& cplSiteName &

Verizon: Security Compliance Coming Up Short

Carol Wilson
2/7/2014
50%
50%

If recent, highly publicized data breaches weren't proof enough, a report that Verizon Enterprise Solutions will issue next week shows businesses aren't doing an adequate job of maintaining compliance with security standards by constantly testing their systems.

Verizon issues two annual reports per year, one tracking data breaches and another detailing compliance with the Payment Card Industry (PCI) Data Security Standard. The PCI report, due out next Tuesday, shows that businesses are treating PCI DSS compliance a bit too casually. While a growing number (82%) of businesses meet overall PCI standards, less than one-quarter are doing the required regular security testing and even fewer (17%) the security monitoring that would detect breaches and enable a fast response. (See Verizon Finds Credit Card Security Iffy, Verizon Breaks Down Security Threats by Industry Segment, and Verizon: Hackers Still Using Old Tricks.)

While Verizon isn't commenting on the specific breaches at Target and Nieman-Marcus, that lack of ongoing testing and monitoring would explain why data breaches persisted for weeks or even months before being detected and stopped. "We can see an improvement overall across all industries in PCI compliance, but we also see that security testing is not performing well," says Ciske Van Oosten, an architect of the upcoming report and part of Verizon's PCI Security Practice, which does security assessments, program and project management, and risk assessments for businesses. "We know there is now increased awareness of data breaches but whether that leads to doing right things in terms of internal and external integration testing, we will have to see." (See Verizon Ventures into Risk Management.)

Because attacks are growing both in size and sophistication, and because newer attacks don't yet have signatures to make them detectable by malware prevention programs, it's important that businesses do daily testing and monitoring to maintain PCI compliance, Van Oosten says. Generally following a breach, a review of the invaded company's data logs show red flags indicating suspicious activity that could have been detected earlier and addressed, he adds. But even small companies handle such a volume of data that only automated daily monitoring would be effective.

"The PCI standard requires you to remain up to date -- on a daily basis with log monitoring, and that process needs to be automated, even if you have only a single server," Van Oosten comments. "Compliance in not just reducing the chance of being breached, it can help you respond sooner to it and contain the cost of a breach. But that means ongoing testing."

Most breaches today are detected by law enforcement or third parties, not by the businesses themselves, which catch less than 10% of the breaches.

Companies can also improve their chances against data breaches by using up-to-date software systems, by encrypting information at its point of entry into a company's network, and by maintaining separate secure status for the encryption keys. The latter approach would prevent most data captured in a breach from being used in a criminal way, unless those who steal the data are able to steal the encryption keys separately, he adds.

— Carol Wilson, Editor-at-Large, Light Reading

(15)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Page 1 / 2   >   >>
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/11/2014 | 8:52:17 AM
Re: It's all about the Benjamins
Seven -- Agreed -- we should be less concerned about individual dumb users than about people on the inside, whether dumb or corrupt. As your examples point out, internal stupidity and criminality are potentially orders of magnitude more damaging than someone hacking one external user's weak password. I've been hacked twice on credit card accounts, and both times it was obvious that the hacking was an inside job. And of course, there's Mr. Snowden.
MKassner
50%
50%
MKassner,
User Rank: Light Beer
2/11/2014 | 7:50:55 AM
What would constant review have accomplished?
Monday morning quarterbacking is always easy. I dare say that when humans are involved, the bad guys will always have the upper hand. To say that more monitoring would help is a cheap shot by Verizon. What happened to Target would have happened to any company in the retail business. 

Quite simply the bad guys have the money to hire creative pen-testers, and all it takes is one crack to get in. Whereas, the good guys have to do battle against EVERY possible crack. 

 

 
pdonegan67
50%
50%
pdonegan67,
User Rank: Light Sabre
2/11/2014 | 5:00:33 AM
Re: It's all about the Benjamins
I guess it all depends what you call "a lot".

ESET is a credible outfit and they have presented evidence below of some subscribers becoming more self-conscious about their on-line behaviour and hesitating to follow through on impulses where before they wouldn't have.

http://www.welivesecurity.com/podcasts/is-nsa-surveillance-affecting-online-behavior/

As you say, it's perhaps not "a lot" thus far. But the industry has got used to such a ferocious pace of consumption by consumers that even the prospect of a slight slowing in the rate of acceleration hasn't tended to figure much in people plans up until now.


Definitely something to watch verrrry closely I would think.

 
brookseven
50%
50%
brookseven,
User Rank: Light Sabre
2/10/2014 | 6:39:11 PM
Re: It's all about the Benjamins
 

Ladies and Gentlemen,

 

I am providing a link here:

http://gcn.com/articles/2011/06/30/dhs-test-found-thumb-drives-disks-network.aspx?s=gcndaily_010711

To demonstrate that this is actually a lot harder than it may seem.  The biggest single issue in corporate security is users.  They do stupid things.  How many of you don't mouse over links in e-mails before clicking?  One example.  

