[Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Jamie C. Pole jpole at jcpa.com
Wed Mar 19 01:56:36 UTC 2008 

Yup.  And does anyone doubt that a company using Qualys would be in  
the same boat?

All of these vendors that sell non-functioning crapware are seriously  
damaging the efficacy of online commerce moving forward.  They sell a  
false sense of security.  Nothing more.  PCI compliance in a box?   
Yeah, right...

Then again, Visa is also very much to blame.  Until Visa gets serious  
about PCI compliance and starts certifying expert security  
practitioners, rather than clueless companies with big checkbooks,  
this is just going to keep happening over and over again.  Visa should  
be paying expert security practitioners to do PCI compliance  
assessments, rather than having the big consulting companies pay THEM  
for the privilege of saying they are certified to conduct PCI  
assessments.

All of these automated vulnerability assessment processes achieve the  
same result - they identify only the lowest of the low-hanging fruit.   
Automated tools might identify the exposures that script kiddies are  
looking for, but they most certainly can't identify the exposures that  
motivated and competent hackers are looking for.  Show me an automated  
tool that can identify vulnerabilities that are contingent on the  
successful exploit of other vulnerabilities, and I just might change  
my mind.  I'm not going to hold my breath, because companies are too  
wrapped up in buying automated scans for $19.99 per host.  As we can  
see, they always get exactly what they pay for.  What exactly do they  
think they are buying??

What's even worse is that there are "security consultants" running  
around telling the world that they base their entire vulnerability  
assessment offering on some of these useless tools.

Oh, well...

Jamie



On Mar 18, 2008, at 8:53 PM, lyger wrote:

>
> http://attrition.org/security/rant/z/rapid7.html
>
> Tue Mar 18 16:10:57 EST 2008
> d2d
>
> You are a security vendor. You sell the mightiest security doohickey  
> the world
> has ever seen. It does it all, including "...ensuring your network  
> is safe from
> hackers..." and amazingly it "...scans for Web site and database
> vulnerabilities that hackers can use to capture credit card  
> information without
> you being aware". Since your doohickey does what no others have ever
> successfully managed to do, you can tout your client list proudly,  
> and pimp
> your customer implementations liberally.
>
> UNTIL...
>
> One of your customers joins the etiolated top 10 with a massive hacker
> perpetrated data loss incident.
>
> OUCH.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and  
> monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

More information about the Dataloss mailing list