Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 3 Apr 2009 16:36:27 -0400

Marcus J Ranum wrote:
More to the point, if your system is configured at all
sanely, it should be resistant to all the known attacks
to which it's likely to be subject. So a pen test that
tries all the known attacks is completely worthless.

In the sense that it could add value to an organization that has configured
their systems "at all sanely," I agree. It's no help.  But in the context of
baseline standards enforcement, which is what PCI-DSS tries to do, that's
the whole point. You've made their case: to make sure that systems are
resistant to all the known attacks.

At the end of the day, offensive security (scanning, pen-testing, auditing,
etc.) is testing.  And some testing is ALWAYS better than no testing.  Show
me a company that doesn't require testing before moving a system into
production and I'll show you a company that can afford lots of downtime.
Security has to play by these rules, too.  How do you know your design is
effective?  Test it.


Not surprisingly, if
you build your systems that way, you'll find that the
pen testers have to bend over backwards to find a
way they can still yell "GOTCHA!" (by doing stuff
like the leave-a-USB-key-on-the-exec's-bmw trick)

This annoying trait has to do with the fact that most pen-testing is
outsourced to third-parties.  While I understand the need for independence,
internal testers are usually better and far less afraid of admitting they
didn't find a "hole" by the simple fact that they aren't under the same
pressure to report findings every time. They don't have to.  

You see this played out again in many companies' move to internal audit
teams, who then become the interface to the third party auditors.  I suspect
for organizations that do this with pen-testing, they have the same
experience.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
