[186673] in North American Network Operators' Group


Re: de-peering for security sake

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Dec 27 16:11:27 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAL9jLaZR57Nv4jCiY=8jxfGhn-yx=aVLeinznpGJdDmtjr_Zkw@mail.gmail.com>
Date: Sun, 27 Dec 2015 13:08:32 -0800
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Dec 27, 2015, at 11:26 , Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
> On Sun, Dec 27, 2015 at 1:59 PM,  <Valdis.Kletnieks@vt.edu> wrote:
>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>
>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>> yes it is in fact two factor.
>>
>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>> of a money grab masquerading as security theater (not even real security).
>
> is it that? or is it that once you click the checkboxes on /pci audit/
> 'no one' ever does the daily due-diligence required to keep their
> security processes updated/running/current/etc ?

You ask this as if those two were mutually exclusive. They are not. I believe
that both are actually true. The PCI-DSS checklist can be completed without
relatively weak security and involves a lot of theatrical requirements that have
nothing to do with actual security.

Beyond that, yes, most organizations survive the audit and then go back to
"ignore it until time for the next audit" mode.

> I'm not a fan of the compliance regimes, but their goal (in a utopian
> world where corporations are not people and such) is the equivalent of
> the little posterboard person 42" tall before the roller-coaster
> rides, right?
>
> "You really, REALLY should have at least these protections/systems/etc
> in place before you attempt to process credit-card transactions…"

Right. And that’s a decent goal. Unfortunately, if you read the actual document,
the standards require lots of things that don’t actually improve (and in some
cases can actually degrade) security, such as NAT.

> In the utopian world this list would be sane, useful and would include
> daily/etc processes to monitor the security controls for issues... I
> don't think there's a process bit in PCI about: "And joey the firewall
> admin looks at his logs daily/hourly/everly for evidence of
> compromise" (and yes, ideally there's some adaptive/learning/AI-like
> system that does the 'joey the firewall admin' step... but let's walk
> before running, eh?)

Yeah, it doesn’t actually require anyone or anything to ever really look at
logs at all.

> so, it's not really a mystery why failures like this happen.

This is a bit of a tangent, really. The discussion was about authentication factor
counts and Baldur tried to use PCI-DSS acceptance of password-encrypted
private key authentication as two-factor to bolster his claim that it was, in fact
two-factor, when it clearly isn’t actually two-factor as has been stated previously.

The comments about PCI-DSS being a non-credible standard were primarily
an additional note that his argument was built on thin air.

>> I remember seeing a story a while ago that stated that of companies hit
>> by a data breach on a system that was inside their PCI scope, something
>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>> are missing a lot of really crucial things for real security.  (And let's
>> not forget the competence level of the average PCI auditor, as the ones
>> I've encountered have all been very nice people, but more suited to checking
>> boxes based on buzzwords than actual in-depth security analysis).
>
> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
> guilty of this i'm sure as well, but really ... if you put systems on
> the tubes and you don't take the same care you would for your
> brick/mortar places ... you're gonna have a bad day. 'cyber security'
> really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security.

Conceptually, sure. However, in actual implementation, there’s a plethora of
decent locksmiths and reasonably good security contractors out there to provide
good solutions for physical security.

In the cyber security world, the waters are a lot murkier. There are no good
standards to allow a lay person to identify a good capable contractor vs. a
charlatan with a flashy web site. Most of the widely known standards are
crap. I’ve met some really good CISSPs in my day, but I’ve also met a number
of people touting their CISSP certification who don’t realize that NAT is actually
detrimental to security and a few who even claimed that NAT was good.

Several couldn’t even get the concept of separating NAT from stateful inspection
after repeated attempts to explain it to them in kindergarten terms.

Cyber security is a lot harder to understand well and quite a bit more complicated
than physical security.

Owen
