Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: wilder_jeff Wilder <wilder_jeff@xxxxxxx>
- Date: Tue, 27 Apr 2010 03:37:58 -0600
There is a big difference between being secure and being compliant. If it's a
company's desire to be compliant, they may never be secure. However, if they
strive to be secure, they will always be compliant no matter what framework they
are chasing.
I agree... money spent on compliance is useless..... money should be spent on
being secure.
take it for what it cost you,
-Jeff
Date: Tue, 27 Apr 2010 10:34:22 +0200
From: uuf6429@xxxxxxxxx
To: sha8e@xxxxxxxxx
CC: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
"Where did I say that it's a waste of time and money?"
Here you go:
"I 100% agree with you
that most of the companies seek the paperwork and get PCI certified
and don't really bother about true
security measures, but in the end if a breach is discovered they are
the ones who shall get the penalty in the face, not us :)"
"BTW: I argued a lot with my managers about the PCI stuff, but no one
gives you an ear, so let me be categorized in category #2 of yours :D"
Then I'm afraid this argument ends here.
Cheers.
On Tue, Apr 27, 2010 at 10:28 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
Where did I say that it's a waste of time and money?
Hmmm, strange!!!
BTW: I argued a lot with my managers about the PCI stuff, but no one gives you
an ear, so let me be categorized in category #2 of yours :D
From: Christian Sciberras <uuf6429@xxxxxxxxx>
To: Shaqe Wan <sha8e@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Tue, April 27, 2010 11:22:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
In short, you just said that PCI compliance _is_ a waste of time and money.
Why else would you protect something which is bound to fail anyway?!
This is a lost battle, as I said no one cares about the arguments because these
people fall into three categories:
-they believe the illusion that PCI by itself enhances security
-they do their job and don't give a f*ck about it
-they are arguing for the fun of it without any real arguments (why else prove
me right on my arguments and later on deny it?)
On Tue, Apr 27, 2010 at 10:03 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
You won't know, not now, not ever. Maybe they do get a commission for your AV
installation, who knows! But maybe they think it is something that everybody
needs so they force it. To get to know the true answer, we need to sit down with
the guys who wrote the requirements and brainstorm those issues with them. We
shall keep just running around and around in a circle here, because no one here
"if no CC company guy is around" can give a definite answer. Just our simple
arguments!
As I said before, I have to use it on a Windows box, because it's a requirement,
it's not my opinion at all.
I 100% agree with you that most of the companies seek the paperwork and get
PCI certified and don't really bother about true
security measures, but in the end if a breach is discovered they are the ones
who shall get the penalty in the face, not us :)
NB: I don't use an AV, never did, and never will :p
Regards,
From: Christian Sciberras <uuf6429@xxxxxxxxx>
To: Shaqe Wan <sha8e@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Tue, April 27, 2010 10:37:24 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Surely being forced to install an anti-virus only brings in a monopoly? How do
I know that PCI Standards writers are getting a nice commission off me
installing the anti-virus? (I know they don't, I'm just hypothesizing).
You stated it yourself, an anti-virus may not make any difference, it is there as
per PCI standard.....so what is its use? Why the heck do I have to install
something useless?
Lastly, that is where you are wrong, there is no "base starting point":
companies don't give a shit about proper security measures, they get
PCI-certified and all security ends there.
That is the freaken problem.
NB: I do use anti-virus software, what I specified above is not in any way my
opinion about anti-virus vendors, etc.
On Tue, Apr 27, 2010 at 9:25 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
Hi,
I don't actually believe there is a "democratic society". No such thing exists.
If it does? Then ask the organizations who made the compliance requirements to
drop them and make audits based on some other measure that you believe is more
secure and has fewer flaws in it. Finally, regarding the AV issue, which I wish
to end here, my position is that "I don't believe that an AV shall make your box
secure, but it's a requirement to be done - Added by PCI".
And yes I have noticed that FD is for such security measures discussion, but
never thought of joining it and discussing with others until a couple of days
ago when I saw this topic.
Finally, the compliance can be taken as a base starting point, and then
moving further, like that it shall not be a waste of money!
Regards,
From: Christian Sciberras <uuf6429@xxxxxxxxx>
To: Shaqe Wan <sha8e@xxxxxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Tue, April 27, 2010 9:59:59 AM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Perhaps you haven't noticed, this is Full-Disclosure, which at least, is used
to discuss security measures.
