& cplSiteName &

Verizon: Security Compliance Coming Up Short

Carol Wilson
2/7/2014
50%
50%

If recent, highly publicized data breaches weren't proof enough, a report that Verizon Enterprise Solutions will issue next week shows businesses aren't doing an adequate job of maintaining compliance with security standards by constantly testing their systems.

Verizon issues two annual reports per year, one tracking data breaches and another detailing compliance with the Payment Card Industry (PCI) Data Security Standard. The PCI report, due out next Tuesday, shows that businesses are treating PCI DSS compliance a bit too casually. While a growing number (82%) of businesses meet overall PCI standards, less than one-quarter are doing the required regular security testing and even fewer (17%) the security monitoring that would detect breaches and enable a fast response. (See Verizon Finds Credit Card Security Iffy, Verizon Breaks Down Security Threats by Industry Segment, and Verizon: Hackers Still Using Old Tricks.)

While Verizon isn't commenting on the specific breaches at Target and Nieman-Marcus, that lack of ongoing testing and monitoring would explain why data breaches persisted for weeks or even months before being detected and stopped. "We can see an improvement overall across all industries in PCI compliance, but we also see that security testing is not performing well," says Ciske Van Oosten, an architect of the upcoming report and part of Verizon's PCI Security Practice, which does security assessments, program and project management, and risk assessments for businesses. "We know there is now increased awareness of data breaches but whether that leads to doing right things in terms of internal and external integration testing, we will have to see." (See Verizon Ventures into Risk Management.)

Because attacks are growing both in size and sophistication, and because newer attacks don't yet have signatures to make them detectable by malware prevention programs, it's important that businesses do daily testing and monitoring to maintain PCI compliance, Van Oosten says. Generally following a breach, a review of the invaded company's data logs show red flags indicating suspicious activity that could have been detected earlier and addressed, he adds. But even small companies handle such a volume of data that only automated daily monitoring would be effective.

"The PCI standard requires you to remain up to date -- on a daily basis with log monitoring, and that process needs to be automated, even if you have only a single server," Van Oosten comments. "Compliance in not just reducing the chance of being breached, it can help you respond sooner to it and contain the cost of a breach. But that means ongoing testing."

Most breaches today are detected by law enforcement or third parties, not by the businesses themselves, which catch less than 10% of the breaches.

Companies can also improve their chances against data breaches by using up-to-date software systems, by encrypting information at its point of entry into a company's network, and by maintaining separate secure status for the encryption keys. The latter approach would prevent most data captured in a breach from being used in a criminal way, unless those who steal the data are able to steal the encryption keys separately, he adds.

— Carol Wilson, Editor-at-Large, Light Reading

(15)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Page 1 / 2   >   >>
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/11/2014 | 8:52:17 AM
Re: It's all about the Benjamins
Seven -- Agreed -- we should be less concerned about individual dumb users than about people on the inside, whether dumb or corrupt. As your examples point out, internal stupidity and criminality are potentially orders of magnitude more damaging than someone hacking one external user's weak password. I've been hacked twice on credit card accounts, and both times it was obvious that the hacking was an inside job. And of course, there's Mr. Snowden.
MKassner
50%
50%
MKassner,
User Rank: Light Beer
2/11/2014 | 7:50:55 AM
What would constant review have accomplished?
Monday morning quarterbacking is always easy. I dare say that when humans are involved, the bad guys will always have the upper hand. To say that more monitoring would help is a cheap shot by Verizon. What happened to Target would have happened to any company in the retail business. 

Quite simply the bad guys have the money to hire creative pen-testers, and all it takes is one crack to get in. Whereas, the good guys have to do battle against EVERY possible crack. 

 

 
pdonegan67
50%
50%
pdonegan67,
User Rank: Light Sabre
2/11/2014 | 5:00:33 AM
Re: It's all about the Benjamins
I guess it all depends what you call "a lot".

ESET is a credible outfit and they have presented evidence below of some subscribers becoming more self-conscious about their on-line behaviour and hesitating to follow through on impulses where before they wouldn't have.

http://www.welivesecurity.com/podcasts/is-nsa-surveillance-affecting-online-behavior/

As you say, it's perhaps not "a lot" thus far. But the industry has got used to such a ferocious pace of consumption by consumers that even the prospect of a slight slowing in the rate of acceleration hasn't tended to figure much in people plans up until now.


Definitely something to watch verrrry closely I would think.

 
brookseven
50%
50%
brookseven,
User Rank: Light Sabre
2/10/2014 | 6:39:11 PM
Re: It's all about the Benjamins
 

Ladies and Gentlemen,

 

I am providing a link here:

http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx?s=gcndaily_010711

To demonstrate that this is actually a lot harder than it may seem.  The biggest single issue in corporate security is users.  They do stupid things.  How many of you don't mouse over links in e-mails before clicking?  One example.  

