funsec mailing list archives
Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach
From: chris () blask org
Date: Mon, 27 Jul 2009 13:47:08 -0700 (PDT)
--- On Mon, 7/27/09, Michael Graham <jmgraham () gmail com> wrote:
PCI means well, and it's relevant (and sometimes useful) at the smaller merchant levels because many of them will just ignore security concerns otherwise, but it's _well_ past time that we in the security profession stopped acting like PCI has anything to do with security posture or risk exposure in large or high-volume companies.
I still think PCI is fine for what it is, but confusing it with "all I need to do to secure myself" is the problem. What the DSS is is a least-common-denominator of some of the things that should be done, as could be agreed to by a committee of lawyers. As far as that goes it is correct: you should in fact have a firewall, configure it, separate data.... But thinking that achieving PCI compliance is all anyone needs to do - particularly, as you say, in large shops - is rank madness.

I'll take them at their word that they passed a PCI audit; the SSC will be extremely cranky with them if they say they did when they didn't. But I would want them to have at least set up serious monitoring of traffic (as is not required by PCI) and preferably application behavior if at all possible, too - which is highly unlikely to be what they did.

I'm thinking you could argue that the DSS actually makes things worse by lulling folks into a false sense of security, but I'm willing to bet that these same folks would have done no more (and maybe less) without it...

-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Fwd: [Dataloss] Network Solutions was PCI compliant before breach Paul Ferguson (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Valdis . Kletnieks (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Michael Graham (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach chris (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Michael Graham (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Chris Blask (Jul 27)
- Re: new cybersecurity laws (was: Network Solutions was PCI compliant before breach) Young, Keith (Jul 28)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach chris (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Alexandre Dulaunoy (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach Valdis . Kletnieks (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliantbefore breach Larry Seltzer (Jul 27)
- Re: Fwd: [Dataloss] Network Solutions was PCI compliantbefore breach chris (Jul 27)