Re: Heartland Gets Religion on Security



Hi Rajat,

> ...but I'd like to think that the assessor didn't do a
> thorough job either of reviewing them.
I agree. Over at DataLossDB, I inquired about adding a column for the
firm(s) performing the audit in an attempt to [possibly] correlate
breaches with firms. Unfortunately, DataLossDB did not feel they had
the resources to accommodate. I can't help but feel there is an
Enron/Arthur Andersen relationship among some of these folks.

Jeff

On 6/19/09, rajat swarup <rajats@xxxxxxxxx> wrote:
On Thu, Jun 18, 2009 at 7:02 AM, Jeffrey Walton<noloader@xxxxxxxxx> wrote:
> From the folks at Attrition and the DataLossDB.
>
> ---------- Forwarded message ----------
>
>
> Carr says that one lesson he's learned from the breach is that the
> industry's security standard, called Payment Card Industry or PCI, doesn't
> go far enough. It's the "lowest common denominator," he says, adding that
> the audit didn't detect the vulnerability that led to the hack even though
> it had existed for years.
>

It's interesting to see their perspective, but I'd like to think that
the assessor didn't do a thorough job of reviewing them either. I
could be wrong too! Not to place faith in the PCI DSS or anything, but
I have yet to see a *truly* compliant merchant being breached. Media
reports led me to believe that the ones that were compliant and
breached had been weakly assessed on certain aspects of the
assessment.

Just a thought!

--
Rajat Swarup

http://rajatswarup.blogspot.com/