In the case listed (from a couple of years ago), a number of usb flash drives were left in parking lots of DoD offices and contractors.  60% were plugged in.  Yes 6 0 not 6 not .6 but 6 out of 10.

If somebody wants into your network, they will get in.  That is a given.  It is not a question of IF they can get in it is HOW MUCH it will cost and HOW LONG it will take.  Let's use Target.  Imagine giving an IT security guy $1M as a bribe to let a hacker in.  Think you might be able to find someone in your organization disaffected enough to take a substantial bribe?

Then we get to the electronic bits of this.  Networks and systems are probed constantly.  You couldn't actually investigate every attempt as you probably have thousands per second at a major institution.  Most are simple enough to defeat, but the volume of stupid attacks makes finding that needle (aka the one sophisticated hack) a real hard bit to locate.

Security is imperfect in the non-electronic world.  Why do we expect that there is perfection in the electronic version?

 

seven

 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/10/2014 | 6:07:28 PM
Re: It's all about the Benjamins
I'm supposed to be the cynical curmudgeon. You're forcing me out of my comfort zone. Yes, in many ways we are the dull-witted sheeple that some outside observers make us out to be. But even Target has said publicly that the data breach has cost it business.
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:59:08 PM
Re: It's all about the Benjamins
Americans have a remarkably short attention span. 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:50:00 PM
Re: It's all about the Benjamins
I am cynical on this subject. I don't see a lot of evidence that businesses and consumers are changing their behavior as a result of data breaches. 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/10/2014 | 5:44:58 PM
Re: It's all about the Benjamins
110 million (!) accounts potentially compromised -- that's close to the total number of US households. Don't see how that can be quickly forgotten.
Carol Wilson
50%
50%
Carol Wilson,
User Rank: Blogger
2/10/2014 | 5:36:31 PM
Re: It's all about the Benjamins
I think it remains to be seen whether Target is  hurt long-term. They had tried to become a one-stop shop for bargain folks with taste (the folks with tight budgets that couldn't stand Walmart) by adding groceries. But from what I'm reading and seeing, folks are thinking twice about relying on their Red Cards to the extent they used to. 

It couild be this is quickly relegated to yesterday's news. At some point, though, consumers are going to balk at never knowing if their credit card data is sescure. 

There is also the issue of ongoing ramifications from the Target breach. People are still getting notified by banks and others than their accounts have been breached. 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:30:54 PM
Re: It's all about the Benjamins
Will Target's brand really suffer long-term damage? Or will this be forgotten soon enough?
Page 1 / 2   >   >>
From The Founder
Cisco's Conrad Clemson, recently promoted to head up the company's Service Provider Apps & Platforms developments, talks to Light Reading's Founder and CEO Steve Saunders about how he's bringing cloud video, mobile and virtualization together to empower network operators.
Flash Poll
Live Streaming Video
Charting the CSP's Future
Six different communications service providers join to debate their visions of the future CSP, following a landmark presentation from AT&T on its massive virtualization efforts and a look back on where the telecom industry has been and where it's going from two industry veterans.
LRTV Huawei Video Resource Center
You Mobile Enhances Customer Experience With Huawei BSS

2|28|17   |     |   (0) comments


James Weng, CEO of You Mobile, shares the experience of enhancing customer experience in Spain and trying to establish the best Chinese community based on Huawei BSS.
LRTV Interviews
Ericsson's CEO on 5G, Trucks & More

2|28|17   |   04:57   |   (0) comments


At MWC 2017 Ericsson CEO Börje Ekholm talks about early 5G developments, the importance of partnerships and more.
LRTV Custom TV
Introducing OrbTV: Netscout's MWC Day 1 Recap

2|27|17   |   8:35   |   (0) comments


The executive team of Netscout reviews the first day of Mobile World Congress in Barcelona. Stay tuned for OrbTV -- Light Reading and Netscout's full coverage of the show. We'll have daily show recaps, service provider interviews and tours of the show floor.
LRTV Custom TV
Innovation at MWC: Low-Power IoT for Scottish Sea Lions

2|27|17   |   6:32   |   (0) comments


Light Reading's Liz Coyne tours the GSMA's Innovation City at Mobile World Congress 2017. A key theme of this year's event is how low-power or no-power IoT devices could become a part of our everyday lives. Imagine a world in which over 15 billion shipping pallets communicate with cellular networks down the entire supply chain. Or a parka that reveals your ...
LRTV Huawei Video Resource Center
Huawei Will Accelerate the Spread of the Video Business

