Brian Pennington

A blog about Cyber Security & Compliance

May 2011

The State of Data Security a report by Sophos

Sophos has published its first report focused on data security, “The State of Data Security”.

The report is an excellent read, with 25 pages packed full of information and advice.

The report provides advice and guidance to businesses interested in protecting their data, including “Today’s IT and business managers must take a hard look at the risks and costs of potential data loss. Creating a proactive data security plan arms you with the knowledge you need to manage the risk and helps you to stay compliant with data protection rules and regulations.”

Some statistics and quotes from the report:

  • The U.S. had the highest cost per compromised record at $204, followed by Germany at $177, France at $119, Australia at $114 and the U.K. at $98
  • CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of respondents’ organizations experienced a security event during the past 12 months, compared with 60% in 2010. Twenty-eight percent of respondents saw an increase in the number of security events as compared with the prior 12 months
  • In a survey of 1,000 people in the U.K., 94% ranked “protecting personal information” as their top concern, equal to their concerns about crime, according to The Telegraph.
  • According to security expert Rebecca Herold, you’ll cover roughly 85 to 90% of compliance regulations if you practice effective data protection
  • About 85% of all U.S. companies have experienced one or more data breaches, according to the Ponemon Institute
  • In 2010, malicious attacks were the root cause of 31% of the data breaches studied, according to the Ponemon Institute – up from 24% in 2009 and 12% in 2008
  • According to the Identity Theft Resource Center, at least 662 data breaches in the U.S. occurred in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit card or debit card data
  • With over 500 million U.S. records of data breaches and loss since 2005, it’s no surprise that these data loss stories are headline news.

The report can be downloaded here.


Serious Disconnect Between Businesses and Mobile Users


McAfee have released their report “Mobility and Security: Dazzling Opportunities, Profound Challenges”.

“Devices are no longer just consumer devices or business devices. They are both,” said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University, the primary author of the report. “Devices are more than extensions of the computing structure, they are extensions of the user. The way users interact with their personal data mirrors the way they want to interact with corporate data.”

Key Report Findings:

  • Reliance on mobile devices is already significant and accelerating rapidly; the emerging mobile environment is both diverse and freewheeling
  • IT is becoming increasingly consumerized as evidenced by the fact that 63 percent of devices on the network are also used for personal activities.
  • Lost and stolen mobile devices are seen as the greatest security concern for IT professionals and end-users – Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data. More than a third of mobile device losses have had a financial impact on the organization and two-thirds of companies that had mobile devices lost/stolen have increased their device security after this loss.
  • Risky behaviors and weak security postures are commonplace – Although the need for mitigating mobile security risks and threats is acknowledged, fewer than half of device users back up their mobile data more frequently than on a weekly basis. Around half of device users keep passwords, pin codes or credit card details on their mobile devices. One in three users keeps sensitive work-related information on their mobile devices.
  • There is a serious disconnect between the policy and reality – 95 percent of organizations have policies in place in regard to mobile devices
  • Mobile devices are being used by much of the workforce, over extended periods of time, for a significant percentage of tasks previously conducted on desktops.
  • On average, employees use mobile devices for work purposes between 2 and 4.5 hours a day. On average, use of laptops was 4.5 hours per day.

Mobile devices are used in a wide range of job functions

  • Business executives using them most – 56%
  • Sales and others in the mobile workforce – 47%

Mobile phone usage

  • Email – 93%
  • Contacts – 77%
  • Web access – 75%
  • Calendaring – 72%

Four different types of mobile devices are used by at least one-third of employees for both professional and personal use:

  • Laptops – 72%
  • Smartphones – 48%
  • Removable media, including USBs – 46%
  • External hard drive – 33%

Almost Half of Users Keep Sensitive Data on Mobile Devices

Type of information stored on the device                                   Passwords/Pin Codes   Credit Card details
Professional & personal information & data                                 23%                   19%
Only professional information & data                                       11%                   7%
Only personal information & data                                           17%                   15%
I do not use, store or send this information or data using mobile devices  49%                   58%

