medal of honor multiplayer comments part 2

I’ve already pined way too long about Medal of Honor in a previous post, and while I have no intention to make gaming a major part of this blog, I do have other comments, for closure. Again, this is the xbox version I’m playing. And, again, I still feel the multiplayer game is broken, unfinished, and unplaytested. And combinations of issues such as poor death text, poor player name displays, horrible maps, and no indication of who is talking on voice make this game pretty much impossible to truly play as a team unless you’re all in a party/clan and used to each other. If you tend to play solo or with just a couple buds like I do, the game is broken and useless.

Cons Part 2

  • It bears repeating: multiplayer is not playtested and unfinished. The maps are broken. The menu system is nearly useless. The gametypes are not finished.
  • I like to play Hardcore game modes. Hardcore modes tend to lower player health, remove helpful HUD pieces, and enable friendly fire. This often slows down the game a bit as players need to be a bit more careful. In MOH, not at all. The games are just as frenetic as normal teams.
  • There’s only one Hardcore mode, and it rotates game types between team deathmatch, objective, sabotage, and scenario objective game types. While this is cool to experience different things, unfortunately it means all the players who just want to play team deathmatch fuck up the rest of the dynamic of the other game types. You really need to only have players playing sabotage/objective types who want to and know how to play them. It’s ok to randomize it a little bit, perhaps, but the rotation seems to go way too often to non-team deathmatch modes. Mixing in a different gametype every 10-50 matches wouldn’t be a bad thing…
  • Hardcore sabotage gametypes are broken and useless. Really, what should happen is a team plays as the defenders for a round and then the other team defends, and the winner is whomever completes the objectives quicker. This game has no continuity between sessions, so you can flat out lose even if you get one objective, no matter if you owned the other team the previous game and the next game. Then again, whether you win or lose never matters, since you get no bonus points for a win and there is no tallied record of how you do.
  • Hardcore mode utterly breaks offensive scorechain rewards. The offensive rewards are things like mortar strikes or rocket strikes (like artillery or bombs in COD:MW2). You set them at a target by looking through a device and marking the target. In normal modes, this device (like a pair of binoculars) has a crosshair in the middle. For some absolutely unknown reason, hardcore mode removes this crosshair. This means you’re firing blind and have no idea where you’re really hitting. In fact, I’ve killed myself this way more than enemies! This makes me choose defensive rewards almost every time. Stupid.
  • I’ve had a few games in team deathmatch finish where my team had more kills and more scorechains, but a lower score such that we lost. If you’re going to score a match based on some tally of points, you need to explain the points. My only guess is the other team had longer scorechains or more headshots.
  • Playing hardcore mode yields less points per game. This is backwards from every COD offering. You can do alright in points if you do the sector controlling or objectives, but obviously there are only so many of those that you can do per match. It would be nice if you also got points for winning a match.
  • Teamkills should kill the team-killer. COD:MW2 gets this perfectly, if you ask me. Score penalty is nice, but what happens when you’re maxed?
  • Combat assault, the game mode where a team defends a series of story-like objectives that the other team has to assault, control, or destroy, is kinda fun, but needs work. Instead of a timer, the defenders have only x number of respawns allowed for their team (200?). This means the more players the attackers kill, the more they cause this soft-timer to expire. This means the game should be played by attackers running up to objectives and defending them, then running to the next, and not killing defenders on the way unless they have to. Unfortunately, too many players play this as team deathmatch. As such, I’ve only seen one full completion in this mode. I’d like to have played this with a hard-timer to see how that goes (like 30 minutes). Also, once you get pinned down as attackers at the start, you can pretty much just be screwed. I also see no reason the attacker team should have a respawn timer. Defenders, yes. But attackers? I’d be curious how the dynamic changes without that timer for attackers.
  • I and a buddy have had times where we’ve been able to see glowing outlines of other players *through* walls and boxes, especially before they’ve stepped out from behind them. I think this is a reflection of buggy netcode and whatever graphics code is used to subtly outline enemy players to differentiate them from background textures. Really cheap and silly and it’s bad that this bleeds through sometimes. This only happened in about 1 in 100 matches we played.