2|27|17   |     |   (0) comments


What is the future of the booming video business? What changes will happen to the video industry chain in the future? Hunter Hu, VP of Huawei Video Product Line, shares his viewpoints and explains how Huawei can be an enabler and accelerate the spread of the video business.
LRTV Huawei Video Resource Center
Frost & Sullivan's Jonas Zelba on Going Beyond Connectivity

2|27|17   |     |   (0) comments


Telecom operators across the globe are trying to understand what can they offer beyond connectivity. Operators are already introducing new and innovative services but they are faced with challenges due to unclear business models. Jonas highlights that no one operator can offer all the services itself. Operators in the Middle East should look within their ecosystem ...
LRTV Huawei Video Resource Center
IDC's Paul Black on Cloudification

2|27|17   |     |   (0) comments


Paul Black from IDC shares his insights on how cloudification is expected to combile all aspects of digital transformation.
LRTV Huawei Video Resource Center
Industry Expert Michael Howard Talks About Cloud Native

2|27|17   |     |   (0) comments


Cloud Native is a really nice term and a lot of people are using it. But most of them have their own definition of what Cloud Native means. Michael Howard offers his take on the terminology.
LRTV Custom TV
4.5G Evolution: Peter Zhou on Advanced MIMO Technologies & 5G Business Prep

2|25|17   |     |   (0) comments


In the process of service transformation, operators need to catch three major opportunities and start deploying in 4.5G networks, such as video, household broadband access and digital transformation of vertical industries. 5G is coming. Operators don't need to wait for it to happen but should progressively deploy 4.5G networks by introducing 5G-oriented ...
LRTV Custom TV
What WTTX Can Deliver

2|23|17   |     |   (0) comments


Mohamed Madkour explains the benefits of WTTX while Dimitris Mavrakis discusses the challenges of delivering home broadband access.
LRTV Custom TV
Huawei on Mobile Broadband

2|23|17   |     |   (0) comments


Mohamed Madkour shares his vision on MBB for the next three years.
LRTV Custom TV
Analysys Mason Talks About the Future of Digital Operations

2|23|17   |     |   (0) comments


The future of digital operations has three key aspects: 1. Highly automated operations for both service and network; 2. Highly converged BSS/OSS for business and resources; 3. Highly merged management and control for real-time cloud native operations.
Upcoming Live Events
March 21-22, 2017, The Curtis Hotel, Denver, CO
March 22, 2017, The Curtis Hotel, Denver, CO
March 22, 2017, The Curtis Hotel, Denver, CO
May 15-17, 2017, Austin Convention Center, Austin, TX
May 15, 2017, Austin Convention Center - Austin, TX
June 6, 2017, The Joule Hotel, Dallas, TX
All Upcoming Live Events
Infographics
With the mobile ecosystem becoming increasingly vulnerable to security threats, AdaptiveMobile has laid out some of the key considerations for the wireless community.
Hot Topics
Uber's HR Nightmare: Company Investigates Sexual Harassment Claims
Sarah Thomas, Director, Women in Comms, 2/21/2017
Broadband Has a Problem on the Pole
Mari Silbey, Senior Editor, Cable/Video, 2/21/2017
Verizon to Start Fixed 5G Customer Trials in April
Dan Jones, Mobile Editor, 2/22/2017
Cloud Rains on HPE Earnings
Mitch Wagner, Editor, Enterprise Cloud, 2/24/2017
Verizon Fixed 5G Tests to Top 3Gbit/s?
Dan Jones, Mobile Editor, 2/23/2017
Like Us on Facebook
Twitter Feed
BETWEEN THE CEOs - Executive Interviews
Light Reading founder and CEO Steve Saunders chats with Sportlogiq CEO Craig Buntin about sports data analysis.
Eyal Waldman, CEO of Mellanox Technologies, speaks to Steve Saunders, CEO of Light Reading, for an exclusive interview about the 100 GB cable challenge, cybersecurity and much more.
Animals with Phones
Gotta Get the Best Angle Click Here
To maximize the rolls...
Live Digital Audio

Playing it safe can only get you so far. Sometimes the biggest bets have the biggest payouts, and that is true in your career as well. For this radio show, Caroline Chan, general manager of the 5G Infrastructure Division of the Network Platform Group at Intel, will share her own personal story of how she successfully took big bets to build a successful career, as well as offer advice on how you can do the same. We’ll cover everything from how to overcome fear and manage risk, how to be prepared for where technology is going in the future and how to structure your career in a way to ensure you keep progressing. Chan, a seasoned telecom veteran and effective risk taker herself, will also leave plenty of time to answer all your questions live on the air.