Session recording
Ben Scott
dragonhawk at gmail.com
Thu Apr 3 12:32:10 EDT 2008
On Thu, Apr 3, 2008 at 12:10 PM, Bill McGonigle <bill at bfccomputing.com> wrote:
> http://blog.bfccomputing.com/articles/2008/03/18/eliminating-credit-card-fraud
From the above: "PCI ... can never be perfect, no matter how hard
everybody tries."
A'yup. Say it with me now: "Security is a process, not a product."
That's rule #1. (Thank you to Bruce Schneier for that wonderful
quote.)
A standards specification document can't provide security. It can
provide a list of good ideas -- like protecting your logs against
tampering -- to help you implement good security practices, but
running through a checklist isn't a substitute for doing it with the
right attitude.
Statements like "tamper-proof logs" -- or even "logs which cannot be
tampered by regular user accounts" -- are ultimately just special
cases of the statement, "It should be secure". See rule #1, above. A
corollary is, "Security is a process, not a state."
It helps to think of security as a verb. You can't manufacture "a
cleaning". You can buy tools which help you clean, but ultimately,
you have to do it. Continuously.
BTW, Bill -- you have comment spam in that blog entry. How ironic. :-)
-- Ben