Chris hits the nail on the head. The DSS is about helping the clueless
make measurable progress in a better direction and giving management (C
and board level) the motivation and justification to spend money on
security and to induce their staffs to get moving.

No, the fine is what does that; the DSS is just the artifact with which to
do it. However, as a "Standard" it's worse than ICSA Firewall testing
criteria! ;-P

Is it perfect? No, but it is regularly revised (the DSS) and has a
mechanism to get better.

Not only is it not perfect, it's frankly about as bad as a document can
get and claim to be a "Security Standard." It *has* to have the mechanism
to get better, it really would have to try to get any worse... Are two
revisions really "regularly revised?"

Heck, the license to download it is more clear and to the point than the
document itself.

Here are some examples from the current "Standard" with my comments in

PCI DSS Requirement:

6.5.8 Insecure cryptographic storage
[Really? They require insecure storage?]

Testing Procedure:
6.5.8 Insecure cryptographic storage (Prevent cryptographic flaws.)

PCI DSS Requirement:

5.1.1 Ensure that all anti-virus programs are capable of detecting,
removing and protecting against all known types of malicious software.

[Honestly? All TYPES? Every time?]

1.3.5 Restrict outbound traffic from the cardholder data environment to
the Internet such that outbound traffic can only access IP addresses
within the DMZ.

1.3.5 Verify that outbound traffic from the cardholder data environment to
the Internet can only access IP addresses within the DMZ.

[Really? No Web browsing from a PC from a call center? No hitting an
internal proxy server that's not on the DMZ?...]

Seriously, I'd be embarrassed to release "criteria" like the above (and
it's just a small sampling for educational purposes...)
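To make the 1.3.5 point concrete, here is an added example (my own code, not from the thread or from the PCI Council) that reads the requirement literally and audits constructed outbound flow records from a cardholder data environment: anything leaving the CDE that is not bound for a DMZ address is flagged. The address ranges, the internal proxy address, the log format and the optional proxy allowance are all assumptions made for the example, not values from the standard.

```python
"""Audit outbound flows from the CDE against a literal reading of PCI DSS 1.3.5.

Added example: the subnets, proxy address, log format and the optional
proxy allowance are constructed for illustration and are not part of the
standard text.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed address plan (assumed values, not from any real environment).
CDE_NET = ipaddress.ip_network("10.10.0.0/16")      # cardholder data environment
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # DMZ (TEST-NET-1 used as a stand-in)
# An internal forward proxy that is NOT in the DMZ: the case the post raises.
INTERNAL_PROXY = ipaddress.ip_address("10.20.0.5")

# Constructed firewall log format: "src=... dst=... dport=..." somewhere in the line.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def classify_flow(src: str, dst: str, allow_internal_proxy: bool = False) -> str:
    """Return 'n/a', 'allowed', 'allowed-proxy' or 'violation' for one flow.

    The literal 1.3.5 reading permits CDE egress only to DMZ addresses.
    allow_internal_proxy is an assumed local policy exception (not in the
    standard) that additionally permits traffic to one internal proxy.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in CDE_NET:
        return "n/a"                      # 1.3.5 only governs traffic leaving the CDE
    if dst_ip in DMZ_NET:
        return "allowed"
    if allow_internal_proxy and dst_ip == INTERNAL_PROXY:
        return "allowed-proxy"
    return "violation"


def audit(lines: Iterable[str], allow_internal_proxy: bool = False) -> List[Tuple[str, str, int]]:
    """Parse log lines and return (src, dst, dport) for every flow that violates the rule."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # ignore lines that are not flow records
        verdict = classify_flow(m["src"], m["dst"], allow_internal_proxy)
        if verdict == "violation":
            findings.append((m["src"], m["dst"], int(m["dport"])))
    return findings


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z fw1 src=10.10.1.7 dst=192.0.2.10 dport=443 action=accept",   # CDE -> DMZ
    "2024-01-01T10:00:02Z fw1 src=10.10.1.7 dst=203.0.113.20 dport=443 action=accept", # CDE -> Internet directly
    "2024-01-01T10:00:03Z fw1 src=10.10.1.8 dst=10.20.0.5 dport=3128 action=accept",   # CDE -> internal proxy
    "2024-01-01T10:00:04Z fw1 src=10.30.0.4 dst=203.0.113.20 dport=80 action=accept",  # non-CDE host, out of scope
    "2024-01-01T10:00:05Z fw1 heartbeat ok",                                            # not a flow record
]

if __name__ == "__main__":
    print("strict 1.3.5 reading:", audit(SAMPLE_LOG))
    print("with proxy exception:", audit(SAMPLE_LOG, allow_internal_proxy=True))
```

Under the literal reading, the call to the internal proxy is a finding alongside the direct Internet connection; only when the assumed proxy exception is enabled does the proxy flow pass, which is exactly the gap between the printed requirement and a proxy-based design that the post points out.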


Isn't Verizon a QSA?

