In this post, we get insights from Christopher Novak, Director, Investigative Response Verizon RISK Team, Verizon. Here he discusses his presentation “Where Data Breaches Intersect Compliance” from the Europe Community Meeting in Barcelona.
Verizon recently released its Payment Security Report (PSR). Can you discuss the report’s key findings?
Chris Novak: One is – we see a steady uptick in the number of companies meeting all PCI DSS requirements. This means our QSAs were able to provide a Report on Compliance (ROC) and Attestation of Compliance (AOC) with no remediation period required by the company assessed. We call these entities the “masters” and we have seen this population group increase from 48.4% in 2015 to 55.4% in the latest report. That’s a 7% increase.
The second take-away is - for those companies who required a remediation period before our QSAs could provide a ROC and AOC (we call this population the “pursuers”); we saw their control gap increase slightly as well. This means the average number of PCI DSS requirements not met increased as well (from 12.4% in 2015 to 13% in the 2017 report). It will be interesting to watch as we continue to monitor this trend.
Third takeaway - While more organizations achieve and maintain their compliance, they do not necessarily have higher levels of control effectiveness. A significant amount of organizations still do not know how to design and implement security controls that meet the control objectives in a sustainable manner. They lack the in-house proficiency; the skills and experience. This places them at increased risk of control failure, resulting in exposures in their defenses, security breaches and potential data compromise. The Verizon Payment Security Report is raising awareness on this issue by revisiting the fundamentals of security control management, and by introducing the concept of security control lifecycle management.
The study found that organizations still struggle to maintain ongoing compliance. Why is this and what can be done to improve this challenge?
Chris Novak: Maintaining compliance requires variable degrees of effort. The effort required is proportional to the amount of thought the organizations put into the design of their control environment, and the extent to which they simplified the complexities of operating their compliance program.
Achieving consistency and repeatability of the execution and management of key tasks are critical. This is done through consolidation and standardization of processes and automation.
Readers of this year’s report will observe a strong focus on controls sustainability and resilience. This is similar to the Council’s statements about making PCI DSS controls part of “Business as Usual”. In our estimate, those that struggle the most to maintain ongoing compliance are those with a narrow focus i.e. enact PCI DSS controls without full appreciation of the control environment (i.e. business and technology changes). On page 10 of the PSR we suggest a compliance lifecycle to follow. Beyond this – we feel the analysis on controls correctness and effectiveness (Pages 9 and 12) are true gems within the 2017 PSR.
What is the danger in viewing security with a check-box mentality?
Chris Novak: A “check box” mentality involves completing a data protection task with the primary end goal being the completion of the compliance assessment. Check that box and move on to the next item. Checklists are used in many kinds of business processes. This is not a problem per se. The proper use of checklists can certainly improve the quality (repeatability and consistency) of data protection and compliance. It enumerates particular qualities that the output of a process must exhibit in order to "pass inspection."
|“Checklists seem able to defend anyone, even the experienced, against failure in many more tasks than we realized. They catch mental flaws inherent in all of us – flaws of memory and attention and thoroughness.” – Atul Gawande, The Checklist Manifesto|
A “check box mentality” can occur when organizations substitute the use of checklists for judgment and analysis. When the evaluation, design, operation, maintenance and improvement of the control environment is oversimplified, it can shorten the compliance program “to do” list. It may feel spectacular in the moment, but is a sure-fire way to achieve a low return on security investment. Checklists can't substitute for experience and professional judgment. The danger is when checklists encourage compliance in form rather than in substance. We often see this when organizations are unable to explain the function of a security control and which risks it mitigates. There are many organizations that treat PCI DSS controls as a checklist, implementing each control in a “stand-alone” fashion, disregarding the inter-dependence between security controls and the critical need to meet control objectives.
The check-box mentality leads to organizations implementing controls that fail to perform correctly and effectively when the environment changes. Given the rapid changes in business and technology – controls enactment must assume a wide range of hostile actors or actions in changing environments.
