Re: DSS



Nick,
Well said. Something that I read once and always found interesting was "The ROI of good security is equal to the cost of one successful compromise," which translates to: the cost of quality security services will always be a fraction of the cost of a single malicious penetration.

I think that most businesses need to be educated about what the threat actually is and what quality security services really are. The fact of the matter is, to defend against a particular threat you must first have usable intelligence about that threat. Once you have that intelligence you must then test your defenses against an accurate reproduction of that threat in a controlled manner. Not many companies can re-create the threat in a realistic way.

Failing to be compliant will result in fines. Failing to be secure could put you out of business. Think about how much money TJX or CardSystems could have saved had they actually focused more on "quality" security.



Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn


Nick Vaernhoej wrote:
Adriel,

I think the intention is good.
The implementation is still flawed due to the quantity of the material
coming down to individual interpretation, from auditor to auditor even.
Over three years of passing, the experience here has been that what is
great one year is a disaster waiting to happen the next; finally, the
third year no one even checks.

Maybe some hefty fines for losing data in the first place would spark
the sort of environments PCI is trying to enforce?
If companies had the risk of going down in flames due to a breach maybe
they would change their view on a secure environment.
Maybe then a PCI equivalent requirement would never be needed.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-->-----Original Message-----
-->From: Adriel Desautels [mailto:adriel@xxxxxxxxxxxxx]
-->Sent: Friday, May 23, 2008 10:26 AM
-->To: Nick Vaernhoej
-->Cc: Hill, Pete; security-basics@xxxxxxxxxxxxxxxxx
-->Subject: Re: DSS
-->
-->Just out of curiosity, how many people here think that PCI does
-->anything to protect you from the real world threat?
-->
-->Regards,
--> Adriel T. Desautels
--> Chief Technology Officer
--> Netragard, LLC.
--> Office : 617-934-0269
--> Mobile : 617-633-3821
--> http://www.linkedin.com/pub/1/118/a45
-->
--> Join the Netragard, LLC. Linked In Group:
--> http://www.linkedin.com/e/gis/48683/0B98E1705142
-->
-->---------------------------------------------------------------
-->Netragard, LLC - http://www.netragard.com - "We make IT Safe"
-->Penetration Testing, Vulnerability Assessments, Website Security
-->
-->Netragard Whitepaper Downloads:
-->-------------------------------
-->Choosing the right provider : http://tinyurl.com/2ahk3j
-->Three Things you must know : http://tinyurl.com/26pjsn


