Re: DSS (Passing an audit is NOT compliance!)

["Mike Hale" <eyeronic.design () gmail com>]

If you're going to advertise these white papers, please remove the
mandatory registration for them.  That's kinda annoying.

On 5/24/08, Adriel Desautels <adriel () netragard com> wrote:
> Craig,
>        I couldn't agree with you more and I am very pleased to see that
> someone has the same school of thought as us. That being that very, very few
> IT Security Companies are actually capable of delivering quality services.
> That is not the only issue though.
>
>        If the Payment Card Industry would better define testing quality
> requirements for people that need to be PCI compliant then the "consumers"
> would be better armed to choose a quality service provider. It is important
> to remember that the customers are not always technical wizards, let alone
> security experts. For that reason it is easy for a "bunk" security vendor to
> sell them a "bunk" service.
>
>        For this reason I think it is critical that customers interrogate
> their security vendors and gain a very clear understanding of their service
> delivery methodology. I think that vendors should be responsible, and
> required to educate their customers about the details of their services.
>
>        We actually have two white papers that you can download that cover
> this subject. These white papers are the start of a program that we are
> running to help educate the consumer about how to choose quality security
> services. I'd be very interested in feedback about the white papers if
> anyone here is interested in downloading them.
>
> Here are the links (Tiny URLed):
> --------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know  : http://tinyurl.com/26pjsn
>
>
> Regards,
>        Adriel T. Desautels
>        Chief Technology Officer
>        Netragard, LLC.
>        Office : 617-934-0269
>        Mobile : 617-633-3821
>        http://www.linkedin.com/pub/1/118/a45
>
>        Join the Netragard, LLC. Linked In Group:
>        http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know  : http://tinyurl.com/26pjsn
>
>
> Craig Wright wrote:
> > "Just out of curiosity, how many people here thinks that PCI does
> > anything to protect you from the real world threat?"
> >
> > This depends.
> > Are you "REALLY" compliant. Or is the organisation doing just enough to
> fool the auditors.
> > From experience, I see 80-90% in the latter. Most auditors are not
> experienced enough to know when they are being BS'd.
> > As for the question, I have not seen a compromise of a truly compliant
> organisation. Every single organisation that has been compromised has
> actually also had a flaw that should have failed them.
> > In some instances, the testing was completed on an alternate system that
> was given to the auditor in place of the real one. In others, they pointed
> out the good systems and missed many.
> > I guess that people do not understand that in this case less than full
> disclosure is actually criminal fraud. In Australia in Corps act provisions
> (similar to the SEC provisions in the US) make it a criminal offence to
> mislead the auditor.
> > To answer the question, yes. I think that getting to this (truly this
> level) would help. The issue is that which companies are?
> > Take for instance a validated firewall. What does this mean?
> >
> > A validated firewall is one that is tested. This is you use hping or a
> similar crafting tool to fire packets through ALL interfaces of the firewall
> and you validate the firewall policy.
> > When you read these standards, think how a lawyer will read them, not an
> IT person. This is because it is a lawyer who is the judge and prosecutor.
> > Many QSA's even following their wham bam thank you mam intro to audit and
> now you are a QSA process are not ready to audit systems. Those same who do
> not know the systems they audit. An example being "how do I copy a directory
> on Unix":... being a real quote from the principle at a MAJOR PCI specialty
> firm.
> > Passing an audit is NOT compliance!
> >
> > Let me say that again...
> >
> > Passing an audit is NOT compliance!
> >
> > The fun of having just completed my LLM in commercial law is understanding
> these issues a little better. An audit is a risk report to management. It
> does nothing to stop the lawyers rolling over you if you are not compliant.
> The issue where people try to BS the auditors is BS. The auditors are NOT
> the enemy, they are the ones stopping the courts roll over you.
> > You are either compliant 100% to the standards you need to meet, or you
> (both the individual AND the organisation) are at risk.
> > I do not think that many on the list understand the issues. On another
> compliance topic, SOX, you tell management and the auditors that a system is
> compliant. The auditors are a little clueless (as many are) and do not (as
> by law they are required to) test the system.
> > Who is to blame when the system is compromised?
> > You are and management is - both.
> >
> > In fact, your ignorance as to the system security is not a good defence.
> You have defrauded the auditors and the worst case is 20 years with a new
> hubby called bubba... (or the equivalent for the female of bubba).
