RE: DSS

[Nick Duda <nduda () VistaPrint com>]

Rhetorical.

I just think that pre-PCI there was a lot that people didn’t know about what to do and secure and ways to do it. 
During/Post-PCI people started to understand and now have better insight on things to look at and consider. I think its 
pretty clear that PCI does nothing to "protect" a company, its merely guidelines for a company that "these are the 
things that should be getting done as best practice to help secure you and at least set you up with the ability to 
monitor and present data/logs should something happen".

How the company reacts and implements this is what my rhetorical question was about, "How does the company know that 
you are doing the right thing?"

When we went PCI , I looked at the checklist and everything made sense, almost "common sense" to a security guy. Others 
I've spoken to in the IT team still had no clue.

- Nick

-----Original Message-----
From: Adriel Desautels [mailto:adriel () netragard com]
Sent: Tuesday, May 27, 2008 9:21 AM
To: Nick Duda
Cc: 'nick.vaernhoej () capitalcardservices com'; 'Pete.Hill () sit-up tv'; 'security-basics () securityfocus com'
Subject: Re: DSS

Nick,
        Was your question directed at me or was it rhetorical? I can suggest many effective ways to test at actual/real 
threat levels, but not everyone will be able to do it. Testing at real threat levels involves significant research and 
experience. The most important aspect of which is to not rely on automated tools for your testing. Automated tools are 
very useful for reconnaissance, but they are not accurate enough to rely on for a final quality deliverable.

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j Three Things you must know  : http://tinyurl.com/26pjsn


Nick Duda wrote:
> Its better than not having it.
>
> how does your company know what your doing and protecting them from real world threats...etc.
>
> I think pci dss has a great foundation for implementing best
> practicies....a checklist if you will (which is pretty much what it is
> anyway). It also gets companies that don't deploy best practices (like
> an IDS) to start doing (whether they know what to do with it is
> another story)
>
>
>
> <Sent from Blackberry>
>
> ----- Original Message -----
> From: listbounce () securityfocus com <listbounce () securityfocus com>
> To: Nick Vaernhoej <nick.vaernhoej () capitalcardservices com>
> Cc: Hill, Pete <Pete.Hill () sit-up tv>;
> security-basics () securityfocus com <security-basics () securityfocus com>
> Sent: Fri May 23 11:26:24 2008
> Subject: Re: DSS
>
> Just out of curiosity, how many people here thinks that PCI does
> anything to protect you from the real world threat?
>
> Regards,
>         Adriel T. Desautels
>         Chief Technology Officer
>         Netragard, LLC.
>         Office : 617-934-0269
>         Mobile : 617-633-3821
>         http://www.linkedin.com/pub/1/118/a45
>
>         Join the Netragard, LLC. Linked In Group:
>         http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
>
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j Three Things
> you must know  : http://tinyurl.com/26pjsn
>
>
> Nick Vaernhoej wrote:
> > Good morning,
> >
> > Have you scanned through the supplemental information regarding 6.6?
> > https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfir
> > ewa
> > lls_codereviews.pdf
> >
> > You have two options, code review or web application firewall.
> > You state that you already have custom code reviewed so I would think
> > you are in good shape.
> > What makes you think you need to do both? (It is a good idea to do so
> > of course, but not necessary to satisfy PCI).
> >
> > Have a great day.
> >
> > Nick Vaernhoej
> > "Quidquid latine dictum sit, altum sonatur."
> >
> > > -->-----Original Message-----
> > > -->From: listbounce () securityfocus com
> > > -->[mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete
> > > -->Sent: Friday, May 23, 2008 8:53 AM
> > > -->To: security-basics () securityfocus com
> > > -->Subject: PCI: DSS
> > > -->
> > > -->
> > > -->Hi all,
> > > -->
> > > -->Can anyone confirm for me what sort of workarounds there are
> > > -->concerning PCI:DSS and application layer firewalls?
> > > -->
> > > -->Requirement 6.6 of the standard states this:
> > > -->
> > > -->6.6 Ensure that all web-facing applications are protected against
> > > -->known attacks by applying either of the following methods:
> > > -->* Having all custom application code reviewed for common
> > > -->vulnerabilities by an organization that specializes in
> > > -->application security
> > > -->* Installing an application layer firewall in front of web-facing
> > > -->applications.
> > > -->Note: This method is considered a best practice until June 30,
> > > -->2008, after which it becomes a requirement.
> > > -->
> > > -->We already have our custom code reviewed, but Im wondering if I
> > > -->absolutely must sort out an application layer firewall or if
> > > -->there
> > is
> > > -->a
> > > -->workaround that would be acceptable for a level 1 merchant.
> > > -->
> > > -->If there are any knowledgeable auditors (qsa etc) out there I'd
> > > -->really appreciate your help on this one.
> > > -->
> > > -->Many thanks
> > > -->Pete
> > > -->
> > > -->
> > > -->A number of bogus e-mails are currently circulating in the UK
> > > -->encouraging customers to visit fraudulent websites where personal
> > > -->or Internet security details are requested. Bid tv/Price-drop
> > > -->tv/Speed auction tv would never send e-mails that ask for
> > > -->confidential, personal security information or details regarding
> > > -->your account status.
> > > -->
> > > -->The content of this e-mail does not constitute a contract and any
> > > -->matters discussed herein remain subject to contract.
> > > -->
> > > -->The contents of this message and all attachments have been sent
> > > -->in confidence for the attention of the addressee only.  If you
> > > -->are not the intended recipient you are kindly requested to
> > > -->preserve this confidentiality and to advise the sender
> > > -->immediately of the error in transmission.
> > > -->
> > > -->"sit-up ltd, registered in England No: 03877786.
> > > -->Registered Office: Sit-Up House, 179-181 The Vale, London W3 7RW.
> > > -->Sit-Up ltd is wholly owned by a subsidiary of Virgin Media."
> >
> > This electronic transmission is intended for the addressee (s) named above. It contains information that is 
> > privileged, confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you 
> > are hereby notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any 
> > action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in 
> > error, please notify the sender that this message was received in error and then delete this message.
> > Thank you.