Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Chris Blask <chris () blask org>
Date: Thu, 2 Apr 2009 09:19:14 -0700 (PDT)
From: Paul D. Robertson <paul () compuwar net> Thursday, April 2, 2009 10:31:37 AM

> On Thu, 2 Apr 2009, Chris Blask wrote:
>
>> One of our folks did PCI for Walmart, and when the CEO sent out a note saying (sic): "Listen to this guy or you're fired" it proved that PCI worked. It reduced the prospect of spending in the future the millions of man-hours we have spent in the past arguing with people that maybe they should at least consider changing default passwords.
>
> But the buy-in is to check the boxes so they don't get fined - and the boxes are checkable by interpretation. Outside of a few basic requirements, things are vague, ambiguous and not helpful at all - frankly, it's the worst "standard" I've seen in ~25 years of computer security - and I've rarely seen good ones.

The most enlightening fact about PCI is that most Tier One organizations - who should have had the assets and motivation to know and do better all along - haven't even been able to interpret what they are doing to match those check boxes prior to being forced to comply with PCI. So, obviously, every standard before PCI - no matter whether better or worse by technical measures - has been ineffective.

Look, I'm not defending the DSS itself. When I first read it I went back and read it again, just to be sure I didn't skim over an actual piece of serious substance in there somewhere. It is - at best - the morning of a one-day Network Security For Idiots class (maybe the first hour) and the folks writing it are a thousand times more interested in not doing anything that could lead to them being sued than they are about creating actual security. But we need to set baseline standards in industry as a whole somehow, and whatever we can get people to reliably follow is a better start than a more laudable standard that is ignored.

> I also agree with Marcus that it's the Pen Tester's Employment Security Act..

Oh, it is. And even there, having more Pen Testing done in the world is itself a move in a positive direction, so that's a good thing by any metric.

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards