Re: How RedHat Backports Vulnerability Fixes

Author: Michael Butash
Date:  
To: plug-discuss
Subject: Re: How RedHat Backports Vulnerability Fixes
On 06/12/2015 11:12 AM, Keith Smith wrote:
> On 2015-06-12 10:43, der.hans wrote:
>> Am 12. Jun, 2015 schwätzte Keith Smith so:
>>
>>> I do some work on a couple CentOS 6.6 servers. Payment Card Industry
>>> (PCI) scans seem to always see the server as vulnerable. I've had
>>> to submit for a review since the server is not really vulnerable.
>>
>> Your auditors should understand that and be able to do proper
>> verification.
>
>
> You would think.


I used to think so too, before having to deal with various QSAs
throughout the years. Most I find to be lacking, in either real or
practical knowledge, especially when it comes to more nebulous things
like networks and how they play into security. Seemingly nothing more
than glorified tech writers pushing some automagical "scan and make
report go" button.

Case in point, I had one tell me that trunking/802.1q was "insecure"
(requiring huge changes from "normal" physical deployment a sane network
guy might deploy), but hey, my MPLS network, also using dot1q, was just
dandy. Mostly because they didn't know what MPLS presumably even did,
which was even more extensive logical separation than even dot1q, and
just as prone to abuse/misconfiguration should someone bleed routes
between tables of organizations in a service provider network accidentally.

Same one also just glossed over the 50-60k firewall rules we had
involved, more just happy we simply had one, with or without an explicit
permit any.

Of course, inherently insecure applications or systems can always have
"mitigating controls" documented that in my experience equals sleight
of hand, putting some voodoo appliance in front of it they know even
less about, or host security software that has McAfee or Symantec in
the name, but as long as it's called a *security* something, it makes it
quite ok suddenly.

Target, Home Depot, and all the others you never hear about being
exploited for your PCI/PII data are good examples of how useless the
certification really is, other than as another profit center for firms
selling the audit services.

-mb
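The false positives Keith describes come from scanners keying on the upstream version string while the fix was backported into the same version. The usual evidence for a reviewer is the package changelog, which on CentOS/RHEL is printed by `rpm -q --changelog <pkg>`. The script below is an added example, not from this thread or from Red Hat: it takes changelog text and a CVE id and reports which version-release first mentions the CVE. The changelog, package name and CVE id are constructed placeholders.

```shell
#!/bin/sh
# Added example: find the version-release whose changelog entry names a CVE.
# Input is the text that `rpm -q --changelog <pkg>` prints. The sample below
# is constructed; the CVE id and versions are placeholders, not real values.
SAMPLE_CHANGELOG='* Tue Mar 10 2015 Example Maintainer <maint@example.invalid> - 1.0.1e-42
- fix CVE-YYYY-0001 (placeholder id) - patch backported from upstream 1.0.1m
- update man pages
* Mon Jan 05 2015 Example Maintainer <maint@example.invalid> - 1.0.1e-41
- rebuild for release'

# cve_fixed_in CHANGELOG_TEXT CVE_ID
#   Prints the version-release of the newest entry mentioning CVE_ID and
#   returns 0; prints nothing and returns 1 if no entry mentions it.
cve_fixed_in() {
    changelog=$1
    cve=$2
    printf '%s\n' "$changelog" | awk -v cve="$cve" '
        /^\* /          { hdr = $NF }           # entry header: last field is version-release
        index($0, cve)  { print hdr; found = 1; exit }
        END             { exit found ? 0 : 1 }'
}

# cve_fixed_in_installed PACKAGE CVE_ID
#   Same check against the package actually installed on this host.
#   Requires rpm; returns 2 when rpm is not available.
cve_fixed_in_installed() {
    command -v rpm >/dev/null 2>&1 || return 2
    cve_fixed_in "$(rpm -q --changelog "$1")" "$2"
}

# Stand-alone demonstration on the constructed changelog.
if fixed=$(cve_fixed_in "$SAMPLE_CHANGELOG" CVE-YYYY-0001); then
    echo "CVE-YYYY-0001 addressed in version-release $fixed"
else
    echo "CVE-YYYY-0001 not mentioned in changelog"
fi
```

On a real host compare the printed version-release with `rpm -q <pkg>`; if the installed release is at or past it, the scanner's version-only finding is a false positive and the changelog line is the evidence to attach to the review request.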
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss