Message Boards » Tech Talk » PCI Compliance
Grandmaster
All American
10829 Posts

TT Braintrust,

Is anyone familiar enough with this to throw out some resources, tips and hell, even a general explanation of the entire process? I keep having random thoughts such as palm greasing, fire-marshal-esque crews armed with Nessus, BackTrack, etc.

I might need to dive into this soon and I need to figure out what I'm up against and hell, if I'm even capable of it. Is it decided by corporate branding (SonicWall, Cisco PIX, WatchGuard) or by your ability to pass a bullshit security test?

Is pfSense compliant if properly setup? It seems like the easiest method is to segment the network with an OPT1 interface and a simple ruleset.

Any advice here or PM preferably would be most appreciated.

7/22/2009 2:20:08 PM

Shaggy
All American
17820 Posts

PCI compliance is 90% common sense, 10% ridiculous bullshit to sell PCI audits. My company recently had an external scan done by a 3rd party (Vigilar). They essentially ran Nessus or nmap or some other scanner against our external network and provided us with a nice report of what's open, what's a potential problem, and what fails PCI. While it's certainly something you could do on your own, and should do on your own on a regular basis, it's nice to have a 3rd party validate your network.

For me, most of our "vulnerabilities" are due to the fact that some of the SSL/TLS-capable hosts we have allow weak ciphers. While weak ciphers are a real vulnerability, in practice no one is going to be using those. In Apache and IIS these are easy enough to disable, but it's a bitch for me because FileZilla and sendmail don't really have easy ways to turn off weak ciphers.

The rest of my problems are holes in Apache and PHP, none of which are used for anything more than displaying our company website. There is no sensitive data on those servers and they're in the DMZ.

There's a load of crap you're also supposed to do internally (e.g. database encryption). But the first thing any potential client is going to want to see is the results of your recent external audit.

[Edited on July 22, 2009 at 2:32 PM. Reason : a]

7/22/2009 2:31:14 PM
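The "weak ciphers" finding above is something you can reproduce offline before the scanner does. The following is an added example (not code from the thread or from any poster): it asks the local OpenSSL, through Python's ssl module, to expand a cipher string the way a server configured with that string would, and flags the suites a PCI external scan typically reports. The rule set in is_weak (NULL/EXPORT/DES/3DES/RC4/MD5 suites, anonymous key exchange, or under 128-bit symmetric strength) and the HARDENED string are my assumptions, not the scanner's exact list; adjust them to what your auditor actually flags.

```python
"""Offline audit of an OpenSSL cipher string for PCI-style weak-cipher findings.

Added example. The weakness rules and the HARDENED string below are
assumptions chosen to match common scanner output, not an official list.
"""
import ssl

# Name fragments that identify legacy/broken suites in OpenSSL naming.
# "DES" also matches "DES-CBC3-SHA" (3DES); it does not match "AES".
WEAK_MARKERS = ("NULL", "EXP", "DES", "RC4", "MD5", "ADH", "AECDH")

# Candidate replacement for a permissive setting; the same string syntax is
# what Apache's SSLCipherSuite directive takes.
HARDENED = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"


def is_weak(name, strength_bits, auth):
    """Classify one suite by its OpenSSL name, symmetric strength and auth method.

    auth is the 'auth' field from SSLContext.get_ciphers(); anonymous suites
    report a null authentication method (no server authentication at all).
    """
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return True
    if strength_bits < 128:
        return True
    if auth is None or auth.lower().endswith("null"):
        return True
    return False


def expand(cipher_string):
    """Expand a cipher string into the concrete suites the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return the names of enabled suites that an external scan would flag."""
    return [
        c["name"]
        for c in expand(cipher_string)
        if is_weak(c["name"], c["strength_bits"], c.get("auth"))
    ]


if __name__ == "__main__":
    # "ALL:COMPLEMENTOFALL" is deliberately permissive (includes NULL suites)
    # to show what a scanner sees; HARDENED is the proposed replacement.
    for label, spec in (("permissive", "ALL:COMPLEMENTOFALL"), ("hardened", HARDENED)):
        try:
            flagged = audit(spec)
        except ssl.SSLError as exc:
            print(f"{label}: cannot expand {spec!r}: {exc}")
            continue
        print(f"{label} ({spec}): {len(flagged)} flagged suite(s)")
        for name in flagged:
            print("  ", name)
```

Which suites appear under the permissive string depends on how the local OpenSSL was built (some distributions compile out RC4 and DES entirely), which is itself a useful thing to learn before the scanner tells you; the hardened string should produce no findings on any build. The same expansion is what `openssl ciphers -v '<string>'` prints, so you can cross-check the output against the server's actual configuration directive.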

DrSteveChaos
All American
2187 Posts

http://www.techbargains.com/vendor_detail.cfm/409/Tradepub-coupon-code

Free PCI Compliance e-book posted on techbargains today. Don't know if it will specifically answer all of your questions, but it may be worth a look.

[Edited on July 22, 2009 at 5:30 PM. Reason : .]

7/22/2009 5:30:11 PM

Grandmaster
All American
10829 Posts

Good looking out, I appreciate that.

7/22/2009 10:27:08 PM

Wolfmarsh
What?
5975 Posts

I cannot even begin to explain how fucking ridiculous PCI and PA-DSS are.

Nor can I describe the fucking pain it has caused me, and continues to cause me.

That being said, even the auditors interpret some things differently, and two different ones will tell you two different things.

7/22/2009 11:25:32 PM

disco_stu
All American
7436 Posts

There are plenty of vendors ready to sell you software that will help you get PCI compliant, though.

7/23/2009 1:53:16 PM

llama
All American
841 Posts

Quote :
"I cannot even begin to explain how fucking ridiculous PCI and PA-DSS are.

Nor can I describe the fucking pain it has caused me, and continues to cause me.

That being said, even the auditors interpret some things differently, and two different ones will tell you two different things."

This pretty much sums up my thoughts on PCI DSS. Among my numerous run-ins with PCI DSS-related stuff, I had one situation where a customer was trying to make their Xen environment PCI compliant, and after going out of my way and doing the research I gave them a compliant solution, and they still bitched that it wouldn't pass.

Some auditors won't pass our customers if they don't have AV on all of their Linux systems, while others can easily tell them it's a stupid requirement and get a pass on it.

7/24/2009 5:11:18 PM

© 2024 by The Wolf Web - All Rights Reserved.