Login|Japanese
September 23, 2009
 Shaking The PCI Security Standards Council Meeting
Share

It's that time of the year again. No, I am not writing about the best time in a quarter (which is approaching very fast). It's time for the annual PCI Security Standards Council community meeting. Two years ago the meeting took place in Toronto. Last year in Miami and now in Las Vegas. It is very encouraging to see how the community evolved into a large, influential group. The number of active members and other participants that are passionate about PCI and data protection in general is growing very nicely. As one can imagine, there is a direct correlation between the number of data breaches and compromised credit card records and the number of PCI professionals :-( 

Hacker
Christopher Novak from Verizon Business provided the (black) color background when he presented the 2009 Data Breach Investigation Report (DBIR), a document that was discussed in detail in different places, including this blog, yet there are some points that should be highlighted as it seems that as PCI gains more momentum we need to continue to educate people about data security challenges:

  1. Most breaches and nearly all records stolen are a result of “external sources” activity.
  2. 90%+ of breached records attributed to organized crime activity. 
  3. Of the 284 million records that were compromised last year, most damages from external sources
(It should be noted however that stats are a funny thing indeed. Conversations I've had with Brian Contos - Imperva's Chief Security Strategist - suggest that a greater number of breaches are actually internally sourced. And if you combine partners along with employees, contractors, etc as  the group considered "insiders" - as they all have elevated levels of trust and access, then the great majority of successful breaches occur from insiders - at least the ones we know about. Brian further suggests that these breaches are a combination of malicious, careless or negligent activity; they aren't all "bad guys."  Finally, Brian sites some stats from InfoSecurityAnalysis.com that show that in many cases - even when the number of attacks from outsiders might be higher, the number of records stolen, and the dollar amounts are much greater when the attack or mistake is from someone within. 

To quote Brian, "When it comes to insiders and outsiders the terms are losing meaning; it's about data security regardless of the source. If we agree that data is valuable and data mostly resides in databases, and we also agree that most users interact with that data via Web applications, then prudence dictates that safeguards be applied at the Web application and database layer."

Okay - so let's get back to Mr. Novack's findings.)


Top 3 techniques hackers are using to penetrate networks are

  1. Unauthorized access
  2. SQL injection
  3. Misconfigured  ACL

Chris made a special comment about SQL injection. In his opinion SQL injection will continue to exist as long as web sites and databases will exist. This is a problem that will not go away easily as it is inherent to the applications. It can not be solved with simple patches he said. Unfortunately, most of the big breaches are a result of SQL injection. 


The audience, mostly auditors and other PCI professionals were shocked when Chris provided statistics showing that many attacks could have been prevented by using patches that were available for over a year or mitigating known vulnerabilities (in other words, excluding zero day attacks).  Even worse, forensic investigations show that in some cases, attacks were successful in environments with 90% patch ratio. In those cases, the 10% of older systems Unix systems or other obscure systems allowed the hacker to penetrate. 


Malware was involved in 38% of breaches but most malware were installed by remote attacker using methods like SQL injection.

Did I write that the audience was shocked? Are you?


Share |

Posted by Sharon Besser at 05:38:20 PM | Guest Bloggers


Feed You can follow this conversation by subscribing to the comment feed for this post.
Comments

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

« Imperva CEO - Shlomo Kramer talks with USA Today about the Ponemon PCI Study | Main | Insider Threat White Paper: The Anatomy of an Insider - Bad Guys Don't Always Wear Black »