Sounds more like a brute force attack to me ;)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Paul Asadoorian
Sent: Wednesday, August 12, 2009 3:01 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Question about PCI audit results and reality....

Simple, hit each of the squirrels on the head with a baseball bat. Note which squirrels die, and which ones live. Send report to management. I think we call this a penetration test ;)

Cheers,
Paul

Jason Wood wrote:
> So I have a "hypothetical" situation that I'd like some ideas on.
>
> Say you go through a PCI audit and certain things that you know are a problem are not marked as such by the auditor. (We can get into getting a new QSA later.) To make up a completely fake scenario, let's say that item 15.3 requires all squirrels to wear helmets when running the credit card numbers from the web server to the database server. (squirrelNet anyone?) The QSA says that there are no problems and that the squirrels are wearing helmets properly. The issue is that the helmets are made of newspaper and don't look like a helmet from anything beyond a passing glance.
>
> As the admin/squirrel handler, I want to justify getting proper helmets on the squirrels. However, here's this audit report which states that there's no problem here. How do you go about justifying "real" squirrel helmets when the QSA says everything is good? Chances are good management is going to look at the report and tell you to leave the newspaper hats in place because it is good enough for the QSA.
>
> Short of calling up the QSA and asking him WTF (and getting in hot water for doing so), how do you deal with this?
>
> Here are some of the ideas that have occurred to me:
>
> * Explain to management what squirrel helmets really are supposed to be and that not every QSA is going to be so... casual about them.
> * Explain that PCI is a minimum set of requirements and doesn't ensure actual security.
> * Club a squirrel on the head and demonstrate that newspaper isn't an adequate helmet.
>
> How do you deal with justifying security improvements when an audit report says that everything is blue skies and happy days?
>
> Thanks,
> Jason
>
> P.S. SquirrelNet was inspired by @beaker and no actual squirrels were used to run credit card numbers or were clubbed on the head while writing this email.
>
> --
>
> irc: Tadaka
> Twitter: Jason_Wood
> jwnetworkconsulting.com <http://jwnetworkconsulting.com>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
