Dealing with auditors (was Re: We hit half-million: The Cidr Report)
ahebert at pubnix.net
Thu May 1 10:29:35 UTC 2014
Right now, 1/2 my day$ are spent doing PCI auditing, technical side,
not as a QSA.
There is no shortage of horror stories about my customers' previous
Best one to date... Firewalling the FC SANs from the pool of
Bill & Telnet...
I hope that QSA didn't let you keep that telnet facing any
public interface without any protection.
PS: Same deal with SSH ... encryption != protection since
keylogging is way easier than sniffing packets. But at least you can
limit SSH authentication to public keys.
Alain Hebert ahebert at pubnix.net
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
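The advice above is to limit SSH to public-key authentication. The following is an added example, not code from the thread or from any of its posters: it checks an sshd_config for key-only authentication the way sshd itself reads the file. The check honours the sshd_config rule that the first occurrence of a keyword wins (so a hardening line appended at the bottom of a file loses to an earlier "yes"), treats the old ChallengeResponseAuthentication name as an alias of KbdInteractiveAuthentication, and skips everything after a Match line because those settings are conditional. The default values and the two sample configs are my assumptions, constructed for the example.

```python
"""Check an sshd_config for key-only authentication.

Added example, not from the NANOG thread. sshd_config(5): for each keyword
the first obtained value is used, so ordering matters. Defaults below are
OpenSSH's as assumed here (password yes, keyboard-interactive yes, pubkey yes).
Match blocks are skipped: their settings are conditional, not global.
"""

DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # ChallengeResponseAuthentication is the old name
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the settings sshd would apply globally: first occurrence wins."""
    effective = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                       # everything after this is conditional
            continue
        if in_match:
            continue
        key = ALIASES.get(key, key)
        if key in effective and key not in seen:  # later duplicates are ignored by sshd
            effective[key] = value
            seen.add(key)
    return effective


def audit(config_text):
    """List why the config still allows something other than a key to log in."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively 'yes': "
                        "a keylogged or guessed password is enough")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication (ChallengeResponse) is effectively 'yes': "
                        "PAM can still prompt for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: nothing left but passwords")
    return findings


# Constructed sample: the "fix" appended at the bottom does nothing, because the
# earlier 'yes' is the first occurrence and therefore the one sshd uses.
WEAK = """\
# shipped config
PasswordAuthentication yes
PermitRootLogin yes
# someone appended a fix at the bottom
PasswordAuthentication no
"""

# Constructed sample: key-only globally; the Match block is ignored by this check.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok: key-only authentication"])
```

The check only covers the global section; if a Match block re-enables passwords for some address range, that is a separate finding that would need a parser aware of Match criteria, which this example deliberately does not attempt.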
On 04/30/14 20:58, David Hubbard wrote:
> We just dealt with a vmware audit too; it was a joke. In any case, the
> thing I found curious with their auditor as well as a PCI QSA (fancy
> auditor), is that neither entity seemed to know IPv6 exists. The whole
> time I'm thinking okay, now why aren't you investigating these same
> attack vectors in IPv6? Just another reason PCI is not necessarily
> about security....
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ulf Zimmermann
> Sent: Wednesday, April 30, 2014 8:36 PM
> To: William Herrin
> Cc: nanog at nanog.org
> Subject: Re: Dealing with auditors (was Re: We hit half-million: The
> Cidr Report)
> The auditors VMware sent to us were just as bad. To ensure we weren't
> running "rogue" ESX(i) servers or WorkStation, they made us provide full
> arp/cam tables. Then a list of the virtual machines. "Oh look, this MAC
> isn't listed as one of your virtual machines". It isn't because it was
> running on virtual box or something like that. Auditor didn't know you
> could export a virtual machine from VMware and load it into another
> virtualization software and it would keep the VMware MAC ....
> On Wed, Apr 30, 2014 at 2:31 PM, William Herrin <bill at herrin.us> wrote:
>> On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon at cox.net>
>>> On 4/30/2014 11:30 AM, Valdis.Kletnieks at vt.edu wrote:
>>>> And in that discussion, we ascertained that what the PCI standard
>>>> says, and what you need to do in order to get unclued boneheaded
>>>> to sign the piece of paper, are two very different things.
>>> I am no longer active on the battlefield but as of the last time I
>>> can't be did.
>>> For years I managed various aspects of a UNIVAC 1100 operation and
>>> thereof. EVERY TIME, we were dinged badly because we didn't look
>>> like an IBM shop (some may be surprised to learn that different
>>> hardware and different operating systems require very different
>>> operating procedures
>>> it appeared to us that some of the things they wanted us to do would
>>> us badly, others just simply didn't make any sense, and we got
>>> dinged for things we DID do, because they were strange.
>> I won the argument with PCI auditors about leaving telnet alive on my
>> exterior router (which at the time would have had to be replaced to
>> support ssh). It's not a chore for the timid. You'd better be a heck
>> of a guru before you challenge the auditors' expectations and you'd
>> better be prepared for your boss' aggravation that the audit isn't
>> done yet.
>> And I think we pretty well established that PCI auditors arrive
>> expecting to see NAT.
>> Bill Herrin
>> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
>> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
>> Falls Church, VA 22042-3004
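The VMware audit described in the thread reduced to "a VMware-OUI MAC that is not in the ESX inventory must be a rogue ESX host". The following is an added example, not code from the thread or from VMware, that does the same reconciliation of an ARP/CAM dump against a VM inventory but reports the result as a lead rather than a verdict, since an exported VM keeps its VMware MAC on VirtualBox or any other hypervisor. The ARP lines and the inventory are constructed for the example; the OUI set is my assumption of the prefixes registered to VMware.

```python
"""Reconcile ARP/CAM-table MACs against a VM inventory by VMware OUI.

Added example, not from the NANOG thread. An unlisted VMware-OUI MAC is a
lead, not proof of a rogue ESX host: the OUI travels with an exported VM
(VirtualBox, KVM, ...) and can also be set by hand on any interface.
"""
import re

# Assumed: OUIs registered to VMware, Inc.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, or Cisco-style aabb.ccdd.eeff
MAC_RE = re.compile(
    r"([0-9a-f]{2}[:\-]){5}[0-9a-f]{2}|([0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for any of the common MAC notations."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three octets of a normalized MAC."""
    return mac[:8]


def macs_from_table(text):
    """Pull every MAC out of an ARP or CAM dump, whatever the vendor's layout."""
    return {normalize_mac(m.group(0)) for m in MAC_RE.finditer(text)}


def reconcile(table_text, inventory_macs):
    """Split VMware-OUI MACs on the wire into known/unlisted, and list VMs not seen.

    'vmware_unlisted' is what the auditor in the thread called rogue; treat it
    as a list of interfaces to go and look at, not as a finding by itself.
    """
    inv = {normalize_mac(m) for m in inventory_macs}
    seen = macs_from_table(table_text)
    vmware_seen = {m for m in seen if oui(m) in VMWARE_OUIS}
    return {
        "vmware_known": sorted(vmware_seen & inv),
        "vmware_unlisted": sorted(vmware_seen - inv),   # lead, not verdict
        "inventory_not_seen": sorted(inv - seen),       # powered off, or elsewhere
    }


# Constructed sample: two Cisco-style ARP entries, one physical host (non-VMware
# OUI), and one Linux-style entry for a VM that was exported to another hypervisor.
ARP_TABLE = """\
Internet  10.0.0.5      3   0050.5612.3456  ARPA   Vlan10
Internet  10.0.0.6      0   000c.29aa.bbcc  ARPA   Vlan10
Internet  10.0.0.7      12  3cfd.fe01.0203  ARPA   Vlan10
10.0.0.8   ether   00:50:56:9a:1b:2c   C   eth0
"""

# Constructed sample: the VM list handed to the auditor.
INVENTORY = ["00:50:56:12:34:56", "00:0C:29:AA:BB:CC", "00:50:56:99:99:99"]

if __name__ == "__main__":
    for bucket, macs in reconcile(ARP_TABLE, INVENTORY).items():
        print(f"{bucket}: {macs}")
```

Run against a real CAM table, the "vmware_unlisted" bucket is where you start asking questions; the "inventory_not_seen" bucket is just as interesting to a licence auditor, since it is the VMs whose MACs appear nowhere on the switches you were asked to dump.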