Pros Part 2

  • I usually like playing a sniper, but often find them unfun in multiplayer games because you can’t really hide very long or get decent sightlines. In MOH, I actually find sniping rather fun. The shooting mechanism is probably the best I’ve felt in gaming (a pro for the engine moreso than anything to do with multiplayer), despite the buggy netcode. It helps that many maps have a sniper-friendly open feel to them (of course the flip side to this is how the maps break safe-spawning and game flow).
  • There are painfully few maps in multiplayer, but at least in other game modes (maybe just hardcore?) the maps *seem* different because they have different lighting. There are just a few flow changes in them as well (very subtle) and maybe the backgrounds outside the map boundaries change, but overall it’s just enough to make the maps initially disconcerting and seemingly different. It’s amazing how much in game I actually make use of lighting as much as the terrain to get my bearings… It’s a pleasant surprise, even if I still believe the maps are fatally flawed.
  • Combat assault, the game type that forces one team to defense while the other team pursues progressively-placed objectives is kinda fun, but untweaked. Nonetheless, it is a good attempt at the concept and I actually like how those particular maps flow.

powershell: get a web page

Want to grab a web page via PowerShell? Well, I do, and I found a Get-Web function on a MSDN blog post. For me, I tend to manage many web servers and sites using PowerShell scripting, and it might be useful to incorporate some Gets as part of an error checking routine. Or, as in my quick case today, an ugly one-time page monitoring script to look for delivery issues in the wee hours of a morning.

Note: I spent all of 3 minutes searching for this function, so your mileage may vary… The key part to check if you want to roll your own is the “New-Object Net.Webclient” object.

I’ll repost below just in case the source ever disappears from the web, but I suggest copying it from the link above rather than here, due to any formatting issues.

function Get-Web($url,
# Downloads a file from the web
# Uses System.Net.Webclient (not the browser) to download data
# from the web.
#.Parameter self
# Uses the default credentials when downloading that page (for downloading intranet pages)
#.Parameter credential
# The credentials to use to download the web data
#.Parameter url
# The page to download (e.g.
#.Parameter toFile
# The file to save the web data to
#.Parameter bytes
# Download the data as bytes
# # Downloads and outputs it as a string
# Get-Web
# # Downloads and saves it to a file
# Get-Web -toFile
$webclient = New-Object Net.Webclient
if ($credential) {
$webClient.Credential = $credential
if ($self) {
$webClient.UseDefaultCredentials = $true
if ($toFile) {
if (-not “$toFile”.Contains(“:”)) {
$toFile = Join-Path $pwd $toFile
$webClient.DownloadFile($url, $toFile)
} else {
if ($bytes) {
} else {

firefox 0day on peace site, details sought

Norman is currently warning about a new Firefox 0day discovered on the Nobel Peace Prize site. I don’t have much more information than that, mostly because all the “here’s the exploit details” links just talk about the delivered payload and not about this nifty Firefox 0day.

They “recommend all Internet users be cautious when surfing the net.” Really? So browsing the Nobel Peace Prize site on Tuesday would be ok if done…cautiously? Maybe click slower? Meh…this sort of advice does no one any good. Unfortunately, without knowing about this 0day, there’s not much to say other than don’t run scripts and, for home-bound geeks, watch your outbound traffic for strange things (like connections to Taiwan). For enterprise geeks, maybe inspect DNS requests for the flagged destinations and/or poke your IDS/IPS sigs. Hell, just blackhole or egress-block those destinations. Still, these are containment/detection tips…again none of which helps prevent the Firefox 0day.

keeping it real with what really matters

We often get our panties into bunches about security issues and cyberstupidity, but Mike Murray has a career advice post that needs repeating (and I’m going to steal his punchline).

Here’s my advice: do one thing today that makes you healthier. It might be just stepping away from the desk for a while and taking a few deep breaths to relax. Maybe it’s a salad instead of the Double Whopper with Cheese. Maybe it’s taking a walk at lunch. Do something.

The older you get, the more this finally hits home not just from lessons you learn on your own but lessons you learn from others people’s mistakes and tragedies. Take care of your health, both mental and physical. Get checked out regularly, take preventive measures before things get out of control, investigate and possibly seek expert assistance when things feel off. Don’t put off to tomorrow something you can go today for your betterment. And enjoy yourself when you can. (As too many things are wont to do appear when you’re a security geek, this advice is eerily similar to advice for a good security program.)

I’m posting this because I need this advice as much as anyone else.

quick medal of honor impressions

So far I’ve not been terribly impressed by the new Medal of Honor game (xbox version), but it is a nice distraction between COD titles, especially since I don’t take to Halo much.

