Brian Pennington

A blog about Cyber Security & Compliance


Pen Testing

2018 changes to PCI DSS v3.2

Several PCI DSS requirements from version 3.2 come into effect at the end of January, 2018 (that’s just five months from now!).

Here is a list of some of the changes that will come into effect:-

3.5.1: Full documentation of all cryptographic architecture (service providers only)

6.4.6:  Change management processes that include verification of any PCI DSS impact for changes to systems or networks

8.3.x:  MFA for all non-console access to CDE.  This requirement has been the subject of much discussion, and we expect many entities to require remediation.

10.8:   Detection and reporting of all critical security control system failures (service providers only)

Penetration testing of segmentation controls must now be performed every 6 months, as well as after any segmentation changes (service providers only)

12.4.1: Executive management must establish PCI responsibilities and compliance program management (service providers only)

12.11.x: Quarterly reviews to confirm that personnel are following security policies and procedures (P&Ps) (service providers only)

Office agrees it must do more to protect customer data

The UK Information Commissioner’s Office (ICO) has warned shoe retailer Office after the personal data of over one million customers was hacked.

The hacker accessed customers’ details and website passwords via an unencrypted database.

Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:

“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.”

“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”

“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”

The data breach also highlights the risks associated with customers using the same password for all their online accounts.

Sally-Anne Poole added:

“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”

Office has agreed to an “undertaking under the Data Protection Act 1998”; the details are here.

65% of organisations have been breached by a SQL Injection attack

Ponemon Institute has released its report, The SQL Injection Threat Study, sponsored by DB Networks. The purpose of the research was to understand how organisations respond to the SQL injection threat and their awareness of the different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents were familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.

SQL injection is defined as:-

an attack on data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public-facing websites, but it can be used to attack SQL databases in a variety of ways.
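The definition above turns on one mechanism: untrusted input from an entry field ending up inside the SQL text the database parses. The following is an added example (not code from the report, DB Networks or this blog) showing the weak pattern beside the hardened one, using Python's built-in sqlite3 module and a constructed in-memory customer table. An ordinary name containing an apostrophe is enough to show the difference: the concatenated query hands the apostrophe to the SQL parser and fails, while the parameterised query treats the whole string as a value. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not taken from the report).
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "o'brien", "obrien@example.com"),
    (3, "bob", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def find_customer_vulnerable(conn, name):
    """Weak pattern: the entry-field value is concatenated into the SQL text,
    so any quote or operator in the input is parsed as SQL rather than
    treated as a value. This is the defect SQL injection exploits."""
    query = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn, name):
    """Hardened pattern: a parameterised query. The SQL text is fixed and the
    input is bound separately, so it can never alter the statement's structure."""
    query = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Run both paths on the same input and report what each one did, so the
    'input as code' versus 'input as data' distinction is visible."""
    conn = make_db()
    safe_rows = find_customer_safe(conn, name)
    try:
        vuln_rows = find_customer_vulnerable(conn, name)
        vuln_result = ("ok", len(vuln_rows))
    except sqlite3.OperationalError as exc:
        # A syntax error here proves the input reached the SQL parser: the
        # database tried to interpret the apostrophe as part of the statement.
        vuln_result = ("sql_error", str(exc))
    conn.close()
    return {"safe_rows": len(safe_rows), "vulnerable": vuln_result}


if __name__ == "__main__":
    for name in ["alice", "o'brien"]:
        print(name, compare(name))
```

The same lesson applies to the report's later point about validating third-party software: a code review or test that feeds quote characters into every entry field and watches for database syntax errors will surface the concatenation pattern quickly, whereas the parameterised form behaves identically whatever the input contains.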

Key findings extracted from the report:-

  • The SQL threat is taken seriously because 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% of respondents say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. 46% of respondents are familiar with the term Web Application Firewall (WAF) bypass. Only 39% of respondents are very familiar or familiar with the techniques cyber criminals use to get around WAF perimeter security devices.
  • BYOD makes understanding the root causes of an SQL injection attack more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers.
  • Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack and 34% agree that they have the technologies or tools to quickly detect a SQL injection attack.
  • Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52% do not take such precautions as testing and validating third party software to ensure it is not vulnerable to SQL injection attack.
  • Organizations move to a behavioural analysis solution to combat the SQL injection threat. 88% of respondents view behavioural analysis either very favourably or favourably.
  • 44% of respondents say their organization uses professional penetration testers to identify vulnerabilities in their information systems but only 35% of these organizations include testing for SQL injection vulnerabilities.
  • 20% continuously scan active databases, 13% do it daily, 25% scan irregularly and 22% do not scan at all.

The full report can be found here.
