How RedHat Backports Vulnerability Fixes

Michael Butash michael at butash.net
Fri Jun 12 12:14:32 MST 2015


On 06/12/2015 11:12 AM, Keith Smith wrote:
> On 2015-06-12 10:43, der.hans wrote:
>> On 12 Jun 2015, Keith Smith wrote:
>>
>>> I do some work on a couple CentOS 6.6 servers. Payment Card Industry 
>>> (PCI) scans seem to always see the server as vulnerable. I've had 
>>> to submit for a review since the server is not really vulnerable.
>>
>> Your auditors should understand that and be able to do proper 
>> verification.
>
>
> You would think.

I used to think so too, before having to deal with various QSAs 
throughout the years.  Most I find to be lacking, in either real or 
practical knowledge, especially when it comes to more nebulous things 
like networks and how they play into security.  Seemingly nothing more 
than glorified tech writers pushing some automagical "scan and make 
report go" button.

Case in point, I had one tell me that trunking/802.1q was "insecure" 
(requiring huge changes from the "normal" physical deployment a sane network 
guy might deploy), but hey, my MPLS network, also using dot1q, was just 
dandy.  Mostly because they presumably didn't even know what MPLS did, 
which is even more extensive logical separation than dot1q, and 
just as prone to abuse/misconfiguration should someone accidentally bleed 
routes between the tables of organizations in a service provider network.

Same one also just glossed over the 50-60k firewall rules we had 
involved, more just happy we simply had one, with or without an explicit 
permit any.

Of course, inherently insecure applications or systems can always have 
"mitigating controls" documented, which in my experience equals sleight 
of hand: putting some voodoo appliance in front of it that they know even 
less about, or host security software with McAfee or Symantec in 
the name, but as long as it's called a *security* something, it suddenly 
makes it quite OK.

Target, Home Depot, and all the others you never hear about being 
exploited for your PCI/PII data are good examples of how useless the 
certification really is, other than as another profit center for firms 
selling the audit services.

-mb
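
The false positive Keith describes at the top of the thread is what the page title is about: the scanner compares the installed package's upstream version string against the version in which upstream fixed a CVE, while Red Hat and CentOS ship the fix as a backport into the older version and record it in the package changelog. The script below is an added example written for this page, not code from the thread or from Red Hat; the package name "examplepkg", the CVE ID "CVE-0000-0001", the version strings and the changelog text are all constructed placeholders in the shape of `rpm -q --changelog` output, and `rpm_vercmp` is a simplified stand-in for librpm's real comparison (it ignores epochs and the tilde/caret rules).

```python
import re

# Constructed sample data (hypothetical package, hypothetical CVE): upstream
# fixed the CVE in 1.0.2, the distro backported it into its 1.0.1 packaging.
SCANNER_ADVISORY = {"package": "examplepkg", "cve": "CVE-0000-0001", "fixed_upstream": "1.0.2"}

INSTALLED = {"name": "examplepkg", "version": "1.0.1", "release": "16.el6_6.5"}

# Constructed text in the shape of `rpm -q --changelog examplepkg` output.
CHANGELOG = """\
* Mon Jun 01 2015 Packager <packager@example.com> - 1.0.1-16.el6_6.5
- backport upstream fix for CVE-0000-0001
* Tue Mar 03 2015 Packager <packager@example.com> - 1.0.1-16.el6_6.4
- rebuild against updated toolchain
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: split both strings into digit and alpha runs and
    compare them left to right. Digit runs compare as integers and beat alpha
    runs; if all shared segments match, the longer string is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def version_scanner_verdict(installed_version, fixed_upstream):
    """What a version-matching scanner concludes: it only sees the upstream
    version string, so anything below the upstream fix version looks vulnerable."""
    return "vulnerable" if rpm_vercmp(installed_version, fixed_upstream) < 0 else "not vulnerable"


def parse_changelog(text):
    """Return [(evr, [note, ...]), ...] from '* <date> <packager> - <EVR>' entries."""
    entries = []
    for line in text.splitlines():
        if line.startswith("* ") and " - " in line:
            entries.append((line.rsplit(" - ", 1)[1].strip(), []))
        elif entries and line.startswith("- "):
            entries[-1][1].append(line[2:])
    return entries


def backport_fix_evr(changelog_text, cve):
    """EVR of the first (newest) changelog entry that mentions the CVE, or None."""
    for evr, notes in parse_changelog(changelog_text):
        if any(cve in note for note in notes):
            return evr
    return None


def installed_evr(pkg):
    return f"{pkg['version']}-{pkg['release']}"


def assess(pkg, advisory, changelog_text):
    """Compare the naive version verdict with the backport check: the host is
    fixed if the changelog names the CVE and the installed EVR is at least the
    EVR of that changelog entry."""
    naive = version_scanner_verdict(pkg["version"], advisory["fixed_upstream"])
    fix_evr = backport_fix_evr(changelog_text, advisory["cve"])
    fixed = fix_evr is not None and rpm_vercmp(installed_evr(pkg), fix_evr) >= 0
    return {"scanner_says": naive, "backport_fix_in": fix_evr, "actually_fixed": fixed}


if __name__ == "__main__":
    print(assess(INSTALLED, SCANNER_ADVISORY, CHANGELOG))
    older = dict(INSTALLED, release="16.el6_6.4")
    print(assess(older, SCANNER_ADVISORY, CHANGELOG))
```

On a real CentOS or RHEL host the same check is `rpm -q --changelog <package> | grep <CVE-ID>`, and the evidence to hand an auditor is that changelog line plus the installed NEVR from `rpm -q <package>`; the vendor's errata for the CVE is the authoritative mapping from CVE to fixed package release.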


More information about the PLUG-discuss mailing list