Single Player: I’m still working through this, but so far there is nothing new here and just perpetuates how I don’t enjoy modern FPS campaigns very much. The whole “on rails” thing is just annoying. Most of the time I don’t feel like I have to actually *do* anything except let my teammates do it, and then run around trying to figure out where they went and get caught up because I was exploring. I miss the games where it’s me against 1000 enemies…although I imagine that would create some AI challenges when you are the only target 12 enemies are shooting at… I imagine I won’t like the highest difficulty level, Tier 1, because it is time-based.

On a brighter note, I really like the low-key yet driving music so far, I love the feel of the early game sniper rifle, and I’m glad the controls are essentially identically to COD. Checkpoints are often as well. It is otherwise a solid single player experience so far. The individual moments aren’t as good as MW2 individual moments, but the sum is likely better. (COD:MW2 was a strange game built as individual moments strung together by a horrible plot, making the sum of its parts actually LESS than the parts alone. Go figure, but that’s what you get by making a story in backwards fashion and making the climax a boat chase and quick-time-event.)

Multiplayer: In short, multiplayer Medal of Honor is just plain unpolished. It really feels like the bare minimum has been done with very little real play testing. I suspect this needed to be rushed out before COD hit and after Halo. The litany of little complains mounts slowly. I’ve tried out other modes, but I play mostly Team Assault (essentially team deathmatch). I’ll constantly compare this to the current bar: Call of Duty.