In the case listed (from a couple of years ago), a number of usb flash drives were left in parking lots of DoD offices and contractors.  60% were plugged in.  Yes 6 0 not 6 not .6 but 6 out of 10.

If somebody wants into your network, they will get in.  That is a given.  It is not a question of IF they can get in it is HOW MUCH it will cost and HOW LONG it will take.  Let's use Target.  Imagine giving an IT security guy $1M as a bribe to let a hacker in.  Think you might be able to find someone in your organization disaffected enough to take a substantial bribe?

Then we get to the electronic bits of this.  Networks and systems are probed constantly.  You couldn't actually investigate every attempt as you probably have thousands per second at a major institution.  Most are simple enough to defeat, but the volume of stupid attacks makes finding that needle (aka the one sophisticated hack) a real hard bit to locate.

Security is imperfect in the non-electronic world.  Why do we expect that there is perfection in the electronic version?

 

seven

 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/10/2014 | 6:07:28 PM
Re: It's all about the Benjamins
I'm supposed to be the cynical curmudgeon. You're forcing me out of my comfort zone. Yes, in many ways we are the dull-witted sheeple that some outside observers make us out to be. But even Target has said publicly that the data breach has cost it business.
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:59:08 PM
Re: It's all about the Benjamins
Americans have a remarkably short attention span. 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:50:00 PM
Re: It's all about the Benjamins
I am cynical on this subject. I don't see a lot of evidence that businesses and consumers are changing their behavior as a result of data breaches. 
mendyk
50%
50%
mendyk,
User Rank: Light Sabre
2/10/2014 | 5:44:58 PM
Re: It's all about the Benjamins
110 million (!) accounts potentially compromised -- that's close to the total number of US households. Don't see how that can be quickly forgotten.
Carol Wilson
50%
50%
Carol Wilson,
User Rank: Blogger
2/10/2014 | 5:36:31 PM
Re: It's all about the Benjamins
I think it remains to be seen whether Target is  hurt long-term. They had tried to become a one-stop shop for bargain folks with taste (the folks with tight budgets that couldn't stand Walmart) by adding groceries. But from what I'm reading and seeing, folks are thinking twice about relying on their Red Cards to the extent they used to. 

It couild be this is quickly relegated to yesterday's news. At some point, though, consumers are going to balk at never knowing if their credit card data is sescure. 

There is also the issue of ongoing ramifications from the Target breach. People are still getting notified by banks and others than their accounts have been breached. 
Mitch Wagner
50%
50%
Mitch Wagner,
User Rank: Lightning
2/10/2014 | 5:30:54 PM
Re: It's all about the Benjamins
Will Target's brand really suffer long-term damage? Or will this be forgotten soon enough?
Page 1 / 2   >   >>
Light Reading’s Upskill U is a FREE, interactive, online educational resource that delivers must-have education on themes that relate to the overall business transformation taking place in the communications industry.
NEXT COURSE
Wednesday, July 27, 1:00PM EDT
The Changing Face of the Data Center World
Rodney M. Elder, Senior Solutions Architect, Equinix
UPCOMING COURSE SCHEDULE
Wednesday, August 3, 1:00PM EDT
The Central Office Re-Architected as a Data Center
Guru Parulkar, Executive Director, Open Networking Research Center, Open Networking Lab
Wednesday, August 10, 1:00PM EDT
Telcos & Open Source 101
Phil Robb, Senior Technical Director, OpenDaylight
Friday, August 12, 1:00PM EDT
The Role of Open Source in NFV
Jim Fagan, Director, Cloud Practice, Telstra
in association with:
From The Founder
The more things change, the more they stay the same for Juniper's next-gen comms solutions, and that's a good thing.
Flash Poll
Live Streaming Video
Charting the CSP's Future
Six different communications service providers join to debate their visions of the future CSP, following a landmark presentation from AT&T on its massive virtualization efforts and a look back on where the telecom industry has been and where it's going from two industry veterans.
LRTV Custom TV
NetScout: Maximizing Enterprise Cloud for Digital Transformation

7|20|16   |   04:53   |   (0) comments


Light Reading Editor Mitch Wagner talks to NetScout CMO Jim McNiel about maximizing the benefits of enterprise cloud and digital transformation while minimizing potential pitfalls with a proper monitoring and instrumentation strategy.
Women in Comms Introduction Videos
Ciena's VP Offers a Career Crash Course

7|20|16   |   4:14   |   (0) comments


How did Ciena's Vice President of Sales, Angela Finn, carve out her career path? Simple, she tells WiC. She stayed true to her company, customers and principles. She shares her advice for women on how to be authentic and credible, as well as for companies that want to make a real change to their culture and practices.
LRTV Custom TV
NFV in 2016: Part 2 – Climbing the Virtualization Maturity Curve

7|19|16   |   06:56   |   (0) comments


Many of the initial use case implementations are single-vendor and self-contained. The industry is still climbing the virtualization maturity curve, needing further clarity and stability in the NFV infrastructure (NFVi) and greater availability and choice of virtualized network functions (VNFs). Interoperability between NFVis and VNFs from different vendors ...
Telecom Innovators Video Showcase
Versa Networks' Kumar Mehta on SD-WAN Managed Services