Recommendations for Businesses

  • Mobility is ushering a new computing paradigm into the workplace. With devices eclipsing PCs and virtually every business application being device-ready, mobile computing offers an opportunity to make workers more productive, competitive, and happy. Mobility done right is a major competitive advantage in the workplace.
  • Consumerization of IT is here to stay. Many smart companies are allowing, encouraging, and, in some cases, providing a stipend for, employees to bring their own technology to work. Businesses need to find ways to enable, secure, and manage employee-owned technology in an optimal way to drive cost savings.
  • Users are changing the way they think about policies. Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role, and the situational context.
  • Data loss and leakage are of utmost concern to individuals and enterprises, and there is no silver bullet. Classify data, even at a high level, and apply data leakage processes and mechanisms in order to protect corporate data while respecting users’ privacy.
  • User awareness about mobile threats is still nascent. Apply security and management paradigms from laptops and desktops to mobile devices. Educate users about the risks and threats through employee agreements and training. “Businesses must find ways to protect corporate data, and call it back when an employee leaves, while ensuring the privacy of the employee,” says David Goldschlag, vice president of Mobility for McAfee. “Employees are no longer lifelong members of the organization, but rather consumers, who often change jobs every few years. When they do, they come with a kit of stuff, but once they leave, they need to give you back the data that belongs to the company. Businesses need a way to facilitate that process while respecting the ‘kit’ that the employee brings to the company.”

Recommendations for Mobile Users

  • You are part of a computing sea of change. With devices eclipsing PCs, and virtually every app device-ready, mobile computing offers you an opportunity to be entertained, informed and connected wherever you are. Use this to your advantage to be more productive on the go.
  • Driven by users’ desire for device choice and employers’ need for cost savings, individuals are increasingly bringing their own devices to work. Take advantage of your employers’ program and use your technology to be more nimble in your work.
  • Familiarize yourself with your employer’s mobile device policy and the intent behind it, and decide whether it fits your needs. If so, accept the policy and move on; if not, use two devices, one for personal use and one for work.
  • Take steps to secure your device. Install anti-theft technology, and back up your data. Configure your device to auto-lock after a period of time. Don’t store data you can’t afford to lose or have others access on an insecure device.
  • Be aware of mobile device threats. In many ways, they are the same as in the online world. You can be hacked, infected, or phished on a mobile device just as easily (and often more easily) as you can online.

The McAfee White Paper can be found here http://www.mcafee.com/us/about/news/2011/q2/20110523-01.aspx


25% of Mobile Network Operators are not PCI DSS Compliant

Vesta Corporation conducted a survey of Mobile Network Operators (MNOs) in the USA and Europe and discovered that over a quarter of them were not compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Of equal concern are the 35% who did not know of the potential financial penalties they could face in the event of an Account Data Compromise (data breach).

Key findings of the survey

  • 25% of respondents are not currently PCI DSS compliant
  • 35% of respondents were unaware of potential penalties for non-compliance
  • The average cost of initial PCI DSS compliance was approximately $700,000 USD
  • Over 50% were spending over $1,390,000 USD annually in PCI compliance maintenance costs.
  • 69% of respondents stated that more than three people in their organization work full time on maintaining PCI compliance.
  • 56% felt that the greatest impact of a security lapse or data breach to their business would be a loss of customer confidence.
  • Over a third of these maintain an internal security group for PCI compliance.
  • Under a quarter of respondents maintain PCI DSS via cross functional teams that receive direction on a group level with local implementation.
  • All respondents regard the touchpoints of live agent, Web and retail as very important to the success of their organization’s PCI compliance.
  • The areas of highest concern mentioned by the operators included ensuring applications and systems are compliant; network monitoring and scanning; and vulnerability management.

“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data,” said Joshua Rush, VP Marketing at Vesta. “However, compliance should not be viewed as a mandatory demand by the card associations but as a competitive sales and marketing differentiator at a time where data security is of paramount concern to subscribers.”

The white paper can be downloaded here.

For more information on PCI DSS visit the PCI resources page here.


Fraudsters steal $1.4 Billion from Airlines


CyberSource Corporation’s survey found that while airlines are gaining in their war against fraud, much work remains to be done. Airlines reported a loss of about $1.4 billion USD to online payment fraud in 2010.

Dr. Akif Khan, CyberSource’s Director, Products and Services said: “The good news is that in terms of fraud loss rates, 2010 results showed a 31 percent improvement over 2008. Clearly, airlines have not only recognized the challenge but have made timely adjustments to it.” According to the survey, changes made by airlines in the last two years include higher use of fraud detection tools in automated screening (7.3 on average, compared to 5.8 in 2008), along with rejecting more bookings due to suspicion of payment fraud.

Selected survey findings

  • Experience counts: airlines with fewer than three years of online selling experience have higher fraud loss rates, higher manual review rates, and higher reject rates than their more experienced competitors. For example, airlines with more than ten years of online selling experience manually review 15 percent of their bookings; those with fewer than three years review 53 percent
  • Airlines may be ignoring a powerful anti-fraud tool: Only three percent of airlines surveyed used public record searches to validate bookings. But those that used the tool felt it was one of their most effective anti-fraud measures. (Public record searches are not universally available.) Device fingerprinting and third-party fraud scoring models were among the top tools merchants cited as considerations for future use
  • Automated review requirements will accelerate: According to the International Air Transport Association, passenger revenue will increase by 7.3 percent in 2011, but nearly 90 percent of airlines surveyed say their manual review staff levels will remain the same. Automation will have to make up the difference.

