[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: Shaqe Wan <sha8e@xxxxxxxxx>
- Date: Sun, 25 Apr 2010 22:34:52 -0700 (PDT)
Nick,
Please if you don't know what the standards are, please read:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
See Requirement #5. Read that requirement carefully and its not bad to read it
twice though in case you don't figure it out from the first glance !
Also, I said that using an AV is some basic thing to do in any company that
wants to deal with CC, its a basic thing for even companies not dealing with CC
too !!! Or do you state that people must use a BOX with no AV installed on it?
If you believe in that fact? Then please request a change in the PCI DSS
requirements and make them force the usage of a non Windows O.S, such as any
*n?x system.
Finally, the topic here is not about "default allow vs default deny" and if I
understand what that is or not! You can open a new discussion about that, and I
shall join there and discuss it further with you, in case you need some
clarification regarding it.
Regards,
Shaqe
--- On Sun, 4/25/10, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:
>From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
>Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>To: full-disclosure@xxxxxxxxxxxxxxxxx
>Date: Sunday, April 25, 2010, 1:57 PM
>
>
>Shaqe Wan wrote:
>
><<snip>>
>> Because it shall be nonsense to deal with CC, and not have an Anti-virus for
>> example !!
>
>Well, you see, _that_ is abject nonsense on its face.
>
>Do you have any understanding of one of the most basic of security
>issues -- default allow vs.
> default deny?
>
>There are many more secure ways to run systems _without_ antivirus
>software.
>
>Anyone authoritatively stating that antivirus software is a necessary
>component of a "reasonably secure" system is a fool.
>
>Anyone authoritatively stating that antivirus software is a necessary
>component of a "sufficiently secure" system is one (or more) of; a
>fool, a person with an unusually low standard of system security, or a
>shill for an antivirus producer.
>
>So _if_, as you and another recent poster strongly imply, the PCI
>standards include a specific _requirement_ for antivirus software, then
>the standards themselves are total nonsense...
>
>
>
>Regards,
>
>Nick FitzGerald
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/