As such, it is only natural to argue with PCI's possible security flaws.
Besides, in a democratic society (where CC do operate as well), you can't
"force" someone to install an anti-virus just because _you_ think it is secure.
The argument that compliance is wasted money still holds.
Cheers.
On Tue, Apr 27, 2010 at 7:36 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
Hola,
The problem is not whether they are educated against other standards or
policies or not, the problem is that without this compliance you can't work
with CC!!! It's something that is enforced on you!
BTW: why don't people discuss what points are missing in the PCI Compliance
rather than this argument?
Regards,
From: Christian Sciberras <uuf6429@xxxxxxxxx>
To: Shaqe Wan <sha8e@xxxxxxxxx>
Cc:
full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Mon, April 26, 2010 4:19:27 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
OK.
"All those in favour of PCI raises their hands."
Kidding aside, of course it is a must, since the said companies don't have
any notion of security before this happens.
However, how much is this actually helpful? Now let's be honest, how much would
it stop a potential attacker from getting into a system "protected" by PCI?
Little, if at all.
On the other hand, a company should adopt real and complete security practices.
Again, my point is, these companies shouldn't be "educated" or limit their
security to this standard. Because if they do (and I'm pretty sure they do) it
would make this standard pretty much useless.
Anyway, I won't get into this argument, since no one will give a sh*t about it
anyway.
Cheers.
On Mon, Apr 26, 2010 at 3:02 PM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
Christian,
Did you read my first post?
((( IMO, PCI is not that big a security policy, but without it you're not able to
use the credit card companies' gateway. I
think it's just the basics that any company dealing with CC must implement.
Because it shall be nonsense to deal with CC, and not have an Anti-virus for
example!! )))
I am not stating that PCI is good in any way, but I am saying that it's a MUST
for companies dealing with CC. And in a Windows environment, an AV is
important.
He probably thought that I am with the rules of PCI, or that I don't have any
idea that the world is not just WINDOWS!!!
Regards,
From: Christian Sciberras <uuf6429@xxxxxxxxx>
To: Shaqe Wan <sha8e@xxxxxxxxx>
Cc:
full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Mon, April 26, 2010 3:54:20 PM
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Why exactly are you complying with Nick's statements? I would have thought you
guys were arguing against said statements?
By the way, requirement #6 is particularly funny; it sounds peculiarly
redundant to me...
Cheers.
On Mon, Apr 26, 2010 at 7:34 AM, Shaqe Wan <sha8e@xxxxxxxxx> wrote:
Nick,
Please, if you don't know what the standards are, read:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
See Requirement #5. Read that requirement carefully, and it's not bad to read it
twice in case you don't figure it out from the first glance!
Also, I said that using an AV is some basic thing to do in any company that
wants to deal with CC; it's a
basic thing even for companies not dealing with CC!!! Or do you state
that people must use a BOX with no AV installed on it? If you believe in that
fact? Then please request a change in the PCI DSS requirements and make them
force the usage of a non-Windows OS, such as any *n?x system.
Finally, the topic here is not about "default allow vs default deny" and if
I understand what that is or not! You can open a new discussion about that,
and I shall join there and discuss it further with you, in case you need some
clarification regarding it.
Regards,
Shaqe
--- On Sun, 4/25/10, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
To: full-disclosure@xxxxxxxxxxxxxxxxx
Date: Sunday, April 25, 2010, 1:57 PM
Shaqe Wan wrote:
<<snip>>
> Because it shall be nonsense to deal with CC, and not have an Anti-virus for
> example !!
Well, you see, _that_ is abject nonsense on its face.
Do you have any understanding of one of the most basic of security
issues -- default allow vs. default deny?
There are many more secure ways to run systems _without_ antivirus
software.
Anyone authoritatively stating that antivirus software is a necessary
component of a "reasonably secure" system is a fool.
Anyone authoritatively stating that antivirus software is a necessary
component of a "sufficiently secure" system is one (or more) of: a
fool, a person with an unusually low standard of system security, or a
shill for an antivirus producer.
So _if_, as you and another recent poster strongly imply, the PCI
standards include a specific _requirement_ for antivirus software, then
the standards themselves are total nonsense...
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/