[Dataloss] Best Western Response
Daniel Clemens
daniel.clemens at packetninjas.net
Tue Aug 26 22:02:53 UTC 2008
On Aug 26, 2008, at 3:21 PM, Jamie C. Pole wrote:
>
> The PCI DSS program is a joke. Pure & simple. Definitely broken,
> sometimes ignored.
>
> I teach a LOT of public and private classes on auditing and ethical
> hacking/penetration analysys, and it never ceases to amaze me how
> little the people with the QSA designation actually know. Most of
> them seem to be former IT auditors - that particular bar (QSA) is set
> W-A-Y too low.
>
> Think about it - when was the last time you heard about a security
> breach involving credit card processing where the target was NOT PCI-
> compliant?
>
Better yet, when have you done any penetration testing engagement
where the client was 'Compliant with x and y regulation and or
standard' and you still gained access? (Probably almost every time or
at worst 85% of the time)
This is the exact reason why penetration testing and hacking will
almost always win over an institutionalized process and or standard.
Penetration testing (or whatever you want to call it now days) does
not equate to a 'completely formal audit' which I think the PCI (PCI
Scanning companies) standards and all the 'certified ethical hacker
mindsets' seem to confuse. They are similar , but they are not the
same.
What I think the real complaint is about, - is the fact that there is
a watered down Carolyn Meinel / JP happy hacker mindset which has
successfully infected all that follow the logic that security equates
to an exact science when fighting against creative minds.
So there , I said it. :P
| Daniel Uriah Clemens
| http://bits.packetninjas.org
"Imagination is more important than knowledge."-- Albert Einstein
More information about the Dataloss
mailing list