7|19|16   |     |   (0) comments


In Silicon Valley, Steve Saunders sits down with Versa's Kumar Mehta for an interview focused on why service providers are building SD-WAN managed services, and how Versa's telco customers are innovating.
LRTV Custom TV
Juniper Networks & The Evolution of NFV

7|19|16   |   06:01   |   (0) comments


Senior Juniper Networks executives talk to Light Reading Founder & CEO Steve Saunders about NFV developments and the recent independent evaluation by test lab EANTC of Juniper's Cloud CPE solution.
LRTV Interviews
CenturyLink Goes Beyond Managed WiFi

7|19|16   |     |   (0) comments


CenturyLink's managed WiFi allows enterprises, such as retailers and resorts, to track guest WiFi usage in order to help them better communicate with customers.
LRTV Interviews
AT&T Launches Network Functions on Demand

7|17|16   |   05:26   |   (0) comments


Roman Pacewicz, Senior Vice President, Offer Management & Service Integration, AT&T Business Solutions, discusses the operator's launch of its Network Functions on Demand service.
LRTV Interviews
Enterprise Pitch for Ciscosson

7|14|16   |   04:43   |   (0) comments


After seven months of near silence, Cisco and Ericsson executives publicly discussed details on their extensive partnership. Among the tidbits shared by Martin Zander, VP, group strategy programs, Ericsson, and Doug Webster, VP service provider marketing, Cisco: The partnership was initially launched to serve the service provider market, but is already gaining ...
Wagner’s Ring
Cisco Faces Up to Hypercloud Threat

7|13|16   |   02:42   |   (0) comments


Facebook, Amazon and Google mostly don't buy branded technology for their networks – they build their own. That's a threat to Cisco – and its competitors too – which face potentially dwindling demand for their product. Is Cisco up to the challenge? Light Reading went to the annual Cisco Live conference to find out.
LRTV Huawei Video Resource Center
Building a Better Connected Russia

7|13|16   |     |   (0) comments


At UBBS World Tour 2016, Alla Shabelnikova of Ovum shares the findings of a white paper outlining the challenges and opportunities of broadband rollout in Russia.
LRTV Huawei Video Resource Center
The Global Video Business

7|13|16   |     |   (0) comments


At UBBS World Tour 2016, Roger Feng of Huawei shares insights on the future of video business.
LRTV Huawei Video Resource Center
UBBS World Tour Moscow Highlights

7|13|16   |     |   (0) comments


At UBBS World Tour 2016 at Moscow, Huawei showcases its outstanding progress in video technology.
Upcoming Live Events
September 13-14, 2016, The Curtis Hotel, Denver, CO
September 27, 2016, Philadelphia, PA
November 3, 2016, The Montcalm Marble Arch, London
November 30, 2016, The Westin Times Square, New York City
December 6-8, 2016,
May 16-17, 2017, Austin Convention Center, Austin, TX
All Upcoming Live Events
Infographics
Five of the Top 10 most targeted countries in Check Point Software Technologies' global Malware & Threat Index for Q1 2016 are in Africa.
Hot Topics
SoftBank Muscles In on ARM in $32B Deal
Iain Morris, News Editor, 7/18/2016
Ericsson 'Doubles' Savings Goal as Sales Slump
Iain Morris, News Editor, 7/19/2016
Kevin Lo's Move to Facebook: Sign of Things to Come?
Patrick Donegan, Chief Analyst, Heavy Reading, 7/20/2016
Verizon's Next With VNFs
Carol Wilson, Editor-at-large, 7/21/2016
Facebook Gets Its Drone On
Ray Le Maistre, Editor-in-chief, 7/22/2016
Like Us on Facebook
Twitter Feed
BETWEEN THE CEOs - Executive Interviews
There's no question that, come 2020, 5G technology will turn the world's conception of what mobile networking is on its head. Within the world of 5G development, Dr. ...
I've enjoyed interviewing many interesting people since I rejoined Light Reading, but William A. "Bill" Owens certainly takes the biscuit, as we say where I come from.
Live Digital Audio

Our world has evolved through innovation from the Industrial Revolution of the 1740s to the information age, and it is now entering the Fourth Industrial Revolution, driven by technology. Technology is driving a paradigm shift in the way digital solutions deliver a connected world, changing the way we live, communicate and provide solutions. It can have a powerful impact on how we tackle some of the world’s most pressing problems. In this radio show, Caroline Dowling, President of Communications Infrastructure & Enterprise Computing at Flex, will join Women in Comms Director Sarah Thomas to discuss the impact technology has on society and how it can be a game-changer across the globe; improving lives and creating a smarter world. Dowling, a Cork, Ireland, native and graduate of Harvard Business School's Advanced Management Program, will also discuss her experience managing an international team focused on innovation in an age of high-speed change.