de-peering for security sake

Christopher Morrow morrowc.lists at gmail.com
Sun Dec 27 20:27:05 UTC 2015


On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale <eyeronic.design at gmail.com> wrote:
> "really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security."
>
> Except it's *massively* more expensive.
>

is it? how much does a datacenter pay for people + locks + card-key +
pin-pad + ...

vs

 the requisite bits for securing their customer portal/backoffice/etc ?

done right the cost shouldn't be super much more.

-chris

> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
>> On Sun, Dec 27, 2015 at 1:59 PM,  <Valdis.Kletnieks at vt.edu> wrote:
>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>
>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>> yes it is in fact two factor.
>>>
>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>> of a money grab masquerading as security theater (not even real security).
>>
>> is it that? or is it that once you click the checkboxes on /pci audit/
>> 'no one' ever does the daily due-diligence required to keep their
>> security processes updated/running/current/etc ?
>>
>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>> world where corporations are not people and such) is the equivalent of
>> the little posterboard person 42" tall before the roller-coaster
>> rides, right?
>>
>> "You really, REALLY should have at least these protections/systems/etc
>> in place before you attempt to process credit-card transactions..."
>>
>> In the utopian world this list would be sane, useful and would include
>> daily/etc processes to monitor the security controls for issues... I
>> don't think there's a process bit in PCI about: "And joey the firewall
>> admin looks at his logs daily/hourly/everly for evidence of
>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>> system that does the 'joey the firewall admin' step... but let's walk
>> before running, eh?)
>>
>> so, it's not really a mystery why failures like this happen.
>>
>>> I remember seeing a story a while ago that stated that of companies hit
>>> by a data breach on a system that was inside their PCI scope, something
>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>>> are missing a lot of really crucial things for real security.  (And let's
>>> not forget the competence level of the average PCI auditor, as the ones
>>> I've encountered have all been very nice people, but more suited to checking
>>> boxes based on buzzwords than actual in-depth security analysis).
>>
>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>> guilty of this i'm sure as well, but really ... if you put systems on
>> the tubes and you don't take the same care you would for your
>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>> really isn't a whole lot different from 'lock your damned doors and
>> windows' brick/mortar security.
>>
>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>> a claim of strong actual security.
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