“Fraudsters will move to the weakest link in the chain,” said Christopher Staab, Managing Partner of Airline Information. “And that weak link is most likely going to be the airlines unfamiliar with how sophisticated fraud can be perpetrated with online ticketing sales. That’s why this type of data is so critical for the airline industry worldwide. There are solutions out there – airlines need to implement them.”

CyberSource report that a typical fraud scenario in the airline industry plays out as follows:

  1. Fraudster illegally obtains credit card data;
  2. Fraudster obtains name, address, and other appropriate information for a genuine customer interested in buying “discount” tickets;
  3. Fraudster buys the ticket in the innocent person’s name, using the stolen credit card number;
  4. Fraudster delivers ticket to the customer and receives payment in cash

CyberSource’s website can be found here.


PCI Standards Council Announces New Board of Advisors

On the 20th May 2011, the PCI Council announced its new Board of Advisors. More than 600 Participating Organisations elected the Board of Advisors. Participating organisations include merchants, financial institutions and processors from around the world.

The 2011-2013 PCI Board of Advisors will provide strategic and technical guidance to the PCI Security Standards Council that reflects the varied and unique industry perspectives of those across the payment chain. In addition to advising on standards development, the Board of Advisors plays a critical role in soliciting feedback and ideas, leading Special Interest Groups (SIGs); and helping the Council fulfil its mission to raise awareness and the adoption of the PCI Standards.

More than 76 organisations from across the payment industry were nominated for their direct experience and leadership in the field. The 21 seats were distributed within the categories of:

  • Financial Institutions
  • Merchants
  • Processors
  • Vendors
  • Others (Industry Associations, etc.)

The new Board of Advisors is comprised of representatives from the following organisations:

  1. Barclaycard
  2. British Airways
  3. Cartes Bancaires
  4. Cielo
  5. Cisco
  6. Citi
  7. Disney
  8. European Payments Council
  9. First Data Corporation
  10. Heartland Payment Systems
  11. Ingenico
  12. International Air Transport Association (IATA)
  13. JPMorgan Chase & Co
  14. McDonald’s
  15. PayPal
  16. RSA
  17. Tesco Stores Limited
  18. TSYS
  19. VeriFone Systems
  20. Wal Mart Stores
  21. Woolworth’s

“Industry participation is crucial to our work here at the Council. I am ecstatic to see the record number of people who were involved in this year’s election process and the breadth of experiences and perspectives that this new Board represents,” said Bob Russo, general manager, PCI Security Standards Council.

“As we continue to strengthen the standards and their adoption globally, this group will play a leading role in the protection of cardholder data against security threats worldwide.

“I am thrilled about the increase in European representation on the Board this term. It is a testimony to the excellent work and collaboration that is taking place in Europe to drive payment security forward,” said Jeremy King, European regional director, PCI Security Standards Council. “With their input, I’m confident that we can continue to make great strides in engaging European stakeholders in this important global initiative.”

For more information on PCI DSS visit the PCI Resources page here.


Mobile Device Vulnerabilities at an all time high


A study commissioned by Juniper Networks found that enterprise and consumer mobile devices are being exposed to a record number of security threats.

The study’s key findings include:

  • App Store Anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of Smartphone users are not employing an antivirus solution on their mobile device to scan for malware
  • Wi-Fi Worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
  • The Text Threat: 17 percent of all reported infections were due to SMS Trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
  • Device Loss and Theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
  • Risky Teen Behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device
  • “Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010

“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation. There are specifics steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand.”

“The last 18 months have produced a non-stop barrage of newsworthy threat events, and while most had been aimed at traditional desktop computers, hackers are now setting their sights on mobile devices. Operating system consolidation and the massive and growing installed base of powerful mobile devices is tempting profit-motivated hackers to target these devices,” said Jeff Wilson, principal analyst, Security, at Infonetics Research.

“In a recent survey of large businesses, we found that nearly 40 percent considered smartphones the device type posing the largest security threat now. Businesses need security tools that provide comprehensive protection: from the core of the network to the diverse range of endpoints that all IT shops are now forced to manage and secure.”

