How much would it cost me to hire a security analyst for a day or two

Ah, CyberArk. Met with them last week; we were going to use it to protect/manage our cloud director CPU sessions but pricing scaled into the stratosphere for the model we wanted :(
 
It hasn't been said yet, which surprises me, but do not mistake anything PCI-DSS related for security. It's a ridiculous made-up standard which both mandates things which have no benefit (must have RFC 1918 addresses behind firewalls etc...) and is hopelessly inconsistent. Get assessed by 10 different companies and you'll get 10 different answers. And 5 will tell you you pass and 5 will fail you. It's security theatre.
 
I know all about PCI-DSS, we are scanned regularly for both our office network and our websites :)

DJMK4 - thanks for explaining a bit more, that's all I was after really. I'm not questioning my abilities in this field, I don't have any more than most idiots who have played with computers for 30 years. I did however set up our router, firewall, IPSEC VPN, NAT and routing table - all work OK and have not caused a problem yet and pass the PCI-DSS scans we get so I guess they are secure too :confused:

I don't know - in theory you need a system in place for FIM (file integrity monitoring), which means *you* could not make a change to relevant code/systems without somebody else knowing. If any one person can make changes without anybody knowing you *should* fail PCI-DSS. Only, that standard is only applied to people taking serious amounts in transactions... which is a lovely inconsistency.

I'm sure you pass your assessor's version of PCI-DSS; what that actually means is open to question. Point two is the people who do the scans are morons. Nobody seriously talented does that job - why on earth would they? So you hire security consultants because they *really* know what they're about and can advise you of those things.

And lastly:

have not caused a problem yet and pass the PCI-DSS scans we get so I guess they are secure too :confused:

That's a terrible thought process; PCI-DSS does not resemble security in any meaningful sense. I could implement a compliant solution which leaked like a sieve and I could design a flawless system which would never pass. It's a lazy, badly written standard implemented by fools. It's not security.

And 'it's never been a problem before' is a fairly common one to come out of the mouths of those in possession of hacked servers and no longer in sole possession of their customers' details... just saying....
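The FIM point above (nobody can change relevant code without somebody else knowing) is simplest to see as a hash baseline compared against the live tree. The following is an added example, not code from anyone in this thread; the directory layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map every file under root (as a relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare_to_baseline(root, baseline):
    """Diff the live tree against a stored baseline. The baseline must be kept
    where the person making changes cannot write to it, or it proves nothing."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample tree: take a baseline, then make three unreviewed changes."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "checkout.php"), "w") as fh:
            fh.write("<?php // original checkout code\n")
        with open(os.path.join(app, "config.ini"), "w") as fh:
            fh.write("mode=prod\n")
        baseline = build_baseline(root)
        with open(os.path.join(app, "checkout.php"), "a") as fh:
            fh.write("// quietly edited after the baseline was taken\n")
        with open(os.path.join(app, "dropped.php"), "w") as fh:
            fh.write("<?php // file that was never reviewed\n")
        os.remove(os.path.join(app, "config.ini"))
        return compare_to_baseline(root, baseline)
```

A real deployment runs the comparison on a schedule and routes the report to someone other than the people with write access to the monitored tree.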
 
When I was working for a large financial (building society) it was interesting to be involved in all the PCI stuff there.

It would have cost us big money to go all in compliant, serious amounts of cash for everything to tick all the boxes, but they were holding off on a lot of things.

The reason being there were talks of the standard being abandoned or at least big changes as it was just unreasonable, especially for the issuers.

I can't remember the specifics as whilst involved I was only really concerned with a couple of areas of the standard.
 
v2.0 of the standard came in at the beginning of '11, which may have been related to that (gave us few issues due to timescales on the project I was providing advice to).

It was a right pain, not helped by project managers not understanding as much as they thought they did and not helped by some sub-par QSAs whose advice at times was questionable (they were replaced). When you're putting in a system which falls under the level 1 remit you can't afford to get it wrong, and when it needs to be supportable too then you need to get a bit vocal at times.
 
i pray that trnc is nothing more than the smallest merchant acquirer. did it all yourself eh? good separation of duties there old chap.
 
i pray that trnc is nothing more than the smallest merchant acquirer. did it all yourself eh? good separation of duties there old chap.

Separation of Duties???

You clearly don't know what it's like to be the boss or be in an SME/small business. EVERYONE in my business is capable of many tasks; if anyone says no, then they can exit swiftly through the door, as everyone is expected to do anything that is reasonably asked of them. There is no room for a lazy ass IT person who just looks after the network, and from my experience of big and small business they are exactly that a lot of the time.

My data inputters/customer service staff also help with packing and production when it's quiet out front; they also sweep the floors and wash up.
My packers assist with printing and production jobs and even occasionally answer the phone; they also sweep and wash up.
Everyone helps when big deliveries arrive; the ladies are only expected to carry half that of the men, sexist it may be but it's fair and works.
 
I know all about PCI-DSS, we are scanned regularly for both our office network and our websites :)

Passing a scan is only the beginning of PCI DSS compliance...

Whilst, as Big Red Shark says, it's only a superficial test of your card handling practices, when you fill in that SAQ you're effectively warranting your system and processes as far as card security goes.
 
Separation of Duties???

You clearly don't know what it's like to be the boss or be in an SME/small business. EVERYONE in my business is capable of many tasks; if anyone says no, then they can exit swiftly through the door, as everyone is expected to do anything that is reasonably asked of them. There is no room for a lazy ass IT person who just looks after the network, and from my experience of big and small business they are exactly that a lot of the time.

My data inputters/customer service staff also help with packing and production when it's quiet out front; they also sweep the floors and wash up.
My packers assist with printing and production jobs and even occasionally answer the phone; they also sweep and wash up.
Everyone helps when big deliveries arrive; the ladies are only expected to carry half that of the men, sexist it may be but it's fair and works.

:rolleyes: you clearly don't know what he means by separation of duties ...

In this context it means that the person who has access to do a task on a system does not have access to audit what tasks have been done on said system. This is supposed to prevent people doing nefarious things and then fudging the audit trail to hide it.
 
There is a clear separation of duties, staff don't have admin access and can't change what has happened.

Oh, and shove your rolleyes up your backside.
 
Yes, there are always people with admin access... but it doesn't mean that the person with admin access to the system holding cardholder data is the same person who has admin access to the system holding the audit information, or the responsibility for checking said data, and vice versa. Hence the separation of duties.

If you have admin access to everything then there is no separation of duties, as whilst you may say it's my job to do this and their job to do that, there is nothing to prevent you from accessing things which are not normally under "your job" and altering the audit trail of what is occurring.
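The rule in the two posts above (whoever administers the cardholder system must not also be able to alter or be the sole reviewer of its audit trail) can be checked mechanically against a role assignment. This is an added example, not code from anyone in the thread; the privilege names and the two sample organisations are assumptions constructed for the demo.

```python
# Privilege names are assumptions for this example, not PCI DSS terminology.
CDE_ADMIN = "cde_admin"        # can change the system that holds card data
AUDIT_ADMIN = "audit_admin"    # can alter or delete the audit trail
AUDIT_REVIEW = "audit_review"  # reviews what the admins did

# Combinations that one person must not hold at the same time.
TOXIC_PAIRS = [
    frozenset({CDE_ADMIN, AUDIT_ADMIN}),
    frozenset({CDE_ADMIN, AUDIT_REVIEW}),
    frozenset({AUDIT_ADMIN, AUDIT_REVIEW}),
]

def sod_conflicts(assignments, toxic_pairs=TOXIC_PAIRS):
    """Return {user: [[priv, priv], ...]} for every user holding a toxic pair."""
    conflicts = {}
    for user, privs in assignments.items():
        held = set(privs)
        hits = sorted(sorted(pair) for pair in toxic_pairs if pair <= held)
        if hits:
            conflicts[user] = hits
    return conflicts

def unwatched_admins(assignments):
    """CDE admins with no *other* person able to review the audit trail:
    the 'nobody else would know' situation described in the thread."""
    reviewers = {u for u, p in assignments.items() if AUDIT_REVIEW in p}
    return sorted(
        u for u, p in assignments.items()
        if CDE_ADMIN in p and not (reviewers - {u})
    )

# Constructed samples: a one-person shop versus a team with the roles split.
ONE_PERSON_SHOP = {
    "md": {CDE_ADMIN, AUDIT_ADMIN, AUDIT_REVIEW},
    "packer": set(),
}
SPLIT_TEAM = {
    "sysadmin": {CDE_ADMIN},
    "log_admin": {AUDIT_ADMIN},
    "finance_lead": {AUDIT_REVIEW},
}
```

Running both samples through the two checks shows the one-person shop failing on every pair while the split team passes, which is exactly the head-count problem the later posts describe.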
 
You clearly don't understand how SMEs work. I'm the MD, EVERYTHING is my job and my responsibility, so just like I hold the keys to the doors, the alarm codes, the safe keys and sign all the paperwork and comply with the legal requirements, I also hold admin access. This is not uncommon in the REAL world.
 
You clearly don't understand how SMEs work. I'm the MD, EVERYTHING is my job and my responsibility, so just like I hold the keys to the doors, the alarm codes, the safe keys and sign all the paperwork and comply with the legal requirements, I also hold admin access. This is not uncommon in the REAL world.

Great :) so you don't have segregation of duties at your organisation. Thanks for helping us to clarify that.

And you seem to be bunching every SME business under the same umbrella. Very naive.
 
You clearly don't understand how SMEs work. I'm the MD, EVERYTHING is my job and my responsibility, so just like I hold the keys to the doors, the alarm codes, the safe keys and sign all the paperwork and comply with the legal requirements, I also hold admin access. This is not uncommon in the REAL world.

Admittedly I don't normally deal with SMEs... normally it's larger enterprises with proper structures in place to prevent customers getting their details stolen by nefarious staff...

Although even with the smaller companies we deal with it's not normal for the management to have day to day admin access to systems.

(And you know what... all these companies are in the REAL WORLD too...)
 
On a serious note, the requirements for SOD are fairly onerous on small business - one of the common consequences of that is that SMEs dodge most of PCI-DSS by farming their card processing to a payment provider wholesale so they never see the data on their systems. While I seriously dislike PayPal et al, this is probably a good thing because, with all due respect to SME owners, they lack both the skills and mindset to design properly secure solutions.

The basic principle is that, even as the designer of the system, you should not be able to modify the system or access payment details without somebody knowing. If there are only a few of you that's hard. Hell, it's hard for companies with hundreds of staff even...
 
Great :) so you don't have segregation of duties at your organisation. Thanks for helping us to clarify that.

And you seem to be bunching every SME business under the same umbrella. Very naive.

He said it's not uncommon, not that every SME is the same.

Whilst it depends on where in the SME range you are (i.e. Small, Medium or somewhere in between), I can think of many of our customers at work who have little SOD simply because of head count and the budgets available.

The EU defines the SME sector as anything from micro (sub 10 staff, under 2 million Euro turnover) to Medium (sub 250 staff and 50 million Euro T/O).
 
Whilst it depends on where in the SME range you are (i.e. Small, Medium or somewhere in between), I can think of many of our customers at work who have little SOD simply because of head count and the budgets available.

While that's fair enough, and it's not expected or necessary for many small businesses to have SOD, it's an impediment to passing PCI-DSS. The easiest way around this is to avoid having to pass it, and while it is a little draconian saying (effectively) small businesses can't take card payments directly, it's practically not a bad thing.
 
with all due respect to trnc, i think i can summarise by saying the data security challenges of a corner shop are different to an organisation that transacts 8 billion a day, for example. Trying to tell us that he knows all about this and how there isn't much to security in the context of the latter based on his experience at the former probably isn't going to convince many people.
 
While that's fair enough, and it's not expected or necessary for many small businesses to have SOD, it's an impediment to passing PCI-DSS. The easiest way around this is to avoid having to pass it, and while it is a little draconian saying (effectively) small businesses can't take card payments directly, it's practically not a bad thing.

the SMEs that i do have dealings with use PayPal or similar to outsource payments and i think that is a perfectly valid and appropriate model.
 