Sigh
Read the initial request, the situation, and the current cost / limitations involved.
If it's PCI, it's gotta be done.
It's a cost of dealing with the PCI.

It's the same with SSL/TLS.

PCI uses "Scan Alert" checks for stupid asinine things that mean nothing, but in order to "comply" you have to do them, no matter that we don't use Windows for ANYTHING on the server side. We still have to "do them" even though we can't. They don't care.

If you possibly have data being on a disk... good or bad.

You even have to have "wireless" security measures in place *EVEN* if you have *ZERO* wireless on your server network environment.

I can pull the survey questions if you'd like. They are very stupid, they assume Windows servers.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
I've had to live with these requirements
for the past three months. My initial project was to merge DSS with the corporate security standards, keeping the stricter of the two (Yes, some of the internal requirements are much stricter than PCI). The questions get quite interesting when you start to apply them to a mixed environment of mainframe, Unix, Linux, and Windows.

The questions about residual data on these drives are something that had been given only cursory investigation. PCI has forced us to re-examine this issue.

The cost of destroying the drives exceeds the penalty for non-compliance. The cost to brand would be huge if there was a privacy leak.

Should we be destroying the drives? Maybe. As with every security issue it comes down to cost vs risk. My job is to report on risks and possible solutions. I do like Crazy's suggestion about setting up a workstation to scrub the disks before EMC takes them - if we are contractually allowed to remove the drives. I will also recommend that the EMC contract be reviewed to see if they are required to scrub the drives prior to reuse, and if they are not, see if we have the necessary language added.

And fwiw, we have other data storage vendors also. I just happened to start the discussion with the EMC group. It will only get uglier!
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
There is a certain point... that enough non-compliance...
will cause de-certification.

That would be BAD.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
PGP key: 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
I've done PCI before
I seem to recall (from my point of view) the level of effort was based on how many transactions you dealt with. That way small companies would not be killed by the overhead of dealing with it.

Also, I remember our Unix admin getting really pissed when we would not allow him to explain to the auditors that a particular system was Linux, did not have inbound email, did not present any shares using ANY protocol, was accessed strictly via secure shell from me and him, and had its own very restrictive firewall settings and DID NOT NEED WINDOWS VIRUS SCANNING!

After meeting with the auditors once, we realized it was far easier to set up bullshit technical "fixes" that we could then check off the list. The admin was ready to kill me. He was a talker, and was furious that we'd require him to set up and maintain software (including ongoing signature updates).

And then the flip side was worse. These auditors did not like the way something was done under Windows. My Windows admin pulls out the MS book, highlights the phrase "best practices", and they then corrected their check-off lists to include whatever our admin told them.

Idiots.
Well, we're definitely not a small merchant
And this is our first pass at PCI compliance. I've already annotated the lack of virus scans on the mainframe and the Sun boxes... :-) You are right in that the focus of these questions is definitely Windows based. However...

I have the IG office following right behind me. They are checking my work, ensuring that my questions dig deep enough and that I don't ignore anything.

I wish we were a smaller organization. I have to tromp through many fiefdoms to get the info. The tests say to document how we comply. The normal reply I've been getting back is "yes we comply". I'm glad that some of these questions can be applied enterprise wide, as we have many applications that must be certified PCI compliant. This is just number one.

From what I've been told, if we were to only keep the auth number and iirc last 4 of the PAN, then we would not have to comply with all these standards because we would not have any PCI sensitive data. For some reason HQ decided to keep the full PAN.

/rant
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
Edited by jbrabeck Aug. 19, 2007, 12:23:58 PM EDT
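The data-minimization step the post above describes (retain only the authorization code and the last four digits of the PAN so no PCI-sensitive data is stored), as an added example that is not part of the thread; the record layout, field names and the Luhn-based PAN detection used to confirm nothing sensitive survives are assumptions:

```python
import re

# Constructed example (not from the thread): strip a stored transaction
# down to auth code + last four of the PAN, then scan the retained record
# to confirm no full PAN survived. Field names and PAN_RE are assumptions.

# 13-19 digits, optional single space/dash separators, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; filters out most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text (separators removed)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def minimize_record(record: dict) -> dict:
    """Keep auth code and last four of the PAN; drop the full PAN entirely."""
    pan = re.sub(r"[ -]", "", record["pan"])
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("field does not look like a PAN")
    return {"auth_code": record["auth_code"],
            "pan_last4": pan[-4:],
            "amount": record["amount"]}


# Constructed sample transaction (test card number, not a real account)
SAMPLE = {"pan": "4111 1111 1111 1111", "auth_code": "A1B2C3", "amount": "19.99"}


def demo() -> tuple[dict, list[str]]:
    kept = minimize_record(SAMPLE)
    return kept, find_pans(str(kept))   # second element must be empty
```

`find_pans` is the same check you would run over a scrubbed disk image or a log export to confirm that no full PAN remains before the media leaves your control.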
Data recovery on Striped drives - (jbrabeck)