[Dataloss] Best Western Response

Daniel Clemens daniel.clemens at packetninjas.net
Tue Aug 26 22:02:53 UTC 2008


On Aug 26, 2008, at 3:21 PM, Jamie C. Pole wrote:

>
> The PCI DSS program is a joke.  Pure & simple.  Definitely broken,
> sometimes ignored.
>
> I teach a LOT of public and private classes on auditing and ethical
> hacking/penetration analysis, and it never ceases to amaze me how
> little the people with the QSA designation actually know.  Most of
> them seem to be former IT auditors - that particular bar (QSA) is set
> W-A-Y too low.
>
> Think about it - when was the last time you heard about a security
> breach involving credit card processing where the target was NOT PCI-
> compliant?
>

Better yet, when have you done any penetration testing engagement
where the client was 'Compliant with x and y regulation and/or
standard' and you still gained access? (Probably almost every time or
at worst 85% of the time)

This is the exact reason why penetration testing and hacking will
almost always win over an institutionalized process and/or standard.
Penetration testing (or whatever you want to call it nowadays) does
not equate to a 'completely formal audit', which I think the PCI (PCI
Scanning companies) standards and all the 'certified ethical hacker
mindsets' seem to confuse. They are similar, but they are not the
same.

What I think the real complaint is about is the fact that there is
a watered down Carolyn Meinel / JP happy hacker mindset which has
successfully infected all that follow the logic that security equates
to an exact science when fighting against creative minds.

So there , I said it. :P

| Daniel Uriah Clemens
| http://bits.packetninjas.org
"Imagination is more important than knowledge."-- Albert Einstein