& cplSiteName &

Verizon: Security Compliance Coming Up Short

Carol Wilson
2/7/2014
50%
50%

If recent, highly publicized data breaches weren't proof enough, a report that Verizon Enterprise Solutions will issue next week shows businesses aren't doing an adequate job of maintaining compliance with security standards by constantly testing their systems.

Verizon issues two annual reports per year, one tracking data breaches and another detailing compliance with the Payment Card Industry (PCI) Data Security Standard. The PCI report, due out next Tuesday, shows that businesses are treating PCI DSS compliance a bit too casually. While a growing number (82%) of businesses meet overall PCI standards, less than one-quarter are doing the required regular security testing and even fewer (17%) the security monitoring that would detect breaches and enable a fast response. (See Verizon Finds Credit Card Security Iffy, Verizon Breaks Down Security Threats by Industry Segment, and Verizon: Hackers Still Using Old Tricks.)

While Verizon isn't commenting on the specific breaches at Target and Nieman-Marcus, that lack of ongoing testing and monitoring would explain why data breaches persisted for weeks or even months before being detected and stopped. "We can see an improvement overall across all industries in PCI compliance, but we also see that security testing is not performing well," says Ciske Van Oosten, an architect of the upcoming report and part of Verizon's PCI Security Practice, which does security assessments, program and project management, and risk assessments for businesses. "We know there is now increased awareness of data breaches but whether that leads to doing right things in terms of internal and external integration testing, we will have to see." (See Verizon Ventures into Risk Management.)

Because attacks are growing both in size and sophistication, and because newer attacks don't yet have signatures to make them detectable by malware prevention programs, it's important that businesses do daily testing and monitoring to maintain PCI compliance, Van Oosten says. Generally following a breach, a review of the invaded company's data logs show red flags indicating suspicious activity that could have been detected earlier and addressed, he adds. But even small companies handle such a volume of data that only automated daily monitoring would be effective.

"The PCI standard requires you to remain up to date -- on a daily basis with log monitoring, and that process needs to be automated, even if you have only a single server," Van Oosten comments. "Compliance in not just reducing the chance of being breached, it can help you respond sooner to it and contain the cost of a breach. But that means ongoing testing."

Most breaches today are detected by law enforcement or third parties, not by the businesses themselves, which catch less than 10% of the breaches.

Companies can also improve their chances against data breaches by using up-to-date software systems, by encrypting information at its point of entry into a company's network, and by maintaining separate secure status for the encryption keys. The latter approach would prevent most data captured in a breach from being used in a criminal way, unless those who steal the data are able to steal the encryption keys separately, he adds.

— Carol Wilson, Editor-at-Large, Light Reading

(15)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Page 1 / 2   >   >>
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/11/2014 | 8:52:17 AM
Re: It's all about the Benjamins
Seven -- Agreed -- we should be less concerned about individual dumb users than about people on the inside, whether dumb or corrupt. As your examples point out, internal stupidity and criminality are potentially orders of magnitude more damaging than someone hacking one external user's weak password. I've been hacked twice on credit card accounts, and both times it was obvious that the hacking was an inside job. And of course, there's Mr. Snowden.
MKassner
50%
50%
MKassner,
User Rank: Light Beer
2/11/2014 | 7:50:55 AM
What would constant review have accomplished?
Monday morning quarterbacking is always easy. I dare say that when humans are involved, the bad guys will always have the upper hand. To say that more monitoring would help is a cheap shot by Verizon. What happened to Target would have happened to any company in the retail business. 

Quite simply the bad guys have the money to hire creative pen-testers, and all it takes is one crack to get in. Whereas, the good guys have to do battle against EVERY possible crack. 

 

 
pdonegan67
50%
50%
pdonegan67,
User Rank: Light Sabre
2/11/2014 | 5:00:33 AM
Re: It's all about the Benjamins
I guess it all depends what you call "a lot".

ESET is a credible outfit and they have presented evidence below of some subscribers becoming more self-conscious about their on-line behaviour and hesitating to follow through on impulses where before they wouldn't have.

http://www.welivesecurity.com/podcasts/is-nsa-surveillance-affecting-online-behavior/

As you say, it's perhaps not "a lot" thus far. But the industry has got used to such a ferocious pace of consumption by consumers that even the prospect of a slight slowing in the rate of acceleration hasn't tended to figure much in people plans up until now.


Definitely something to watch verrrry closely I would think.

 
brookseven
50%
50%
brookseven,
User Rank: Light Sabre
2/10/2014 | 6:39:11 PM
Re: It's all about the Benjamins
 

Ladies and Gentlemen,

 

I am providing a link here:

http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx?s=gcndaily_010711

To demonstrate that this is actually a lot harder than it may seem.  The biggest single issue in corporate security is users.  They do stupid things.  How many of you don't mouse over links in e-mails before clicking?  One example.  

