Security Basics mailing list archives

RE: [Full-disclosure] Compliance Is Wasted Money, Study Finds
From: "Lyal Collins" <lyalc () swiftdsl com au>
Date: Sat, 24 Apr 2010 14:37:15 +1000

I'd like to jump into this exchange of views for a moment.

As a QSA, I know PCI DSS is not perfect.
It's certainly better than ISO 27001/2 imho, where you decide what you want
assessed against criteria you define.  HIPAA, SOC and GLBA et al are
virtually non-existent in my country, so 27001 is one viable yardstick
for this international discussion.
I know one bank that had 27001 compliance years ago - they simply defined
the target as the 6 person IT security team, not the 35,000 employees across
1000+ locations and 300+ systems.
Outcome = tick in the box, great publicity, and no actual changes to their
security posture.
However, PCI doesn't let you get a tick in a box by allowing you to choose
which things to assess - it's all or nothing.
Compared to the security status of a site prior to a PCI review, PCI is
pushing virtually all companies miles ahead in their security posture.
Of the 12 compliance areas in PCI DSS, virtually all the sites I, and my
colleagues, see are mostly compliant to 1 or 2 (anti-virus, and encrypted
transmission over external networks).
Out of the 230+ individual PCI DSS requirements, 30% is an average score
prior to a company starting PCI compliance activities.  They'd be in the
same situation when measured against any 'good security practice' criteria.

Some examples, minor variations of which emerge in every new site:
- Watching 3 people in a room argue about the actual network layout, because
there is no network diagram that is remotely accurate or less than 2 years
old, and the details are all in 1 or 2 persons' heads, is scary - they have
no idea of network assets - and these are in sites with under 100 employees.

- Finding firewall rules that include 'any any' because that's what they
applied when first setting up the device 3 years ago but forgot to remove is
scary - meaning all the subsequent effort on applying specific firewall
rules has protected nothing and wasted change management time!
- Finding that a company has 20+ systems with sensitive data, not two as they
originally thought, is scary.
- Builds of servers, databases and web app frameworks that are virtually
"out of the box" are scary.
- Patching that is a 'not at all' situation, or a process that occurs
annually or semi-annually at best in many companies.  Yet Verizon's report,
and similar, show a significant number of successful attacks leveraged holes
that are years old.
- IPS/IDS, and audit logging, reviewing audit logs - "who needs 'em - we
KNOW we are secure" is a simplified summary of how systems are actually
- "We've got a firewall and anti-virus so we are secure" is still a
significant part of many sites' security posture.
- Seeing security policies that literally require a firewall, locked server
rooms and a password on workstations is scary.
- Seeing developers who insist the production system retains between 3 and
10 copies of every record processed, indefinitely, spread across multiple
components and all associated backups, exponentially increases the range of
targets an attacker can compromise for gain.
- Production systems running NT4, Windows 2000, Solaris 8 and AIX 5.1 (all
in 2009) - scary.

And these situations are nationwide, and in some cases, multi-national
organisations, not a 'business in a garage'.

So when PCI demands that aspects are addressed, it is not wasted effort imho
- it's merely making companies invest in 'average security practice' (no, it's
not even expecting 'security best practice').

In my personal experience of over 40 sites, PCI DSS is a major advance in the
security posture of companies, for at least some of their systems,
applications and data.
Many of these same companies do actually have reasonable security in many
other aspects of their systems. Unfortunately, the security gaps are wide,
deep and ever present.
It's not perfect, it's not even applied to a whole enterprise, just selected
elements of a business.

However, PCI does reduce risks in these selected elements of a business
relative to the pre-PCI status quo.  Further, when a company absorbs PCI
into the 'business as usual' management of IT, it slowly permeates
elsewhere, due to budget unlocking, increased awareness, and many
infrastructure security controls in PCI overlap into non-PCI parts of the
business.  Of course, when the company applies 'check in a box' attitudes to
information security, then they get 'ticks in a box', not security. Year 2 and
3 PCI assessments of clients show PCI has either 'stuck' as BAU or means
repeated remediation effort.  Treating any form of compliance as a tick in a
box invariably means a low cost to benefit outcome in my experience.

PCI is not always cheap.  The reality I've experienced over 5 years of PCI
is that companies have under invested in people, processes and in some
cases, security products in some (occasionally all) areas of their business.

As indicated above, some security compliance programs do appear to provide
little or no real security improvement - FISMA, for example, based on press
reports.  Your mileage may vary.
PCI DSS is one compliance program making measurable, significant
improvements to the protection and security management of selected
information and systems, imho.