> > To demonstrate this. I have a SOX client who is stating that they do not
> need logs, they have never been compromised.
> > I have another (who has for 4 years received a clean bill of health from a
> Big 4 firm) who has more services running on the finance database than come
> out of the box. They have the Archie filesystem as a consultant though it
> would be cool. They have also not patched it for the last 113 remote root
> level exploits.
> > In Australia, not securing payroll and finance information (eg tax file
> numbers of employees) is a criminal offence.
> > I will say it again.
> >
> > Passing an audit is NOT compliance!
> >
> > Choosing a firm who will pass you is dumb. This is economic false economy.
> It is buying a broken umbrella in case it rains.
> > Regards,
> > Craig Wright (GSE-Compliance) LLM
> >
> >
> > Craig Wright
> > Manager, Risk Advisory Services
> >
> > Direct : +61 2 9286 5497
> > Craig.Wright () bdo com au
> > +61 417 683 914
> >
> > BDO Kendalls (NSW-VIC) Pty. Ltd.
> > Level 19, 2 Market Street Sydney NSW 2000
> > GPO BOX 2551 Sydney NSW 2001
> > Fax +61 2 9993 9497
> > http://www.bdo.com.au/
> >
> > The information in this email and any attachments is confidential. If you
> are not the named addressee you must not read, print, copy, distribute, or
> use in any way this transmission or any information it contains. If you have
> received this message in error, please notify the sender by return email,
> destroy all copies and delete it from your system.
> > Any views expressed in this message are those of the individual sender and
> not necessarily endorsed by BDO Kendalls. You may not rely on this message
> as advice unless subsequently confirmed by fax or letter signed by a Partner
> or Director of BDO Kendalls. It is your responsibility to scan this
> communication and any files attached for computer viruses and other defects.
> BDO Kendalls does not accept liability for any loss or damage however caused
> which may result from this communication or any files attached. A full
> version of the BDO Kendalls disclaimer, and our Privacy statement, can be
> found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing
> mailto:administrator () bdo com au.
> > BDO Kendalls is a national association of separate partnerships and
> entities. Liability limited by a scheme approved under Professional
> Standards Legislation.
> > -----Original Message-----
> >
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Adriel Desautels
> > Sent: Saturday, 24 May 2008 1:26 AM
> > To: Nick Vaernhoej
> > Cc: Hill, Pete; security-basics () securityfocus com
> > Subject: Re: DSS
> >
> > Just out of curiosity, how many people here thinks that PCI does
> > anything to protect you from the real world threat?
> >
> > Regards,
> >        Adriel T. Desautels
> >        Chief Technology Officer
> >        Netragard, LLC.
> >        Office : 617-934-0269
> >        Mobile : 617-633-3821
> >        http://www.linkedin.com/pub/1/118/a45
> >
> >        Join the Netragard, LLC. Linked In Group:
> >        http://www.linkedin.com/e/gis/48683/0B98E1705142
> ---------------------------------------------------------------
> > Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> > Penetration Testing, Vulnerability Assessments, Website Security
> >
> > Netragard Whitepaper Downloads:
> > -------------------------------
> > Choosing the right provider : http://tinyurl.com/2ahk3j
> > Three Things you must know  : http://tinyurl.com/26pjsn
> >
> >
> > Nick Vaernhoej wrote:
> >
> > > Good morning,
> > >
> > > Have you scanned through the supplemental information regarding 6.6?
> https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewa
> > > lls_codereviews.pdf
> > >
> > > You have two options, code review or web application firewall.
> > > You state that you already have custom code reviewed so I would think
> > > you are in good shape.
> > > What makes you think you need to do both? (It is a good idea to do so of
> > > course, but not necessary to satisfy PCI).
> > >
> > > Have a great day.
> > >
> > > Nick Vaernhoej
> > > "Quidquid latine dictum sit, altum sonatur."
> > >
> > >
> > > > -->-----Original Message-----
> > > > -->From: listbounce () securityfocus com
> > > > -->[mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
> > > > -->Sent: Friday, May 23, 2008 8:53 AM
> > > > -->To: security-basics () securityfocus com
> > > > -->Subject: PCI: DSS
> > > > -->
> > > > -->
> > > > -->Hi all,
> > > > -->
> > > > -->Can anyone confirm for me what sort of workarounds there are
> > > > -->concerning
> > > > -->PCI:DSS and application layer firewalls?
