Todd Parker wrote:
> The dirty secret PCI is trying to hide is that much of the information
> flying on their clients' networks is cleartext. I've been inside some of
> those networks, and was appalled.

I have done incident response after breaches on a couple of very large
e-tailers. I have found firewalls that allow everything outbound and most
stuff inbound, Internet-facing Cisco devices with the login 'cisco
cisco' still enabled on the device (I would bet that about 10% to 15% of
all newer Cisco devices still have this default local login enabled!), I
have found BIND 4.x name servers running on Internet-facing firewalls,
and like Todd -- clear text everywhere, and on and on I could go.

PCI is a 110% joke. Security theater at its absolute complete worst!

Still worse, most auditors are clueless. They take the PCI auditing
course and hang out their shingle as a PCI auditor. All they know how to
do is to check the check boxes on the list. (I know of one organization
that had a label "FIREWALL" covering the Dell logo on a server, and that
got them an automatic check on the PCI audit for having a firewall.) PCI
DSS is a complete joke! There are even pen testing firms that will
guarantee you a pass for PCI compliance. The whole process is pure
security theater. It is sickening -- absolutely sickening.

At least, that is my $0.02 worth.

Jon K
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
