controlgap.com

Posts about:

Non-compliance lessons

pci, humour, Non-compliance lessons

Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

  • Don’t upgrade your end-of-life software, it’s fine. After all it’s not like you won’t be able to upgrade overnight when a zero-day gets published. Besides the vendor's sure to provide a patch.
  • Don’t patch those pesky middle and high-risk items on internal networks. It’s not like an intruder will try and move laterally through your network.
  • Ignore those network and security appliances. You didn’t install the OS and who ever heard of firmware vulnerabilities.
  • You’re only doing this for a PCI checkbox, your assessor may not notice, and it isn’t like you should be worried about ransomware.
  • Sleep better at night, it's run fine for years and just look at all the time, money, and effort you saved.
David Gamey
Read More
pci, humour, Non-compliance lessons

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print | blog,pci,humour | Control Gap

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

  • Assume you can outsource your accountability for security and compliance.
  • Assume your service provider does everything for you and don't confirm your responsibilities.
  • Change service providers to save money.
  • Act surprised when your assessor asks you for your scans, pen-tests, code reviews, patching records, etc.
  • Exercise your right to audit clause (if you have one) and include your service providers inside your annual assessment at your cost.
  • Due diligence and preparation are just too boring.
David Gamey
Read More