That's the insanity: PCI does require remediation of all known security vulnerabilities. PCI's own guidance does not make any such exception for DoS vulnerabilities. The guidance on 6.2 gives, as the reason why patching is so crucial, that "a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data."
I've actually argued this point a few times with a QSA and the response was much better than initially expected. One still needs a compensating control, but the contradiction wasn't dismissed when it was explained. Most people I work with take one of two approaches. Either they bend their heads through insane apologetics to try and defend the contradiction, or they laugh and agree, and we go on to solving real problems like users recording passwords in plain text files, or leaving them on sticky notes, or passwords even being allowed in the first place. (That's another rant of mine.)

> On 2014 Dec 19, at 01:56 , Tracy Reed <[email protected]> wrote:
>
> On Thu, Dec 04, 2014 at 06:18:30AM PST, Mark McCullough spake thusly:
>> The rule that violates PCI: Requirement to lock or disable accounts after x
>> failed login attempts. That's a remotely executable, no authentication
>> required denial of service attack that is demonstrated over and over again.
>> Since it is a known vulnerability, it must be remediated, per PCI.
>
> You would be referring to Requirement 8.1.6: Limit repeated access attempts by
> locking out the user ID after not more than six attempts.
>
> This isn't a violation of PCI as PCI isn't concerned with data availability.
> They would rather the data be unavailable or even destroyed than to have card
> data leak. This is very much as opposed to something like HIPAA where data
> availability is every bit as important as confidentiality. HIPAA beats the CIA
> (Confidentiality, Integrity, Availability) drum regularly whereas PCI only
> cares about Confidentiality.
>
> --
> Tracy Reed

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue."
Edward R Murrow (1964)

Mark McCullough
[email protected]

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
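An added illustration of the tension discussed in the thread, written for this page and not code from either poster: a model of an 8.1.6-style lockout (lock the user ID after six failures) with the kind of compensating control a QSA would look for, a time-boxed lock plus an administrative unlock, so that a flood of bad guesses against a known user ID denies that user service for a bounded window rather than indefinitely. The class and function names, the 30-minute duration and the sample attempts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 6           # PCI DSS 8.1.6: lock the user ID after not more than six attempts
LOCKOUT_SECONDS = 30 * 60  # assumed lockout duration; bounds how long one flood denies service


@dataclass
class Account:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None means not locked


class LockoutPolicy:
    """Per-user-ID lockout with a time-boxed lock and an administrative unlock (hypothetical)."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts: Dict[str, Account] = {}
        self.events: List[Tuple[str, str, float]] = []  # lock/unlock events: the thing to alert on

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. The caller has already verified the password."""
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"  # even a correct password is refused while locked
            acct.failures, acct.locked_until = 0, None  # lock expired: start fresh
        if password_ok:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            self.events.append(("lock", user, now))
            return "locked"
        return "denied"

    def admin_unlock(self, user: str, now: float) -> None:
        """Compensating control: an administrator can end the lock early."""
        self.accounts[user] = Account()
        self.events.append(("unlock", user, now))


def simulate_lockout_dos(policy: LockoutPolicy) -> dict:
    """Constructed scenario: six wrong guesses against 'alice' lock her out, her real
    password is refused while locked, and service returns once the window expires."""
    for i in range(6):
        policy.record_attempt("alice", False, now=float(i))
    refused = policy.record_attempt("alice", True, now=10.0)
    restored = policy.record_attempt("alice", True, now=10.0 + policy.lockout_seconds)
    return {"refused": refused, "restored": restored, "locks": len(policy.events)}
```

The lock events list is the detection hook: a burst of lock events across many user IDs from unauthenticated sources is the availability attack the thread describes, and is what a monitoring rule should fire on.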