  • no team balancing! Yes, really, if your team is getting owned, you’ll keep getting owned until players come and go. This is the COD equivalent of being forced, at times, to play against a whole clan/party. The sorts of games I often avoid if I’m not the one in a large party. Also, if you and a buddy join a game and are placed on different teams despite being in a party/playgroup, you have to back out, reinvite, and rejoin a game to get on the same team. The game doesn’t recover from this. (This happened only twice for me, but that’s two times the game should have recovered on the next map.)
  • I shit you not, there is no way to tell who is talking. There’s no indicationo on the HUD and no indication in the player score tab or minimap or big map. None.
  • no audio and really no visual indication that a match is ready to be joined. And it never starts on its own, you *have* to press A. So if you’ve turned to a buddy to jaw a bit or grabbed a drink in between matches, you never know without closely watching the screen that the game is under way. COD had an audio tick, a timer, and forcefully started the match for you.
  • As in COD:MW2, shotguns still feel way over-powered, even at a distance. At least you can’t run around like an idiot getting cheap kills by double-fisting them…
  • I dislike multiplayer games where the more you play, then the better you are. MOH doesn’t make any attempt to fix this. The more you play, the more you unlock. I have high hopes that COD:BO will get this right with the purchasing mechanic.
  • I also dislike abilities that allow better players to be even better by scoring kills in a row. An example is COD:MW2. If you’re good enough to get 5 kills in a row, the game will help you get another 20 cheesy kills (predator, harrier, chopper=nuke). If you’re already slightly better, the game makes the gulf even bigger. At least in MOH the rewards are based on points and not kills and it is harder to string them together without some additional kills of your own in the middle. So this is better than COD, at least.
  • between-game screens suck! Not only do they rotate in a forced fashion (game scores, your stats, and then map description text which is useless), but you get very little time to absorb much. COD gives you about 30 seconds to digest information and jaw with players. MOH gives about 5 seconds.
  • between-game screens suck 2! There’s not much information here, but at least what is given is relevant. I just wish it didn’t need three screens to do it and wish there were better stats…like suicides, team kills, maybe some ratios on who I killed or who killed me more, etc. Oh, and you’ll never know how many assists you got. To MOHs credit, COD:MW2 also failed in this regard. COD:WaW was far (far!) superior.
  • between-game screens suck 3! You can vote to skip a map, but you’ll never see any vote tally nor ever know the vote passed or failed. WTF?
  • death text sucks. “Player1 [M124AM] Player2.” At least in COD you get an icon of the weapon used, which is a great and quick way to see how someone died. I don’t know what M124AM is and it will take a very long time to figure that out…
  • death text sucks 2. No headshots are represented. I do like to know when I was headshot which would explain why I die so quick sometimes.
  • death text sucks 3. I can’t describe how many double-kills I’ve had on players in game, but I would never know it if I hadn’t been playing right next to a buddy and could glance at his screen’s death text. It is very useful to know when a double-kill occurs because you know that your enemy is no longer in that spot.
  • Hardcore doesn’t feel hardcore, other than the lack of a HUD. I should be expecting more one-shot kills.
  • I really hate not being able to see teammate names when they’re 30 feet away from me or more. MOH displays them only if you’re close, but if you’re far away you just see the friendly marker. If I see a teammate ahead of me duck into a room and he dies, I want to be able to know who ran in and how he died. This plus the death text makes this impossible. Yes, I really do get into the meta-game of how the ebb and flow feel…if I know John went left, Bob went right, and Jim ran up the middle, and it took 15 seconds for John to die but only 2 for Jim to die, I have just gained a *lot* of intel about where the enemy is and where the flow is. MOH doesn’t give me any chance to play on this level.
  • netcode is suspect. Far more than other games, I feel movement is glitchy when I’m next to a teammate. I also have plenty of moments where center-mass body shots gain me nothing but a shot I obviously missed on nets me a kill. Mysterious.
  • netcode is suspect 2: There is no indication of your latency in game. None.
  • Respawning is buggy. COD has done a great job making sure players spawn out of site of other players, but MOH has a lot to learn. I’m not sure I’ve actually ever seen someone spawn in COD, but in MOH I regularly actually see them spawn. There are moments where you can get set up and snipe guys spawning into the game. Not cool. Even less cool when you target artillery on a spawn. In COD, it happens but is rare that I die within seconds of a spawn. In MOH, it happens. A lot. More spawn locations and better ability to spawn out of sight is needed.
  • Map flow is suspect. Somewhat similar to the spawn item above, there are places on some maps in Team Assault where you can pin an enemy into and it absolutely sucks to bust out. This smacks of poor playtesting or poor multiplayer map design. COD also has come a long way in this regard these days.
  • In Team Assault, I really wish the maps had been larger. I really think game flow would be far better with larger maps where it is not just run 5 steps and start shooting. With some of these maps there is no chance to get a feel of the ebb and flow of the team dynamics. In maps that are big enough, they often suffer from a team being spawned in a poor corner and getting stuck in there.
  • Defensive perks are lost quickly. Because of some of the issues with maps and game flow, defensive perks are very quickly lost because you can die. A lot. And quickly.
  • Deaths are kinda slow (netcode?). It takes effort to figure out that I killed someone sometimes. They’ll take the hit, I’ll line up again, and then they keel over and I get the credit. Huh? Did he not know he was dead right away? Also in the same vein, I would love better indication on the HUD that I killed someone and who it was. COD:MW2 has this beautifully displayed along with their title/emblem for easy ID.
  • No titles, emblems, or anything that really helps you distinguish yourself. Sure, you can unlock a new skin at higher levels, but there’s not much else you can do.
  • When you step back for a moment, you realize there aren’t very many guns in the game.
  • Your team in a deathmatch can lose the game even if you had more net kills. This is because the score is based on points, not kills. This means players who can score chains of kills and drop artillery or call in defensive perks get even more powerful/useful because they can influence the score more than someone with the same number of kills but not able to string them all together for rewards. Honestly, this assumption goes against 20 years of FPS game scoring, and it’s just weird.
  • Not many maps. I’m likely spoiled by all the map packs in COD games, but so far MOH has very few maps to play.
  • Because of issues with map flow and quickness, the special sniper ability to lay down an IED and detonate it is useless other than if that’s all you want to do. MOH really should have allowed trip-wired claymores instead of something you have to actually trigger. That way you can benefit from it, but yet still dig in and shoot your gun.
  • Melee kills are underwhelming. COW:WaW had a *great* feel to them, and COD:MW2 was ok as well. Hatchet and knife kills in MOH are buggy, annoying, and have zero visceral feedback to them.

That’s a huge fucking list of complaints, but not everything is bad!

  • No COD voice chatter. No, seriously, MOH games have been largely quiet that I’ve played in. No kids or rednecks or gangsters or trailer trash or toddlers droning on about the most idiotic things like you hear, constantly, in COD. Over the weekend, I think I heard maybe 6 other players actually talk. That’s out of many hundreds I played with.
  • Physically, every player is on the same footing in game. There are no perks to run faster or have camoflage or quiet footsteps. The unlocks all pertain to weapons and gear, but not physical perks like COD. I like that.
  • Unlimited running ability. No reason for soldiers to be winded after 10 steps!
  • You can reload while running. We’ve obviously gotten more coordinated at Tier 1.
  • You can change your weapons/class/loadout mid-game while dead.
  • Minimap icons of enemies show which direction they’re facing.
  • Unlike COD games, missile launchers, bazookas, and grenade launchers don’t feel as cheap and powerful in MOH. Despite the fact that 2 of the 3 classes almost always have them available on their person.