Disclaimer - I've cherry-picked some examples above, for deliberate effect.
However these examples and minor variations are representative examples of
the overall state of information security I've seen in companies, prior to
them progressing toward PCI compliance.




-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Thor (Hammer of God)
Sent: Saturday, 24 April 2010 4:32 AM
To: Stephen Mullins
Cc: full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

Three things:  

1) I am one of those people, as many of us are.
2) I disagree - compliance with the standard, as put forth by the body
developing the standard, certainly implies a real security benefit.  Does
PCI=Security?  No, but it certainly helps.  There is a huge difference
between "ensure" and "imply."  Using them together like that as if they are
synonymous is a red herring.   Think about what you just said: "it doesn't
imply real security."  THAT doesn't define ANYTHING actionable.  Nothing.
What the standard does IS to define at least measures to be taken that can
increase security - it has specifics and action items.  It is tangible.
And, it is far more likely to provide a real benefit than not.  It
*certainly* does more than having some policy say "You must imply real
security."  If you are one of those people that care about security,  and if
your takeaway from PCI is that "it doesn't imply real security" but you fail
to tell us what does, then I would have to say you are not really providing
any benefit.  
3) "Apparently not a cost of doing business" how?  What did I say that makes
that statement apparent?   I fail to see how you can connect what the OP
stated as "Compliance is Wasted Money" with "apparently having a secure
network is not a cost of doing business."   They are two different things.
If you want to process credit cards in your business to make more money, and
the credit card industry says, up front, "ok, you can play if you follow
these rules," then that is a cost of doing business.  If you actually do
enough business to justify PCI audits, and you as a security person
implement a system that passes all PCI audit requirements as written, but
still FAIL to have a system where no security is implied, then YOU have not
done your job.  No amount of blaming PCI's inadequacies is going to make up
for people not taking responsibility for doing their jobs.  Period.


-----Original Message-----
From: Stephen Mullins [mailto:steve.mullins.work () gmail com]
Sent: Friday, April 23, 2010 10:40 AM
To: Thor (Hammer of God)
Cc: Christian Sciberras; security-basics () securityfocus com; full-disclosure
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

I don't see what the hubbub is.

Some people in the information security industry actually care about
securing systems and the information they contain rather than filling in
check boxes.  Compliance may ensure a minimum standard is met, but it does
not ensure or imply that real security is being maintained at an

As you say, PCI has become a cost of doing business whereas having a secure
network is apparently not a cost of doing business.  This is a problem.

Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) <Thor () hammerofgod com> wrote:
How can you say it is "wasted"? It doesn't matter if you are a "fan"
of it or not, in the same way that it doesn't matter if you are a
"fan" of the 4% surcharge retail establishments pay to accept the credit
card as payment.
Using your logic, you would say it is "wasted money," and might bring
into question the "value" of the surcharge, etc.  It is simply a cost
of doing business.

If you choose to offload processing to a payment gateway, then that 
will also incur a cost.  Depending on your volume, that cost may or 
may not be higher than you processing them yourself while complying to 
standards.  The implementation of actual security measures will be 
different.  But you can't "handle" credit cards in the classic sense 
of the word without complying with PCI.  If you pass along the 
transaction to a gateway, you are not handling it.  If you DO handle 
it, then you have to comply with PCI.  If you process less than 1
million transactions a year, you can "self audit."  If you process more,
you have to be audited by a PCI auditor.

None of this MEANS you are secure, it means you comply.  If you don't 
like PCI, then don't process credit cards, or come up with your own.
I still don't really see what all the hubbub is about here.


From: Christian Sciberras [mailto:uuf6429 () gmail com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure; 
security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of 
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit
cards, or a stable payment system? The latter I guess.
As to security, it totally depends on implementation; one can handle 
credit cards without the need of standards compliance.

My two cents.

Christian Sciberras.

On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <Thor () hammerofgod com> wrote:

Another thing that I think people fail to keep in mind is that when it 
comes to PCI, it is part of a contractual agreement between the entity 
and card facility they are working with.   If a business wants to 
accept credit cards as a means of payment (based on volume) then part 
of their agreement is that they must undergo compliance to a standard 
implemented by the industry.  I don't know why people get all 
emotional about it and throw up their hands with all the "this is 
wasted money" positioning - it's not wasted at all; it is simply part of
the cost of doing business in that market.


From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Christopher Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

The paper concludes that companies are underinvesting in--or 
improperly prioritizing--the protection of their secrets. Nowhere does 
it state that the money spent on compliance is money wasted.

On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design () gmail com> wrote:

I find the findings completely flawed.  Am I missing something?

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