In the case listed (from a couple of years ago), a number of usb flash drives were left in parking lots of DoD offices and contractors.  60% were plugged in.  Yes 6 0 not 6 not .6 but 6 out of 10.

If somebody wants into your network, they will get in.  That is a given.  It is not a question of IF they can get in it is HOW MUCH it will cost and HOW LONG it will take.  Let's use Target.  Imagine giving an IT security guy $1M as a bribe to let a hacker in.  Think you might be able to find someone in your organization disaffected enough to take a substantial bribe?

Then we get to the electronic bits of this.  Networks and systems are probed constantly.  You couldn't actually investigate every attempt as you probably have thousands per second at a major institution.  Most are simple enough to defeat, but the volume of stupid attacks makes finding that needle (aka the one sophisticated hack) a real hard bit to locate.

Security is imperfect in the non-electronic world.  Why do we expect that there is perfection in the electronic version?

 

seven

 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/10/2014 | 6:07:28 PM
Re: It's all about the Benjamins
I'm supposed to be the cynical curmudgeon. You're forcing me out of my comfort zone. Yes, in many ways we are the dull-witted sheeple that some outside observers make us out to be. But even Target has said publicly that the data breach has cost it business.
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:59:08 PM
Re: It's all about the Benjamins
Americans have a remarkably short attention span. 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:50:00 PM
Re: It's all about the Benjamins
I am cynical on this subject. I don't see a lot of evidence that businesses and consumers are changing their behavior as a result of data breaches. 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/10/2014 | 5:44:58 PM
Re: It's all about the Benjamins
110 million (!) accounts potentially compromised -- that's close to the total number of US households. Don't see how that can be quickly forgotten.
Carol Wilson
50%
50%
Carol Wilson,
User Rank: Blogger
2/10/2014 | 5:36:31 PM
Re: It's all about the Benjamins
I think it remains to be seen whether Target is  hurt long-term. They had tried to become a one-stop shop for bargain folks with taste (the folks with tight budgets that couldn't stand Walmart) by adding groceries. But from what I'm reading and seeing, folks are thinking twice about relying on their Red Cards to the extent they used to. 

It couild be this is quickly relegated to yesterday's news. At some point, though, consumers are going to balk at never knowing if their credit card data is sescure. 

There is also the issue of ongoing ramifications from the Target breach. People are still getting notified by banks and others than their accounts have been breached. 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:30:54 PM
Re: It's all about the Benjamins
Will Target's brand really suffer long-term damage? Or will this be forgotten soon enough?
Page 1 / 2   >   >>
From The Founder
Download our complete guide to de-risking NFV deployment in 2016, including:
  • An eight-step strategy to deploying NFV safely, based on input from the companies that have already started virtualizing their production networks.
  • Interviews with leading executives at Colt, AT&T, Deutsche Telekom, Cisco, Nokia, ZTE, Ericsson and Heavy Reading.
  • Flash Poll
    Live Streaming Video
    Prepping for the Future: Upskill U Explained
    During this short kick-off video, Doug Webster, Vice President of Service Provider Marketing, Cisco, and Light Reading’s CEO & Founder Steve Saunders give an overview of Upskill U.
    LRTV Interviews
    AT&T Expert on the Key Pillars of UC

    4|29|16   |   03:58   |   (0) comments


    Vishy Gopalakrishnan, AVP of product marketing at AT&T, talks about the three developments that are making unified communications and collaboration secure and reliable for enterprise users.
    LRTV Documentaries
    LRTV Report: Mobile Core Innovation

    4|28|16   |   25:32   |   (0) comments


    Hear from multiple industry experts from Deutsche Telekom, SK Telecom, Heavy Reading, Huawei, Cisco, Ericsson, Nokia, NEC and many more about developments in the mobile core as operators virtualize their IMS and evolved packet core systems and prepare for a 5G world.
    LRTV Huawei Video Resource Center
    NFV World Congress Highlight

    4|26|16   |     |   (0) comments


    The highlight of the NFV World Congress contains exciting telecom news. Join us for an inside look at Huawei's ICT 2020 plan and its latest collaboration with industry leaders.
    LRTV Interviews
    Unified Comms Finds Its Voice

    4|25|16   |   03:44   |   (0) comments


    Peter Quinlan, VP of UCC Product Management at Tata Communications, talks about the evolution of the unified communications and collaboration services sector and how voice is now a big part of current developments.
    LRTV Documentaries
    So... What Do We Do Now?

