Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: Chris Blask <chris () blask org>
Date: Thu, 2 Apr 2009 09:19:14 -0700 (PDT)


> From: Paul D. Robertson <paul () compuwar net> Thursday, April 2, 2009 10:31:37 AM
>
> On Thu, 2 Apr 2009, Chris Blask wrote:
>
>> One of our folks did PCI for Walmart, and when the CEO sent out a note
>> saying (sic): "Listen to this guy or you're fired" it proved that PCI
>> worked.  It reduced the prospect of spending in the future the millions
>> of man-hours we have spent in the past arguing with people that maybe
>> they should at least consider changing default passwords.
>
> But the buy-in is to check the boxes so they don't get fined - and the
> boxes are checkable by interpretation.  Outside of a few basic
> requirements, things are vague, ambiguous and not helpful at all - frankly,
> it's the worst "standard" I've seen in ~25 years of computer security - and
> I've rarely seen good ones.


The most enlightening fact about PCI is that most Tier One organizations - who should have had the assets and 
motivation to know and do better all along - haven't even been able to interpret what they are doing to match those 
check boxes prior to being forced to comply with PCI.  So, obviously, every standard before PCI - no matter whether 
better or worse by technical measures - has been ineffective.

Look, I'm not defending the DSS itself.  When I first read it I went back and read it again, just to be sure I didn't 
skim over an actual piece of serious substance in there somewhere.  It is - at best - the morning of a one-day Network 
Security For Idiots class (maybe the first hour) and the folks writing it are a thousand times more interested in not 
doing anything that could lead to them being sued than they are about creating actual security.  But we need to set 
baseline standards in industry as a whole somehow and whatever we can get people to reliably follow is a better start 
than a more laudable standard that is ignored.

> I also agree with Marcus that it's the Pen Tester's Employment Security
> Act.


Oh, it is.  And even there, having more Pen Testing done in the world is itself a move in a positive direction, so 
that's a good thing by any metric.

-chris


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

