lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4BD72892.1010401@csuohio.edu>
Date: Tue, 27 Apr 2010 14:10:26 -0400
From: Michael Holstein <michael.holstein@...ohio.edu>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds


> My point isn't about a particular section, nor whether the amount of
> experience I have in PCI DSS compliance (which is next to novice).
>   

So we can agree that you're arguing about something with which you have
no experience?

> The point is, what s PCI aiming at?
>   

It's on the first substantive page of the document .. to wit :

 "The Payment Card Industry (PCI) Data Security Standard (DSS) was
developed to encourage and enhance cardholder data security and
facilitate the broad adoption of consistent data security measures
globally."

> Real security

Again, I ask "what is 'real security'?".

> or just a way companies can excuse their incompetence by citing full PCI compliance?
>   

If you "self-audit" and just check the boxes because you have a box that
says "firewall" on it and another that says "IDS" and so forth, then yes
.. it's just excusing incompetence .. but any "real" auditor would be
asking you about change management for those assets, who has access to
them and why, how logs are reviewed and by whom, etc.

There's 12 basic points in the 1.2 spec, none of which contradict
current best-practice for network design.

Cheers,

Michael Holstein
Cleveland State University

PS: This is starting to sound like the discussion many of us have with
Mac end-users .. the one that goes "but Mac's don't get viruses".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