It all started from this tweet: “if you read on #PCI and #APT on the same day, you get some pretty darn interesting high.” Some more …mmm…thinking about the subject resulted in this blog post.
So, how is PCI like APT?
- “P” in “APT” stands for “persistent”; “P” in PCI stands for … well … PCI is pretty darn persistent.
- Both are absolutely a threat, whether of non-compliance or of severe 0wnage…
- “Nobody would ever find that we lied on our SAQ” is said sometimes in PCI, and “no APT will want to hack us” is often said about APT.
- People under PCI sometimes do not want to update their anti-malware defenses, because they say “it is too hard.” People under APT often also do not update their anti-malware because… hey… what’s the point?
- “A” in APT stands for “advanced”; PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station).
- With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
- Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
- PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
- People refuse to deal with PCI because they do not believe that anything bad will happen to them; similarly, people refuse to deal with APT since they don’t know that APT has already happened to them.
UPDATE: an awesome follow-up "Why PCI and APTs are NOTHING alike" from Cassandra Security.