesn't make it so. Internal and external audit is routine course in the business world, and you'll find that the less you try and make life difficult for them, the easier things tend to go.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> My point isn't about a particular section, nor whether the amount of experience I have in PCI DSS compliance (which is next to novice).

So we can agree that you're arguing about something with which you have no experience?

> The point is, what's PCI aiming at?

It's on the first substantive page of the document .. to wit:

"The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally."

> Real security

Again, I ask what is 'real security'?

> or just a way companies can excuse their incompetence by citing full PCI compliance?

If you self-audit and just check the boxes because you have a box that says "firewall" on it and another that says "IDS" and so forth, then yes .. it's just excusing incompetence .. but any real auditor would be asking you about change management for those assets, who has access to them and why, how logs are reviewed and by whom, etc.

There's 12 basic points in the 1.2 spec, none of which contradict current best-practice for network design.

Cheers,

Michael Holstein
Cleveland State University

PS: This is starting to sound like the discussion many of us have with Mac end-users .. the one that goes "but Macs don't get viruses".
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Tue, 27 Apr 2010 13:48:11 EDT, Michael Holstein said:

> You've already stated in a prior email that you have no involvement with PCI implementation on either side of the fence ("hell no" was your answer, I believe) .. so I don't see where you're really qualified to make a categorical statement that PCI compliance lends nothing to security.

To be fair - the claim has mutated a bit along the way. What it *started* as was more like:

Once you've spent money actually securing the enterprise, then the time and money spent on actually getting the audit done is wasted from a security viewpoint, as that time/money isn't actually getting spent on something that affects security.

Your site runs a relatively tight ship already. You read the PCI specs, and you spend $10K and 2 man-months getting compliant because your ship isn't totally tight, and there's a few things you should have done. That's not wasted security-wise.

You then pay $10K and 4 man-weeks to actually get the audit done. What actual *security* benefit do you get from that $10K and 4 man-weeks? Pretty much zero, unless you stretch it to the risk-management side and have to declare "risk of not getting PCI compliance impacting our revenue stream" on an SEC filing. But that's one heck of a stretch.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry

> PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they want to or not, in order to be able to process credit cards.

> the problem is that without this compliance you can't work with CC!!!

> While I have heard the same thing repeated many times, I've never found a credible source for the claim that all breaches involved fully PCI compliant processors. According to the 2009 Verizon Business Breach Report, 81% of the attack victims were not PCI compliant:

Is PCI Compliance a giant bluff from VISA? Have any large companies ever been forced to stop processing CCs because they failed to be PCI compliant?

According to the Verizon report, 81% of attack victims were not PCI compliant. OK then, how is it that they were still processing the CCs that became compromised? Or does VISA come in after a large company has had PCI data breached and then claim "oh, but they're not compliant because of X that wasn't correctly identified during their last audit"? How many of those breached companies were PCI certified at the time of the breach, only to have it taken away post mortem?
or just a way companies can excuse their incompetence by citing full PCI compliance? If you self-audit and just check the boxes because you have a box that says firewall on it and another that says IDS and so forth, then yes .. it's just excusing incompetence .. but any real auditor would be asking you about change management for those assets, who has access to them and why, how logs are reviewed and by whom, etc. There's 12 basic points in the 1.2 spec, none of which contradict current best-practice for network design. Cheers, Michael Holstein Cleveland State University PS: This is starting to sound like the discussion many of us have with Mac end-users .. the one that goes but Mac's don't get viruses. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
--On Tuesday, April 27, 2010 13:37:39 -0700 J Roger securityho...@gmail.com wrote:

Is PCI Compliance a giant bluff from VISA? Have any large companies ever been forced to stop processing CCs because they failed to be PCI compliant?

They don't force you to stop processing. They fine you. VISA assessed $3.3 million in fines in 2005 and $4.6 million in 2007 alone.

According to the Verizon report 81% of attack victims were not PCI compliant. Ok then how is it that they were still processing the CCs that became compromised?

You *do* understand that if the card vendors refuse to process cards they are arbitrarily shutting down a business, right? So, when someone is breached, they're going to be fined and expected to get into compliance. If they refuse or continue to have breaches, then the card vendors might refuse to accept their business any more. But one breach is not enough to put a company out of business. I doubt VISA could win that case in court.

Or does VISA come in after a large company has PCI data breached and then claim oh but they're not compliant because of X that wasn't correctly identified during their last audit? How many of those breached companies were PCI certified at the time of the breach only to have it taken away post mortem?

PCI compliance is determined by approved third party assessors, not by the card vendors themselves. If a compliant company is breached, the fines have a cap of $500,000. There is no cap for non-compliant merchants. Non-compliant merchants are also charged a higher interchange rate until they come into compliance.

PCI compliance isn't something you can have taken away. You're either compliant or you're not, as determined by the third party assessor. And you can be compliant today and fail tomorrow. All you need is for one element to go out of compliance for some reason.

In 2007 VISA began fining their acquirers between $5000 and $25,000 a month for every merchant they serviced that wasn't compliant. (The acquirers, in general, pass those fines on to the offending merchant.)

In 2009 Ponemon surveyed the PCI landscape and found that 22% of companies were in full compliance with PCI while another 53% were either mostly or partly compliant. I suspect the fully compliant merchants were probably all or mostly all Tier 1. 79% of the companies surveyed had experienced at least one data breach that required disclosure. So even among compliant or partially compliant businesses there were a significant number of reportable breaches.

If you think this is laughable, then strap on your super security man suit and start fixing it. Doing security is a lot harder, at the enterprise level, than people realize. For example, try identifying and remediating all the vulnerable versions of Java in your enterprise. I'm betting you can't. I recently checked, and the average workstation had more than fifteen (15) separate versions of Java installed, most of which are vulnerable, and none of which can be updated without breaking the application they were installed with.

Better yet, try getting a functioning version of antivirus that is properly updating installed on 100% of your assets. I'll bet you can't do that either. (Note I said 100%, not 99% or 98%.) It's damn near impossible to maintain every single computer in an enterprise, without exception, to a secure standard 100% of the time and have all of them functioning without problems 100% of the time.

Until software vendors get their act together and start building security in from the beginning of development, companies will continue to experience breaches. Even in a perfect world of zero vulnerable software packages you'll still have to deal with the human element, which is demonstrably harder to overcome.

-- Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*** It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead. Thomas Jefferson
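Paul's Java example above makes a concrete operational point: before you can remediate, you have to find every runtime on the box, including the JREs bundled inside applications that never show up in Add/Remove Programs or the package manager. The script below is an added example, not code posted in the thread or tooling from any of its participants. It walks a set of directories for `java`/`java.exe` launchers, runs `java -version` on each, normalises the legacy `1.6.0_17` and the newer `11.0.12` version schemes into one comparable form, and grades each runtime against a per-feature-line baseline. The search roots and the baseline patch levels in EXAMPLE_BASELINES are placeholders for your own policy, not a statement of which versions are currently safe; the banners in SAMPLE_BANNERS are constructed, not captured from a real host.

```python
"""Inventory Java runtimes on a host and grade each against a baseline.

Added example for this thread, not code posted by any participant.
Assumes `java -version` prints its banner to stderr (Sun/Oracle and
OpenJDK builds do) and that the baseline patch levels below are
placeholders to be replaced by your own policy.
"""
import os
import re
import subprocess
from typing import Dict, Iterator, List, Optional, Tuple

# (feature, interim, update): the legacy "1.6.0_17" and the newer "11.0.12"
# schemes are both normalised to this shape so tuples compare correctly.
Version = Tuple[int, int, int]

# First line of `java -version`: 'java version "1.8.0_291"' or
# 'openjdk version "11.0.12" 2021-07-20'; trailing build tags are ignored.
_BANNER_RE = re.compile(
    r'(?:java|openjdk) version "(?P<a>\d+)(?:\.(?P<b>\d+))?(?:\.(?P<c>\d+))?(?:_(?P<u>\d+))?'
)

# Hypothetical policy: minimum accepted update per supported feature line.
# Feature lines absent from the dict (e.g. 6 and 7) are treated as end-of-life.
EXAMPLE_BASELINES: Dict[int, Version] = {
    8: (8, 0, 291),
    11: (11, 0, 12),
    17: (17, 0, 0),
}

# Constructed banners for an offline demonstration (not captured from a real host).
SAMPLE_BANNERS: Dict[str, str] = {
    r"C:\Program Files\Java\jre6\bin\java.exe": 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)',
    r"C:\Program Files\Java\jre1.8.0_201\bin\java.exe": 'java version "1.8.0_201"',
    r"C:\Program Files\SomeVendorApp\jre\bin\java.exe": 'java version "1.8.0_291"',
    "/usr/lib/jvm/java-11-openjdk/bin/java": 'openjdk version "11.0.12" 2021-07-20',
    "/opt/legacy-tool/jre/bin/java": "/opt/legacy-tool/jre/bin/java: No such file or directory",
}


def parse_java_version(banner: str) -> Optional[Version]:
    """Parse a `java -version` banner into (feature, interim, update).

    'java version "1.6.0_17"'   -> (6, 0, 17)   legacy: 1.<feature>.<interim>_<update>
    'openjdk version "11.0.12"' -> (11, 0, 12)  JEP 223: <feature>.<interim>.<update>
    Returns None when no version banner is present.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    a, b, c, u = (int(m.group(k) or 0) for k in ("a", "b", "c", "u"))
    if a == 1:  # legacy numbering: the real feature number is the second field
        return (b, c, u)
    return (a, b, c)


def classify(version: Version, baselines: Dict[int, Version]) -> str:
    """Grade a runtime: 'ok', 'outdated' (below baseline) or 'unsupported' (EOL line)."""
    baseline = baselines.get(version[0])
    if baseline is None:
        return "unsupported"
    return "ok" if version >= baseline else "outdated"


def find_java_binaries(roots: List[str]) -> Iterator[str]:
    """Walk the given directories for java launchers, including JREs bundled in applications."""
    names = {"java", "java.exe"}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name in names:
                    yield os.path.join(dirpath, name)


def probe(path: str) -> Optional[Version]:
    """Run `<path> -version` and parse the banner; None if it cannot be run or parsed."""
    try:
        proc = subprocess.run([path, "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


def grade_banners(banners: Dict[str, str], baselines: Dict[int, Version]) -> Dict[str, str]:
    """Grade already-captured banners keyed by launcher path (offline path of the tool)."""
    result: Dict[str, str] = {}
    for path, banner in banners.items():
        v = parse_java_version(banner)
        result[path] = "unknown" if v is None else classify(v, baselines)
    return result


def inventory(roots: List[str], baselines: Dict[int, Version]) -> Dict[str, str]:
    """Live inventory: probe every launcher found under roots and grade it."""
    report: Dict[str, str] = {}
    for path in find_java_binaries(roots):
        v = probe(path)
        report[path] = "unknown" if v is None else classify(v, baselines)
    return report


if __name__ == "__main__":
    for path, status in grade_banners(SAMPLE_BANNERS, EXAMPLE_BASELINES).items():
        print(f"{status:12} {path}")
    # Live run on a real host (slow on large disks):
    # inventory([r"C:\Program Files", r"C:\Program Files (x86)"], EXAMPLE_BASELINES)
```

An "unknown" result is worth as much attention as "outdated": it means a launcher exists that refused to run or answered with something the parser did not recognise, which is exactly the kind of orphaned or vendor-modified runtime that never gets patched. Anything graded "unsupported" cannot be fixed by updating in place; it is a conversation with the application owner about replacing the bundled JRE.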
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
I would have hoped cross-platform virii were nothing new to you guys? Or am I wrong?

On Mon, Apr 26, 2010 at 6:16 AM, Tracy Reed tr...@ultraviolet.org wrote:

On Mon, Apr 26, 2010 at 12:07:05AM -0400, valdis.kletni...@vt.edu spake thusly:

On Sun, 25 Apr 2010 20:25:47 PDT, Tracy Reed said:

On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly:

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

No, they just think all the world is Windows.

Which proves Nick's point...

I'm not sure what Nick's point was. Although it doesn't suggest that anything is wrong with PCI because they explicitly leave an out for systems which tend not to have virus problems.

-- Tracy Reed http://tracyreed.org
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Nick,

Please if you don't know what the standards are, please don't post junk and foolish comments just to state your opinion. Read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

See Requirement #5. Read that requirement carefully and it's not bad to read it twice though in case you don't figure it out from the first glance!

Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact, then please request a change in the PCI DSS requirements and make them force the usage of a non Windows O.S, such as any *n?x system.

Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.

Regards,

Shaqe

--- On Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM

Shaqe Wan wrote:

snip

Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Then, as I said, the PCI requirements are total nonsense...

You say this based on absolutely zero understanding of what the requirements are, by your own admission?

On Sun, Apr 25, 2010 at 8:40 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

Tracy Reed to me:

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

No, they just think all the world is Windows.

My comments were, and still are, OS agnostic. It matters not what the OS -- anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Ditto my second comment...

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

PCI only requires antivirus for systems commonly affected by viruses. ...

Then, as I said, the PCI requirements are total nonsense...

... This means Windows. PCI security council has said that UN*X OSs etc. are not required to have antivirus.

So what system and application integrity requirements do they require for those OSes (presumably instead of antivirus)?

Your response strengthens my belief that PCI is dangerous because it enshrines small-minded ignorance as best practice (or, at least, as minimally acceptable practice) without recognizing the possibility that there may be better options that have not been so, ummm over sold as to become perceived as necessary.

Regards,

Nick FitzGerald

-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Nick,

Please if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

See Requirement #5. Read that requirement carefully and it's not bad to read it twice though in case you don't figure it out from the first glance!

Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact, then please request a change in the PCI DSS requirements and make them force the usage of a non Windows O.S, such as any *n?x system.

Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.

Regards,

Shaqe

--- On Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM

Shaqe Wan wrote:

snip

Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements?

By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me...

Cheers.

On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan sh...@yahoo.com wrote:

Nick,

Please if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

See *Requirement #5*. Read that requirement carefully and it's not bad to read it twice though in case you don't figure it out from the first glance!

Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact, then please request a change in the PCI DSS requirements and make them force the usage of a non Windows O.S, such as any *n?x system.

Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.

Regards,

Shaqe

--- On *Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk* wrote:

From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM

Shaqe Wan wrote:

snip

Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
PCI only requires antivirus for systems commonly affected by viruses. This means Windows. PCI security council has said that UN*X OSs etc. are not required to have antivirus.

-- Tracy Reed http://tracyreed.org

Just an FYI... if your nix devices are in scope, my last audit (4 weeks ago) directed me to install A/V plus a rootkit finder on linux devices in scope. Whitelisting is an alternative, but seems more a headache than A/V.

Hope this helps someone somewhere.

James
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
OK. All those in favour of PCI raise their hands.

Kidding aside, of course it is a must, since the said companies don't have any notion of security before this happens. However, how much is this actually helpful? Now let's be honest, how much would it stop a potential attacker from getting into a system protected by PCI? Little, if at all. On the other hand, a company should adopt real and complete security practices.

Again, my point is, these companies shouldn't be educated or limit their security to this standard. Because if they do (and I'm pretty sure they do) that would make this standard pretty much useless.

Anyway, I won't get into this argument, since no one will give a sh*t about it anyway.

Cheers.

On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan sh...@yahoo.com wrote:

Christian,

Did you read my first post?

((( IMO, PCI is not that big security policy, but without it you're not able to use the credit card companies gateway. I think its just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!! )))

I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a windows environment, an AV is important.

He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!!

Regards,

*From:* Christian Sciberras uuf6...@gmail.com
*To:* Shaqe Wan sh...@yahoo.com
*Cc:* full-disclosure@lists.grok.org.uk
*Sent:* Mon, April 26, 2010 3:54:20 PM
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements?

By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me...

Cheers.

On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan sh...@yahoo.com wrote:

Nick,

Please if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

See *Requirement #5*. Read that requirement carefully and it's not bad to read it twice though in case you don't figure it out from the first glance!

Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact, then please request a change in the PCI DSS requirements and make them force the usage of a non Windows O.S, such as any *n?x system.

Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.

Regards,

Shaqe

--- On *Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk* wrote:

From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM

Shaqe Wan wrote:

snip

Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Christian,

Did you read my first post?

((( IMO, PCI is not that big security policy, but without it you're not able to use the credit card companies gateway. I think its just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!! )))

I am not stating that PCI is good in no way, but I am saying that it's a MUST for companies dealing with CC. And in a windows environment, an AV is important.

He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS!!!

Regards,

From: Christian Sciberras uuf6...@gmail.com
To: Shaqe Wan sh...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Mon, April 26, 2010 3:54:20 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Why exactly are you complying with Nick's statements? I would have thought you guys were arguing against said statements?

By the way, requirement #6 is particularly funny; it sounds peculiarly redundant to me...

Cheers.

On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan sh...@yahoo.com wrote:

Nick,

Please if you don't know what the standards are, please read: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

See Requirement #5. Read that requirement carefully and it's not bad to read it twice though in case you don't figure it out from the first glance!

Also, I said that using an AV is some basic thing to do in any company that wants to deal with CC; it's a basic thing for even companies not dealing with CC too!!! Or do you state that people must use a BOX with no AV installed on it? If you believe in that fact, then please request a change in the PCI DSS requirements and make them force the usage of a non Windows O.S, such as any *n?x system.

Finally, the topic here is not about default allow vs default deny and if I understand what that is or not! You can open a new discussion about that, and I shall join there and discuss it further with you, in case you need some clarification regarding it.

Regards,

Shaqe

--- On Sun, 4/25/10, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

From: Nick FitzGerald n...@virus-l.demon.co.uk
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@lists.grok.org.uk
Date: Sunday, April 25, 2010, 1:57 PM

Shaqe Wan wrote:

snip

Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Shaqe Wan wrote:

I am not stating that PCI is good in no way, but I am saying that its a MUST for companies dealing with CC. And in a windows environment, an AV is important.

He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS !!!

Now you've missed both Nick's and Christian's points ;)

Nick's point was (at least, this is how I understood it ;) that AV is not necessarily the best approach to protect your systems against malware. If you have implemented a better way to protect your systems against malware, but the PCI standard and auditors force you to install AV software anyway, then the standard or the auditor's practices are flawed.

Please do remember that adding complexity in the form of AV software can have a negative impact on security. The recent McAfee 'svchost.exe' debacle is a perfect example.

-- Pieter
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Mon, 26 Apr 2010 16:20:01 +0200, Pieter de Boer said:

Nick's point was (at least, this is how I understood it ;) that AV is not necessarily the best approach to protect your systems against malware. If you have implemented a better way to protect your systems against malware, but the PCI standard and auditors force you to install AV software anyway, then the standard or the auditor's practices are flawed.

http://xkcd.com/463/
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Mon, Apr 26, 2010 at 06:02:48AM -0700, Shaqe Wan wrote:

I am not stating that PCI is good in no way, but I am saying that its a MUST for companies dealing with CC. And in a windows environment, an AV is important.

Did you consider that an anti-virus may actually be the worst security solution for certain threats because it allows companies not to think about security while providing insufficient protection?

What's your choice:

Company A installs an anti-virus and updates it regularly (BTW regularly includes once a year).

Company B has a recovery concept, incident response team, vulnerability monitoring, patch management, NIDS, security training but no anti-virus.

He probably thought that I am with the rules of PCI, or that I don't have any idea that the world is not just WINDOWS !!!

No, I don't think so.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
IMO, PCI is not that big security policy, but without it you're not able to use the credit card companies gateway. I think its just the basics that any company dealing with CC must implement. Because it shall be nonsense to deal with CC, and not have an Anti-virus for example!!
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Shaqe Wan wrote:

snip

Because it shall be nonsense to deal with CC, and not have an Anti-virus for example !!

Well, you see, _that_ is abject nonsense on its face. Do you have any understanding of one of the most basic of security issues -- default allow vs. default deny? There are many more secure ways to run systems _without_ antivirus software.

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Anyone authoritatively stating that antivirus software is a necessary component of a sufficiently secure system is one (or more) of; a fool, a person with an unusually low standard of system security, or a shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly:

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

No, they just think all the world is Windows.

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

PCI only requires antivirus for systems commonly affected by viruses. This means Windows. PCI security council has said that UN*X OSs etc. are not required to have antivirus.

-- Tracy Reed http://tracyreed.org
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Tracy Reed to me:

Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

No, they just think all the world is Windows.

My comments were, and still are, OS agnostic. It matters not what the OS -- anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool.

Ditto my second comment...

So _if_, as you and another recent poster strongly imply, the PCI standards include a specific _requirement_ for antivirus software, then the standards themselves are total nonsense...

PCI only requires antivirus for systems commonly affected by viruses. ...

Then, as I said, the PCI requirements are total nonsense...

... This means Windows. PCI security council has said that UN*X OSs etc. are not required to have antivirus.

So what system and application integrity requirements do they require for those OSes (presumably instead of antivirus)?

Your response strengthens my belief that PCI is dangerous because it enshrines small-minded ignorance as best practice (or, at least, as minimally acceptable practice) without recognizing the possibility that there may be better options that have not been so, ummm over sold as to become perceived as necessary.

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Sun, 25 Apr 2010 20:25:47 PDT, Tracy Reed said: On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly: Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool. No, they just think all the world is Windows. Which proves Nick's point...
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Mon, Apr 26, 2010 at 12:07:05AM -0400, valdis.kletni...@vt.edu spake thusly: On Sun, 25 Apr 2010 20:25:47 PDT, Tracy Reed said: On Mon, Apr 26, 2010 at 08:57:18AM +1200, Nick FitzGerald spake thusly: Anyone authoritatively stating that antivirus software is a necessary component of a reasonably secure system is a fool. No, they just think all the world is Windows. Which proves Nick's point... I'm not sure what Nick's point was. Although it doesn't suggest that anything is wrong with PCI because they explicitly leave an out for systems which tend not to have virus problems. -- Tracy Reed http://tracyreed.org
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Uhm.. No Uhm, yes? It's a 'hassle' if: You don't have a firewall. You use default passwords. You don't protect stored data. You don't encrypt that data in transit. You don't use antivirus. You don't restrict data access. You don't use unique logins. You don't log stuff. You don't test your security regularly. You don't have an information security policy. Seriously dude? It's a hassle? If you run a secure network, it's cake. If you don't, it's a very necessary hassle. On Fri, Apr 23, 2010 at 3:01 PM, Christian Sciberras uuf6...@gmail.com wrote: .. -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- FISMA, for example, based on press reports. Your mileage may vary. PCI DSS is one compliance program making measurable, significant improvements to the protection and security management of selected information and systems, imho. Disclaimer - I've cherry picked some examples above, for deliberate effect. However these examples and minor variations are representative examples of the overall state of information security I've seen in companies, prior to them progressing toward PCI compliance. lyalc -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God) Sent: Saturday, 24 April 2010 4:32 AM To: Stephen Mullins Cc: full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds Three things: 1) I am one of those people, as many of us are. 2) I disagree - compliance with the standard, as put forth by the body developing the standard, certainly implies a real security benefit. Does PCI=Security? No, but it certainly helps. There is a huge difference between ensure and imply. Using them together like that as if they are synonymous is a red herring. Think about what you just said: it doesn't imply real security. THAT doesn't define ANYTHING actionable. Nothing. What the standard does IS to define at least measures to be taken that can increase security - it has specifics and action items. It is tangible. And, it is far more likely to provide a real benefit than not. It *certainly* does more than having some policy say You must imply real security. If you are one of those people that care about security, and if your takeaway from PCI is that it doesn't imply real security but you fail to tell us what does, then I would have to say you are not really providing any benefit. 3) Apparently not a cost of doing business how? What did I say that makes that statement apparent? 
I fail to see how you can connect what the OP stated as Compliance is Wasted Money with apparently having a secure network is not a cost of doing business. They are two different things. If you want to process credit cards in your business to make more money, and the credit card industry says, up front, ok, you can play if you follow these rules, then that is a cost of doing business. If you actually do enough business to justify PCI audits, and you as a security person implement a system that passes all PCI audit requirements as written, but still FAIL to have a system where no security is implied, then YOU have not done your job. No amount of blaming PCI's inadequacies is going to make up for people not taking responsibility for doing their jobs. Period. t -Original Message- From: Stephen Mullins [mailto:steve.mullins.w...@gmail.com] Sent: Friday, April 23, 2010 10:40 AM To: Thor (Hammer of God) Cc: Christian Sciberras; security-bas...@securityfocus.com; full-disclosure Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds I don't see what the hubbub is Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know. On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: How can you say it is wasted? It doesn't matter if you are a fan of it or not, in the same way that it doesn't matter if you are a fan of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is wasted money, and might bring into question the value of the surcharge, etc. 
It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can't handle credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can self-audit. If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply. If you don't like PCI, then don't process credit cards, or come up with your own. I still don't really see what all the hubbub is about here. t From: Christian Sciberras [mailto:uuf6...@gmail.com] Sent: Friday, April 23, 2010 9
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Their conclusions are based, IMO, on a flawed methodology. With some conservative assumptions, the paper indicates that companies actually spend 50% of their budget protecting secrets versus 20% on complying with external regulations. I wrote up a more thorough response which I'll post in a few days when I've proof-read it some more. On Thu, Apr 22, 2010 at 4:48 PM, Christopher Gilbert mot...@gmail.com wrote: The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something? -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don't know why people get all emotional about it and throw up their hands with all the this is wasted money positioning - it's not wasted at all; it is simply part of the cost of doing business in that market. t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher Gilbert Sent: Thursday, April 22, 2010 4:48 PM To: Mike Hale Cc: full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
it is simply part of the cost of doing business in that market. A.k.a. wasted money. Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The latter I guess. As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance. My two cents. Regards, Christian Sciberras. On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don’t know why people get all emotional about it and throw up their hands with all the “this is wasted money” positioning – it’s not wasted at all; it is simply part of the cost of doing business in that market. t *From:* full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of* Christopher Gilbert *Sent:* Thursday, April 22, 2010 4:48 PM *To:* Mike Hale *Cc:* full-disclosure; security-bas...@securityfocus.com *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
How can you say it is wasted? It doesn't matter if you are a fan of it or not, in the same way that it doesn't matter if you are a fan of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is wasted money, and might bring into question the value of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can't handle credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can self-audit. If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply. If you don't like PCI, then don't process credit cards, or come up with your own. I still don't really see what all the hubbub is about here. t From: Christian Sciberras [mailto:uuf6...@gmail.com] Sent: Friday, April 23, 2010 9:29 AM To: Thor (Hammer of God) Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds it is simply part of the cost of doing business in that market. A.k.a. wasted money. Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The latter I guess. As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance. 
My two cents. Regards, Christian Sciberras. On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don't know why people get all emotional about it and throw up their hands with all the this is wasted money positioning - it's not wasted at all; it is simply part of the cost of doing business in that market. t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher Gilbert Sent: Thursday, April 22, 2010 4:48 PM To: Mike Hale Cc: full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
I don't see what the hubbub is Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know. On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it or not, in the same way that it doesn’t matter if you are a “fan” of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is “wasted money,” and might bring into question the “value” of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can’t “handle” credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can “self-audit.” If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply. If you don’t like PCI, then don’t process credit cards, or come up with your own. I still don’t really see what all the hubbub is about here. 
t From: Christian Sciberras [mailto:uuf6...@gmail.com] Sent: Friday, April 23, 2010 9:29 AM To: Thor (Hammer of God) Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds it is simply part of the cost of doing business in that market. A.k.a. wasted money. Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The latter I guess. As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance. My two cents. Regards, Christian Sciberras. On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don’t know why people get all emotional about it and throw up their hands with all the “this is wasted money” positioning – it’s not wasted at all; it is simply part of the cost of doing business in that market. t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher Gilbert Sent: Thursday, April 22, 2010 4:48 PM To: Mike Hale Cc: full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. 
Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. So what's the problem? .. if you have done it according to (or exceeding) the spec .. check the box, buy a box of donuts for the auditor .. let them look it over, and be done with it. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. If VISA (et al.) could define real security and write it down, they would. What is real security exactly? .. I'd argue the only secure computer is one that's still sealed in the factory carton. Break the seal, game over .. just like it says on a box of Band-Aids: Sterility guaranteed until opened. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. The thinking goes .. that if you implement the PCI standards and aim to actually do as it suggests (meaning doing what the document suggests *correctly* .. not just having a blinkinlight in place so you can check a box) .. you're already down the right path. Even so .. the problem with securing networks/systems is there are millions of them and only a few of you. Also .. you have to be right 100% of the time, and they only have to get lucky once. My $10.02 ($10 minimum purchase on all credit cards). ** Cheers, Michael Holstein Cleveland State University ** : yes, I know this goes against the merchant agreement .. sarcasm.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Three things: 1) I am one of those people, as many of us are. 2) I disagree - compliance with the standard, as put forth by the body developing the standard, certainly implies a real security benefit. Does PCI=Security? No, but it certainly helps. There is a huge difference between ensure and imply. Using them together like that as if they are synonymous is a red herring. Think about what you just said: it doesn't imply real security. THAT doesn't define ANYTHING actionable. Nothing. What the standard does IS to define at least measures to be taken that can increase security - it has specifics and action items. It is tangible. And, it is far more likely to provide a real benefit than not. It *certainly* does more than having some policy say You must imply real security. If you are one of those people that care about security, and if your takeaway from PCI is that it doesn't imply real security but you fail to tell us what does, then I would have to say you are not really providing any benefit. 3) Apparently not a cost of doing business how? What did I say that makes that statement apparent? I fail to see how you can connect what the OP stated as Compliance is Wasted Money with apparently having a secure network is not a cost of doing business. They are two different things. If you want to process credit cards in your business to make more money, and the credit card industry says, up front, ok, you can play if you follow these rules, then that is a cost of doing business. If you actually do enough business to justify PCI audits, and you as a security person implement a system that passes all PCI audit requirements as written, but still FAIL to have a system where no security is implied, then YOU have not done your job. No amount of blaming PCI's inadequacies is going to make up for people not taking responsibility for doing their jobs. Period. 
t -Original Message- From: Stephen Mullins [mailto:steve.mullins.w...@gmail.com] Sent: Friday, April 23, 2010 10:40 AM To: Thor (Hammer of God) Cc: Christian Sciberras; security-bas...@securityfocus.com; full-disclosure Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds I don't see what the hubbub is Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know. On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: How can you say it is wasted? It doesn't matter if you are a fan of it or not, in the same way that it doesn't matter if you are a fan of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is wasted money, and might bring into question the value of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can't handle credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can self-audit. If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply. 
If you don't like PCI, then don't process credit cards, or come up with your own. I still don't really see what all the hubbub is about here. t From: Christian Sciberras [mailto:uuf6...@gmail.com] Sent: Friday, April 23, 2010 9:29 AM To: Thor (Hammer of God) Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds it is simply part of the cost of doing business in that market. A.k.a. wasted money. Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The later I guess. As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance. My two cents. Regards, Christian Sciberras. On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Look at the PCI requirements. What's unreasonable about them? Which portions are *NOT* part of having a secure network? If you strive for security, and weave that into your network, complying with PCI should be cake. On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins steve.mullins.w...@gmail.com wrote: I don't see what the hubbub is Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know. On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it or not, in the same way that it doesn’t matter if you are a “fan” of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is “wasted money,” and might bring into question the “value” of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can’t “handle” credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can “self-audit.” If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply. 
If you don’t like PCI, then don’t process credit cards, or come up with your own. I still don’t really see what all the hubbub is about here. t From: Christian Sciberras [mailto:uuf6...@gmail.com] Sent: Friday, April 23, 2010 9:29 AM To: Thor (Hammer of God) Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds it is simply part of the cost of doing business in that market. A.k.a. wasted money. Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The later I guess. As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance. My two cents. Regards, Christian Sciberras. On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don’t know why people get all emotional about it and throw up their hands with all the “this is wasted money” positioning – it’s not wasted at all; it is simply part of the cost of doing business in that market. 
t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christopher Gilbert Sent: Thursday, April 22, 2010 4:48 PM To: Mike Hale Cc: full-disclosure; security-bas...@securityfocus.com Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted. On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale eyeronic.des...@gmail.com wrote: I find the findings completely flawed. Am I missing something?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
You don't think in-house payment gateways can be as stable as third party gateways?

Probably not .. it goes back to the "how many '9s' can you afford to pay for" question. But in-house has the advantage of knowing who to yell at when it breaks. Management generally prefers to yell locally instead of being told "I dunno, ask the cloud".

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
If you strive for security, and weave that into your network, complying with PCI should be cake.

Uhm.. No. NO.

PCI is an unnecessary hassle. What makes signing a document any more secure than having a server facing the wild of the net? Truth is, PCI doesn't help in security at all. It is at most a sense of false security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't bother to. I just want to point out some hard facts about PCI/DSS which you call no big deal. I surely agree with that, but what is not a big deal for you doesn't mean it ain't for the rest of the world. What stops an uninformed programmer from complying with PCI/DSS (or at least, thinking so) and leaving RFI/XSS/whatever holes everywhere?

That said, security flaws are just about everywhere so no need to get critical about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of security. I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des...@gmail.com wrote:

Look at the PCI requirements. What's unreasonable about them? Which portions are *NOT* part of having a secure network? If you strive for security, and weave that into your network, complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins steve.mullins.w...@gmail.com wrote:

I don't see what the hubbub is

Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it or not, in the same way that it doesn’t matter if you are a “fan” of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is “wasted money,” and might bring into question the “value” of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can’t “handle” credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can “self audit.” If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply.

If you don’t like PCI, then don’t process credit cards, or come up with your own. I still don’t really see what all the hubbub is about here.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

it is simply part of the cost of doing business in that market.

A.k.a. wasted money.

Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The latter I guess.

As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don’t know why people get all emotional about it and throw up their hands with all the “this is wasted money” positioning – it’s not wasted at all; it is simply part of the cost of doing business in that market.

t
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Marketing propaganda? I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions before continuing dialog about if PCI contributes to security or not.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:02 PM
To: Mike Hale
Cc: Stephen Mullins; full-disclosure; security-bas...@securityfocus.com; Thor (Hammer of God)
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

If you strive for security, and weave that into your network, complying with PCI should be cake.

Uhm.. No. NO.

PCI is an unnecessary hassle. What makes signing a document any more secure than having a server facing the wild of the net? Truth is, PCI doesn't help in security at all. It is at most a sense of false security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't bother to. I just want to point out some hard facts about PCI/DSS which you call no big deal. I surely agree with that, but what is not a big deal for you doesn't mean it ain't for the rest of the world. What stops an uninformed programmer from complying with PCI/DSS (or at least, thinking so) and leaving RFI/XSS/whatever holes everywhere?

That said, security flaws are just about everywhere so no need to get critical about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of security. I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des...@gmail.com wrote:

Look at the PCI requirements. What's unreasonable about them? Which portions are *NOT* part of having a secure network? If you strive for security, and weave that into your network, complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins steve.mullins.w...@gmail.com wrote:

I don't see what the hubbub is

Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

How can you say it is "wasted"? It doesn't matter if you are a "fan" of it or not, in the same way that it doesn't matter if you are a "fan" of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is "wasted money," and might bring into question the "value" of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can't "handle" credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can "self audit." If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply.

If you don't like PCI, then don't process credit cards, or come up with your own. I still don't really see what all the hubbub is about here.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

it is simply part of the cost of doing business in that market.

A.k.a. wasted money.

Truth be told, I'm no fan of PCI. Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways). In the end, as a service, what do I want
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us. The end decision wasn't mine, though.

We do take security as a main concern, however, it is preferred to have a more realistic approach to security rather than restrict employees' access (by signing some oath..).

Regards,
Christian Sciberras.

On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Marketing propaganda? I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions before continuing dialog about if PCI contributes to security or not.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:02 PM
To: Mike Hale
Cc: Stephen Mullins; full-disclosure; security-bas...@securityfocus.com; Thor (Hammer of God)
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

If you strive for security, and weave that into your network, complying with PCI should be cake.

Uhm.. No. NO.

PCI is an unnecessary hassle. What makes signing a document any more secure than having a server facing the wild of the net? Truth is, PCI doesn't help in security at all. It is at most a sense of false security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't bother to. I just want to point out some hard facts about PCI/DSS which you call no big deal. I surely agree with that, but what is not a big deal for you doesn't mean it ain't for the rest of the world. What stops an uninformed programmer from complying with PCI/DSS (or at least, thinking so) and leaving RFI/XSS/whatever holes everywhere?

That said, security flaws are just about everywhere so no need to get critical about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of security. I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des...@gmail.com wrote:

Look at the PCI requirements. What's unreasonable about them? Which portions are *NOT* part of having a secure network? If you strive for security, and weave that into your network, complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins steve.mullins.w...@gmail.com wrote:

I don't see what the hubbub is

Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it or not, in the same way that it doesn’t matter if you are a “fan” of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is “wasted money,” and might bring into question the “value” of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can’t “handle” credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can “self audit.” If you process more, you have to be audited by a PCI auditor. None of this MEANS you are secure, it means you comply.

If you don’t like PCI, then don’t process credit cards, or come up with your own. I still don’t really see what all the hubbub is about here.

t
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Sorry, forgot to reply to your quoting me about false sense of security. Let me explain myself.

It is relatively easier to forget real security concerns (such as [really] bad coding) when one follows a checklist for "high security" (quoting pcisecuritystandards.org). Unless I missed something (which I don't think I did) PCI/DSS doesn't help at all since it is putting security methodologies over your project manager's desk, rather than getting an IT Security specialist to do the job.

Cheers.

On Sat, Apr 24, 2010 at 12:33 AM, Christian Sciberras uuf6...@gmail.com wrote:

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us. The end decision wasn't mine, though.

We do take security as a main concern, however, it is preferred to have a more realistic approach to security rather than restrict employees' access (by signing some oath..).

Regards,
Christian Sciberras.

On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Marketing propaganda? I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions before continuing dialog about if PCI contributes to security or not.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:02 PM
To: Mike Hale
Cc: Stephen Mullins; full-disclosure; security-bas...@securityfocus.com; Thor (Hammer of God)
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

If you strive for security, and weave that into your network, complying with PCI should be cake.

Uhm.. No. NO.

PCI is an unnecessary hassle. What makes signing a document any more secure than having a server facing the wild of the net? Truth is, PCI doesn't help in security at all. It is at most a sense of false security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't bother to. I just want to point out some hard facts about PCI/DSS which you call no big deal. I surely agree with that, but what is not a big deal for you doesn't mean it ain't for the rest of the world. What stops an uninformed programmer from complying with PCI/DSS (or at least, thinking so) and leaving RFI/XSS/whatever holes everywhere?

That said, security flaws are just about everywhere so no need to get critical about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of security. I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des...@gmail.com wrote:

Look at the PCI requirements. What's unreasonable about them? Which portions are *NOT* part of having a secure network? If you strive for security, and weave that into your network, complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins steve.mullins.w...@gmail.com wrote:

I don't see what the hubbub is

Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization. As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem. Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it or not, in the same way that it doesn’t matter if you are a “fan” of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is “wasted money,” and might bring into question the “value” of the surcharge, etc. It is simply a cost of doing business. If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can’t
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
OK - so, when you say "to use PCI" what do you mean? I get the feeling that you are equating being "PCI certified" as something people just "get" to show other people they are "secure." Hence your use of "marketing propaganda."

People don't go through an audit and get PCI certified so that they can claim they are secure. It doesn't work like that. PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they want to or not, in order to be able to process credit cards. If you process less than 1 million xactions per year, you can "self audit." Can you lie? Sure. But you'll get your ability to process payments yanked if they catch you. More than that requires an auditor. If that auditor finds you have horrible security controls in place, you will fail. If they pass you anyway, they can lose their certification to audit. If you fail, you have x time to get with the program and be audited again.

It's just a way for the CC industry to make sure the people handling card info follow best practices for security. That's all it means - it is a certification FOR the industry BY the industry. No one ever said it meant people had "real security." It means companies illustrate a base of practices required to handle consumer credit card data. That's it.

And I totally agree with Mike Hale's comments about "if you are really secure, as in 'already secure' then it's cake." I don't know that I would say "cake" as it depends on the scope of audit, but he's right. If you already have a drive to secure your infrastructure, then PCI should be easy. My requirements for security are far more strict than PCI. Yours may or may not be, so you'll have to adjust as necessary.

Regarding code, I do believe that in PCI audits for dev that you have to illustrate an SDL, in which case things like XSS and BOs and such would be part of.

That's the skinny on PCI :)

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:34 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us. The end decision wasn't mine, though.

We do take security as a main concern, however, it is preferred to have a more realistic approach to security rather than restrict employees' access (by signing some oath..).

Regards,
Christian Sciberras.

On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Marketing propaganda? I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions before continuing dialog about if PCI contributes to security or not.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:02 PM
To: Mike Hale
Cc: Stephen Mullins; full-disclosure; security-bas...@securityfocus.com; Thor (Hammer of God)
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

If you strive for security, and weave that into your network, complying with PCI should be cake.

Uhm.. No. NO.

PCI is an unnecessary hassle. What makes signing a document any more secure than having a server facing the wild of the net? Truth is, PCI doesn't help in security at all. It is at most a sense of false security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't bother to. I just want to point out some hard facts about PCI/DSS which you call no big deal. I surely agree with that, but what is not a big deal for you doesn't mean it ain't for the rest of the world. What stops an uninformed programmer from complying with PCI/DSS (or at least, thinking so) and leaving RFI/XSS/whatever holes everywhere?

That said, security flaws are just about everywhere so no need to get critical about it. For now at least.

The point isn't who should be using credit cards or not, it's a matter of security. I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale eyeronic.des
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Fri, Apr 23, 2010 at 3:33 PM, Christian Sciberras uuf6...@gmail.com wrote:

4) I've looked into whether it was into our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us.

This right here screams bullshitter. It isn't as if you get to decide if you want to use PCI or not. If you process credit cards with the major card brands you are going to do PCI either now or eventually. There is no other security standard which you can choose.

You also show signs of being a victim of absolutism. Nobody has ever claimed that PCI makes you secure. It is a minimal standard which experience has shown most companies need spelled out for them. There is much more than just the things spelled out by PCI that need to be done.

As usual in these situations, your real complaint isn't about PCI but about the people who just don't get the point.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
I just want to emphasize a point you mentioned right now:

It means companies illustrate a *base* of practices required to handle consumer credit card data.

So why waste resources, time and money when one would be better off with proper security measures? As Mr Hale said, it's a piece of cake if you had the right stuff already going. Problem is, it's a piece of expensive cake.

I just want[ed] to make my point clear, I don't see any discussion into this at all. As I already said, it is not my intention to argue with the original message.

Cheers.

On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

OK – so, when you say “to use PCI” what do you mean? I get the feeling that you are equating being “PCI certified” as something people just “get” to show other people they are “secure.” Hence your use of “marketing propaganda.”

People don’t go through an audit and get PCI certified so that they can claim they are secure. It doesn’t work like that. PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they want to or not, in order to be able to process credit cards. If you process less than 1 million xactions per year, you can “self audit.” Can you lie? Sure. But you’ll get your ability to process payments yanked if they catch you. More than that requires an auditor. If that auditor finds you have horrible security controls in place, you will fail. If they pass you anyway, they can lose their certification to audit. If you fail, you have x time to get with the program and be audited again.

It’s just a way for the CC industry to make sure the people handling card info follow best practices for security. That’s all it means – it is a certification FOR the industry BY the industry. No one ever said it meant people had “real security.” It means companies illustrate a base of practices required to handle consumer credit card data. That’s it.

And I totally agree with Mike Hale’s comments about “if you are really secure, as in ‘already secure’ then it’s cake.” I don’t know that I would say “cake” as it depends on the scope of audit, but he’s right. If you already have a drive to secure your infrastructure, then PCI should be easy. My requirements for security are far more strict than PCI. Yours may or may not be, so you’ll have to adjust as necessary.

Regarding code, I do believe that in PCI audits for dev that you have to illustrate an SDL, in which case things like XSS and BOs and such would be part of.

That’s the skinny on PCI :)

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:34 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was in our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us. The end decision wasn't mine, though.

We do take security as a main concern, however, it is preferred to have a more realistic approach to security rather than restrict employees' access (by signing some oath..).

Regards,
Christian Sciberras.

On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Marketing propaganda? I have no idea what you are talking about.

Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions before continuing dialog about if PCI contributes to security or not.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:02 PM
To: Mike Hale
Cc: Stephen Mullins; full-disclosure; security-bas...@securityfocus.com; Thor (Hammer of God)
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

If you strive for security, and weave that into your network, complying with PCI should be cake.

Uhm.. No. NO.

PCI is an unnecessary hassle. What makes signing a document any more secure than having a server facing the wild of the net? Truth is, PCI doesn't help in security at all. It is at most a sense of false security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't bother to. I just want to point out
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Payment Gateways are a nice alternative to processing credit cards yourself. Well, as nice as it gets...

Other than that, it's not me that is being absolutist, but rather seeing this from a company perspective.

Nobody has ever claimed that PCI makes you secure.

Interesting statement. Why's the need for PCI then? (don't bother with an answer)

It is a minimal standard which experience has shown most companies need spelled out for them.

Exactly. So where was the security again?

On Sat, Apr 24, 2010 at 12:56 AM, BMF badmotherfs...@gmail.com wrote:

On Fri, Apr 23, 2010 at 3:33 PM, Christian Sciberras uuf6...@gmail.com wrote:

4) I've looked into whether it was into our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us.

This right here screams bullshitter. It isn't as if you get to decide if you want to use PCI or not. If you process credit cards with the major card brands you are going to do PCI either now or eventually. There is no other security standard which you can choose.

You also show signs of being a victim of absolutism. Nobody has ever claimed that PCI makes you secure. It is a minimal standard which experience has shown most companies need spelled out for them. There is much more than just the things spelled out by PCI that need to be done.

As usual in these situations, your real complaint isn't about PCI but about the people who just don't get the point.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
You spend the time, resources, and money because you are contracted to. You are required to. You HAVE to. That's what we've all been getting on about - you don't get to choose, you have to if you want to continue to process credit card information yourself. If you want to use a gateway service or other processor, then fine - do that. No harm, no foul. You just pay more. If you want to do it yourself, you have to be PCI certified. It's just that simple.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:57 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

I just want to emphasize on a point you mentioned right now:

> It means companies illustrate a base of practices required to handle consumer credit card data.

So why waste resources, time and money when one would be better off with proper security measures? As Mr Hale said, it's a piece of cake if you had the right stuff already going. Problem is, it's a piece of expensive cake.

I just want[ed] to make my point clear, I don't see any discussion into this at all. As I already said, it is not my intention to argue with the original message.

Cheers.

On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

OK - so, when you say "to use PCI" what do you mean? I get the feeling that you are equating being "PCI certified" as something people just "get" to show other people they are "secure." Hence your use of "marketing propaganda." People don't go through an audit and get PCI certified so that they can claim they are secure. It doesn't work like that.

PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they want to or not, in order to be able to process credit cards. If you process less than 1 million xactions per year, you can "self audit." Can you lie? Sure. But you'll get your ability to process payments yanked if they catch you. More than that requires an auditor. If that auditor finds you have horrible security controls in place, you will fail. If they pass you anyway, they can lose their certification to audit. If you fail, you have x time to get with the program and be audited again.

It's just a way for the CC industry to make sure the people handling card info follow best practices for security. That's all it means - it is a certification FOR the industry BY the industry. No one ever said it meant people had "real security." It means companies illustrate a base of practices required to handle consumer credit card data. That's it.

And I totally agree with Mike Hale's comments about "if you are really secure, as in 'already secure' then it's cake." I don't know that I would say "cake" as it depends on the scope of audit, but he's right. If you already have a drive to secure your infrastructure, then PCI should be easy. My requirements for security are far more strict than PCI. Yours may or may not be, so you'll have to adjust as necessary.

Regarding code, I do believe that in PCI audits for dev that you have to illustrate an SDL, in which case things like XSS and BOs and such would be part of.

That's the skinny on PCI :)

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:34 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was into our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us. The end decision wasn't mine, though.

We do take security as a main concern, however, it is preferred to have a more realistic approach to security rather than restrict employees' access (by signing some oath..).

Regards,
Christian Sciberras.

On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Marketing propaganda? I have no idea what you are talking about. Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see some truthful expansion on the answers to those questions before continuing dialog about if PCI contributes to security or not.

t

From: Christian
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Hmm. Point taken. Think I'm getting some sleep... G'night.

On Sat, Apr 24, 2010 at 1:12 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

You spend the time, resources, and money because you are contracted to. You are required to. You HAVE to. That's what we've all been getting on about - you don't get to choose, you have to if you want to continue to process credit card information yourself. If you want to use a gateway service or other processor, then fine - do that. No harm, no foul. You just pay more. If you want to do it yourself, you have to be PCI certified. It's just that simple.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:57 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

I just want to emphasize on a point you mentioned right now:

> It means companies illustrate a *base* of practices required to handle consumer credit card data.

So why waste resources, time and money when one would be better off with proper security measures? As Mr Hale said, it's a piece of cake if you had the right stuff already going. Problem is, it's a piece of expensive cake.

I just want[ed] to make my point clear, I don't see any discussion into this at all. As I already said, it is not my intention to argue with the original message.

Cheers.

On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

OK - so, when you say "to use PCI" what do you mean? I get the feeling that you are equating being "PCI certified" as something people just "get" to show other people they are "secure." Hence your use of "marketing propaganda." People don't go through an audit and get PCI certified so that they can claim they are secure. It doesn't work like that.

PCI (Payment Card Industry) compliance is what people HAVE to do, as in FORCED to do whether they want to or not, in order to be able to process credit cards. If you process less than 1 million xactions per year, you can "self audit." Can you lie? Sure. But you'll get your ability to process payments yanked if they catch you. More than that requires an auditor. If that auditor finds you have horrible security controls in place, you will fail. If they pass you anyway, they can lose their certification to audit. If you fail, you have x time to get with the program and be audited again.

It's just a way for the CC industry to make sure the people handling card info follow best practices for security. That's all it means - it is a certification FOR the industry BY the industry. No one ever said it meant people had "real security." It means companies illustrate a base of practices required to handle consumer credit card data. That's it.

And I totally agree with Mike Hale's comments about "if you are really secure, as in 'already secure' then it's cake." I don't know that I would say "cake" as it depends on the scope of audit, but he's right. If you already have a drive to secure your infrastructure, then PCI should be easy. My requirements for security are far more strict than PCI. Yours may or may not be, so you'll have to adjust as necessary.

Regarding code, I do believe that in PCI audits for dev that you have to illustrate an SDL, in which case things like XSS and BOs and such would be part of.

That's the skinny on PCI :)

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Friday, April 23, 2010 3:34 PM
To: Thor (Hammer of God)
Cc: Mike Hale; Stephen Mullins; full-disclosure; security-bas...@securityfocus.com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was into our best interest to use PCI. (it was decided that it wasn't worth the trouble) At that time, I knew about PCI but not its details, at which point we got someone to explain in detail for us. The end decision wasn't mine, though.

We do take security as a main concern, however, it is preferred to have a more realistic approach to security rather than restrict employees' access (by signing some oath..).

Regards,
Christian Sciberras.

On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Marketing propaganda? I have no idea what you are talking about. Before commenting on PCI not helping at all and at the most being a false sense of security, let me ask:

1) Does the company you work for perform PCI audits?
2) Is the company you work for required to undergo PCI audits?
3) Are you certified to be able to perform a PCI audit?
4) Have you ever been directly involved with, as in contributing to, a PCI audit, and if so, in what capacity?

I would like to see
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
I actually disagree with the conclusions presented by this paper. I'm in the process of writing up a more thorough explanation, but my main issue lies with their key finding on compliance spending.

According to the paper, roughly 40% is spent on directly securing secrets, and another 40% is spent on compliance of some type. They further suggest that half of this compliance spending is spent on internal compliance, and half on regulatory/external compliance.

Internal security policies are designed to protect the network and the company's data. Therefore, reason would dictate that spending on internal compliance is money spent on securing your secrets (a fraction of that spending, anyway). Is it unreasonable to assume that half of money spent on compliance with internal policies positively affects security of your data?

I find the findings completely flawed. Am I missing something?

-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:

> According to the paper, roughly 40% is spent on directly securing secrets, and another 40% is spent on compliance of some type. They further suggest that half of this compliance spending is spent on internal compliance, and half on regulatory/external compliance.

> I find the findings completely flawed. Am I missing something?

My reading of it is we spent 40% actually securing it, and an equal amount on total bullshit paperwork and checkbox-checking to prove we secured it, and the paperwork and checkboxes didn't do anything to directly secure the data.

Consider - if you spend a week talking to the auditors, that's a week's salary spent on talking to auditors that didn't actually do squat for the security. Similar to if you had to get a yearly safety inspection on your car, and you had to pay $20 to the mechanic to do the inspection (which will hopefully actually verify your car meets the legal standards if your mechanic is honest), but then had to spend another $20 to file the paperwork with the local Dept of Motor Vehicles to make it official.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Tracy Reed to Digital X:

> > Having just gone through a PCI audit I can safely say a few things:
>
> Not the fault of PCI. Perhaps you should consider a better auditor.

Um -- isn't the point that PCI is set up such that lowest (common denominator amongst) auditors are actually the ones that define what PCI compliance really is?

As an earlier poster already pointed out, all the vaguely recent major credit card data theft cases have involved fully PCI compliant (as defined by that perpetrator's PCI auditors) card processors, etc...

What part of that's really fsck'ed-up did you not understand?

... Sure, you _can_ retain a morally [and maybe even technically] superior PCI auditor, but WTF does that buy you other than a bigger bill for an essentially meaningless certification? Did any of those massive PCI accredited fsck-up operators lose their accreditations? Did any of them have to give up their CC processing business activities as a result of their _proven_ (by the mostly generally trivial hacks that fsck'ed them up) poor practice?

So Why would any other must be PCI compliant operators even consider spending more money than the lowliest of PCI auditors charge?

Regards,

Nick FitzGerald
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Sat, 10 Apr 2010 18:00:23 -, Thor (Hammer of God) said:

> According to the 2009 Verizon Business Breach Report, 81% of the attack victims were not PCI compliant: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Verizon Business has gotten a good reputation for having good hard numbers. I'd have to say their breach reports are probably close to the most accurate numbers we're going to get in this industry.

81% of victims were not PCI compliant. In and of itself, doesn't say much, but combined with these 3:

83% of attacks were not highly difficult.
87% were considered avoidable through simple or intermediate controls.
99.9% of records were compromised from servers and applications (meaning, not clients).

Sad, ain't it? Over 4 out of 5 times, the hack wasn't hard, and almost 9 out of 10 times, basic hardening would have prevented it. Unfortunately, there's not enough data there to say if the 81% had been compliant, if that would have imposed enough hardening to stop the attacks dead in their tracks. Probably in most of the cases it would have, though.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Wed, Apr 07, 2010 at 03:52:00PM -0600, Digital X spake thusly:

> Having just gone through a PCI audit I can safely say a few things:

Not the fault of PCI. Perhaps you should consider a better auditor.

-- 
Tracy Reed
http://tracyreed.org
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Whether said checkbox is actually the best solution *for the actual problem* is the issue. I've seen cases where checkbox auditors insisted that a certain critical system absolutely positively *HAD* to have a firewall.

This is where compensating controls come in with PCI. If there is an even better solution you are free to implement it.

Yes, the PCI compensating controls are overall a Good Thing. Unfortunately, a lot of regulatory regimes don't see things that way yet. And it still requires a clued PCI auditor who actually understands the real world enough to deal with compensating controls.

Having just gone through a PCI audit I can safely say a few things:

A) Approaching compliance from a risk management approach went out the window
B) Items the auditor didn't understand absolutely went back to a checkmark mentality
C) Items that were gray areas were treated VERY liberally in their interpretation

Bleh
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On 4/6/10 1:23 AM, Ivan . ivan...@gmail.com wrote:

> For those who don't frequent slashdot...
>
> Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF).
>
> http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf

That's not really a surprise. While it's not the only thing that can cost big bucks or put you out of business, non-compliance is just about the only one that's checked regularly.

Bert
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
That is not really surprising. Regulations are (fairly) clearly defined 'tick box' exercises. They avoid three difficult requirements: identifying what is important and should be protected; identifying what is an acceptable response; and persuading the executive it is worthwhile.

If you have a regulation (like PCI and HIPAA, for example) it defines what should be protected and what is expected as a reasonable response. The weight of the law, or a regulatory authority, that defines fines and even makes CXOs personally responsible quickly gets attention.

The best hope is that with a bit of innovative thinking infosec professionals can implement a programme that covers various regulations, finds synergy between them and properly protects valuable assets. It should then be possible to cover other information assets that are important to the organisation, but not covered by regulations, at only incremental costs.

Personally I think the values created by Forrester are a bit suspect. They don't give any information about the mix of industries and sizes of the enterprises represented in the survey. My assumption is that they are all Forrester customers. This means they are large and they are extremely reliant on information and technology to run their businesses.

On 6 April 2010 07:23, Ivan . ivan...@gmail.com wrote:

For those who don't frequent slashdot...

Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations.
The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF).

http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
You say:

> ...Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found...

BALONEY

As an Information Systems Auditor, it seems that if you have a valid finding and a reasonable recommendation, management usually doesn't act on it. However, if you have the same finding and recommendation and then cite a regulation, management is forced to act upon it.

I believe that the regulations were drafted in order to force entities into doing what they should have done in the first place. I should not have to cite regulations in order to make sure logs are being reviewed, business recovery plans are drafted and machines are disposed of properly. But people and companies do not do these things, so laws are made in order to force compliance.

For example:

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

The regulations are a bit dry, but enlightening nonetheless.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html

On Tue, Apr 6, 2010 at 2:23 AM, Ivan . ivan...@gmail.com wrote:

For those who don't frequent slashdot...
Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF).

http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
The entire compliance industry has design flaws which cause results to be skewed such that the intended value is lost.

CompanyA hires a PCI auditor for their annual PCI audit. It is in the auditor's best interest to make sure CompanyA has a pleasant enough experience with them through the audit up to and including the reported findings, otherwise CompanyA will just select a different auditor for the following year that will be kinder to them for the same reasons. If an auditor fails to pass CompanyA, they stand a very good chance to lose a customer. Not only that but word of mouth could hurt their potential to gain new customers. Naturally, auditors like everyone else want to make money. As such, auditors want to keep existing customers and gain new customers.

Keep in mind that all of the large PCI breaches reported publicly over the past couple years have been for companies that have passed their annual PCI audits.

1) The bar for PCI compliance is fairly low
2) The cost to go through an annual PCI audit can be fairly high (which unfortunately gives executives signing the checks the false impression that there is much security value from the process and not just the ability to continue processing payment cards)
3) The auditors required for large companies' annual PCI audits have conflicting interests between the intent of PCI compliance and making money

The recipe results in organizations paying lots of money to continue making more money for themselves while the real information assets go ignored and the PCI relevant findings are either swept under the carpet or downplayed such that they are no real issue.

On Wed, Apr 7, 2010 at 7:24 AM, Keith Tomler ktom...@gmail.com wrote:

You say:

...Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found...
BALONEY

As an Information Systems Auditor, it seems that if you have a valid finding and a reasonable recommendation, management usually doesn't act on it. However, if you have the same finding and recommendation and then cite a regulation, management is forced to act upon it.

I believe that the regulations were drafted in order to force entities into doing what they should have done in the first place. I should not have to cite regulations in order to make sure logs are being reviewed, business recovery plans are drafted and machines are disposed of properly. But people and companies do not do these things, so laws are made in order to force compliance.

For example:

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

The regulations are a bit dry, but enlightening nonetheless.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html

On Tue, Apr 6, 2010 at 2:23 AM, Ivan . ivan...@gmail.com wrote:

For those who don't frequent slashdot...

Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found.
A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF).

http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
On Wed, 07 Apr 2010 10:24:00 EDT, Keith Tomler said:

> BALONEY
>
> As an Information Systems Auditor, it seems that if you have a valid finding and a reasonable recommendation, management usually doesn't act on it. However, if you have the same finding and recommendation and then cite a regulation, management is forced to act upon it.
>
> I believe that the regulations were drafted in order to force entities into doing what they should have done in the first place.

I think the issue is a bit deeper than that - the way most regulations are drafted, they do *not* force entities to do what they should have done in the first place. What they *do* force is implementing a checkbox. Whether said checkbox is actually the best solution *for the actual problem* is the issue. I've seen cases where checkbox auditors insisted that a certain critical system absolutely positively *HAD* to have a firewall. Even though the owners of the system were *more* paranoid, and had done an even more thorough securing of the system by not even having a network connection to the machine.

> I should not have to cite regulations in order to make sure logs are being reviewed,

Now stop for a moment - what is the *reason* for logs being reviewed? Is it acceptable to *not* review logs if there's a suitable throw alert on exception mechanism in place? Which is actually more long-term cost effective security for the organization?

That's the problem with most of the regulations - they enforce checkboxes, not actually dealing with the overall security posture in a sane way.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
That's not entirely the case. Auditors aren't robots. It's their job to make determinations about your organization's capabilities and how they map against somewhat loosely defined compliance standards that have lots of wiggle room and lots of gray areas. All the gray areas are extremely useful to auditors so they can massage things around such that the organization can pass and be happy and hire them again next year.

An auditor can very well see that your organization has a throw alert on exception mechanism in place and determine that meets the review logs requirement. box checked

On Wed, Apr 7, 2010 at 9:43 AM, valdis.kletni...@vt.edu wrote:

On Wed, 07 Apr 2010 10:24:00 EDT, Keith Tomler said:

BALONEY

As an Information Systems Auditor, it seems that if you have a valid finding and a reasonable recommendation, management usually doesn't act on it. However, if you have the same finding and recommendation and then cite a regulation, management is forced to act upon it.

I believe that the regulations were drafted in order to force entities into doing what they should have done in the first place.

I think the issue is a bit deeper than that - the way most regulations are drafted, they do *not* force entities to do what they should have done in the first place. What they *do* force is implementing a checkbox. Whether said checkbox is actually the best solution *for the actual problem* is the issue. I've seen cases where checkbox auditors insisted that a certain critical system absolutely positively *HAD* to have a firewall. Even though the owners of the system were *more* paranoid, and had done an even more thorough securing of the system by not even having a network connection to the machine.

I should not have to cite regulations in order to make sure logs are being reviewed,

Now stop for a moment - what is the *reason* for logs being reviewed? Is it acceptable to *not* review logs if there's a suitable throw alert on exception mechanism in place? Which is actually more long-term cost effective security for the organization?

That's the problem with most of the regulations - they enforce checkboxes, not actually dealing with the overall security posture in a sane way.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

On Wed, 07 Apr 2010 11:31:28 PDT, J Roger said:
> That's not entirely the case. Auditors aren't robots.

Unfortunately, that's far too often not true. Internal audit departments in particular seem to accumulate people with no real clue, because they *don't* rely on passing the client in order to get the job again next year. They stay around for the next fiscal year by showing a pretty list with "See all the things we found wrong", not by "See all the creative solutions we looked at and decided were in fact OK".
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

You're right, they aren't robots, they're overpaid tech writers that memorized just enough industry jargon and buzzwords to talk the talk without being able to walk the walk.

http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm

SANS Institute founder Alan Paller had some comments about FISMA compliance and CA professionals.

"[They] rewarded ineffective behavior and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming flaw," he said.

Fisma had created and rewarded a culture of compliance rather than security, Paller said. Federal and state governments were radically short of money, but they were forced to spend it on reporting rather than security, he said.

"Writers who know a few words about security and federal regulations now make 50% to 80% more money than the people who actually secure systems and networks and applications," he said. "It is as if we paid the compliance staff at a hospital more than the surgeons."

He said the nation's attention should be on real-time monitoring of its information systems and networks to prevent or mitigate attacks as they happened. "Oversight must be focused on the effectiveness of the agencies' real time defences," he said.

On Wed, Apr 7, 2010 at 2:52 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 07 Apr 2010 11:31:28 PDT, J Roger said:
> > That's not entirely the case. Auditors aren't robots.
>
> Unfortunately, that's far too often not true. Internal audit departments in particular seem to accumulate people with no real clue, because they *don't* rely on passing the client in order to get the job again next year. They stay around for the next fiscal year by showing a pretty list with "See all the things we found wrong", not by "See all the creative solutions we looked at and decided were in fact OK".
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

On Wed, 07 Apr 2010 14:06:41 PDT, Tracy Reed said:
> On Wed, Apr 07, 2010 at 12:43:47PM -0400, valdis.kletni...@vt.edu spake thusly:
> > Whether said checkbox is actually the best solution *for the actual problem* is the issue. I've seen cases where checkbox auditors insisted that a certain critical system absolutely positively *HAD* to have a firewall.
>
> This is where compensating controls come in with PCI. If there is an even better solution you are free to implement it.

Yes, the PCI compensating controls are overall a Good Thing. Unfortunately, a lot of regulatory regimes don't see things that way yet. And it still requires a clued PCI auditor who actually understands the real world enough to deal with compensating controls.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

On Wed, Apr 07, 2010 at 12:43:47PM -0400, valdis.kletni...@vt.edu spake thusly:
> I think the issue is a bit deeper than that - the way most regulations are drafted, they do *not* force entities to do what they should have done in the first place. What they *do* force is implementing a checkbox.

I have been doing a lot of PCI work in recent years. It isn't government regulation (although it is often acquiring bank/card brand regulation) and serves a similar purpose, subject to similar criticisms. How would you draft regulations such that they do not force them into implementing a checkbox?

I am actually somewhat impressed with the PCI guidelines. They provide the ability to have compensating controls. So if you can adequately explain why a particular requirement does not need to be met to the letter but the data can instead be secured by some other means (even better than what the requirement specifies), you can go that route. It is not a free pass or an exception to the requirements. What it does do is prevent you from having your hands tied in silly ways.

> Whether said checkbox is actually the best solution *for the actual problem* is the issue. I've seen cases where checkbox auditors insisted that a certain critical system absolutely positively *HAD* to have a firewall.

This is where compensating controls come in with PCI. If there is an even better solution you are free to implement it.

> Now stop for a moment - what is the *reason* for logs being reviewed? Is it acceptable to *not* review logs if there's a suitable "throw alert on exception" mechanism in place?

Yes. Nobody really has a human read every line of every log. I have some home-grown stuff which filters out exceptional stuff. That is quite adequate under PCI.

> That's the problem with most of the regulations - they enforce checkboxes, not actually dealing with the overall security posture in a sane way.

Maybe SOX or HIPAA are that way, but not PCI. If anything the problem is more likely with the organizations *wanting* a box to check (because that is easier than actually thinking about the real problem) than the regs forcing mindless checkboxes.

--
Tracy Reed
http://tracyreed.org
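The "throw alert on exception" log review that Valdis and Tracy discuss as an acceptable way to meet the review-logs requirement, sketched as an added Python example (not code from anyone on the thread): lines matching a reviewer-maintained baseline of known-benign events are suppressed, everything else is collapsed into exception groups for a human to read, and the totals are kept as evidence that the review happened. The log lines and baseline patterns are constructed for illustration.

```python
"""Added example: 'alert on exception' log review as a compensating control.
Known-benign lines (the baseline) are suppressed; everything else is grouped
for a human to actually read, with totals usable as review evidence."""
import re

# Constructed sample (not from the thread): syslog-style lines from one host.
SAMPLE_LOG = """\
Apr  7 10:01:02 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 52210 ssh2
Apr  7 10:01:09 web1 CRON[2299]: (root) CMD (/usr/local/bin/rotate-logs)
Apr  7 10:02:30 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr  7 10:02:31 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr  7 10:02:33 web1 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Apr  7 10:05:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart app
garbage line that does not look like syslog at all
"""

# Baseline of known-benign events; each pattern is a documented reviewer decision.
BASELINE = [
    re.compile(r"^sshd\[\d+\]: Accepted publickey for deploy from 10\.0\.0\.\d+ port \d+ ssh2$"),
    re.compile(r"^CRON\[\d+\]: \(root\) CMD \(/usr/local/bin/rotate-logs\)$"),
]

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

def review_log(text, baseline):
    """Return (exceptions, summary): exceptions are non-baseline events grouped
    by host and message shape (digits normalised to N), each with a count and
    its first raw line; summary holds the totals recorded for the review."""
    groups, order, suppressed, total = {}, [], 0, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        total += 1
        m = LINE_RE.match(raw)
        if m is None:
            key = "UNPARSED " + raw          # malformed input is never silently dropped
        else:
            msg = m.group("msg")
            if any(p.search(msg) for p in baseline):
                suppressed += 1              # known-benign: no human attention needed
                continue
            key = m.group("host") + " " + re.sub(r"\d+", "N", msg)
        if key not in groups:
            groups[key] = {"key": key, "count": 0, "first": raw}
            order.append(key)
        groups[key]["count"] += 1
    exceptions = [groups[k] for k in order]
    summary = {"total": total, "suppressed": suppressed,
               "exception_groups": len(exceptions), "exception_lines": total - suppressed}
    return exceptions, summary
```

The three repeated failed-password lines collapse into one group with a count of 3, so the reviewer sees one item to act on rather than three, and the unparsable line surfaces as its own exception instead of disappearing.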