The hospitality industry was found to score the lowest of any industry for achieving full PCI DSS compliance at their interim validation. Why do you think this is and where are the critical areas for improvement?
Chris Novak: In our estimate, the hospitality industry, particularly the hoteliers, have some of the most complex environments in terms of the number of stakeholders exchanging or handling credit card data (global distribution systems, online travel agencies, call centers, seasonal employees, etc.). For hospitality, we observed requirement 3 (protect stored credit card data) to be the area of greatest challenge. With that many card data handlers, undoubtedly – there is a storage proliferation and this becomes hard to manage.
To improve, we implore the hospitality industry to reduce and consolidate the storage repositories of credit card data (including paper-based forms) as well as embrace technologies such as tokenization and point to point encryption.
Hospitality organizations struggle with Security Testing (Requirement 11), and Logging and Monitoring (Requirement 10).
It is also worth noting that it is mainly hospitality organizations in Europe that dragged the global average compliance for the industry down. For example, the industry average control gap for hospitality organizations in the Americas (1.6%) is significantly lower compared to the Retail industry (17.6% gap). Yet, in 2016 only a quarter (25%) of hospitality organizations in the America’s achieved full compliance during their interim compliance validation, compared to 50% in Europe and 80% in Asia-Pacific.
Verizon’s Data Breach Investigation Report (DBIR) shows that most attacks are not advanced and that organizations are still missing basic security practices. Why is this and what can organizations do to better protect themselves against these attacks?
Chris Novak: Organizations have a challenging task of remaining a step-ahead of attackers. Organizations do not need to feel overwhelmed by this. Taking care of the basics will go a very long way to reduce security breaches and to effectively prevent data compromises. Many organizations are still relying on defenses that are out of date. It’s tempting, especially if you didn’t suffer a major incident, to keep the same defenses from year to year. The Verizon DBIR beats the same security drum each year: Many of these attacks could have been prevented with basic security hygiene.
Few organizations have an active data protection performance management program in place for continuously improving organizational effectiveness in the accomplishment of corporate data protection. In short, organizations need to actively measure and report the actual effectiveness of their controls and their internal control environment. This is an activity that goes beyond merely demonstrating the existence of a security control for compliance purposes.
Throughout the past ten years, each edition of the Verizon Data Breach Investigations Report provided valuable insight on where organizations can apply their focus to reduce their data breach exposure. Attackers often exploit something very simple — close those doors and many cyber criminals will move on to a more vulnerable target. Taking care of areas such as patch management and authentication will already prevent a sizeable amount of security breaches. It’s hard to believe, but these two vulnerabilities (patching and passwords) still play a part in 80% of data breaches. Techniques to combat these threats are well-established and often inexpensive.
Additionally, organizations are slow to adapt. The same problems have existed for years. For example, just 10 vulnerabilities accounted for 85% of successful exploitations in 2015. In addition, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. While the goal with patch management is to be as comprehensive as possible, prioritizing patching the big guns can drastically reduce your risk.
Every year Verizon's researchers point out that password insecurity is a significant problem, and that hasn't changed. The two most common forms of hacking rely on weaknesses in authentication; stealing credentials — often by tricking users into revealing them — or allowing users to set passwords that are easy to crack with brute-force methods. Verizon found that 81 percent of hacking-related breaches succeeded through stolen passwords, default or weak passwords. That's an 18 percent increase from last year's report, suggesting that rather than getting better, password security is getting worse. Multifactor authentication has been shown to make it harder for attackers to break in, yet a distressingly large number of sites still don't use it.
What are you most looking forward to at this year’s Europe Community Meeting?
Chris Novak: Interaction with industry peers at the Community Meeting, seeking out opportunities to further the discussions on how the industry as a collective can move the needle forward achieving higher levels of proficiency. There are exciting advancements in the field of data protection and compliance. Besides the emerging trends in technology and threat landscapes, we look forward to discussions on the use of data analytics and exploring the psychology behind information security behavior to create a robust security culture that puts risk into context to promote compliance. I look forward to some engaging discussions at our exhibitor booth.