Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Dotzero <dotzero () gmail com>
Date: Fri, 3 Apr 2009 10:19:55 -0400
Interesting thread and comments. Rather than responding to any particular post, I'll fire away in response to various comments.

PCI-DSS is much like anything else: it's what you make of it. Some folks use it as a tool to meet their contractual obligations in handling credit cards and mesh it with their existing (strong) security practices, other folks use it as a checklist, some give it a wink and a nod. This is a fact of life.

I'd also point out that there are significant differences between security, compliance and validation. Security is about risk management. As Bruce Schneier says, you can choose to mitigate risk, accept risk or transfer risk. Compliance means meeting some set of requirements, whether regulatory, contractual or self-imposed. Validation simply measures how well we are doing, whether from internal or external assessment.

At the end of the day, PCI-DSS is contractual. "In exchange for us allowing you to handle credit cards you must do XYZ." It is a baseline, not the end goal of security achievement. If you don't want to deal with PCI-DSS, only accept cash, checks and alternative payments. Alternatively, one might choose to shrink the PCI environment through a little planning.

Chris Blask wrote: "Now, is PCI enough (or complete)? Apparently not (go ask Heartland). But if we can get people doing the things in the DSS for starters, at least they'll be evolved beyond gills and flippers when we get there to talk about actual security."

Other than Heartland claiming they were compliant and a QSA asserting (validating) they were compliant, why would we think that they were in fact compliant when there are plenty of indicators that they were likely not compliant? If they were actually checking configurations, reviewing logs, monitoring traffic, etc., and all the other requirements of the standard, how is it that the breach went on as long as it did? And remember, it was the card companies that went to Heartland saying they had a problem.

Every so often the CISP folks at VISA offer a workshop on PCI-DSS. It's well worth the time and money (less than $500). They are well aware of the issues with QSAs, the checklist mentality and other issues. The problem for the card companies is the sheer volume of organizations they need to move along the security curve. Looking at merchants, there aren't that many level ones, and level twos are less than a couple thousand. When you get to level threes you jump into the hundreds of thousands. The other part of the equation is that if you plot organizational skillsets and resources along that same chart you get a very scary image.

Firewalls (to keep this somewhat germane to the list) are only one aspect of security and compliance. And let's remember that for the longest time many drank the Cisco Kool-Aid about how secure IOS was. We also saw the response to Mike Lynn's presentation. Let's travel back even further... anyone else remember Sykes presenting at Defcon (was it DC8?) "Let's smash some firewalls"?

I'm going to implement security at multiple points in my environment, whether it's my border routers, firewalls, hosts, applications, etc. I'm not going to mindlessly rely on any standard, whether it's PCI-DSS, the NIST 800 series, or anything else. There are others (both individuals and organizations) that will choose to do the minimum or, worse yet, lie about what they are doing.... Darwin was right.

Penetration testing has been touched on. Over on the pen-test list this is the end-all and be-all. "See, we can show how sucky your security is." The reality is that pentesting is just one more tool. It can be used and it can be misused, just like a hammer or a chainsaw. Marcus wrote with regard to pentesting: "Why would I want someone taking an outsider's perspective - I'd be much more likely to find something really useful if I had another expert red-team my configuration and design." My response is, why not do both?

The reality is that most developers and operations folks tend to think about how things SHOULD work rather than how things MIGHT be abused. Back in the day, most of the security folks I've known tended to pay their dues as developers and/or packet pushers before moving into security. Today, not necessarily so much.

Anyways, to bring it back to Paul's original question about playing CISSP buzzword bingo, my answer is no. There are, if I remember off the top of my head, 243 compliance requirements in v1.1, and unless the folks that wrote PCI-DSS wanted to make up a new nomenclature we would expect to see significant overlap in terminology.

Just a few thoughts.