Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: Christian Sciberras <uuf6429@xxxxxxxxx>
- Date: Sat, 24 Apr 2010 00:39:19 +0200
Sorry, forgot to reply to your quoting me about false sense of security. Let
me explain myself.
It is relatively easy to forget real security concerns (such as [really]
bad coding) when one follows a checklist for "high security" (quoting
pcisecuritystandards.org).
Unless I missed something (which I don't think I did) PCI/DSS doesn't help
at all, since it is putting security methodologies on your project
manager's desk rather than getting an IT Security specialist to do the job.
Cheers.
On Sat, Apr 24, 2010 at 12:33 AM, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
> No problem with that.
>
> 1) No.
> 2) Planning to, but no.
> 3) Heavens no.
> 4) I've looked into whether it was in our best interest to use PCI. (It
> was decided that it wasn't worth the trouble.)
> At that time, I knew about PCI but not its details, at which point we got
> someone to explain it in detail for us.
> The end decision wasn't mine, though.
> We do take security as a main concern; however, it is preferred to have a
> more realistic approach to security rather than restricting employees' access
> (by signing some oath..).
>
> Regards,
> Christian Sciberras.
>
> On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) <Thor@xxxxxxxxxxxxxxx> wrote:
>
>> Marketing propaganda? I have no idea what you are talking about.
>>
>> Before commenting on PCI not helping at all and at the most being a false
>> sense of security, let me ask:
>>
>> 1) Does the company you work for perform PCI audits?
>>
>> 2) Is the company you work for required to undergo PCI audits?
>>
>> 3) Are you certified to be able to perform a PCI audit?
>>
>> 4) Have you ever been directly involved with, as in contributing to,
>> a PCI audit, and if so, in what capacity?
>>
>> I would like to see some truthful expansion on the answers to those
>> questions before continuing dialog about if PCI contributes to security or
>> not.
>>
>> t
>>
>> *From:* Christian Sciberras [mailto:uuf6429@xxxxxxxxx]
>> *Sent:* Friday, April 23, 2010 3:02 PM
>> *To:* Mike Hale
>> *Cc:* Stephen Mullins; full-disclosure; security-basics@xxxxxxxxxxxxxxxxx;
>> Thor (Hammer of God)
>>
>> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>> If you strive for security, and weave that into your network,
>> complying with PCI should be cake.
>>
>> Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
>> any more secure than having a server facing the wild of the net?
>>
>> Truth is, PCI doesn't help in security at all. It is at most a false sense
>> of security (and at least serves as a recreational exercise for auditors).
>>
>> Thor, I'm not arguing with the article, since I didn't read it, and I
>> won't bother to. I just want to point out some hard facts about PCI/DSS
>> which you call "no big deal".
>> I surely agree with that, but what is not a big deal for you doesn't mean
>> it ain't for the rest of the world.
>> What stops an uninformed programmer from complying with PCI/DSS (or at
>> least thinking he is) and leaving RFI/XSS/whatever holes everywhere?
>> That said, security flaws are just about everywhere so no need to get
>> critical about it. For now at least.
>>
>> The point isn't "who" should be using credit cards or not, it's a matter
>> of security.
>>
>> I find it strange that you're excusing marketing propaganda.
>>
>> Sincere regards,
>> Christian Sciberras.
>>
>>
>> On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale <eyeronic.design@xxxxxxxxx> wrote:
>>
>> Look at the PCI requirements.
>>
>> What's unreasonable about them? Which portions are *NOT* part of
>> having a secure network?
>>
>> If you strive for security, and weave that into your network,
>> complying with PCI should be cake.
>>
>>
>> On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins <steve.mullins.work@xxxxxxxxx> wrote:
>> >>I don't see what the hubbub is
>> >
>> > Some people in the information security industry actually care about
>> > securing systems and the information they contain rather than filling
>> > in check boxes. Compliance may ensure a minimum standard is met, but
>> > it does not ensure or imply that real security is being maintained at
>> > an organization.
>> >
>> > As you say, PCI has become a cost of doing business whereas having a
>> > secure network is apparently not a cost of doing business. This is a
>> > problem.
>> >
>> > Crazy notion, I know.
>> >
>> > On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) <Thor@xxxxxxxxxxxxxxx> wrote:
>> >> How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it
>> >> or not, in the same way that it doesn’t matter if you are a “fan” of the 4%
>> >> surcharge retail establishments pay to accept the credit card as payment.
>> >> Using your logic, you would say it is “wasted money,” and might bring into
>> >> question the “value” of the surcharge, etc. It is simply a cost of doing
>> >> business.
>> >>
>> >> If you choose to offload processing to a payment gateway, then that will
>> >> also incur a cost. Depending on your volume, that cost may or may not be
>> >> higher than processing them yourself while complying with standards. The
>> >> implementation of actual security measures will be different. But you can’t
>> >> “handle” credit cards in the classic sense of the word without complying
>> >> with PCI. If you pass along the transaction to a gateway, you are not
>> >> handling it. If you DO handle it, then you have to comply with PCI. If you
>> >> process less than 1 million transactions a year, you can “self audit.” If
>> >> you process more, you have to be audited by a PCI auditor.
>> >>
>> >> None of this MEANS you are secure, it means you comply. If you don’t like
>> >> PCI, then don’t process credit cards, or come up with your own. I still
>> >> don’t really see what all the hubbub is about here.
>> >>
>> >> t
>> >>
>> >> From: Christian Sciberras [mailto:uuf6429@xxxxxxxxx]
>> >> Sent: Friday, April 23, 2010 9:29 AM
>> >> To: Thor (Hammer of God)
>> >> Cc: Christopher Gilbert; Mike Hale; full-disclosure;
>> >> security-basics@xxxxxxxxxxxxxxxxx
>> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>> >>
>> >> it is simply part of the cost of doing business in that market.
>> >> A.k.a. wasted money. Truth be told, I'm no fan of PCI.
>> >> Other companies get the same functionality (accept the storage of credit
>> >> cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
>> >> In the end, as a service, what do I want, an inventory of credit cards, or a
>> >> stable payment system? The latter, I guess.
>> >> As to security, it totally depends on implementation; one can handle credit
>> >> cards without the need of standards compliance.
>> >>
>> >> My two cents.
>> >>
>> >> Regards,
>> >> Christian Sciberras.
>> >>
>> >> On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <Thor@xxxxxxxxxxxxxxx>
>> >> wrote:
>> >>
>> >> Another thing that I think people fail to keep in mind is that when it comes
>> >> to PCI, it is part of a contractual agreement between the entity and card
>> >> facility they are working with. If a business wants to accept credit cards
>> >> as a means of payment (based on volume) then part of their agreement is that
>> >> they must undergo compliance with a standard implemented by the industry. I
>> >> don’t know why people get all emotional about it and throw up their hands
>> >> with all the “this is wasted money” positioning – it’s not wasted at all; it
>> >> is simply part of the cost of doing business in that market.
>> >>
>> >> t
>> >>
>> >> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>> >> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Christopher
>> >> Gilbert
>> >> Sent: Thursday, April 22, 2010 4:48 PM
>> >> To: Mike Hale
>> >> Cc: full-disclosure; security-basics@xxxxxxxxxxxxxxxxx
>> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>> >>
>> >> The paper concludes that companies are underinvesting in--or improperly
>> >> prioritizing--the protection of their secrets. Nowhere does it state that
>> >> the money spent on compliance is money wasted.
>> >>
>> >> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design@xxxxxxxxx>
>> >> wrote:
>> >>
>> >> I find the findings completely flawed. Am I missing something?
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>>