On Sun, Dec 27, 2015 at 1:59 PM,  <valdis.kletni...@vt.edu> wrote:
> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>
>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>> yes it is in fact two factor.
>
> They also accept NAT as "security".  If anything, PCI DSS is yet another 
> example
> of a money grab masquerading as security theater (not even real security).

is it that? or is it that once you click the checkboxes on /pci audit/
'no one' ever does the daily due-diligence required to keep their
security processes updated/running/current/etc ?

I'm not a fan of the compliance regimes, but their goal (in a utopian
world where corporations are not people and such) is the equivalent of
the little posterboard person 42" tall before the roller-coaster
rides, right?

"You really, REALLY should have at least these protections/systems/etc
in place before you attempt to process credit-card transactions..."

In the utopian world this list would be sane, useful and would include
daily/etc processes to monitor the security controls for issues... I
don't think there's a process bit in PCI about: "And joey the firewall
admin looks at his logs daily/hourly/everly for evidence of
compromise" (and yes, ideally there's some adaptive/learning/AI-like
system that does the 'joey the firewall admin' step... but let's walk
before running, eh?)

so, it's not really a mystery why failures like this happen.

> I remember seeing a story a while ago that stated that of companies hit
> by a data breach on a system that was inside their PCI scope, something
> insane like 98% or 99% were in 100% full PCI compliance at the time of
> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
> are missing a lot of really crucial things for real security.  (And let's
> not forget the competence level of the average PCI auditor, as the ones
> I've encountered have all been very nice people, but more suited to checking
> boxes based on buzzwords than actual in-deopth security analysis).

people toss pci/sox/etc auditors under the bus 'all the time', and i'm
guilty of this i'm sure as well, but really ... if you put systems on
the tubes and you don't take the same care you would for your
brick/mortar places ... you're gonna have a bad day. 'cyber security'
really isn't a whole lot different from 'lock your damned doors and
windows' brick/mortar security.

> So excuse me for not taking "is accepted by PCI auditors" as grounds for
> a claim of strong actual security.

Reply via email to