And one undecided item: In hardcore team assault modes, you can kill your teammates, but it often takes *lots* of shots to do so. Part of playing hardcore is to be much more careful in what you do, and that includes friendly fire. Now, this does eliminate morons who just go and kill everyone, but COD:MW2 has already demonstrated how to properly handle them quite nicely. And I will fully admit that I do sometimes pick out particularly whiney people who seem like the kinds of people who will blow up at me if I kill them, to actually kill them when they’re on my team. I’m rarely wrong, and am far too entertained by such demonstrations by hot-tempered persons.

In the end, this game is making for a nice break between COD titles, but without a lot of polish and hot-patching, it leaves a large gap that needs work before it feels like a fun way to spend my time.

not surprised at the top sec concerns and top sec spends

Andy has another post I wanted to highlight, which itself echoes a post from Gunnar Peterson. They both cite a survey that shows:
top security purchases:

  • firewalls
  • antivirus
  • authentication
  • anti-malware

top security concerns:

  • mobile computing
  • social networks
  • cloud computing

I’m not surprised by this mismatch. In fact, I’d even go so far as to say this isn’t something that will ever change, nor should we get all steamed up about changing it. In 10 years, we’ll still have bleeding edge, complex items in the biggest concerns list, and the things we’re finally getting around to understanding will be the major parts of our spending.

Now, Gunnar and Andy both have excellent points, specifically about IT teams seeing IT problems and solving them with IT solutions; in fact, I’m positive their points hold merit.

But I think there are other ideas that trump those (I did comment on their blogs about it, and later decided I should just blog here). Those top 3 concerns are bleedingly new such that:

  • we fear new things because we don’t understand them, or don’t understand them because they’re new.
  • they’re too new for us to have solid approaches to handling them.
  • they’re too new for us to know if we should be worried or not! we tend to default to paranoid/worried, which is good!
  • too new to have obvious budget items assigned to them. Can I buy a box or some software that provide “cloud security” or “social media security?”
  • they’re so new the business doesn’t even know how to use them or what they want out of them. Let alone how we can secure them while still meeting or at least not stomping all over business needs. If the business doesn’t even know how to use them yet, I’m not sure security is in any position to guide that usage securely.

It also should be mentioned that these new things are being largely pushed via consumerland and into the business, with IT as a sort of, “Oh yeah,” thought. Firewalls, AV, AM, Auth are all IT responses to typically IT issues. Of course there is a difference there. They’re also very subjective issues, as opposed to very objective items like firewalls, known malicious bits, behaviors, signatures, ports. Business presents very complex issues that are often involving people (which we can’t patch) and that often don’t fit nicely into blanket rules. Even if we turned away from technical solutions and devoted our time into solving these problems, they are still not going to be neatly solved. Likewise, when push comes to shove, can you have and meet goals with firewalls? Can you show improvement? All of this flows from the rather subjective non-technical aspect of those issues. Sort of the difference between a child’s report card and the feedback you get from a parent-teacher conference. If you have a child, which one would you be most inclined to disagree with or not necessarily believe? (The answer is the subjective one!)

It could be said this is the natural progression of security and technology: from shoring up the technical controls to moving up the stack towards behavior and people. Sure, these 3 top concerns can be said to punch through firewalls and network segments, but that’s the nature of those things (social media “punching” through a firewall is far different than me punching through an SSH connection to bridge my home network; social media is akin to the *way* I use my SSH connection after the hold is already punched because it is needed; i.e. social media is the way port 80 is used.)

Basically, all indications point to not being surprised by this dichotomy. And I don’t think this is some further indication that IT/security is doing it wrong, or isn’t aligned properly with business, or has a technical dark-server-room background. I’m not saying we’re doing things right or we’re properly aligned, but the above isn’t a good argument to support the theory of those deficiencies.

