Have you seen how these POS networks and systems are architected and how crappy the software is that is run on these systems?
Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer, Lifespan Organization
[email protected]
Work: 401-255-2497

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Monday, December 23, 2013 10:20 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....

I can only assume they don't, since historically (generally speaking) there have been serious breaches that should not have happened.

I've been involved with POS systems, banking systems, as well as various wifi devices - and for years, there's been a lot of foolishness. Business rarely does what it should - and instead only does what it has to, or can financially bet against.

* Banking: We (the US) still allow a system that relies heavily on magnetic strip media.
* Telco: We (the US) still allow a system where cell phones can be stolen and reused.

--
Espi

On Mon, Dec 23, 2013 at 6:31 PM, Ken Schaefer <[email protected]> wrote:

Your rant presupposes that there isn't "decent security" already in place. What evidence do you have that there isn't?

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of J- P
Sent: Tuesday, 24 December 2013 12:43 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: 40 Million CC breach at Target....

/rant on
I have one question that rings in the back of my mind: they (banks, creditors, merchants, etc.) charge all sorts of fees; sometimes I have heard of fees larger than a bill that's due. Why can't they take a piece of that to get some decent security into place?
/rant off

Happy holidays and a prosperous new year to all

Jean-Paul Natola

________________________________
From: [email protected]
Date: Mon, 23 Dec 2013 08:10:19 -0500
Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....
To: [email protected]

>> That's a pretty fair analogy - and both statements are true. On the other hand, banking is much better understood - experience with banking goes back hundreds of years, with concomitant expertise in many fields in dealing with the risks in banking. The experience around computing is much more shallow, and the risks are not as well known, nor has nearly as much thought and practice gone into mitigating them.

Okay, so how about when banking relies upon computing? Which risk profile comes into play, then -- the hundreds of years, or the shallow years/decades?

Whether or not YOU use online banking, it is almost assured that your bank provides it and that others are aware of its existence. Do you think that your bank is providing such a service without any reliance upon 3rd parties? Do you think that because you aren't using the online services from your bank that your data would be unimpacted?

(Hint: I'm sure that some of the people impacted in the Target breach, as in the TJX breach before it, were *not* online users)

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Sun, Dec 22, 2013 at 10:31 PM, Kurt Buff <[email protected]> wrote:

On Sun, Dec 22, 2013 at 6:59 PM, Andrew S. Baker <[email protected]> wrote:
>> Amazon's cloud is external to its customers - Amazon's staff,
>> procedures and infrastructure are a risk to its customers.
>
> That's as illogical a statement as the following:
> XYZ Bank's technology infrastructure is external to its customers - XYZ
> Bank's staff, procedures and infrastructure are a risk to its customers...

That's a pretty fair analogy - and both statements are true. On the other hand, banking is much better understood - experience with banking goes back hundreds of years, with concomitant expertise in many fields in dealing with the risks in banking. The experience around computing is much more shallow, and the risks are not as well known, nor has nearly as much thought and practice gone into mitigating them.

>> Except when suborned or perverted by money, patriotism or blackmail:
>> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
>
> And how does you maintaining your infrastructure on-premises, but having to
> rely on 3rd party telecommunications mitigate the above risk in any way?

It's not just that specific incident - that's but one example, and in this specific instance, there was no remedy - trusted parties were subverted, and the same can happen in other fields. I'm not arguing for perfection here - just a recognition that complexity brings risk, and that keeping things simple and under more control is usually wise.

Indeed, for some businesses, especially small ones with no IT staff, or very limited IT staff, going with a public cloud might make sense. But if a business has good IT staff, I'd venture that migrating most or all of their infrastructure to a public cloud isn't their best bet.

Kurt