Security Basics mailing list archives
Re: DSS (Passing an audit is NOT compliance!)
From: "Mike Hale" <eyeronic.design () gmail com>
Date: Sun, 25 May 2008 10:26:23 -0700
If you're going to advertise these white papers, please remove the mandatory registration for them. That's kinda annoying.

On 5/24/08, Adriel Desautels <adriel () netragard com> wrote:

Craig, I couldn't agree with you more and I am very pleased to see that someone has the same school of thought as us. That being that very, very few IT Security Companies are actually capable of delivering quality services. That is not the only issue though. If the Payment Card Industry would better define testing quality requirements for people that need to be PCI compliant then the "consumers" would be better armed to choose a quality service provider. It is important to remember that the customers are not always technical wizards, let alone security experts. For that reason it is easy for a "bunk" security vendor to sell them a "bunk" service. For this reason I think it is critical that customers interrogate their security vendors and gain a very clear understanding of their service delivery methodology. I think that vendors should be responsible, and required to educate their customers about the details of their services.

We actually have two white papers that you can download that cover this subject. These white papers are the start of a program that we are running to help educate the consumer about how to choose quality security services. I'd be very interested in feedback about the white papers if anyone here is interested in downloading them.

Here are the links (Tiny URLed):
--------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Craig Wright wrote:

"Just out of curiosity, how many people here think that PCI does anything to protect you from the real world threat?"

This depends. Are you "REALLY" compliant? Or is the organisation doing just enough to fool the auditors? From experience, I see 80-90% in the latter. Most auditors are not experienced enough to know when they are being BS'd.

As for the question, I have not seen a compromise of a truly compliant organisation. Every single organisation that has been compromised has actually also had a flaw that should have failed them. In some instances, the testing was completed on an alternate system that was given to the auditor in place of the real one. In others, they pointed out the good systems and missed many.

I guess that people do not understand that in this case less than full disclosure is actually criminal fraud. In Australia the Corps Act provisions (similar to the SEC provisions in the US) make it a criminal offence to mislead the auditor.

To answer the question, yes. I think that getting to this (truly this level) would help. The issue is that which companies are?

Take for instance a validated firewall. What does this mean? A validated firewall is one that is tested. This is where you use hping or a similar crafting tool to fire packets through ALL interfaces of the firewall and you validate the firewall policy.

When you read these standards, think how a lawyer will read them, not an IT person. This is because it is a lawyer who is the judge and prosecutor.

Many QSAs, even following their wham bam thank you ma'am "intro to audit and now you are a QSA" process, are not ready to audit systems. Those same who do not know the systems they audit. An example being "how do I copy a directory on Unix": ... being a real quote from the principal at a MAJOR PCI specialty firm.

Passing an audit is NOT compliance! Let me say that again... Passing an audit is NOT compliance!

The fun of having just completed my LLM in commercial law is understanding these issues a little better. An audit is a risk report to management. It does nothing to stop the lawyers rolling over you if you are not compliant. The issue where people try to BS the auditors is BS. The auditors are NOT the enemy, they are the ones stopping the courts rolling over you.

You are either compliant 100% to the standards you need to meet, or you (both the individual AND the organisation) are at risk.

I do not think that many on the list understand the issues. On another compliance topic, SOX, you tell management and the auditors that a system is compliant. The auditors are a little clueless (as many are) and do not (as by law they are required to) test the system. Who is to blame when the system is compromised? You are and management is - both. In fact, your ignorance as to the system security is not a good defence. You have defrauded the auditors and the worst case is 20 years with a new hubby called bubba... (or the equivalent for the female of bubba).

To demonstrate this, I have a SOX client who is stating that they do not need logs, they have never been compromised.

I have another (who has for 4 years received a clean bill of health from a Big 4 firm) who has more services running on the finance database than come out of the box. They have the Archie filesystem as a consultant thought it would be cool. They have also not patched it for the last 113 remote root level exploits.

In Australia, not securing payroll and finance information (eg tax file numbers of employees) is a criminal offence.

I will say it again. Passing an audit is NOT compliance! Choosing a firm who will pass you is dumb. This is economic false economy. It is buying a broken umbrella in case it rains.

Regards,
Craig Wright (GSE-Compliance) LLM

Craig Wright
Manager, Risk Advisory Services
Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adriel Desautels
Sent: Saturday, 24 May 2008 1:26 AM
To: Nick Vaernhoej
Cc: Hill, Pete; security-basics () securityfocus com
Subject: Re: DSS

Just out of curiosity, how many people here think that PCI does anything to protect you from the real world threat?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.

Nick Vaernhoej wrote:

Good morning,

Have you scanned through the supplemental information regarding 6.6?
https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf

You have two options, code review or web application firewall. You state that you already have custom code reviewed so I would think you are in good shape. What makes you think you need to do both? (It is a good idea to do so of course, but not necessary to satisfy PCI).

Have a great day.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-->-----Original Message-----
-->From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
-->Sent: Friday, May 23, 2008 8:53 AM
-->To: security-basics () securityfocus com
-->Subject: PCI: DSS
-->
-->Hi all,
-->
-->Can anyone confirm for me what sort of workarounds there are concerning PCI:DSS and application layer firewalls?
-->
-->Requirement 6.6 of the standard states this:
-->
-->6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
-->* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
-->* Installing an application layer firewall in front of web-facing applications.
-->Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
-->
-->We already have our custom code reviewed, but I'm wondering if I absolutely must sort out an application layer firewall or if there is a workaround that would be acceptable for a level 1 merchant.
-->
-->If there are any knowledgeable auditors (QSA etc) out there I'd really appreciate your help on this one.
-->
-->Many thanks
-->Pete