Friday, February 29, 2008

NETWORK SECURITY

PCI is just the beginning of security
Published by DINESH under PCI

What do I need to log? What product will make me PCI compliant? Can you give me a list of acceptable services to run on my Windows 2008 server? Where’s the punch list of things I need to do to be compliant? These and a number of other ’silver bullet’ questions are things a PCI assessor hears on a daily basis. And we’re not the only ones, if Dr. Chuvakin’s recent post is any indicator: IT managers want to know exactly what they need to log to be PCI compliant. Unfortunately, the answer is “it depends”. There is no list, no resource to refer to, no silver bullet for compliance, and despite many marketers’ wishes, there probably won’t be. Unless, that is, we want to make every network out there exactly the same.

That’s the real reason that Anton can’t answer the question of logging for his customers: each network is different, and what’s good for one client might leave gaping holes in another. Even networks that use the same types of switches, routers and servers still have enough variation that what’s good for one won’t be enough for another. And just as logging nothing isn’t an acceptable solution, logging everything isn’t acceptable either, because someone has to actually sit down on a daily basis and review the logs. A recent comment on a mailing list I read asked “who did you piss off to be put in charge of the Linux logs?” It’s tedious work under the best of circumstances.

The PCI DSS is about risk mitigation (or risk transference, depending on your point of view). It lists a minimum set of standards that merchants and service providers must meet to do business. The risks each business faces are unique, and no one can honestly offer a cookie-cutter approach or a product that meets all the requirements. Even implying that a product is going to solve your problems out of the box is at best bad marketing and at worst an outright lie. No matter what product you choose, customizing it to your environment is going to be vital. Not that I have strong feelings on the subject.

So what is the use of the PCI DSS if there are no real solutions? It’s a starting point for making your network secure. And that’s all it is, a starting point. It’s a minimum set of standards, not an end point in and of itself. And this is where many merchants and service providers fail: they think that once they’ve received the blessing of their auditor for PCI, they’re done securing their network. But anyone who’s relying on a PCI assessment to prove that they’re secure is missing the point of PCI and doing their company a disservice.

We all know of a company that was ‘PCI compliant’ but got hacked and lost millions of credit card numbers due to an improperly secured wireless network. I can only guess they got their letter of compliance, let loose with a big sigh of relief and went on to other projects. Which is exactly why they ended up as front page news. They made the mistake of believing PCI compliance equated to security. And they’re still paying the price for that assumption.

PCI is a starting point for your security program. It’s a tool to get management to pay for implementing technologies and projects that can secure your network. It can be used as leverage to do the things that really will protect your network. Yes, there are points in the PCI DSS that won’t apply to many businesses but have to be complied with anyway. Luckily, those items are in the minority, and the majority of PCI items are things every business should be doing. Your assessor has the job of making sure your network and systems meet the PCI standards, and will hopefully have suggestions for continuing beyond PCI to make your business secure. But the fact is, an assessor has to audit to the standard; they can make suggestions beyond PCI, but that’s all they are, suggestions. It’s up to you to take those suggestions and continue the effort to secure your business.

I’ve been on both sides of the PCI aisle and have a pretty good idea of the problems and benefits of PCI. Obviously I view it as a jumping-off point to go beyond just securing credit card data. The same tools that secure your cardholder data environment can be used to protect the rest of your network. PCI can and should be used as an agent for change, giving you good guidelines for basic security. But it’s up to you to implement them in the way that best suits your environment and to find any holes that PCI and your assessor may have missed. After all, your assessor is human and just as likely to miss something as anyone else; they just have a checklist of things they have to verify.



Feb 26, 2008
Network Security Podcast, Episode 95
Published by Martin under Podcast

Rich and I are back after a short break for the doctors to rip open Rich’s shoulder and move things about. We recorded a little earlier than usual so he can take some of his drugs and go back to sleep. He’s going to be recovering for quite a while, but hopefully the pain will soon subside to the point where he doesn’t need Percodine much longer. We had a lot of interesting articles to talk about tonight, but the thing you’ll want to watch out for is a contest Rich’ll be running on Securosis.com in the next week or so. It’s his contest and I don’t know all the details yet, so keep your eyes open.

We’ll be covering RSA together, and with any luck we’ll be doing at least a short podcast from the showroom floor each day. We’ll also be doing a live video stream from this year’s Security Bloggers Meetup, so if you want to watch a bunch of security professionals stand around and shoot the breeze, stay tuned. We’ll be doing one or two interviews while we’re there, so it’ll be more than just guys BS’ing. Again, there’ll be more details to follow.

Show Notes

Network Security Podcast, Episode 95 [41:50m]




Feb 21, 2008
It’s just coincidence, honest
Published by Martin under Hacking

So the week I’m in Montreal there’s a total lunar eclipse and the Montreal police bust a ring of hackers ranging in age from 17 to 26. I want to state for the record that I had absolutely nothing to do with either event, though I got some really nice pictures of the eclipse. All I had to do was drive 15 miles north to get out of the light pollution and sit in -15C for a couple of hours. I think busting the hackers took a little longer and that the police had nice warm offices to sit in.



Feb 19, 2008
No podcast tonight
Published by Martin under Podcast

Rich had shoulder surgery recently and I’m in Montreal with very limited internet access from my hotel room, so there won’t be a podcast recorded tonight. Which is too bad given that there are some very interesting things going on this week: the Wikileaks site has been shut down by a judge in California, and some of the telecommunications experts in the Middle East are saying the cable cuts last month may be sabotage. I guess we’ll have to talk about that next week.



Feb 17, 2008
Headed North for a few days
Published by Martin under General

I’m going somewhere I’ve never been before this week, specifically Montreal. I’ll be there tonight through Friday morning, spending most of my time working with a client. However, I won’t be working at night, so if there are any security professionals in the Montreal area who want to meet up for a drink and to shoot the breeze, drop me an email or give me a call on my cell. My contact information is on the ‘About’ page, but I’m not going to reprint it here, just to avoid one more place for scrapers to find the information.

I am looking for some ideas of things to do while I’m in Montreal, so suggestions will be appreciated. I’ll finally get to find out what the big deal is about Tim Hortons coffee and poutine, two topics that come up often on the CISSP mailing list. I feel confident that I can make an objective judgment about which is better, Tim Hortons or Starbucks.



Feb 15, 2008
Our government loves us!
Published by Martin under Government, Humor

I’ve been staying away from the topic of the abuse of the FISA courts, illegal wiretapping and the Republican cries of “if you don’t pass this law, you’re supporting terrorism”, but this video sums it up so well. Making the Executive Branch of government answerable to the Judiciary branch isn’t supporting terrorism, it’s supporting our civil liberties, something we haven’t seen much of in the last six years. You owe it to yourself to watch this video, if only for the laughs.




Feb 15, 2008
Apply for a press pass at RSA
Published by Martin under Blogging

If you’re a blogger or a podcaster in the security arena, do yourself a favor and

ACCIDENT

At the time it is early morning, 6 o’clock.
The date is 15.01.2008.
I have an accident.