Comments on: Saturday morning reading 01/24/09 http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/ The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself. Thu, 02 Feb 2012 21:45:54 +0000 hourly 1 http://wordpress.org/?v= By: Mike http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/comment-page-1/#comment-4150 Mike Wed, 28 Jan 2009 05:22:44 +0000 http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/#comment-4150 Being through the entire PCI DSS compliance with my company for the last 3 to 4 years I got the impression that one QSA could go into a site and determine something is an appropiate compensating control where another QSA would disagree. Grant it I don't find it as bad as HIPPA in trying to get compliant but as was stated above no matter how much money and time you throw at being or trying to be complaint you can almost always digg deep enough and find something that is not complaint. A QSA friend of mine put it best one time in a talk we was giving about securing a network. If a bear is chasing you, you don't have to run faster than the bear you just have to run faster than the person with you. You don't and probably won't have the most secure network but striving to be more secure than the next person will deter your average person attempting to breach your network. Mike Being through the entire PCI DSS compliance with my company for the last 3 to 4 years I got the impression that one QSA could go into a site and determine something is an appropiate compensating control where another QSA would disagree.

Grant it I don’t find it as bad as HIPPA in trying to get compliant but as was stated above no matter how much money and time you throw at being or trying to be complaint you can almost always digg deep enough and find something that is not complaint.

A QSA friend of mine put it best one time in a talk we was giving about securing a network. If a bear is chasing you, you don’t have to run faster than the bear you just have to run faster than the person with you. You don’t and probably won’t have the most secure network but striving to be more secure than the next person will deter your average person attempting to breach your network.

Mike

]]> By: Martin http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/comment-page-1/#comment-4148 Martin Wed, 28 Jan 2009 02:10:48 +0000 http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/#comment-4148 I officially have no comment. I unofficially have no comment. As a Trustwave QSA, I can't make any comment on this. I officially have no comment. I unofficially have no comment. As a Trustwave QSA, I can’t make any comment on this.

]]> By: SecurityNinja http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/comment-page-1/#comment-4147 SecurityNinja Wed, 28 Jan 2009 01:19:53 +0000 http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/#comment-4147 Tough times for Trustwave and PCI DSS Compliance management service provider and PCI QSA Trustwave appear to be having tough time recently. A colleague of mine pointed out today that Trustwave had been the QSA who certified RBS Worldpay as being compliant just 4 days before their data breach. Fair enough, every one can get caught out now and then but I have also found out that Trustwave (all complaint companies and their assessors can be found here http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf) had also certified Heartlands as being compliant with PCI. If you have ignored the security news for a few days you would have missed the fact that Heartlands have also had breach of data which could top TJX as the largest breach ever. Heartlands process in excess of 100m transactions per month so I would imagine the amount of records lost could be immense. Trustwave, I think the PCI Council should think about something George Bush once said: fool me once, shame on — shame on you. Fool me — you can’t get fooled again. Dave http://securityninja.co.uk/blog/?p=145 Tough times for Trustwave and PCI DSS

Compliance management service provider and PCI QSA Trustwave appear to be having tough time recently. A colleague of mine pointed out today that Trustwave had been the QSA who certified RBS Worldpay as being compliant just 4 days before their data breach.

Fair enough, every one can get caught out now and then but I have also found out that Trustwave (all complaint companies and their assessors can be found here http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf) had also certified Heartlands as being compliant with PCI. If you have ignored the security news for a few days you would have missed the fact that Heartlands have also had breach of data which could top TJX as the largest breach ever. Heartlands process in excess of 100m transactions per month so I would imagine the amount of records lost could be immense.

Trustwave, I think the PCI Council should think about something George Bush once said: fool me once, shame on — shame on you. Fool me — you can’t get fooled again.

Dave

http://securityninja.co.uk/blog/?p=145

]]> By: Martin http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/comment-page-1/#comment-4140 Martin Mon, 26 Jan 2009 13:51:19 +0000 http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/#comment-4140 Or two months after, when the QSA has come in and told them they're not going to pass the assessment. Martin Or two months after, when the QSA has come in and told them they’re not going to pass the assessment.

Martin

]]> By: Branden Williams http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/comment-page-1/#comment-4129 Branden Williams Sat, 24 Jan 2009 16:53:36 +0000 http://www.mckeay.net/2009/01/24/saturday-morning-reading-012409/#comment-4129 I agree with your statements, however, that's why we created a service around managing compliance. If a company takes it seriously, they will be able to hit those high-risk areas and avoid the breach by maintaining their compliance. The problem is, most companies don't take it seriously until two months before their deadline. I agree with your statements, however, that’s why we created a service around managing compliance. If a company takes it seriously, they will be able to hit those high-risk areas and avoid the breach by maintaining their compliance.

The problem is, most companies don’t take it seriously until two months before their deadline.

]]>