Saturday, 24 May 2008

Passing an audit is NOT compliance!

"Just out of curiosity, how many people here think that PCI does
anything to protect you from the real world threat?"

This depends.
Are you "REALLY" compliant, or is the organisation doing just enough to fool the auditors?

From experience, I see 80-90% in the latter. Most auditors are not experienced enough to know when they are being BS'd.

As for the question, I have not seen a compromise of a truly compliant organisation. Every single organisation that has been compromised has actually also had a flaw that should have failed them.

In some instances, the testing was completed on an alternate system that was handed to the auditor in place of the real one. In others, the organisation pointed the auditor at the good systems and left many out.

I guess that people do not understand that in this case less than full disclosure is actually criminal fraud. In Australia, the Corporations Act provisions (similar to the SEC provisions in the US) make it a criminal offence to mislead the auditor.

To answer the question: yes, I think that getting to this level (truly to this level) would help. The issue is: which companies are there?

Take for instance a validated firewall. What does this mean?

A validated firewall is one that has actually been tested: you use hping or a similar packet-crafting tool to fire packets through ALL interfaces of the firewall, and you validate that what the firewall does matches the written firewall policy.
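The logic behind that test, written out as an added Python example that is not part of the original post: a written policy (first-match rules, default deny), a probe matrix that replays each allow rule's traffic on every interface plus a just-out-of-range port, and a comparison against what the probes observed. The rules, interface names, addresses and the observed results are all constructed for the example; in a real validation the `OBSERVED` table would be filled from the hping (or similar) run rather than typed in. Any probe with no recorded result is reported as "untested", so gaps in the evidence show up next to actual policy failures.

```python
"""Firewall policy validation: expected behaviour from the written policy
versus what packet probes actually observed on every interface.
Constructed example; the policy and observations are not from any real site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    interface: str          # ingress interface the rule is bound to
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: Tuple[int, int]  # inclusive destination port range


@dataclass(frozen=True)
class Probe:
    interface: str
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule: Rule, p: Probe) -> bool:
    return (rule.interface == p.interface
            and rule.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(rule.src)
            and ip_address(p.dst) in ip_network(rule.dst)
            and rule.ports[0] <= p.dport <= rule.ports[1])


def expected_action(policy: List[Rule], p: Probe) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in policy:
        if rule_matches(rule, p):
            return rule.action
    return "deny"


def sample_host(cidr: str) -> str:
    """Pick one representative address inside a CIDR for probing."""
    net = ip_network(cidr)
    if net.prefixlen == 0:            # "any": use a documentation-range address
        return "198.51.100.7"
    return str(net[1] if net.num_addresses > 2 else net[0])


def build_probe_matrix(policy: List[Rule], interfaces: List[str]) -> List[Probe]:
    """For every allow rule: the matching packet replayed on EVERY interface
    (catches rules that leak across interfaces) plus one just outside the
    allowed port range on the rule's own interface."""
    probes = []
    for rule in policy:
        if rule.action != "allow":
            continue
        src, dst = sample_host(rule.src), sample_host(rule.dst)
        proto = "tcp" if rule.proto == "any" else rule.proto
        lo, hi = rule.ports
        for iface in interfaces:
            probes.append(Probe(iface, proto, src, dst, lo))
        outside = hi + 1 if hi < 65535 else lo - 1
        probes.append(Probe(rule.interface, proto, src, dst, outside))
    return probes


def validate(policy: List[Rule], interfaces: List[str],
             observed: Dict[Probe, str]) -> List[Tuple[Probe, str, str]]:
    """Return (probe, expected, observed) for every mismatch. A probe that was
    never run is reported with observed == 'untested'."""
    findings = []
    for p in build_probe_matrix(policy, interfaces):
        exp = expected_action(policy, p)
        got = observed.get(p, "untested")
        if got != exp:
            findings.append((p, exp, got))
    return findings


# Constructed policy: HTTPS to one web server from outside, SSH to the
# server subnet from the management subnet only, everything else denied.
POLICY = [
    Rule("outside", "allow", "tcp", "0.0.0.0/0", "10.0.1.10/32", (443, 443)),
    Rule("mgmt", "allow", "tcp", "10.0.9.0/24", "10.0.1.0/24", (22, 22)),
]
INTERFACES = ["outside", "mgmt", "dmz"]

# Constructed probe results, standing in for the output of a real probe run.
# The SSH probe sent in via "outside" was answered: the rule is not bound to
# its interface. The SSH probe via "dmz" was never run at all.
OBSERVED = {
    Probe("outside", "tcp", "198.51.100.7", "10.0.1.10", 443): "allow",
    Probe("mgmt", "tcp", "198.51.100.7", "10.0.1.10", 443): "deny",
    Probe("dmz", "tcp", "198.51.100.7", "10.0.1.10", 443): "deny",
    Probe("outside", "tcp", "198.51.100.7", "10.0.1.10", 444): "deny",
    Probe("outside", "tcp", "10.0.9.1", "10.0.1.1", 22): "allow",
    Probe("mgmt", "tcp", "10.0.9.1", "10.0.1.1", 22): "allow",
    Probe("mgmt", "tcp", "10.0.9.1", "10.0.1.1", 23): "deny",
}


def run_sample() -> List[Tuple[Probe, str, str]]:
    return validate(POLICY, INTERFACES, OBSERVED)


if __name__ == "__main__":
    for probe, exp, got in run_sample():
        print(f"{probe.interface}: {probe.src} -> {probe.dst}:{probe.dport}/"
              f"{probe.proto} expected {exp}, observed {got}")
```

The point of replaying each rule on every interface is the one the paragraph makes: a policy that reads correctly on paper still fails if the device enforces it on only some of its interfaces, and an auditor who only probes the interface named in the rule will never see that.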

When you read these standards, think about how a lawyer will read them, not an IT person. This is because it is a lawyer who will be the judge and the prosecutor.

Many QSAs, even after their wham-bam-thank-you-ma'am "intro to audit and now you are a QSA" process, are not ready to audit systems. These are the same people who do not know the systems they audit. One example is "how do I copy a directory on Unix?", a real quote from the principal at a MAJOR PCI specialty firm.

Passing an audit is NOT compliance!

Let me say that again...

Passing an audit is NOT compliance!

The fun of having just completed my LLM in commercial law is understanding these issues a little better. An audit is a risk report to management. It does nothing to stop the lawyers rolling over you if you are not compliant. The idea that people should try to BS the auditors is itself BS. The auditors are NOT the enemy; they are the ones stopping the courts from rolling over you.

You are either compliant 100% to the standards you need to meet, or you (both the individual AND the organisation) are at risk.

I do not think that many on the list understand the issues. Take another compliance topic, SOX: you tell management and the auditors that a system is compliant. The auditors are a little clueless (as many are) and do not test the system (as they are required to by law).

Who is to blame when the system is compromised?
You are and management is - both.

In fact, your ignorance of the system's security is not a good defence. You have defrauded the auditors, and the worst case is 20 years with a new hubby called Bubba (or the female equivalent of Bubba).

To demonstrate this: I have a SOX client who states that they do not need logs; they have never been compromised.

I have another (who has for 4 years received a clean bill of health from a Big 4 firm) who has more services running on the finance database than come out of the box. They have the Archie filesystem on it because a consultant thought it would be cool. They have also not patched it for the last 113 remote root-level exploits.

In Australia, not securing payroll and finance information (eg tax file numbers of employees) is a criminal offence.

I will say it again.

Passing an audit is NOT compliance!

Choosing a firm that will pass you is dumb. It is a false economy. It is buying a broken umbrella in case it rains.
