funsec mailing list archives

Re: The PCI sky *isn't* falling!


From: Anton Chuvakin <anton () chuvakin org>
Date: Tue, 24 Mar 2009 16:45:40 -0700

: Sorry, but this is kinda what I was talking about :-)  What I am
: hearing in the above is that PCI was somehow supposed to guarantee their
: un-hackability. Is that what you are implying? What about a simpler
: explanation: they were breached DESPITE PCI DSS?

You say "PCI DSS did more for infosec than anything else since.." Your
implication is that PCI DSS did more for organizations like Hland/RBS than
Windows patching. That is a pretty bold statement and I was curious if
there was any way to back that statement, even anecdotal.

Sorry, definitely was NOT saying or implying that; when I made my
point about PCI and patching I was talking in general - to the state
of infosec - NOT specifically to Hland/RBS. Neither PCI nor patching
helped Hland :-(

I imply that PCI DSS did little / nothing to protect those companies. The
fact each was compromised supports my position.

Yup, agreed: after you are 0wned, it matters not whether you are/were
compliant. Still, however, I disagree that them being 0wned EQUATES to
PCI failure.  It simply points to it being insufficient, which is -
IMHO - kinda obvious. No external mandate can ever be sufficient for
security, as all/most on this list would probably know.

: PCI did drive many small organizations to think about: a) have we updated
: our AV since 2004 (BTW, their answer was 'no' and now it is 'yes'
: [debate about AV efficiency is a separate story]) b) what on Earth is a
: firewall? c) changing passwords is maybe a good idea.
:
: That is where I think it is useful.

It's just as easy to say that all the news articles about big breaches
scared them into asking those questions, as the PCI movement did.

Nope, for that I have specific proof, it was NOT the media breach
stories, it was PCI. Their response to "breach noise" was always "ah,
can't happen to us." PCI made them think about it since it was shoved
in their face by banks/card brands/etc.

: > You forgot one part of your sig:
: > Director of PCI Compliance Solutions at Qualys
:
: Was that remark intended to invalidate my arguments in any way? I hope
: you are not implying that people working for a vendor are not allowed -
: gasp! - their own opinion...

Invalidate, no. Help qualify, yes. You are absolutely allowed your
opinion. I just wish we could see what it really is, rather than see the
Qualys kool-aid dribbling from your mouth in its place. =)

I know that it sounds VERY hard to believe to many of the esteemed
list members (esp to those employed by vendors), but I have never,
ever picked an opinion based on my employer - on the contrary, I
happen to believe in joining that company where people share my
opinion (or I share theirs, which is the same thing)

Without exception, anyone I have talked to who is involved in PCI has said it is
a joke and 'security theatre' is an appropriate term. In some cases, they
were folks giving pro-PCI talks at conferences who then gave their own
real opinion in person after. The posts on this list in the last day or
two are from more PCI realists.

I have encountered this as well, yes. I have seen people who claimed
that PCI distracted them from dealing with real security issues. Also,
people who say that they only do PCI to make their QSA go away and
who also lie to their QSAs. However, that doesn't make it bad, stupid,
or anything of that sort. It makes it "OK, with a mix of good and
bad." On the other hand, the biggest positive of PCI that I have
seen, which ALONE (IMHO) fully justifies its continued existence is:
it shoved security in the faces of people who managed to live thru
"wormy 90s" and "lossy 00s" without paying much attention to
infosec...

That was my main point, and I still stand by it, no matter who employs me.
-- 
    Anton Chuvakin, Ph.D
   http://www.chuvakin.org
http://chuvakin.blogspot.com
  http://www.info-secure.org

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.