Brian Pennington

A blog about Cyber Security & Compliance

What Is Your Business’ Greatest Cyber Threat?

Verizon 2012 Data Breach Investigation Report – a summary with a PCI DSS view point

The 2012 Verizon Breach Investigation Report is out and I have attempted to summarise all 80 pages below.

The study was conducted by the Verizon RISK Team in cooperation with the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the Police Central e-Crime Unit, and the United States Secret Service.

The introduction states,

The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of “hacktivism” rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.

It wasn’t all protest and lulz, however. Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property. We certainly encountered many faces, varied tactics, and diverse motives in the past year, and in many ways, the 2012 Data Breach Investigations Report (DBIR) is a recounting of the many facets of corporate data theft.

Who is behind the data breaches? See below:

98% stemmed from external agents (+6%)
4% implicated internal employees (-13%)
<1% committed by business partners (<>)
58% of all data theft tied to activist groups
  • Outsiders are still dominating the scene of corporate data theft
  • Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011
  • Activist groups created their fair share of misery and mayhem last year as well and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches
  • Insider incidents declined yet again this year to a comparatively scant 4%

How do breaches occur?

81% utilized some form of hacking (+31%)
69% incorporated malware (+20%)
10% involved physical attacks (-19%)
7% employed social tactics (-4%)
5% resulted from privilege misuse (-12%)
  • Incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records.

What commonalities exist?

79% of victims were targets of opportunity (-4%)
96% of attacks were not highly difficult (+4%)
94% of all data compromised involved servers (+18%)
85% of breaches took weeks or more to discover (+6%)
92% of incidents were discovered by a third party (+6%)
97% of breaches were avoidable through simple or intermediate controls (+1%)
96% of victims subject to PCI DSS had not achieved compliance (+7%)
  • Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.
  • Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained.
  • Most breaches were avoidable without difficult or expensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations.

While at least some evidence of breaches often exists, victims don’t usually discover their own incidents.

The percentage of relevant organizations in compliance with each PCI DSS requirement, based on post-breach reviews conducted by the Verizon IR team, is shown in the report's chart.



PCI DSS details from the report

  • Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations
  • 96% of victims subject to PCI DSS had not achieved compliance
  • Organizations both large and small seem to struggle the most with Requirements 3, 7, 10, and 11.
  • When looking at the numbers on a year-over-year basis, Verizon sees mixed progress:
      • Improved, Requirements 1, 2, 6, 7, and 9
      • Declined, Requirements 3, 5, 8, and 11
      • Remained the same, Requirements 4, 10, and 12
  • The most significant improvement was Requirement 1 (+11%) “Install and maintain a firewall configuration to protect data.”
  • The most significant decline was Requirement 5 (-24%) “Use and regularly update anti-virus software”.

Verizon’s conclusions and recommendations

“Creating a list of solid recommendations gets progressively more difficult every year we publish this report. Think about it; our findings shift and evolve over time but rarely are they completely new or unexpected. Why would it be any different for recommendations based on those findings? Sure, we could wing it and prattle off a lengthy list of to-dos to meet a quota but we figure you can get that elsewhere. We’re more interested in having merit than having many.”

See the Verizon 2011 Payment Industry Compliance Report summary here

Last chance to review your PCI readiness before the holiday season

As we enter the busiest period of credit card spending it is probably a good time for a bit of last-minute housekeeping to ensure your business is meeting the Payment Card Industry Data Security Standard (PCI DSS), or as much of it as you can.

First things first, DO NOT STORE CREDIT CARDS unless you really really have to.

  • If you know you are unnecessarily storing credit cards, delete them, and delete them with a secure deletion tool so there is no way they can come back to haunt you.
  • If you have to retain credit card data, make sure it is encrypted and never, ever store the CVV/CV2/etc. As a short-term fix to get you through the next couple of weeks, encrypt hard drives and put in a plan to have effective credit card encryption and tokenization in place for early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS, download the white paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” here.
  • Check to see if there are cards being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”; read the press release here. There are some excellent scanning tools that will scan your network and devices for the existence of credit cards, so you can then decide to delete or secure them.

You now need to revisit the Payment Card Industry Data Security Standard’s Version 2 to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.

The Prioritized Approach consists of six key milestones, and merchants are advised to start with number 1.

  1. Milestone 1 Remove Sensitive Authentication Data and limit data retention
  2. Milestone 2 Protect the perimeter, internal, and wireless networks
  3. Milestone 3 Secure payment card applications (e.g. PA DSS approved)
  4. Milestone 4 Monitor and control access to your systems
  5. Milestone 5 Protect stored cardholder data
  6. Milestone 6 Finalize remaining compliance efforts, and ensure all controls are in place

Another reason to revisit your PCI DSS posture is revealed in Verizon's 2011 Global report, which reports that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

The full review of the Verizon report is here.