The study specifically reports the following:

  • 400 percent increase in Android malware since summer 2010
  • 1 in 20 mobile devices was lost or stolen, requiring locate, lock, or wipe commands
  • 20% of all teens admit sending inappropriate or explicit pictures or videos of themselves from a mobile device
  • 61% of Juniper Networks-detected malware infections are from spyware
  • 17% of Juniper Networks-detected mobile malware infections are from SMS Trojans
  • Mobile malware grew 250% from 2009 to 2010
  • 1 in 20 mobile devices is lost or stolen, risking loss of confidential and sensitive data.
  • 83% of teens use mobile technology to stay connected with friends and family.
  • 20% of all teens have been cyberbullied through a mobile device.
  • 20% of teens admit to having sent inappropriate or explicit pictures or videos from their cell phones
  • 39% of teens admit to sending sexually suggestive messages from their device
  • 29% of teens admit that they are sending suggestive messages, or inappropriate and explicit pictures or videos to someone they have never met
  • 44% of teens admit that it is common for suggestive messages that were received to be shared with someone else

The study recommends the following:

For Consumers:

  • Install an on-device anti-malware solution to protect against malicious applications, spyware, infected SD cards, and malware-based attacks on the device
  • Use an on-device personal firewall to protect device interfaces
  • Require robust password protection for device access
  • Implement anti-spam software to protect against unwanted voice and SMS/MMS communications
  • For parents, use device usage monitoring software to oversee and control pre-adult mobile device usage and protect against cyberbullying, cyberstalking, exploitative or inappropriate usage, and other threats

For Enterprises, Government agencies and SMBs:

  • Employ on-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks against the mobile device
  • Use SSL VPN clients to effortlessly protect data in transit and ensure appropriate network authentication and access rights
  • Centralize locate and remote lock, wipe, backup and restore facilities for lost and stolen devices
  • Strongly enforce security policies, such as mandating the use of strong PINs/Passcodes
  • Leverage tools to help monitor device activity for data leakage and inappropriate use
  • Centralize mobile device administration to enforce and report on security policies

For further details, click here


A short history of Android security issues

In its recent study, Juniper Networks uncovered some very interesting facts on the growing risk to Android-based mobile devices.

The timeline for the development of the threats is as follows:

Android Attacks: 2010

  • January 2010: First bank phishing application for Android
  • March 2010: First Android “botnet”
  • July 2010: GPS monitoring embedded in Tap Snake game
  • August 2010: First Android SMS Trojan
  • November 2010: “Angry Birds” proof-of-concept malware demonstrated
  • December 2010: First pirated Android application, Geinimi

Android Attacks: 2011

  • January 2011: ADRD and PJApps available in China
  • March 2011: Myournet/DroidDream, the first Android malware available and distributed through Android Market on a large scale, affects 50,000 users. Google’s solution, the Android Market Security Tool, was also pirated and turned into malware in China.
  • April 2011: Walk-and-Text pirate puts egg on users’ faces.
  • April 2011: Research at IU Bloomington results in “Soundminer” proof-of-concept communications interception application.

Overall there was a 400% increase in Android malware since summer 2010.

In summary, the bad guys have seen the growth of the smartphone market and are turning their skills to the development of tools and attack vectors for the operating systems on them, including Android.


Global Threat Report Quarter 1 2011


The Cisco Quarter 1 2011 Global Threat Report has been released. The Cisco Global Threat Report is a compilation of data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.

The highlights for Quarter 1 2011 include:

  • 105,536 unique Web malware were encountered in March 2011, a 46% increase from January 2011
  • Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011
  • 45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google’s Gmail
  • Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11
  • 33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs
  • SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service
  • Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011
  • At 13%, Miley Cyrus–themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%
  • At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter
  • Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11
  • Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems
  • As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown
  • Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010
  • With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11

Cisco’s Top 10 Signature Findings Q1 2011

Signature                                                                     Percentage
Generic SQL Injection                                                         55.03%
Web View Script Injection Vulnerability                                       7.01%
Gbot Command and Control Over HTTP                                            5.16%
B02K-UDP                                                                      5.20%
Cisco Unified Videoconferencing Remote Command Injection                      4.91%
Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution      3.27%
Windows MHTML Protocol Handler Script Execution                               2.47%
WWW WinNT cmd.exe Access                                                      1.30%
Web Application Security Test/Attack                                          1.19%
MyDoom Virus Activity                                                         1.16%

Note that the MHTML vulnerability described in Microsoft KB 2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0 – 33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).

While a frequently occurring event in 1Q11, SQL injection attempts remained at a fairly steady pace throughout the quarter, with the only notable increase occurring in the latter part of March 2011.

Cisco RMS Top 10 by Port Activity

Port    Percentage
80      69%
40436   2.23%
25      2.17%
161     1.39%
5060    1.27%
123     1.16%
34227   1.13%
443     1.05%
21      1.00%
20      0.71%

Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts.