Now for a really big jump. I’d liken the current increase in mobile computing to be as big as the introduction of computers into the business and later the PC/internet into business. Now, I wasn’t around when the former happened, nor was I in the industry when the personal computer revolution swept into business, but I would bet that is the closest comparison so far. I may even say the same for social media. These are damned new and they’re big changes beyond just bringing in Macs or new software or some new business process.

national geographic on the hackers life (defcon)

Via the infosecnews mailing list, I belatedly saw this excellent story about DefCon from a National Geographic reporter.

This is an example of what happens every year at the DefCon hacker conference in Las Vegas. Passionate hackers present their knowledge and capabilities, often times skirting the very fringes of legality. However, if you think that this is a convention for geek criminals, then you’ve been watching too much NBC.

I really wish the article had been Wired-feature-like in length (i.e. 5 more pages), but still the author gets his point across and is worth the quick read.

The attendees at DefCon are pioneers on a myriad of levels. Socially they challenge convention on every strata. Fashion-wise there are no boundaries and norms, just personal styles that clothe intelligent minds. In the realm of the internet, communications and other security genres, there is no equal.

windows credentials editor (pass-the-hash) tool released

This was tossed out this week across some mailing lists: Windows Credentials Editor v1.0 has been released. Scroll down on the link a bit to find more details, but basically this is a quick CLI executable that you can run and snag or edit (think: pass-the-hash) stored hashes on a Windows system. Sexxeh!

As usual, run strange executables in a responsible manner at your own risk!

complex apathy won’t go away

AndyITGuy has a piece up on his blog: No incentive to end apathy. I agree with some of what he says, but I’ll also take a hastily-composed counterpoint for the sake of it!

In it, he says, “In many other parts of our life we are expected to know and do the right thing and if we mess up we pay.”

…unless you want to sue someone and make *them* pay! We have a very ‘point-fingers-first’ attitude when things go wrong, these days. I’m not saying that’s healthy, but that’s what I see, largely pimped by mainstream media.

Andy ultimately takes the position that we have a problem where users are not taking personal responsibility for their online activities because entities like the banks are removing the incentives to do so. (I’d say that’s like expecting children to learn proper behavior when you never actually punish them for anything…except I have no children so I better not go there!)

I always get back to my two core analogies: car maintenance and home security. I’ll try not to belabor those examples, but the core idea is that these topics are not difficult to think about, to attempt to solve, or understand the costs/risks. Yet still, many people put both their car (and lives/others) and their personal safety at risk.

And we want to think they can understand and ever act accordingly online? I don’t think so. One thing I continue to need to come to terms with is my proximity to all things cyber since I was 15 years old or so, or more appropriately, being interested in security since about 23. So many of my family, friends, coworkers still just don’t understand it. And by it I mean both security and how the Internet works, or the dangers therein, or how attackers can do things. These are still advanced topics to those who barely grasp the fundamentals.

Even setting that aside at the moment, the problem gets ever more disheartening when someone does some commonly smart things to protect themselves, but then makes one mistake and they’re pwned. They hop on a wireless network at a con, accidentally click a link that takes them somewhere, or legitimately click a link to a place they wanted to visit but didn’t know is just a flytrap or already pwned themselves. Or they write a sex thesis and think it is just a private joke shared with a couple friends but winds up posted to the world. What is one to do?

I’m certainly not saying it is hopeless to educate the masses, but I can’t envision them ever “getting it” enough to put a dent in the problem. Still, I’m not happy either for the shielding people get for their personal failures. *shrug* This is a thorny topic…admittedly.

I wonder if the Middle Ages had any equivalent problem. “Stop buying that useless ointment from that trickster! It’s making you sicker!” “Stop paying for those pardons, God doesn’t need your money!”

I will say one thing: If someone mugs me on the street, do I get to blame someone and they will repay my money? Or if my house is broken into, what recompence am I entitled? What if I didn’t opt for suitable insurance? Will I just get a lecture on how I shouldn’t have been walking on that street at night or should have had some guard dogs?

really enjoyed reading the verizon pci report

I previously mentioned Verizon’s new DBIR supplement related primarily to compliance (PCI) efforts they see, and I’ve finally gotten to read this very fine piece of work. So, my thoughts follow! If the report is too wordy for some reason, skip to page 10 and read the 12 requirement sections. (I had some PCI-related reactions to the DBIR already.) I really think this PCI Report (PCIR) is well-written and contains some very realistic and practical observations and information.

