On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale <eyeronic.des...@gmail.com> wrote:
> "really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security."
>
> Except it's *massively* more expensive.
>

is it? how much does a datacenter pay for people + locks + card-key +
pin-pad + ... vs the requisite bits for security their customer
portal/backoffice/etc ? done right the cost shouldn't be super much
more.

-chris

> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
>> On Sun, Dec 27, 2015 at 1:59 PM, <valdis.kletni...@vt.edu> wrote:
>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>
>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>> yes it is in fact two factor.
>>>
>>> They also accept NAT as "security". If anything, PCI DSS is yet another
>>> example of a money grab masquerading as security theater (not even real
>>> security).
>>
>> is it that? or is it that once you click the checkboxes on /pci audit/
>> 'no one' ever does the daily due-diligence required to keep their
>> security processes updated/running/current/etc ?
>>
>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>> world where corporations are not people and such) is the equivalent of
>> the little posterboard person 42" tall before the roller-coaster
>> rides, right?
>>
>> "You really, REALLY should have at least these protections/systems/etc
>> in place before you attempt to process credit-card transactions..."
>>
>> In the utopian world this list would be sane, useful and would include
>> daily/etc processes to monitor the security controls for issues... I
>> don't think there's a process bit in PCI about: "And joey the firewall
>> admin looks at his logs daily/hourly/everly for evidence of
>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>> system that does the 'joey the firewall admin' step... but let's walk
>> before running, eh?)
>>
>> so, it's not really a mystery why failures like this happen.
>>
>>> I remember seeing a story a while ago that stated that of companies hit
>>> by a data breach on a system that was inside their PCI scope, something
>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>> the breach. The only conclusion to be drawn is that the PCI set of
>>> checkboxes are missing a lot of really crucial things for real security.
>>> (And let's not forget the competence level of the average PCI auditor,
>>> as the ones I've encountered have all been very nice people, but more
>>> suited to checking boxes based on buzzwords than actual in-depth
>>> security analysis).
>>
>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>> guilty of this i'm sure as well, but really ... if you put systems on
>> the tubes and you don't take the same care you would for your
>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>> really isn't a whole lot different from 'lock your damned doors and
>> windows' brick/mortar security.
>>
>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>> a claim of strong actual security.
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
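The "key file + password is two factor" point in the quoted thread only holds if sshd actually demands both on every login path, rather than accepting whichever one the client offers; the difference is a single `AuthenticationMethods` line, and a `Match` block can quietly override it for some users. The following audit script is an added example written for this page, not code from the thread participants or from the OpenSSH project. It parses sshd_config text (the sample configs are constructed here) and reports whether every accepted method chain combines two distinct factor classes. The mapping of methods to factor classes, and in particular treating `keyboard-interactive` as a knowledge factor, is an assumption; adjust it if your PAM stack binds that method to a hardware token.

```python
"""Audit an sshd_config for whether AuthenticationMethods really forces two factors.

Added example for this page; not from the thread or from OpenSSH.
"""

# Assumed mapping of OpenSSH method names to the factor class each represents.
# keyboard-interactive is treated as "knowledge" because it is usually a PAM
# password or OTP prompt; methods not listed here contribute no factor at all,
# so an unrecognised method can never make a chain look stronger.
FACTOR_CLASS = {
    "publickey": "possession",
    "hostbased": "possession",
    "password": "knowledge",
    "keyboard-interactive": "knowledge",
    "gssapi-with-mic": "knowledge",
}


def authentication_method_chains(config_text):
    """Return every chain from every AuthenticationMethods directive.

    A chain is the comma-separated list of methods a client must satisfy in
    sequence; space-separated entries are alternatives, any one of which is
    enough. Directives inside Match blocks are collected too, because a Match
    block can override the global setting for the users it matches.
    """
    chains = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.replace("=", " ", 1).split()  # accept "Key value" or "Key=value"
        if tokens[0].lower() != "authenticationmethods":
            continue
        for alternative in tokens[1:]:
            chains.append(alternative.split(","))
    return chains


def chain_factor_classes(chain):
    """Set of distinct factor classes a single chain requires."""
    return {FACTOR_CLASS[m.lower()] for m in chain if m.lower() in FACTOR_CLASS}


def weak_chains(config_text):
    """Chains that a single factor (or the 'any' keyword) is enough to satisfy."""
    return [
        chain
        for chain in authentication_method_chains(config_text)
        if chain == ["any"] or len(chain_factor_classes(chain)) < 2
    ]


def enforces_two_factor(config_text):
    """True only if a directive exists and every accepted chain is two-factor.

    No directive at all means sshd accepts any single enabled method, so that
    case is reported as False just like an explicit weak chain.
    """
    chains = authentication_method_chains(config_text)
    return bool(chains) and not weak_chains(config_text)


# Constructed sample configs (not from any real host).
STRONG_CONFIG = """\
# both a key and a password are required on every login
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
"""

WEAK_CONFIG = """\
# key OR password: each alone is enough, so this is not two-factor
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey password
"""

OVERRIDDEN_CONFIG = """\
AuthenticationMethods publickey,password
Match User deploy
    AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in [("strong", STRONG_CONFIG), ("weak", WEAK_CONFIG),
                      ("overridden", OVERRIDDEN_CONFIG)]:
        print(name, "two-factor:", enforces_two_factor(cfg),
              "weak chains:", weak_chains(cfg))
```

Run it against a real sshd_config by reading the file into `enforces_two_factor`; a `False` with an empty `weak_chains` list means the directive is missing entirely, which is the common case on hosts where "we use keys and passwords" was never actually enforced.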