Re: [fw-wiz] PCI DSS & Firewalls

Interesting thread and comments.

Rather than responding to any particular post I'll fire away in
response to various comments. PCI-DSS is much like anything else: it's
what you make of it. Some folks use it as a tool to meet their
contractual obligations in handling credit cards and mesh it with
their existing (strong) security practices; other folks use it as a
checklist; some give it a wink and a nod. This is a fact of life.

I'd also point out that there are significant differences between
security, compliance and validation. Security is about risk
management. As Bruce Schneier says, you can choose to mitigate risk,
accept risk or transfer risk.

Compliance means meeting some set of requirements whether regulatory,
contractual or self-imposed.

Validation simply measures how well we are doing, whether from
internal or external assessment.

At the end of the day, PCI-DSS is contractual. "In exchange for us
allowing you to handle credit cards you must do XYZ". It is a baseline
not the end goal of security achievement. If you don't want to deal
with PCI-DSS, only accept cash, checks and alternative payments.

Alternatively one might choose to shrink the PCI environment through a
little planning.

Chris Blask wrote:

"Now, is PCI enough (or complete)? Apparently not (go ask Heartland).
But if we can get people doing the things in the DSS for starters, at
least they'll be evolved beyond gills and flippers when we get there
to talk about actual security."

Other than Heartland claiming they were compliant and a QSA asserting
(validating) they were compliant, why would we think that they were in
fact compliant when there are plenty of indicators that they were
likely not compliant? If they were actually checking configurations,
reviewing logs, monitoring traffic, etc., and all the other
requirements of the standard, how is it that the breach went on as
long as it did? And remember, it was the card companies that went to
Heartland saying they had a problem.

Every so often the CISP folks at VISA offer a workshop on PCI-DSS.
It's well worth the time and money (less than $500). They are well
aware of the issues with QSAs, the checklist mentality and other
issues. The problem for the card companies is the sheer volume of
organizations they need to move along the security curve. Looking at
merchants, there aren't that many level ones, and level twos number
less than a couple thousand. When you get to level threes you jump into
the hundreds of thousands. The other part of the equation is that if
you plot organizational skillsets and resources along that same chart
you get a very scary image.

Firewalls (to keep this somewhat germane to the list) are only one
aspect of security and compliance. And let's remember that for the
longest time many drank the Cisco koolaid about how secure IOS was. We
also saw the response to Mike Lynn's presentation. Let's travel back
even further... anyone else remember Sykes presenting at defcon (was it
dc8?) "Let's smash some firewalls"?

I'm going to implement security at multiple points in my environment
whether it's my border routers, firewalls, hosts, applications, etc.
I'm not going to mindlessly rely on any standard whether it's PCI-DSS,
NIST 800 series, or anything else. There are others (both individuals
and organizations) that will choose to do the minimum or worse yet lie
about what they are doing.... Darwin was right.

Penetration testing has been touched on. Over on the pen-test list
this is the end all and be all. "See, we can show how sucky your
security is." The reality is that pentesting is just one more tool.
It can be used and it can be misused, just like a hammer or a

Marcus wrote with regard to pentesting:

"Why would I want someone taking an outsider's perspective - I'd
be much more likely to find something really useful if I had
another expert red-team my configuration and design."

My response is why not do both?

The reality is that most developers and operations folks tend to think
about how things SHOULD work rather than how things MIGHT be abused.
Back in the day most of the security folks I've known tended to pay
their dues as developers and/or packet pushers before moving into
security. Today not necessarily so much.

Anyways, to bring it back to Paul's original question about playing
CISSP buzzword bingo, my answer is no. There are, if I remember off the
top of my head, 243 compliance requirements in v1.1, and unless the
folks that wrote PCI-DSS wanted to make up a new nomenclature we would
expect to see significant overlap in terminology.

Just a few thoughts.
firewall-wizards mailing list