On Mon, 23 Mar 2009, Anton Chuvakin wrote:
: > : I'd say that PCI DSS did more to information security than *anything
: > : else* since Windows added automated updates.
:
: > Care to back that up in any way? I think the customers of Heartland, RBS
: > and other compromises would disagree.
:
: Sorry, but this is kind of what I was talking about :-) What I am
: hearing in the above is that PCI was somehow supposed to guarantee their
: un-hackability. Is that what you are implying? What about a simpler
: explanation: they were breached DESPITE PCI DSS?

You say "PCI DSS did more for infosec than anything else since..." Your
implication is that PCI DSS did more for organizations like Hland/RBS than
Windows patching. That is a pretty bold statement and I was curious if there
was any way to back that statement, even anecdotally.

I imply that PCI DSS did little / nothing to protect those companies. The
fact that each was compromised supports my position.

: PCI did drive many small organizations to think about: a) have we updated
: our AV since 2004 (BTW, their answer was 'no' and now it is 'yes'
: [debate about AV efficiency is a separate story]) b) what on Earth is a
: firewall? c) changing passwords is maybe a good idea.
:
: That is where I think it is useful.

It's just as easy to say that all the news articles about big breaches
scared them into asking those questions as it is to say the PCI movement did.

: > You forgot one part of your sig:
: > Director of PCI Compliance Solutions at Qualys
:
: Was that remark intended to invalidate my arguments in any way? I hope
: you are not implying that people working for a vendor are not allowed -
: gasp! - their own opinion...

Invalidate, no. Help qualify, yes. You are absolutely allowed your opinion.
I just wish we could see what it really is, rather than see the Qualys
kool-aid dribbling from your mouth in its place. =)

Without exception, anyone I have talked to who is involved in PCI has said
it is a joke and that 'security theatre' is an appropriate term. In some
cases, they were folks giving pro-PCI talks at conferences who then gave
their own real opinion in person afterwards. The posts on this list in the
last day or two are from more PCI realists.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.