Tuesday, February 02, 2010

Top Nine Reasons How PCI Is Like APT


It all started from this tweet: “if you read on #PCI and #APT on the same day, you get some pretty darn interesting high.” Some more …mmm…thinking about the subject resulted in this blog post.


BTW, everybody knows what PCI DSS is, what about APT? APT is “Advanced Persistent Threat”, an acronym with a murky past (some say going back to 1876…) that is used to label “some advanced bad shit that just doesn’t go away” – yes, it is that vague. Some fun discussion about it can be found here, here and here and of course here.
So, how is PCI like APT?
  1. “P” in “APT” stands for “persistent”, “P”in PCI stands for … well … PCI is pretty darn persistent.
  2. Both are absolutely a threat, whether of non-compliance or of severe 0wnage…
  3. “Nobody would ever find that we lied on our SAQ” is said sometimes in PCI, and “no APT will want to hack us” is often said about APT.
  4. People under PCI sometimes do not want to update their anti-malware defenses, because they say “it is too hard.” People under APT often also do not update their anti-malware because… hey… what’s the point?
  5. “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
  6. With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
  7. Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
  8. PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
  9. People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.

UPDATE: an awesome follow-up "Why PCI and APTs are NOTHING alike" from Cassandra Security.

Possibly related posts:

  • All posts labeled humor.

Dr Anton Chuvakin