Security Basics mailing list archives

RE: DSS (Passing an audit is NOT compliance!)


From: Craig Wright <Craig.Wright () bdo com au>
Date: Sat, 24 May 2008 08:57:41 +1000


"Just out of curiosity, how many people here thinks that PCI does
anything to protect you from the real world threat?"

This depends.
Are you "REALLY" compliant, or is the organisation doing just enough to fool the auditors?

From experience, I see 80-90% in the latter. Most auditors are not experienced enough to know when they are being BS'd.

As for the question, I have not seen a compromise of a truly compliant organisation. Every single organisation that has 
been compromised has actually also had a flaw that should have failed them.

In some instances, the testing was completed on an alternate system that was given to the auditor in place of the real 
one. In others, they pointed out the good systems and missed many.

I guess that people do not understand that in this case less than full disclosure is actually criminal fraud. In 
Australia, the Corps Act provisions (similar to the SEC provisions in the US) make it a criminal offence to mislead the 
auditor.

To answer the question, yes. I think that getting to this (truly this level) would help. The issue is: which 
companies are?

Take for instance a validated firewall. What does this mean?

A validated firewall is one that is tested. This is where you use hping or a similar crafting tool to fire packets 
through ALL interfaces of the firewall and you validate the firewall policy.

When you read these standards, think how a lawyer will read them, not an IT person. This is because it is a lawyer who 
is the judge and prosecutor.

Many QSAs, even following their "wham bam thank you ma'am, intro to audit and now you are a QSA" process, are not ready 
to audit systems. These are the same people who do not know the systems they audit. An example being "how do I copy a 
directory on Unix"... a real quote from the principal at a MAJOR PCI specialty firm.

Passing an audit is NOT compliance!

Let me say that again...

Passing an audit is NOT compliance!

The fun of having just completed my LLM in commercial law is understanding these issues a little better. An audit is a 
risk report to management. It does nothing to stop the lawyers rolling over you if you are not compliant. The issue 
where people try to BS the auditors is BS. The auditors are NOT the enemy; they are the ones stopping the courts rolling 
over you.

You are either compliant 100% to the standards you need to meet, or you (both the individual AND the organisation) are 
at risk.

I do not think that many on the list understand the issues. On another compliance topic, SOX, you tell management and 
the auditors that a system is compliant. The auditors are a little clueless (as many are) and do not (as by law they 
are required to) test the system.

Who is to blame when the system is compromised?
You are and management is - both.

In fact, your ignorance as to the system security is not a good defence. You have defrauded the auditors and the worst 
case is 20 years with a new hubby called bubba... (or the equivalent for the female of bubba).

To demonstrate this, I have a SOX client who is stating that they do not need logs; they have never been compromised.

I have another (who has for 4 years received a clean bill of health from a Big 4 firm) who has more services running on 
the finance database than come out of the box. They have the Archie filesystem, as a consultant thought it would be 
cool. They have also not patched it for the last 113 remote root level exploits.

In Australia, not securing payroll and finance information (eg tax file numbers of employees) is a criminal offence.

I will say it again.

Passing an audit is NOT compliance!

Choosing a firm who will pass you is dumb. This is a false economy. It is buying a broken umbrella in case it 
rains.

Regards,
Craig Wright (GSE-Compliance) LLM


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received 
this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. 
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () 
bdo com au.

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved 
under Professional Standards Legislation.
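The firewall validation described in the post above (crafted packets through every interface, checked against the written policy), as an added example that is not code from the post or from BDO: a Python harness that derives the probe matrix from a policy and reports where observed outcomes disagree with it, treating probes that were never run as findings rather than passes. The policy, interface names and observed results are constructed, the function names are hypothetical, and the actual packet crafting with hping is left to the tester.

```python
"""Firewall policy validation matrix (added example, not from the post above).
Builds the probe matrix from the written policy and compares it with observed
results; policy, interface names and outcomes are constructed for illustration."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    iface: str       # interface the packet arrives on ("*" = any)
    proto: str       # "tcp" or "udp"
    dport: int       # destination port (0 = any)
    action: str      # "allow" or "deny"

# Constructed policy: first matching rule wins, implicit deny at the end.
POLICY = [
    Rule("outside", "tcp", 443, "allow"),
    Rule("dmz", "tcp", 25, "allow"),
    Rule("*", "udp", 53, "allow"),
    Rule("*", "tcp", 0, "deny"),
]
INTERFACES = ["outside", "dmz", "inside"]
PROBE_PORTS = [("tcp", 22), ("tcp", 25), ("tcp", 443), ("udp", 53), ("udp", 161)]

def expected(iface, proto, dport):
    """What the written policy says should happen to this packet."""
    for r in POLICY:
        if r.iface in ("*", iface) and r.proto == proto and r.dport in (0, dport):
            return r.action
    return "deny"  # implicit default deny

def probe_matrix():
    """Every (interface, proto, port) combination the policy must be exercised on."""
    return [(i, p, d) for i, (p, d) in product(INTERFACES, PROBE_PORTS)]

def validate(observed):
    """Compare observed probe outcomes (e.g. recorded from hping runs) with the policy.
    observed maps (iface, proto, dport) -> "allow"/"deny"; probes that were
    never run are reported as UNTESTED rather than silently assumed to pass."""
    findings = []
    for key in probe_matrix():
        want, got = expected(*key), observed.get(key)
        if got is None:
            findings.append((key, want, "UNTESTED"))
        elif got != want:
            findings.append((key, want, got))
    return findings

# Constructed observations: dmz lets SSH through (violation); inside never probed for SNMP.
OBSERVED = {k: expected(*k) for k in probe_matrix()}
OBSERVED[("dmz", "tcp", 22)] = "allow"
del OBSERVED[("inside", "udp", 161)]
```

Running `validate(OBSERVED)` returns the two findings; a policy with no findings and no UNTESTED entries is what "validated" means here.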
-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adriel Desautels
Sent: Saturday, 24 May 2008 1:26 AM
To: Nick Vaernhoej
Cc: Hill, Pete; security-basics () securityfocus com
Subject: Re: DSS

Just out of curiosity, how many people here thinks that PCI does
anything to protect you from the real world threat?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Nick Vaernhoej wrote:
Good morning,

Have you scanned through the supplemental information regarding 6.6?
https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf

You have two options, code review or web application firewall.
You state that you already have custom code reviewed so I would think
you are in good shape.
What makes you think you need to do both? (It is a good idea to do so of
course, but not necessary to satisfy PCI).

Have a great day.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-->-----Original Message-----
-->From: listbounce () securityfocus com
-->[mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
-->Sent: Friday, May 23, 2008 8:53 AM
-->To: security-basics () securityfocus com
-->Subject: PCI: DSS
-->
-->
-->Hi all,
-->
-->Can anyone confirm for me what sort of workarounds there are
-->concerning
-->PCI:DSS and application layer firewalls?
-->
-->Requirement 6.6 of the standard states this:
-->
-->6.6 Ensure that all web-facing applications are protected against known
-->attacks by applying either of the following methods:
-->* Having all custom application code reviewed for common vulnerabilities
-->by an organization that specializes in application security
-->* Installing an application layer firewall in front of web-facing
-->applications.
-->Note: This method is considered a best practice until June 30, 2008,
-->after which it becomes a requirement.
-->
-->We already have our custom code reviewed, but I'm wondering if I
-->absolutely must sort out an application layer firewall or if there is
-->a workaround that would be acceptable for a level 1 merchant.
-->
-->If there are any knowledgeable auditors (QSA etc) out there I'd really
-->appreciate your help on this one.
-->
-->Many thanks
-->Pete
-->
-->
-->A number of bogus e-mails are currently circulating in the UK
-->encouraging customers to visit fraudulent websites where personal or
-->Internet security details are requested. Bid tv/Price-drop tv/Speed
-->auction tv would never send e-mails that ask for confidential,
-->personal security information or details regarding your account
-->status.
-->
-->The content of this e-mail does not constitute a contract and any
-->matters discussed herein remain subject to contract.
-->
-->The contents of this message and all attachments have been sent in
-->confidence for the attention of the addressee only.  If you are not
-->the intended recipient you are kindly requested to preserve this
-->confidentiality and to advise the sender immediately of the error in
-->transmission.
-->
-->"sit-up ltd, registered in England No: 03877786.
-->Registered Office: Sit-Up House, 179-181 The Vale, London W3 7RW.
-->Sit-Up ltd is wholly owned by a subsidiary of Virgin Media."


This electronic transmission is intended for the addressee (s) named above. It contains information that is 
privileged, confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you 
are hereby notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any 
action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in 
error, please notify the sender that this message was received in error and then delete this message.
Thank you.
