Dailydave mailing list archives
Anonimized reply
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 24 Aug 2004 06:11:13 -0400
Mike Bailey(mike.bailey () sunbladesecurity com)@Mon, Aug 23, 2004 at 11:53:36PM -0400:
Dave's Direction 2: I think we're already there. Banking, for example: if you look at the 15,000+ banks out there you will find a very small percentage that really want to be secure or even know what insecurities they have. They want to know the FFIEC is not going to lower their rating (or worse, let their customers know) due to findings that don't meet the assessment criteria the FDIC, OCC and Federal Reserve examiners are looking for. I'm sure it will be the same for HIPAA as soon as they get a federal-level audit division for it. It's my opinion that companies want to know they won't get in trouble more so than protecting themselves and others from security incidents.
The regulators are in a really bad position right now to determine security insecurities, as they are not allowed to do any more than ask questions and review reports. I was shocked to find this out, but they are not allowed to use any tools or perform hands-on validation of any kind. They are just there to review audit reports done by 3rd parties and ask follow-up questions. These audits range in scope from port scans, penetration tests, security validation tests, to SAS70 reports. Based on their inability to verify information gathered, it would only be from gross negligence that any financial site could be poorly rated by the regulators.

-anon

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave