Message-ID: <q2s3af3d47c1004270117s570d3c1yf5108015d72da730@mail.gmail.com>
Date: Tue, 27 Apr 2010 10:17:07 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Lyal Collins <lyal.collins@...2it.com.au>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compliance Is Wasted Money, Study Finds
Why are you saying "wasted money"? They didn't waste it, they allocated that
sum to cater for PCI compliance and they are still PCI compliant.
I.e., it is not wasted in the sense that they obtained what they wanted. The
point in question is, does PCI obtain what it should?
However, as many already said before, PCI is only basic security; it doesn't
cover full details.
In short, PCI Compliant != Secure. Basic Security != Optimal Security.
Smart companies usually take security seriously.
But why did we deviate to the 1% of all companies out there?
Security isn't about "smart companies", it is about all of them.
On Tue, Apr 27, 2010 at 10:01 AM, Lyal Collins
<lyal.collins@...2it.com.au> wrote:
> "Lastly, that is where you are wrong, there is no "base starting point"
> companies don't give a shit about proper security measures, they get
> PCI-certified and all security ends there.
> That is the freaken problem."
>
> Well, when this occurs, they are not compliant = Epic FAIL = wasted
> dollars. I.e. they went through a process, got a point-in-time report, then
> promptly forgot all those procedures they promised (and showed) they were
> actually following.
> PCI DSS requires ongoing security management, patching, change control,
> monitoring and alert responses.
> If a company subject to PCI DSS does this, then that company has wasted its
> money - but the standard remains an effective risk reduction program.
>
> Smart companies don't waste money this way.
>
> lyal
>
>
>
> ------------------------------
> *From:* full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of* Christian
> Sciberras
> *Sent:* Tuesday, 27 April 2010 5:37 PM
> *To:* Shaqe Wan
>
> *Cc:* full-disclosure@...ts.grok.org.uk
> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
> Surely being forced to install an anti-virus only brings in a monopoly? How
> do I know that PCI Standards writers are getting a nice commission off me
> installing the anti-virus? (I know they don't, I'm just hypothesizing).
>
> You stated it yourself, an anti-virus may not make any difference, it is
> there as per PCI standard.....so what is its use? Why the heck do I have to
> install something useless?
>
> Lastly, that is where you are wrong, there is no "base starting point"
> companies don't give a shit about proper security measures, they get
> PCI-certified and all security ends there.
> That is the freaken problem.
>
> NB: I do use anti-virus software, what I specified above is not in any way
> my opinion about anti-virus vendors, etc.
>
> On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>
>> Hi,
>>
>> I don't actually believe there is a "democratic society". No such thing
>> exists. If it does? Then ask the organizations who made the compliance
>> requirements to drop them and make audits based on some other measure that you
>> believe is more secure and has fewer flaws in it. Finally, regarding the AV
>> issue that I wish to end here, is that "I don't believe that an AV shall make
>> your box secure, but it's a requirement to be done - Added by PCI"
>>
>> And yes I have noticed that FD is for such security measures discussion,
>> but never thought of joining it and discussing with others until a couple of
>> days ago when I saw this topic.
>>
>> Finally, the compliance can be taken as a base starting point, and then
>> moving further, like that it shall not be a waste of money!
>>
>> Regards,
>>
>>
>> ------------------------------
>> *From:* Christian Sciberras <uuf6429@...il.com>
>> *To:* Shaqe Wan <sha8e@...oo.com>
>> *Cc:* full-disclosure@...ts.grok.org.uk
>> *Sent:* Tue, April 27, 2010 9:59:59 AM
>>
>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>> Perhaps you haven't noticed, this is Full-Disclosure, which at least, is
>> used to discuss security measures.
>> As such, it is only natural to argue with PCI's possible security flaws.
>>
>> Besides, in a democratic society (where CC do operate as well), you can't
>> "force" someone to install an anti-virus just because _you_ think it is
>> secure.
>>
>> The argument where compliance is wasted money still holds.
>>
>> Cheers.
>>
>> On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>
>>> Hola,
>>>
>>> The problem is not whether they are educated against other standards or
>>> policies or not, the problem is that without this compliance you can't work
>>> with CC!!! It's something that is enforced on you!
>>>
>>> BTW: why don't people discuss what the points missing in the PCI
>>> Compliance are, rather than this argument?
>>>
>>> Regards,
>>>
>>>
>>> ------------------------------
>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>> *Sent:* Mon, April 26, 2010 4:19:27 PM
>>>
>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>
>>> OK.
>>>
>>> "All those in favour of PCI raise their hands."
>>>
>>> Kidding aside, of course it is a must, since the said companies don't
>>> have any notion of security before this happens.
