On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale <eyeronic.des...@gmail.com> wrote:
> "done right the cost shouldn't be super much more."
> I disagree. Done wrong, it's not super much more.
>
> Done right, it's massively more.

please cite useful numbers... It's not (I think) really all that much
more. Sure it's a new expense (not really, since ... you've always had
security costs) but it's not 'massive'.

> Like Randy said, compare salaries alone. A good security employee
> will run you, what, 100k or more in the major job markets? And how
> many do you need, full time, to provide acceptable coverage for your
> environment?
>

ideally you need 2-3 people (for a larger operation, less for small
shops) with a bunch of automation to help things run along. Ideally
your 2-3 experts aren't responding to the pager, almost all of that is
offloaded to your noc/etc staff in a manner that they can actually deal
with problems NOT as pager-spam which gets turned off. 'high quality
alerts' with actionable playbooks.

it'd be great if more of this was COTS-able for the smaller shops... I
bet a bunch of it IS, though the parts aren't quite in place today :(
which is sad.

> The costs add up really fast without a corresponding return.

the return is not having to fend off the WSJ reporters of the world,
and consequent lawsuits from your customers, subscribers, partners,
etc...

-chris

> On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow
> <morrowc.li...@gmail.com> wrote:
>> On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale <eyeronic.des...@gmail.com> wrote:
>>> "really isn't a whole lot different from 'lock your damned doors and
>>> windows' brick/mortar security."
>>>
>>> Except it's *massively* more expensive.
>>>
>>
>> is it? how much does a datacenter pay for people + locks + card-key +
>> pin-pad + ...
>>
>> vs
>>
>> the requisite bits for securing their customer portal/backoffice/etc ?
>>
>> done right the cost shouldn't be super much more.
>>
>> -chris
>>
>>> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
>>> <morrowc.li...@gmail.com> wrote:
>>>> On Sun, Dec 27, 2015 at 1:59 PM, <valdis.kletni...@vt.edu> wrote:
>>>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>>>
>>>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>>>> yes it is in fact two factor.
>>>>>
>>>>> They also accept NAT as "security". If anything, PCI DSS is yet another
>>>>> example of a money grab masquerading as security theater (not even real
>>>>> security).
>>>>
>>>> is it that? or is it that once you click the checkboxes on /pci audit/
>>>> 'no one' ever does the daily due-diligence required to keep their
>>>> security processes updated/running/current/etc ?
>>>>
>>>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>>>> world where corporations are not people and such) is the equivalent of
>>>> the little posterboard person 42" tall before the roller-coaster
>>>> rides, right?
>>>>
>>>> "You really, REALLY should have at least these protections/systems/etc
>>>> in place before you attempt to process credit-card transactions..."
>>>>
>>>> In the utopian world this list would be sane, useful and would include
>>>> daily/etc processes to monitor the security controls for issues... I
>>>> don't think there's a process bit in PCI about: "And joey the firewall
>>>> admin looks at his logs daily/hourly/everly for evidence of
>>>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>>>> system that does the 'joey the firewall admin' step... but let's walk
>>>> before running, eh?)
>>>>
>>>> so, it's not really a mystery why failures like this happen.
>>>>
>>>>> I remember seeing a story a while ago that stated that of companies hit
>>>>> by a data breach on a system that was inside their PCI scope, something
>>>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>>>> the breach. The only conclusion to be drawn is that the PCI set of
>>>>> checkboxes are missing a lot of really crucial things for real security.
>>>>> (And let's not forget the competence level of the average PCI auditor,
>>>>> as the ones I've encountered have all been very nice people, but more
>>>>> suited to checking boxes based on buzzwords than actual in-depth
>>>>> security analysis).
>>>>
>>>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>>>> guilty of this i'm sure as well, but really ... if you put systems on
>>>> the tubes and you don't take the same care you would for your
>>>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>>>> really isn't a whole lot different from 'lock your damned doors and
>>>> windows' brick/mortar security.
>>>>
>>>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>>>> a claim of strong actual security.
>>>
>>>
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
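The "SSH password + key file" point in the quoted thread has a practical caveat: an sshd that has both public-key and password authentication enabled accepts *either* one alone; both are only required when OpenSSH's `AuthenticationMethods` directive chains them. The check below is an added example, not code from the thread or from OpenSSH; it runs over constructed sshd_config fragments (the file contents and the `requires_two_factors` helper are assumptions for illustration).

```shell
#!/bin/sh
# Added example: does an sshd_config actually REQUIRE key + password, or
# merely allow both (in which case a single factor still logs you in)?
# "AuthenticationMethods" is a real OpenSSH directive (6.2 and later).

# Constructed sample configs, not taken from any real host.
WEAK_CFG=$(mktemp); STRONG_CFG=$(mktemp); MIXED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$STRONG_CFG" "$MIXED_CFG"' EXIT

# Both methods enabled, nothing chained: key alone OR password alone works.
cat > "$WEAK_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# Every alternative demands a key first, then a password-type step.
cat > "$STRONG_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF

# Looks two-factor, but the second alternative lets a key alone succeed.
cat > "$MIXED_CFG" <<'EOF'
AuthenticationMethods publickey,password publickey
EOF

# requires_two_factors FILE
# Returns 0 when AuthenticationMethods is present and every listed
# alternative chains publickey with password or keyboard-interactive;
# returns 1 if the directive is absent or any alternative is single-factor.
requires_two_factors() {
    methods=$(awk 'tolower($1)=="authenticationmethods" {$1=""; print; exit}' "$1")
    [ -n "$methods" ] || return 1      # absent: any one enabled method suffices
    for alt in $methods; do
        case "$alt" in
            *publickey*,*password*|*password*,*publickey*) ;;
            *publickey*,*keyboard-interactive*|*keyboard-interactive*,*publickey*) ;;
            *) return 1 ;;             # an alternative needing only one factor
        esac
    done
    return 0
}

for f in "$WEAK_CFG" "$STRONG_CFG" "$MIXED_CFG"; do
    if requires_two_factors "$f"; then echo "$f: requires key AND password"
    else echo "$f: a single factor is enough"; fi
done
```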