funsec mailing list archives

Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach


From: chris () blask org
Date: Mon, 27 Jul 2009 13:47:08 -0700 (PDT)


--- On Mon, 7/27/09, Michael Graham <jmgraham () gmail com> wrote:

> PCI means well, and it's relevant (and sometimes useful) at the
> smaller merchant levels because many of them will just
> ignore security concerns otherwise, but it's _well_ past time that we in
> the security profession stopped acting like PCI has anything to do with
> security posture or risk exposure in large or high-volume
> companies.

I still think PCI is fine for what it is, but confusing it with "all I need to do to secure myself" is the problem.
What the DSS is is a least common denominator of some of the things that should be done, as could be agreed to by a
committee of lawyers.  As far as that goes it is correct: you should in fact have a firewall, configure it, separate
data....  But thinking that achieving PCI compliance is all anyone needs to do - particularly, as you say, in large
shops - is rank madness.

I'll take them at their word that they passed a PCI audit; the SSC will be extremely cranky with them if they say they
did when they didn't.  But I would want them to have at least set up serious monitoring of traffic (as is not required
by PCI) and preferably application behavior if at all possible, too - which is highly unlikely to be what they did.

I'm thinking you could argue that the DSS actually makes things worse by lulling folks into a false sense of security,
but I'm willing to bet that these same folks would have done no more (and maybe less) without it...

-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.