Requirement 1 (firewall configuration) – The PCIR sounds pretty accurate in why orgs don’t meet req 1: poor reviews of firewall/router rules, proving those reviews take place, documenting business cases, and poor egress filtering. Poor documentation could be *greatly* helped if firewall products allowed any sort of comment/description field with enough space to be useful. As it is, it seems rare that firewall rules can begin to be documented inside the actual tools. Tracking and reviewing this sort of documentation becomes a huge task when talking about more than a few firewalls/networks.

Requirement 2 (vendor defaults) – I’m not surprised by the 2 of the 3 big reasons for challenges here: harden systems by turning off unneeded services/functions and document why some can’t be turned off. These go into having a very mature system build and configuration process. It’s way too common for people to say, “I’ll harden this system,” but then just look for some magical checklist somewhere that says what to turn off. This is a beast to tackle for the first time.

Requirement 3 (stored data) – Also am not surprised here that the big hang-ups are key management and the encryption of things outside the static databases. Key management is probably foreign to most teams, and not something anyone wants to handle, especially if encryption is done inside the tools and maybe not easily changed. I really think Verizon hit on one issue in the PCI DSS: there is data in transit and data at rest, but I believe there are two subsets of data at rest: data not in use and data actively in use. Obviously the latter is the problem child.

Requirement 4 (encrypted transmission) – I am glad the PCIR mentioned 4.2. I imagine that one is very often compensated for and/or over-looked (or just flat-out specifically ignored as being too small a trickle to be impacting!), despite actually being violated. It is hard to test for, and is entirely encumbent on the host org to expose this. Even an internal IT team can’t really answer this alone without DLP-scanning-type technology, let alone a time-bound/access-bound auditor.

Requirement 5 (AV software) – I’m still partly surprised this isn’t higher, but also surprised this isn’t lower. While everyone should have AV everywhere, I’d be curious how many shops really are staying on top of any systems that get stood up without it being installed or systems with broken agents or outdated sigs for whatever reason…

Requirement 6 (dev and maintenance) – Patching. I wonder how much subjectivity still goes into this? Quarterly updates may be too long for some auditors to recommend. And what about applications, pieces of web applications, and network gear? It is not uncommon for a networking guy to only do updates when necessary as opposed to having an outage every 2 weeks for a new Cisco IOS version actoss 100 switches. Developing web apps securely is something I would still consider a foreign concept to most developers and development teams (inclusive of mgmt/leaders). It is even more foreign for said teams to update third-party pieces *inside* the apps. Hell, most don’t even document their presence! On the flip side, I think this is very hard for an auditor to be truly thorough in checking out.

Requirement 7 (logical access) – I agree with what the Verizon PCIR discussed on this topic. Beware anyone who bandies about the term RBAC. It’s easy on paper, but difficult in practice. Anyone who has managed accounts or Active Directory knows this requirement is nasty if someone gets serious about it. But it is oh-so-refreshingly easy when in place and enforced.

Requirement 8 (unique IDs) – I think the challenge in this item is likely all the web apps and other things with unique IDs, like the PCIR mentions for networking devices. That, and the regular rotation of things like service account passwords. Such tasks are almost always outage-inducing, and business/IT tends away from outages.

Requirement 10 (tracking and monitoring) – I think this whole requirement is often foreign to IT teams. Sure, some do figure out central logging, but that’s really just for operations and troubleshooting. Everything else can be a huge new capital expense or ongoing budget item. And application logging is often done only insomuch as it helps a developer troubleshoot something, and does not adhere to any standard. FIM is also new, and again, a huge beast if someone takes it properly seriously.

Requirement 11 (regular testing) – This requirement falls back into the category: new expense. Not easy for teams to swallow. Even a FIM is not something you just find a checklist for, buy a tool, turn on, and forget. Vuln scans are not turn on and forget. Show me a clean vuln scan and I’ll show you how it is misconfigured. You should have pages upon pages of false positives to deal with, or real issues that need addressed.

Requirement 12 (security policies) – Incident Response is a new item in many SMBs. Likewise, there may be a discrepancy in policy and actual practice partly because of who writes them. Policies can be often written by auditors, management, and outside parties paid to craft them. But they need to be made by, or in close association to, actual IT workers who do the work. I think req 12 is very often just outsourced and then never really followed. Even my own organization falls into this trap with some policies that make me wonder if anyone understands exactly how much work it is for me to ethically adhere to some policies while balancing business needs.