+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Lessons from 2020 Payment Security Report

In their tenth annual Payment Security Report, Verizon reveals the security trends affecting businesses that seek PCI-DSS compliance and cybersecurity lessons applicable to all organisations.

This year’s 140 page Payment Security Report from Verizon focuses on the role and challenges of the CISO and how this relates to the performance and security of businesses in the Payments space, and beyond.

Key findings in this year’s report include:

Maintaining ongoing security compliance is getting harder

The report finds that organisations are finding it harder to keep the basic security controls and processes in place. Less than a third of firms achieve 100% compliance during their interim PCI validation in 2019 – down from 37% the previous year and 55% in 2016.  Yet the Requirements within the standard that pose the biggest challenge – the ones most firms fail to achieve – remain the same, namely:

11 – Regularly test security systems and processes

06 – Develop and maintain secure systems and applications

12 – Maintain a policy that addresses information security for all personnel

 

Buying another new tool doesn’t help

The report suggests that one of the challenges organisations face is an over proliferation of different security tools resulting in a lack of expertise and ability to manage a widely diverse portfolio of technical systems.  On average medium sized firms have 50 to 60 different infosec tools in use, and in large firms (over 10,000 employees) this rises to over 130 on average.

Yet, according to Boston Consulting Group: “In our experience, organizations rarely use all the security tools and features they have purchased.

The bad guys appear to be winning

Reviewing confirmed breaches in PCI-DSS compliant environments, the 2020 report reveals that most of the time the bad guys get into the network and escape with data before they are detected:

  • 53% of attacks successfully infiltrated environments without detection
  • Exfiltration techniques and tactics were successful 67% of the time
  • The size of an organization generally does not correlate to security effectiveness

Geography (and culture?) Matters when it comes to compliance

PCI Compliance varies by geography.  When looking at the level of compliance achieved during interim assessments conducted prior to an organisation’s annual re-assessment, in Asia-Pacific 87% of organisations were still fully compliant whereas in EMEA this figure drops to just 40%.  This means that in the months since their last successful PCI-DSS audit, most firms in EMEA had ceased to maintain compliance. This may indicate that compliance is only achieved by one-off special measures just before the audit and the day to day operations and culture of the organisation had failed to embrace the security requirements as business as usual.

Similarly, ongoing PCI-DSS compliance varies by industry sector with only 40% of IT service companies remaining fully compliant at their interim assessment but less than 17% of retail businesses achieving the same.

The three hardest compliance requirements of PCI-DSS

Looking at the last five years, according to the Verizon report, the PCI requirements that organisations find the hardest to comply with are (starting with the worst performing):

  • Requirement 11 – Test security systems and processes
  • Requirement 12 – Security policies and management
  • Requirement 6 – Develop and maintain secure systems

Further analysis into the Control Gap (how many controls within each PCI requirement that fail to achieve compliance) show that the most significant gap is in Requirement 11 (Test security systems and processes) and the gap is getting wider year after year.

The security controls needed to achieve compliance with Requirement 11 should not be especially onerous in well managed networks and represent good security hygiene that all organisations should consider implementing – not just payment processors and retailers.

The six controls firms find it hardest to demonstrate compliance with under PCI Requirement 11 are:

Test for the presence of wireless access points

If an attacker can connect a rogue wireless access point onto your network, they could then perform remote attacks from outside your premises.  A combination of physical security and regular technical scans is needed to check for the presences of rogue wireless devices on a constant basis.

An Wireless Network Penetration Test will help you understand how vulnerable your network and wireless networks are to compromise by criminals.

 

Run network vulnerability scans

Running vulnerability scans is not enough in and of itself, as the PCI requirement is to achieve a clean scan each quarter with no important or critical vulnerabilities outstanding.  Now if you think about it, achieving a clean scan once every three months should not be too difficult if security patches are being consistently applied each month as part of a regular program.   The key is not to view the scanning as purely a compliance exercise that is left to the last minute but rather build it into the monthly business as usual routine of the system administrators.  According to feedback in the Verizon report, organisations most often fail to achieve compliance here because scans are not run with enough time to resolve any identified vulnerabilities before the reporting deadline or because unsupported (or end-of-life) systems are still in use which have known vulnerabilities which will never be patched.

 

Implement penetration testing

Penetration Testing is a valuable tool in the Security Manager’s toolbox.  By engaging a trusted external expert to safely attempt to breach your network security you will discover flaws and vulnerabilities that your own team was not aware even existed.  PCI-DSS requires that both internal and external penetration testing happens at least annually and whenever a significant change is made to the network.

 

Use Intrusion Detection Systems

An Intrusion Detection System (IDS) is a device or software system that monitors your network and systems for indicators that an attacker may have gained access to your network.  The IDS generates alerts which are gathered into central security logs (See: What is SIEM) for later review.  A poorly tuned IDS can either generate a flood of false positive alerts which swamp security analysts or fail to spot the intrusion and raise no alerts at all.

According to the Mandiant Security Effectiveness Report 2020Only 9% of attacks received alerts, demonstrating that most organizations and their security teams do not have the visibility they need into serious threats.

Which is amazing when you consider that:  The average security operations team receives over 11,000 alerts per day, and the vast majority must be manually processed, according to a Forrester Consulting thought leadership paper commissioned by Palo Alto Networks, “The State of 2020 Security Operations.”

Of these alerts, on average, a third are ignored, 20% are manually triaged by security analysts and only 17% are handled by automated tools.  Less than half of organisations surveyed said they were able to address most or all security alerts generated each day.

When correctly configured, tuned, and staffed an IDS system can help detect network intrusions. However, a poorly managed IDS is proof that throwing technology at a network does not make it more secure.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”—Bruce Schneier, public-interest technologist

 

Deploy Change Protection Mechanisms

When attackers initially penetrate a network, they typically perform reconnaissance and attempt to secure a beachhead in order to preserve their access. Attackers will often try to alter system logs to hide evidence of their presence within the network and adjust configuration files in order to provide themselves with persistent access to the network.  Change Protection mechanisms, such as File Integrity Monitoring, will help detect the footprints attackers leave in your network and alert your security team to their presence.

 

Documented Procedures for Monitoring and Testing

You can’t make up your security as you go along. It is a complex and ever-changing subject and only by thinking through and documenting the procedures for monitoring and testing can you be confident that your team will do the right things in the right order in the event of an attack or breach of your network.

The most effective security procedures are the ones that blend seamlessly with the way people carry out their daily duties.

Security Awareness training will ensure new team members learn the approach and attitude that ensures staff always act defensively and follow the policies and procedures that govern your network security.

 

 

The headlines of the 2020 Verizon Payment Security Report reflect the challenging nature of the cybersecurity industry.  CISO’s find it hard to effectively engage with the rest of the organisation’s senior leadership team which contributes to staffing and budget constraints within the security team.  As a result, firms are finding it harder to maintain compliance with PCI-DSS throughout the year and not just during the week of the audit.

Partnering with specialist security firms, like SecureTeam, can helped you ensure good security practices are baked into the way you work and manage your network. Contact us to arrange a free initial discussion.

 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.