The BBC has a headline story on the second professional athlete to be seriously injured or die on a superpipe in Utah.

The four-time Winter X Games champion crashed on the same superpipe where snowboarder Kevin Pearce suffered a traumatic brain injury during a training accident in late 2009.

[…]

“There are inherent risks in everything,” [Peter Judge, chief executive of Canada’s freestyle team] said prior to her death.

“Freestyle is a very safe sport in large part because we had to build a safe sport in order to get into the Olympics.”

Judge really should explain exactly why he believes the sport is safe instead of using a tautology — saying the same thing twice.

If I were to use similar reasoning as the above I could say this is a brilliant blog post because in order for it to be a blog post it has to be brilliant. What I want to hear is how vulnerabilities and threats are addressed at a reasonable level of detail. The more detailed the scrutiny the more likely improvements can be found; two major accidents by top talent on the same spot in two years (high severity and high frequency) suggests some safety gaps may be at hand.

A strange statement popped out at me in an article called Top 10 PCI Compliance Mistakes.

“PCI DSS 2.0 mandates that even if one VM deals with cardholder data, your entire virtual infrastructure must comply with the standard. The challenge is — the wording in PCI DSS on virtualization is vague and it all depends on the interpretation of the auditors,”

First, your entire virtual infrastructure does not have to comply with the standard if just one VM deals with cardholder data. That must be a misquote. I think what was meant was that a VM with cardholder data brings into scope the infrastructure that supports it (e.g. connected to or hosted on, per the Virtualization Guidelines quoted below). An entire virtual infrastructure can obviously include areas that are unrelated and unconnected to the VM in question. Segmentation is possible.

Second, the PCI assessors (not the same as auditor, but the two terms seem to be interchanged now) always interpret regulations. I say PCI DSS is one of the most prescriptive and therefore least vague. Moreover, it does not all depend on interpretation of the assessors. That is like saying food safety all depends on the health inspector. The Security Standards Council (SSC) for example can clarify or otherwise overrule an assessor’s interpretation.

With that in mind, here are a couple relevant sections.

PCI DSS 2.0:

2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.

PCI DSS 2.0 Information Supplement: PCI DSS Virtualization Guidelines

If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope.

I wrote last year a white paper on PCI compliance mistakes specific to virtual environments that you may find useful: 5 Mistakes Auditing Virtual Environments (You Don’t Want to Make)

I also wrote an earlier post on PCI scope errors.

My RSA Conference 2012 Podcast has been posted

Session DAS-302: Message in a Bottle – Finding Hope in a Sea of Security Breach Data

Breach data is now available from a wide variety of sources and perspectives. This session will explore issues like why some industries receive more attention yet see fewer breaches and how to re-frame the insider/outsider threat model given the rise of mules and hybrid attacks.