Drazen Drazic's blog

WAFs - Is the Technology Mature Enough?

I've spent some time lately in discussions around Web Application Firewalls. WAFs seem to be a hot topic in recent times and with PCI DSS 6.6, many people are now starting to look at these technologies.

Though, with the PCI SSC council watering down the 6.6 requirement, I questioned here whether they were required at all under PCI DSS:
http://tinyurl.com/4rtkdf

Google Ads Lie!?

Every time I come back to visit IT Security Link between posts, I am greeted with a Google ad for "Ethical Hacking" - company: Classic Blue. I don't know if you are and I don't profess to understand how Google does these ads.

I do know one thing - "Classic Blue" does nothing of the sort. (I hate the term "ethical hacking"....it sounds so BS but that is beside the point!)

There's no Fear Factor.........

Another US merchant is now suffering from the effects of being compromised big time:
http://beastorbuddha.com/2008/03/18/oopsanother-big-one/

Who's being investigated and who is being hunted on this? You know what? Probably no one...because the priority today is to shut down and stop how it happened and hope it does not happen that way again!

When old news is new again......

Adam Boileau's release of code to take ownership of a Windows system as reported in recent press is nothing new. He first released this 18 months ago at Ruxcon 2006 when working with Security-Assessment.com (Australia/Asia Pacific now known as Securus Global and NZ now owned by Datacraft).

So why the press now?

The Great Managed Perimeter Security Services Swindle

Maybe that is too harsh a title to describe most "managed services" provided by vendors to clients....maybe not?!

The question needs to be asked though. When is the last time a client seriously looked at what they were getting for their large investment and asked some questions of the vendor and, most importantly, of themselves?

Being Blunt on the State of Things

I upset people....sometimes with my bluntness about the state of the industry...in particular my goes at some business IT managers. Sometimes you need to be blunt to get a point across.

e.g. I bag a lot of them in Beast or Buddha (http://www.beastorbuddha.com/) because they deserve it.

Good Compliance Practices - Ignorance is No Longer Bliss

If the Payment Card Industry Data Security Standard (PCI DSS) has done one thing, it’s been to highlight that there are such things as basic, good security practices.

This website is copyright © 2007 for ITSecurityLink.com. All rights are reserved.