"really isn't a whole lot different from 'lock your damned doors and windows' brick/mortar security." Except it's *massively* more expensive. On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Sun, Dec 27, 2015 at 1:59 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
SSH password + key file is accepted as two factor by PCI DSS auditors, so yes it is in fact two factor.
They also accept NAT as "security". If anything, PCI DSS is yet another example of a money grab masquerading as security theater (not even real security).
is it that? or is it that once you click the checkboxes on /pci audit/ 'no one' ever does the daily due-diligence required to keep their security processes updated/running/current/etc ?
I'm not a fan of the compliance regimes, but their goal (in a utopian world where corporations are not people and such) is the equivalent of the little posterboard person 42" tall before the roller-coaster rides, right?
"You really, REALLY should have at least these protections/systems/etc in place before you attempt to process credit-card transactions..."
In the utopian world this list would be sane, useful and would include daily/etc processes to monitor the security controls for issues... I don't think there's a process bit in PCI about: "And joey the firewall admin looks at his logs daily/hourly/everly for evidence of compromise" (and yes, ideally there's some adaptive/learning/AI-like system that does the 'joey the firewall admin' step... but let's walk before running, eh?)
so, it's not really a mystery why failures like this happen.
I remember seeing a story a while ago that stated that of companies hit by a data breach on a system that was inside their PCI scope, something insane like 98% or 99% were in 100% full PCI compliance at the time of the breach. The only conclusion to be drawn is that the PCI set of checkboxes are missing a lot of really crucial things for real security. (And let's not forget the competence level of the average PCI auditor, as the ones I've encountered have all been very nice people, but more suited to checking boxes based on buzzwords than actual in-deopth security analysis).
people toss pci/sox/etc auditors under the bus 'all the time', and i'm guilty of this i'm sure as well, but really ... if you put systems on the tubes and you don't take the same care you would for your brick/mortar places ... you're gonna have a bad day. 'cyber security' really isn't a whole lot different from 'lock your damned doors and windows' brick/mortar security.
So excuse me for not taking "is accepted by PCI auditors" as grounds for a claim of strong actual security.
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0