This interest in Twitter credentials is likely due in part to Twitter users’ acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fuelled by the trust engendered through social networking in general.

The report can be downloaded here.


eCrime Trends Report Q1 2011 – Phishing Up – Rustock Down

Internet Identity (IID) has released their eCrime Trends Report: First Quarter 2011.

The report is a summary of statistics and news items from this year’s first quarter and serves as a useful reminder of how regularly breaches occur and how easy it is to forget about the last big breach.

Every month seems to bring another record for the largest breach: Epsilon was usurped by Sony; who will be next? This is why quarterly reviews are so important.

The highlights of the IID report are below:

IT security firms in the cybercrime crosshairs

  • Breach of HBGary Federal reveals vulnerability of the extended enterprise
  • Internal emails exposed information about partners and clients
  • RSA Security breach

Notorious Rustock botnet goes offline

  • Microsoft and law enforcement cooperate in unprecedented action to shut down and confiscate criminal servers
  • Significant reduction in spam noted worldwide

Phishing attacks

  • National banks saw increase of 11% over Q4 2010
  • Banks outside the U.S. increased most dramatically
  • Recent database breaches could lead to increased spear phishing in the coming quarter
  • Compared to Q4 2010, phishing targeting larger, national banks increased 11%. Much of the growth was seen in non-US based banks, which took three of the top five spots among banks
  • Phishing in Q1 2011 grew 12% over Q1 2010.

Parts of the Internet went dark in Q1 for a variety of reasons

  • Egyptian ISPs ordered to shut down following Internet-led protests
  • Mooo.com seizure by DHS temporarily suspended 80,000 subdomains
  • Rabobank blackholed its own DNS records in an attempt to combat DDoS attack

“As we’ve seen with recent attacks against Sony’s PlayStation Network and Epsilon, cyber criminals now have inside information about tens of millions of customers to use in highly targeted phishing campaigns,” said IID President and CTO Rod Rasmussen.

“The worry is that with all of this specific data, cyber criminals have all they need to convince people to share their highly valuable personal information. Organizations must ensure they are taking every measure to stop these attacks, including blocking access to phishing sites and command and control domains for malware that exfiltrates data. This should be done with e-mail filtering, firewalls and secure domain name system resolvers.”

Read the full report here.


PCI Compliance Risks for Small Merchants and where they are failing


Trustwave have released a supplement to their 2011 Global Security Report on Payment Card Trends and Risks for Small Merchants.

According to the report, merchants fail to achieve PCI DSS compliance in several areas, with the six most commonly failed requirements being:

99.2%   Track / Monitor Network Access
98.4%   Regularly Test Security
97.5%   Maintain a Firewall
95.1%   Maintain Internal Security Policies
92.6%   Assign Unique User Ids
90.9%   Develop Secure Systems and Applications

The report states, “approximately 90% of compromises came from the Level 4 merchant space in 2010.” PCI DSS categorises a Level 4 merchant as a business that processes fewer than 20,000 Visa e-commerce transactions annually, or any other merchant processing up to 1 million Visa transactions annually.

The top 5 Industry Sectors that experience a PCI DSS compromise are:

57.0%   Food and Beverage
18.0%   Retail
10.0%   Hospitality
6.0%   Government
6.0%   Financial

Breaches occur in 5 specific areas with the majority occurring because of weaknesses in software:

75.0%   Software POS
11.0%   Employee Workstation
9.0%   e-commerce
3.0%   Payment Processing
2.0%   ATM

The Report has the Top Five Areas where Merchants are Falling Short of Compliance as:

  1. Do you have written security policies and procedures that address the protection of paper with credit card numbers such as receipts and the physical security of your card processing device?
  2. Do you have a formal training program for all relevant employees that teaches them about security as it relates to credit cards, paper with credit card numbers on them and the devices that process credit card transactions?
  3. Do you or does anyone at your business log or record your customers’ credit card numbers in a computer, for example, in a back office computer, a laptop or financial application?
  4. Do you check your store or office for unauthorized wireless access points on at least a quarterly basis?
  5. Do you perform external (Internet) network vulnerability scans at least once per quarter?

Cost of non-compliance

Trustwave’s Report states “Fines have averaged $5,000 to $15,000 per card brand. We see forensic investigations start in the $10,000 to $15,000 range as well. Card re-issuance and fraud loss are dependent on the size of the breach. However, fines can vary greatly depending on a number of factors and can reach into the hundreds of thousands of dollars in some cases”.

Trustwave: www.trustwave.com

See the PCI Resources page for more details on PCI DSS.