> > > > -->
> > > > -->Requirement 6.6 of the standard states this:
> > > > -->
> > > > -->6.6 Ensure that all web-facing applications are protected against
> > > > -->known
> > > > -->attacks by applying either of
> > > > -->the following methods:
> > > > -->* Having all custom application code reviewed for common
> > > > -->vulnerabilities
> > > > -->by an organization
> > > > -->that specializes in application security
> > > > -->* Installing an application layer firewall in front of web-facing
> > > > -->applications.
> > > > -->Note: This method is considered a best practice until June 30,
> 2008,
> > > > -->after which it becomes a
> > > > -->requirement.
> > > > -->
> > > > -->We already have our custom code reviewed, but Im wondering if I
> > > > -->absolutely must sort out an application layer firewall or if there
> > > is
> > >
> > > > -->a
> > > > -->workaround that would be acceptable for a level 1 merchant.
> > > > -->
> > > > -->If there are any knowledgeable auditors (qsa etc) out there I'd
> > > > -->really
> > > > -->appreciate your help on this one.
> > > > -->
> > > > -->Many thanks
> > > > -->Pete
> > > > -->
> > > > -->
> > > > -->A number of bogus e-mails are currently circulating in the UK
> > > > -->encouraging customers to visit fraudulent websites where personal
> or
> > > > -->Internet security details are requested. Bid tv/Price-drop tv/Speed
> > > > -->auction tv would never send e-mails that ask for confidential,
> > > > -->personal security information or details regarding your account
> > > > -->status.
> > > > -->
> > > > -->The content of this e-mail does not constitute a contract and any
> > > > -->matters discussed herein remain subject to contract.
> > > > -->
> > > > -->The contents of this message and all attachments have been sent in
> > > > -->confidence for the attention of the addressee only.  If you are not
> > > > -->the intended recipient you are kindly requested to preserve this
> > > > -->confidentiality and to advise the sender immediately of the error
> in
> > > > -->transmission.
> > > > -->
> > > > -->"sit-up ltd, registered in England No: 03877786.
> > > > -->Registered Office: Sit-Up House, 179-181 The Vale, London W3 7RW.
> > > > -->Sit-Up ltd is wholly owned by a subsidiary of Virgin Media."
> > >
> > > This electronic transmission is intended for the addressee (s) named
> above. It contains information that is privileged, confidential, or
> otherwise protected from use and disclosure. If you are not the intended
> recipient you are hereby notified that any review, disclosure, copy, or
> dissemination of this transmission or the taking of any action in reliance
> on its contents, or other use is strictly prohibited. If you have received
> this transmission in error, please notify the sender that this message was
> received in error and then delete this message.
> > > Thank you.
> >
> > r use in any way this transmission or any information it contains. If you
> have received this message in error, please notify the sender by return
> email, destroy all copies and delete it from your system.\par  \par Any
> views expressed in this message are those of the individual sender and not
> necessarily endorsed by BDO Kendalls. You may not rely on this message as
> advice unless subsequently confirmed by fax or letter signed by a Partner or
> Director of BDO Kendalls. It is your responsibility to scan this
> communication and any files attached for computer viruses and other defects.
> BDO Kendalls does not accept liability for any loss or damage however caused
> which may result from this communication or any files attached. A full
> version of the BDO Kendalls disclaimer, and our Privacy statement, can be
> found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing
> mailto:administrator () bdo com au.\par  \par BDO Kendalls is a national
> association of separate partnership
> >
> s and entities. Liability limited by a scheme approved under Professional
> Standards Legislation.\par -----Original Message-----\par\par From:
> scott.carmody () au pwc com [mailto:scott.carmody () au pwc com] \par Sent:
> Friday, 23 May 2008 12:46 PM\par To: Pam Menzies\par Subject: Re: \par\par
> thats great - well done !\par\par I cooked a big meat pie and chips and
> watched Law & Order - good comfort\par food !\par\par Hope the day is going
> well\par\par\par\par Scott Carmody\par Senior Consultant\par
> PricewaterhouseCoopers Australia\par Office: +61 (2) 8266 0855\par Mobile:
> 0419 126 122\par Fax: +61 (2) 8286 0855\par scott.carmody () au pwc com\par
> http://www.p?


-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0