    4|25|16   |   03:24   |   (0) comments


    After a long hiatus, Max Dingman, the CEO of a GeeGhiz, returns for a motivational board room pep talk.
    LRTV Documentaries
    NAB 2016 Highlights

    4|21|16   |     |   (0) comments


    Light Reading's Cable/Video Practice Leader Alan Breznick climbs down from the slots to tell us about the latest news in broadcast technology at NAB 2016 in Las Vegas.
    Between the CEOs
    CEO Chat: Deepfield's Craig Labovitz

    4|21|16   |     |   (0) comments


    In this latest installment of the CEO Chat series, Craig Labovitz, co-founder and CEO of Deepfield, sits down with Light Reading's Steve Saunders in Light Reading's New York City office to discuss how Deepfield fits in with the big data trend and more.
    Shades of Ray
    Leading Lights 2016: Shortlists Announced

    4|20|16   |   0:53   |   (0) comments


    The judging is over and the Leading Lights 2016 shortlists have been published -- you can see who made the cut by clicking on this link.
    LRTV Custom TV
    Introducing MulteFire – Qualcomm at MWC 2016

    4|18|16   |   3.29   |   (0) comments


    MulteFire is the latest option for using LTE in unlicensed spectrum. As oppose to its close 'siblings', LAA and LTE-U, MulteFire operates solely in unlicensed spectrum, which enables it to offer the best of two worlds – LTE-like performance with WiFi-like deployment simplicity. In this interview, Sanjeev Athalye, Sr. Director, Product Management at Qualcomm ...
    Between the CEOs
    CEO Chat: Grant Van Rooyen of Cologix

    4|18|16   |     |   (0) comments


    Grant van Rooyen, president and CEO of Cologix, sits down with Steve Saunders, founder and CEO of Light Reading, in the vendor's New Jersey facility to offer an inside look at the company's success story and discuss the importance of security in the telecom industry.
    LRTV Huawei Video Resource Center
    ONS 2016 – Demonstration of Huawei's NetMatrix Multi-Vendor SDN Orchestrator

    4|15|16   |     |   (0) comments


    This demonstration shows how Huawei's NetMatrix SDN Orchestrator (SDN-O) addresses an operator's core service agility needs for services spanning multi-domain, multivendor networks: it includes a demonstration of:
    - Rapid New Service Design: using YANG to model a complex example of multi-domain, multivendor L3VPN network connectivity service that ...
    LRTV Custom TV
    AT&T Wants to Own North Carolina

    4|15|16   |     |   (1) comment


    Venessa Harrison, president of North Carolina for AT&T, tells how the company will expand its GigaPower service beyond the seven N.C. cities it already serves.

  • This blog, sponsored by AT&T, is the second part of a ten-part series examining next-generation broadband technologies titled "Behind the Speeds."
  • Upcoming Live Events
    May 23, 2016, Austin, TX
    May 23, 2016, Austin Convention Center
    May 24-25, 2016, Austin Convention Center, Austin, TX
    September 13-14, 2016, The Curtis Hotel, Denver, CO
    December 6-8, 2016,
    June 16-18, 2017, Austin Convention Center, Austin, TX
    All Upcoming Live Events
    Infographics
    A new survey conducted by Heavy Reading and TM Forum shows that CSPs around the world see the move to digital operations as a necessary part of their overall virtualization strategies.
    Hot Topics
    Ultra-Broadband Summit, Hong Kong
    Iain Morris, News Editor, 4/27/2016
    WiCipedia: Woman Cards & Bitch Switches
    Sarah Thomas, Director, Women in Comms, 4/29/2016
    FCC Poised to Re-Regulate Wholesale Access
    Carol Wilson, Editor-at-large, 4/28/2016
    Amazon AWS Reports $2.6B Quarterly Revenue, Up a Colossal 64%
    Mitch Wagner, West Coast Bureau Chief, Light Reading, 4/28/2016
    Mitel Asks: What Time of Day Do You Shower?
    Mitch Wagner, West Coast Bureau Chief, Light Reading, 4/25/2016
    Like Us on Facebook
    Twitter Feed
    BETWEEN THE CEOs - Executive Interviews
    In this latest installment of the CEO Chat series, Craig Labovitz, co-founder and CEO of Deepfield, sits down with Light Reading's Steve Saunders in Light Reading's New York City office to discuss how Deepfield fits in with the big data trend and more.
    Grant van Rooyen, president and CEO of Cologix, sits down with Steve Saunders, founder and CEO of Light Reading, in the vendor's New Jersey facility to offer an inside look at the company's success story and discuss the importance of security in the telecom industry.
    Animals with Phones
    Live Digital Audio

    Of all the tech companies in the Valley, Intel has made the most aggressive commitment to building a diverse and inclusive workplace culture. It's doing so by taking concrete, measurable steps, making a large financial investment and through a commitment to complete transparency about its progress. In this radio show, WiC Director Sarah Thomas will be joined by Shlomit Weiss, Intel's Vice President, Data Center Group, and General Manager of Networking Engineering, who will share with us why Intel is tackling this huge challenge, how and to what effect. She will also discuss her unique experiences leading development of Client SOC development in the past and today leading development of all of the chipmaker's silicon hardware for networking IPs and discrete devices and managing a team of 600 engineers across Israel, Europe and the US.