undefined | Better HN

0 pointstptacek2y ago0 comments

None of this would have had anything to do with PCI (nobody gives a shit about PCI; the worst shops in the world, the proprietors of the largest breaches, have had no trouble getting PCI certified and keeping certification after their breaches). At much smaller company sizes than this, insurance requires you to retain forensics/incident response firms. There's a variety of ways they could do that cheaply. They brought in the IR firm with the best reputation in the industry (now that Google owns Mandiant), at what I'm assuming are nosebleed rates, because they want to be perceived as taking this as seriously as they seem to be.

It's a very good writeup, as these things go. Cloudflare is huge. An ancillary system of theirs got popped as sequelae to the Okta breach. They reimaged every machine in their fleet and burned all their secrets. People are going to find ways to snipe at them, because that's fun to do, but none of those people are likely to handle an incident like this better.

I am not a Cloudflare customer (technically, I am a competitor). But my estimation of them went up (I won't say by how much) after reading this writeup.

0 comments

mardifoufs2y ago

Yeah at best PCI is somewhat hard to get at first, but after that it's basically only good, or less shady, corporations that bother keeping up compliance or make sure that they follow the guidelines at every step. Shady/troubled operators don't, and to an extent don't have to really be afraid of losing said certification unless they just go fully rogue.

tptacekOP2y ago

It's not hard to get at first, either. It's the archetypical checklist audit.

mardifoufs2y ago

Ah I think I'm just not used to those then, I hated the whole checklist busywork that we had to do even though we were barely related to the sales infra. But yeah, it was a bit like soc2 in that regard. Is there any certification that isn't just checklist "auditing"? That involves actual monitoring or something? Not sure if that's even possible

2 more replies

dijit2y ago

PCI:DSS Tier 1 is difficult to get and keep.

But everyone here is missing the point of it, it's not to make sure you never get breached it's to ensure forensics exist that cannot be tampered with.

Separation of concerns to keep any single party from within the company from doing anything fraudulent or for an attacker to cover any tracks.

It's not intended at all to be any kind of security by itself outside of the damage an employee can do. Bad code exists and PCI will do nothing to prevent this, because that's not the purpose of the compliance.

yardstick2y ago

> nobody gives a shit about PCI; the worst shops in the world, the proprietors of the largest breaches, have had no trouble getting PCI certified and keeping certification after their breaches

IMO it’s more a risk reward trade off. I know some companies are paying relative peanuts in non-compliance fines rather than spend money on some semblance of security which they may still not be compliant with and have to pay the fines anyway…

j / k navigate · click thread line to collapse

0 pointstptacek2y ago0 comments

I am not a Cloudflare customer (technically, I am a competitor). But my estimation of them went up (I won't say by how much) after reading this writeup.

0 comments

mardifoufs2y ago

tptacekOP2y ago

It's not hard to get at first, either. It's the archetypical checklist audit.

mardifoufs2y ago

2 more replies

dijit2y ago

PCI:DSS Tier 1 is difficult to get and keep.

But everyone here is missing the point of it, it's not to make sure you never get breached it's to ensure forensics exist that cannot be tampered with.

Separation of concerns to keep any single party from within the company from doing anything fraudulent or for an attacker to cover any tracks.

yardstick2y ago

> nobody gives a shit about PCI; the worst shops in the world, the proprietors of the largest breaches, have had no trouble getting PCI certified and keeping certification after their breaches

j / k navigate · click thread line to collapse