funsec mailing list archives

Re: The PCI sky *isn't* falling!


From: Drsolly <drsollyp () drsolly com>
Date: Tue, 24 Mar 2009 08:03:58 +0000 (GMT)

On Tue, 24 Mar 2009, security curmudgeon wrote:
On Mon, 23 Mar 2009, Anton Chuvakin wrote:

: > : I'd say that PCI DSS did more for information security than *anything
: > : else* since Windows added automated updates.
: 
: > Care to back that up in any way? I think the customers of Heartland, RBS
: > and other compromises would disagree.
: 
: Sorry, but this is kind of what I was talking about :-)  What I am 
: hearing in the above is that PCI was somehow supposed to guarantee their 
: un-hackability. Is that what you are implying? What about a simpler 
: explanation: they were breached DESPITE PCI DSS?

You say "PCI DSS did more for infosec than anything else since.." Your 
implication is that PCI DSS did more for organizations like Hland/RBS than 
Windows patching. That is a pretty bold statement and I was curious if 
there was any way to back that statement, even anecdotal.

I imply that PCI DSS did little / nothing to protect those companies. The 
fact each was compromised supports my position.

: PCI did drive many small organizations to think about: a) have we updated 
: our AV since 2004 (BTW, their answer was 'no' and now it is 'yes' 
: [debate about AV efficiency is a separate story])  b) what on Earth is a 
: firewall?  c) changing passwords is maybe a good idea.
: 
: That is where I think it is useful.

It's just as easy to say that all the news articles about big breaches 
scared them into asking those questions, as the PCI movement did.

: > You forgot one part of your sig:
: > Director of PCI Compliance Solutions at Qualys
: 
: Was that remark intended to invalidate my arguments in any way? I hope 
: you are not implying that people working for a vendor are not allowed - 
: gasp! - their own opinion...

Invalidate, no. Help qualify, yes. You are absolutely allowed your 
opinion. I just wish we could see what it really is, rather than see the 
Qualys kool-aid dribbling from your mouth in its place. =)

Without exception, anyone I have talked to who is involved in PCI has said it is 
a joke and 'security theatre' is an appropriate term. In some cases, they 
were folks giving pro-PCI talks at conferences who then gave their own 
real opinion in person afterwards. The posts on this list in the last day or 
two are from more PCI realists.
 
Some of it is "security theater". And some of it does lead to useful 
changes. But the main purpose of PCIDSS is so that the card companies can 
say "Hey, all these breaches, we're doing everything we can".

Which they aren't, of course. Credit cards are very convenient to 
use, and card companies are unwilling to sacrifice *any* of that 
convenience to get real security.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.