Dealing with auditors (was Re: We hit half-million: The Cidr Report)
On 4/30/2014 11:30 AM, Valdis.Kletnieks@vt.edu wrote:
On Wed, 30 Apr 2014 15:40:43 -0000, Jamie Bowden said:
You're not funny. And if you're not joking, you're wrong. We just went over this on this very list two weeks ago.
And in that discussion, we ascertained that what the PCI standard actually says, and what you need to do in order to get unclued boneheaded auditors to sign the piece of paper, are two very different things.
Yes, the PCI standard gives a list of 4 options and then continues on to say that other creative solutions are acceptable as well. But if you discover mid-engagement that your auditor *thinks* it says "Thou shalt NAT", you have a problem.
Anybody got recommendations on how to make sure the company you engage for the audit ends up sending you critters that actually have a clue? (Not necessarily PCI, but in general)
I am no longer active on the battlefield but as of the last time I was, it can't be did.

For years I managed various aspects of a UNIVAC 1100 operation and the audits thereof. EVERY TIME, we were dinged badly because we didn't look like an IBM shop (some may be surprised to learn that different hardware and different operating systems require very different operating procedures), and it appeared to us that some of the things they wanted us to do would weaken us badly, others just simply didn't make any sense, and we got dinged for things we DID do, because they were strange. In later years I was in a small 1100-many HP9000 shop--same thing only different. (That was also the environment with a medical school and hospital with Internet-accessible heart monitors on Windows 95.)

I think there has been some drift away from IBMishness as The Gold Standard, but it still looks like there is no allowance for the real world in computing and networking.

-- 
Requiescas in pace o email            Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio       Infallibility, and the ability to
                                        learn from their mistakes.
                                        (Adapted from Stephen Pinker)
I won the argument with PCI auditors about leaving telnet alive on my exterior router (which at the time would have had to be replaced to support ssh). It's not a chore for the timid. You'd better be a heck of a guru before you challenge the auditors' expectations and you'd better be prepared for your boss' aggravation that the audit isn't done yet.

And I think we pretty well established that PCI auditors arrive expecting to see NAT.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
The auditors VMware sent to us were just as bad. To ensure we weren't running "rogue" ESX(i) servers or Workstation, they made us provide full arp/cam tables. Then a list of the virtual machines. "Oh look, this MAC isn't listed as one of your virtual machines." It isn't because it was running on VirtualBox or something like that. Auditor didn't know you could export a virtual machine from VMware and load it into another virtualization software and it would keep the VMware MAC ....
-- Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-396-1764 You can find my resume at: http://www.Alameda.net/~ulf/resume.html
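As an added example (not code from Ulf's post or from any tool named in the thread) of the ARP-table-versus-VM-inventory comparison the auditors ran, with the caveat from the post built in: a MAC that carries a VMware OUI but is missing from the inventory is labelled "unverified", not "rogue", because an exported guest keeps its VMware MAC on another hypervisor. The OUI set, the ARP lines and the inventory are constructed sample data.

```python
import re

# VMware-assigned OUIs (first three octets of a MAC). A MAC in one of these
# ranges means "this NIC was created by a VMware product", not "this guest is
# running on ESX(i) right now": an exported VM keeps it on VirtualBox etc.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# Constructed sample of a router ARP table (IOS 'show ip arp' layout) and of a
# vCenter-style VM inventory; not data from the thread.
ARP_TABLE = """\
Internet  10.0.1.10   0   0050.5601.aa01  ARPA  Vlan10
Internet  10.0.1.11   2   000c.2934.bb02  ARPA  Vlan10
Internet  10.0.1.12   5   0050.5601.cc03  ARPA  Vlan10
Internet  10.0.1.20   1   3c07.5400.dd04  ARPA  Vlan10
"""
VM_INVENTORY = {"00:50:56:01:aa:01", "00:0c:29:34:bb:02"}


def normalize_mac(mac):
    """Convert Cisco dotted (0050.5601.aa01) or colon form to aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return {mac: ip} for each 'Internet' entry line of the ARP table."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            entries[normalize_mac(fields[3])] = fields[1]
    return entries


def classify(arp_entries, inventory):
    """Label each ARP entry: inventoried VM, VMware OUI not in inventory (a human
    must check which hypervisor it is on), or not a VMware NIC at all."""
    labels = {}
    for mac in arp_entries:
        if mac in inventory:
            labels[mac] = "inventoried"
        elif mac[:8] in VMWARE_OUIS:
            labels[mac] = "vmware-oui-unverified"
        else:
            labels[mac] = "non-vmware"
    return labels


if __name__ == "__main__":
    for mac, label in classify(parse_arp(ARP_TABLE), VM_INVENTORY).items():
        print(mac, label)
```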
We just dealt with a vmware audit too; it was a joke. In any case, the thing I found curious with their auditor as well as a PCI QSA (fancy auditor), is that neither entity seemed to know IPv6 exists. The whole time I'm thinking okay, now why aren't you investigating these same attack vectors in IPv6? Just another reason PCI is not necessarily about security....

David
Well,

Right now, 1/2 my day$ are spent doing PCI auditing, technical side, not as a QSA. There is no shortage of horror stories about my customers' previous QSA...

Best one to date... Firewalling the FC SANs from the pool of VMware servers.

Bill & Telnet...

I hope that QSA didn't let you keep that telnet facing any public interface without any protection.

PS: Same deal with SSH ... encryption != protection since keylogging is way easier than sniffing packets. But at least you can limit SSH authentication to public keys.

-----
Alain Hebert                                  ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles                           http://www.pubnix.net
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911                             Fax: 514-990-9443
Hi Alain,

The point I made, successfully, was that it was outside the firewall hence out of scope for the audit. What I do in a different security domain from the one which handles the credit card transactions is none of their business.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Bill - anything that puts another routable network alongside of the card processing info is in scope. The real issue is that the PCI-SSC decided to formally create a policy to hold the auditors harmless in their actions and that is about to change.

Todd
-- ------------- Personal Email - Disclaimers Apply