
Lessons from 2020 Payment Security Report

Articles, Information Assurance | 5 February, 2021 | 0

In their tenth annual Payment Security Report, Verizon reveals the security trends affecting businesses that seek PCI-DSS compliance and cybersecurity lessons applicable to all organisations.

This year’s 140-page Payment Security Report from Verizon focuses on the role and challenges of the CISO and how these relate to the performance and security of businesses in the payments space, and beyond.

Key findings in this year’s report include:

  • Maintaining ongoing security compliance is getting harder
  • Buying another new tool doesn’t help
  • The bad guys appear to be winning
  • Geography (and culture?) matters when it comes to compliance
  • The three hardest compliance requirements of PCI-DSS

Maintaining ongoing security compliance is getting harder

The report finds that organisations are finding it harder to keep basic security controls and processes in place. Fewer than a third of firms achieved 100% compliance at their interim PCI validation in 2019, down from 37% the previous year and 55% in 2016. Yet the requirements within the standard that pose the biggest challenge, the ones most firms fail to meet, remain the same:

  • Requirement 11 – Regularly test security systems and processes
  • Requirement 6 – Develop and maintain secure systems and applications
  • Requirement 12 – Maintain a policy that addresses information security for all personnel

Buying another new tool doesn’t help

The report suggests that one of the challenges organisations face is an over-proliferation of security tools, resulting in a lack of expertise and of the ability to manage a widely diverse portfolio of technical systems. On average, medium-sized firms have 50 to 60 different infosec tools in use, and in large firms (over 10,000 employees) this rises to over 130 on average.

Yet, according to Boston Consulting Group: “In our experience, organizations rarely use all the security tools and features they have purchased.”

The bad guys appear to be winning

Reviewing confirmed breaches in PCI-DSS compliant environments, the 2020 report reveals that most of the time the bad guys get into the network and escape with data before they are detected:

  • 53% of attacks successfully infiltrated environments without detection
  • Exfiltration techniques and tactics were successful 67% of the time
  • The size of an organization generally does not correlate to security effectiveness

Geography (and culture?) matters when it comes to compliance

PCI compliance varies by geography. Looking at the level of compliance achieved during interim assessments conducted before an organisation’s annual re-assessment, in Asia-Pacific 87% of organisations were still fully compliant, whereas in EMEA the figure drops to just 40%. This means that in the months since their last successful PCI-DSS audit, most firms in EMEA had ceased to maintain compliance. This may indicate that compliance is achieved only by one-off special measures just before the audit, and that the day-to-day operations and culture of the organisation have failed to embrace the security requirements as business as usual.

Similarly, ongoing PCI-DSS compliance varies by industry sector: 40% of IT service companies remained fully compliant at their interim assessment, but fewer than 17% of retail businesses achieved the same.

The three hardest compliance requirements of PCI-DSS

Looking at the last five years, according to the Verizon report, the PCI requirements that organisations find the hardest to comply with are (starting with the worst performing):

  • Requirement 11 – Test security systems and processes
  • