lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 27 Apr 2010 08:34:27 +1000
From: "Lyal Collins" <lyalc@...ftdsl.com.au>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds

Has everyone on this list read the PCI DSS requirements?
They are freely available, at www.pcisecuritystandards.org.

AV is about 4 requirements out of over 230 requirements, covering secure
coding/development, patching, network security, hardening systems, least
privilege, robust authenticaiton, staff probity, physical security,
obligations on third parties, annual risk assessments and improvements,
pluss annually re validating all of these security control areas.

Many views in this thread sound like drowning people who reject a lifeboat
because it doesn't match their eye colour.

PCI DSS isn't perfect, but it is fairly comprehensive about confidentiality.
In terms of all organisational information security threats, PCI DSS lacks a
focus on DR/BCP and integrity of data and system (other than that subset of
threats affecting protection of card data).  I posit that DR and data
integrity are as much a commercial decision as a information security goals,
for which simple, repeatable processes are already available and resonably
well known amongst IT professionals.

Anti-virus and anti-malware products are not perfect either, but they are
better than the alternative of 'doing nothing until a perfect solution is
found", an undertone I see so often in this list and among many
well-intentioned but unsuccessful security professionals at sites I visit.

Implementing any halfway decent solution is almost always better than doing
nothing, when it comes to reducing risk and increasing assurance.
Implementing ongoing improvements is cost effective spend of scarce
security/IT dollars.
Building the "perfect' security solution is too expensive and takes too long
- by the time it's delviered, security threats have moved on, and you remain
vulnerable.

There are some dreadful compliance programs out there.  There are some
excellent compliance standards.
The


lyal

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