funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: Drsolly <drsollyp () drsolly com>
Date: Tue, 24 Mar 2009 08:03:58 +0000 (GMT)
On Tue, 24 Mar 2009, security curmudgeon wrote:
On Mon, 23 Mar 2009, Anton Chuvakin wrote:

: > : I'd say that PCI DSS did more to information security than *anything
: > : else* since Windows added automated updates.
:
: > Care to back that up in any way? I think the customers of Heartland, RBS
: > and other compromises would disagree.
:
: Sorry, but this is kinda what I was talking about :-) What I am
: hearing in the above is that PCI was somehow supposed to guarantee their
: un-hackability. Is that what you are implying? What about a simpler
: explanation: they were breached DESPITE PCI DSS?

You say "PCI DSS did more for infosec than anything else since.." Your
implication is that PCI DSS did more for organizations like Hland/RBS
than Windows patching. That is a pretty bold statement and I was curious
if there was any way to back that statement, even anecdotal.

I imply that PCI DSS did little / nothing to protect those companies. The
fact each was compromised supports my position.

: PCI did drive many small organizations to think about: a) have we updated
: our AV since 2004 (BTW, their answer was 'no' and now it is 'yes'
: [debate about AV efficiency is a separate story]) b) what on Earth is a
: firewall? c) changing passwords is maybe a good idea.
:
: That is where I think it is useful.

It's just as easy to say that all the news articles about big breaches
scared them into asking those questions, as the PCI movement did.

: > You forgot one part of your sig:
: > Director of PCI Compliance Solutions at Qualys
:
: Was that remark intended to invalidate my arguments in any way? I hope
: you are not implying that people working for a vendor are not allowed -
: gasp! - their own opinion...

Invalidate, no. Help qualify, yes. You are absolutely allowed your
opinion. I just wish we could see what it really is, rather than see the
Qualys kool-aid dribbling from your mouth in its place. =)

Without exception, anyone I have talked to involved in PCI has said it
is a joke and 'security theatre' is an appropriate term.
In some cases, they were folks giving pro-PCI talks at conferences who then gave their own real opinion in person after. The posts on this list in the last day or two are from more PCI realists.
Some of it is "security theater". And some of it does lead to useful
changes. But the main purpose of PCI DSS is so that the card companies can
say "Hey, all these breaches, we're doing everything we can". Which they
aren't, of course. Credit cards are very convenient to use, and card
companies are unwilling to sacrifice *any* of that convenience to get real
security.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.