>>> However, how much is this actually helpful? Now let's be honest, how much
>>> would it stop a potential attacker from getting into a system "protected" by
>>> PCI?
>>> Little, if at all.
>>>
>>> On the other hand, a company should adopt real and complete security
>>> practices.
>>>
>>> Again, my point is, these companies shouldn't be "educated" or limit
>>> their security to this standard. Because if they do (and I'm pretty sure
>>> they do) it would make this standard pretty much useless.
>>>
>>> Anyway, I won't get into this argument, since no one will give a sh*t
>>> about it anyway.
>>>
>>> Cheers.
>>>
>>> On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>
>>>> Christian,
>>>>
>>>> Did you read my first post?
>>>>
>>>> ((( IMO, PCI is not that big a security policy, but without it you're not
>>>> able to use the credit card companies' gateway. I think it's just the
>>>> basics that any company dealing with CC must implement. Because it shall be
>>>> nonsense to deal with CC, and not have an Anti-virus for example!! )))
>>>>
>>>> I am not stating that PCI is good in no way, but I am saying that it's a
>>>> MUST for companies dealing with CC. And in a Windows environment, an AV is
>>>> important.
>>>>
>>>> He probably thought that I am with the rules of PCI, or that I don't
>>>> have any idea that the world is not just WINDOWS !!!
>>>>
>>>> Regards,
>>>>
>>>> ------------------------------
>>>> *From:* Christian Sciberras <uuf6429@...il.com>
>>>> *To:* Shaqe Wan <sha8e@...oo.com>
>>>> *Cc:* full-disclosure@...ts.grok.org.uk
>>>> *Sent:* Mon, April 26, 2010 3:54:20 PM
>>>>
>>>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>
>>>> Why exactly are you complying with Nick's statements? I would have
>>>> thought you guys were arguing against said statements?
>>>>
>>>>
>>>> By the way, requirement #6 is particularly funny; it sounds peculiarly
>>>> redundant to me...
>>>>
>>>> Cheers.
>>>>
>>>> On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@...oo.com> wrote:
>>>>
>>>>>
>>>>> Nick,
>>>>>
>>>>> Please if you don't know what the standards are, please read:
>>>>>
>>>>> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>>>>>
>>>>> See *Requirement #5*. Read that requirement carefully, and it's not bad
>>>>> to read it twice in case you don't figure it out from the first
>>>>> glance!
>>>>>
>>>>> Also, I said that using an AV is some basic thing to do in any company
>>>>> that wants to deal with CC; it's a basic thing for even companies not dealing
>>>>> with CC too!!! Or do you state that people must use a BOX with no AV
>>>>> installed on it? If you believe in that fact? Then please request a change
>>>>> in the PCI DSS requirements and make them force the usage of a non-Windows
>>>>> OS, such as any *n?x system.
>>>>>
>>>>> Finally, the topic here is not about "default allow vs default deny"
>>>>> and if I understand what that is or not! You can open a new discussion about
>>>>> that, and I shall join there and discuss it further with you, in case you
>>>>> need some clarification regarding it.
>>>>>
>>>>> Regards,
>>>>> Shaqe
>>>>>
>>>>>
>>>>> --- On *Sun, 4/25/10, Nick FitzGerald <nick@...us-l.demon.co.uk>* wrote:
>>>>>
>>>>> From: Nick FitzGerald <nick@...us-l.demon.co.uk>
>>>>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>> Date: Sunday, April 25, 2010, 1:57 PM
>>>>>
>>>>> Shaqe Wan wrote:
>>>>>
>>>>> <<snip>>
>>>>> > Because it shall be nonsense to deal with CC, and not have an
>>>>> Anti-virus for example !!
>>>>>
>>>>> Well, you see, _that_ is abject nonsense on its face.
>>>>>
>>>>> Do you have any understanding of one of the most basic of security
>>>>> issues -- default allow vs. default deny?
>>>>>
>>>>> There are many more secure ways to run systems _without_ antivirus
>>>>> software.
>>>>>
>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>> component of a "reasonably secure" system is a fool.
>>>>>
>>>>> Anyone authoritatively stating that antivirus software is a necessary
>>>>> component of a "sufficiently secure" system is one (or more) of: a
>>>>> fool, a person with an unusually low standard of system security, or a
>>>>> shill for an antivirus producer.
>>>>>
>>>>> So _if_, as you and another recent poster strongly imply, the PCI
>>>>> standards include a specific _requirement_ for antivirus software, then
>>>>> the standards themselves are total nonsense...
>>>>>
>>>>> Regards,
>>>>>
>>>>> Nick FitzGerald
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/