Message-ID: <4BD1E452.6090903@csuohio.edu>
Date: Fri, 23 Apr 2010 14:17:54 -0400
From: Michael Holstein <michael.holstein@...ohio.edu>
To: Stephen Mullins <steve.mullins.work@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	"security-basics@...urityfocus.com" <security-basics@...urityfocus.com>,
	"Thor \(Hammer of God\)" <Thor@...merofgod.com>
Subject: Re: Compliance Is Wasted Money, Study Finds


> Some people in the information security industry actually care about
> securing systems and the information they contain rather than filling
> in check boxes.  

So what's the problem? .. if you have done it according to (or
exceeding) the spec .. check the box, buy a box of donuts for the
auditor .. let them look it over, and be done with it.


> Compliance may ensure a minimum standard is met, but
> it does not ensure or imply that real security is being maintained at
> an organization.

If VISA (et al.) could define "real security" and write it down, they
would. What is "real security" exactly? .. I'd argue the only "secure"
computer is one that's still sealed in the factory carton. Break the
seal, game over .. just like it says on a box of Band-Aids "Sterility
guaranteed until opened".

> As you say, PCI has become a cost of doing business whereas having a
> secure network is apparently not a cost of doing business.  This is a
> problem.

The thinking goes .. that if you implement the PCI standards and aim to
actually do as it suggests (meaning doing what the document suggests
*correctly* .. not just having a blinking light in place so you can check
a box) .. you're already down the right path.

Even so .. the problem with securing networks/systems is there's
millions of "them" and only a few of "you". Also .. you have to be right
100% of the time, and "they" only have to get lucky once.

My $10.02 ($10 minimum purchase on all credit cards). **

Cheers,

Michael Holstein
Cleveland State University

** : yes, I know this goes against the merchant agreement .. sarcasm.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/