If you want to look at a range of other documents and guides have a visit to my PCI Resources page here.

Good luck with your Christmas and the New Year business and compliance activities.

Only 21% of merchants were compliant and other startling PCI DSS facts from the coal face

Verizon have recently launched their 2011 Payment Industry Compliance Report, which draws on their experiences as a Qualified Security Assessor (QSA) company and on their previous annual reports.

Below are excerpts from their report:

Unchanged from last year:

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The PCI requirements that showed the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need to know)
  • 9 (restrict physical access)

Verizon concluded that organizations do not appear to be prioritising their compliance efforts against the PCI DSS Prioritized Approach (the Prioritized Approach is a free spreadsheet that can be downloaded from the PCI Security Standards Council site; find it here).

Organizations that suffered data breaches were less likely to be compliant than a normal population of Verizon PCI clients.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change disappoints Verizon, as many in the industry were hoping to see an increase in overall compliance as PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC
  • This is down 3% from Verizon’s last report

Verizon deduce that another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze,” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake.

When the QSA arrives on-site, a mere one fifth of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Verizon believe that complacency and fatigue are two additional drags that make maintaining compliance year over year difficult.

Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.”

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range
  • Six of the twelve show an increase over last year, and the average is up two points
  • However, the average number of test procedures met within each requirement is down 4%
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, +13%

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

The improvement in compliance to Requirement 4 (encrypt transmissions) may indicate that administrators are deciding it is easier to direct all Internet traffic containing credit card data over SSL.

The small improvement in Requirement 7 (logical access), if significant at all, could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 1 remains virtually unchanged since last year

  • 44% were compliant
  • 46% in the last report
  • Only 63% of companies met Requirement 1.1.5 regularly

The entire report can be found on the Verizon web site here.

Merchants are complacent about PCI DSS, report reveals.

Verizon have launched their 2011 Payment Industry Compliance Report which draws on their experiences as a QSA company and previous annual reports.

Extracts from the report are below.

Unchanged from last year, only 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC). Verizon commented: “This is interesting, since most were validated to be in compliance during their prior assessment”.

  • Organizations met an average of 78% of all test procedures at the IROC stage
  • 20% of organizations passed less than half of the DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The PCI requirements that showed the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need-to-know)
  • 9 (restrict physical access)

Organizations do not appear to be prioritizing their compliance efforts based on the PCI DSS Prioritized Approach published by the PCI Security Standards Council, even less so than in the previous year.

A mini-study comparing governance practices to the initial compliance score suggests that the way organizations approach compliance significantly factors into their success.

Once again, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. Analysis of the top threat actions leading to the compromise of payment card data continues to exhibit strong coverage within scope of the PCI DSS. For most of them, multiple layers of relevant controls exist across the standard.

In the pool of assessments performed by Verizon QSAs included in this report

  • 21% were found fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change is disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • On average, organizations met 78% of all test procedures defined in the DSS at the time of their IROC.
  • Down 3% from Verizon’s last report; but again, the difference is nominal.

Therefore, the baseline set by the PCI DSS must not reflect the baseline set by the companies themselves. For most organizations, to achieve compliance they must do things they were not previously doing (or maintaining).

Another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence:

“It was painful, but we made it through last year, so this year should be a breeze”

is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake. When the QSA arrives on-site, a mere 1/5th of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Complacency and fatigue are two additional drags that make maintaining compliance year over year difficult. Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.” But unless someone’s been babysitting a process, such as documenting and justifying all services allowed through the firewalls, things can easily be forgotten in the haste to get business done.

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range.
  • Six of the twelve show an increase over last year, and the average is up two points.
  • However, the average number of test procedures met within each requirement is down 4%.
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS.

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, +13%

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

Requirement 4 (encrypt transmissions) showed a marked improvement which may indicate that administrators are deciding it’s easier to direct all Internet traffic containing credit card data over SSL.

Requirement 7 (logical access) showed a slight improvement, which could mean more strict attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 11’s low showing reminds us why ‘set and forget is a very bad bet’ should be a core mantra of the security profession. The fact that security policies rank among the lowest of the low is not a good sign since policy drives practice.

Requirement 1 remains virtually unchanged since last year, at 44% compliance compared to 46% in the last report. Only 63% of companies met Requirement 1.1.5 regularly.

Compliance is the continuous state of adhering to the regulatory standard. In the case of the PCI DSS there are daily (log review), weekly (file integrity monitoring), quarterly (vulnerability scanning), and annual (penetration testing) activities that an organization must perform in order to maintain this continuous state of compliance.

The entire report can be found on the Verizon web site here.
