Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 09:31:37 -0500 (EST)
On Thu, 2 Apr 2009, Chris Blask wrote:
> Nope, not just you. ;~) The DSS (and regulatory tools in total) are not bits-und-bytes technical artifacts, they are human engineering technical artifacts. The idea being to find a way to move people in a desired direction an achievable distance. The functional DNA in PCI is not what gadgets to use how, it's "if it's done wrong there are legal ramifications at the executive level".

But they fail at that level in so far as they don't help small and mid-sized companies know what they really need to do: does a small company with 5 servers *really* need to separate every single function onto its own system? Does anyone actually separate DNS from Active Directory, for instance?

> One of our folks did PCI for Walmart, and when the CEO sent out a note saying (sic): "Listen to this guy or you're fired" it proved that PCI worked. It reduced the prospect of spending in the future the millions of man-hours we have spent in the past arguing with people that maybe they should at least consider changing default passwords.

But the buy-in is to check the boxes so they don't get fined, and the boxes are checkable by interpretation. Outside of a few basic requirements, things are vague, ambiguous and not helpful at all; frankly, it's the worst "standard" I've seen in ~25 years of computer security, and I've rarely seen good ones. I also agree with Marcus that it's the Pen Tester's Employment Security Act.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/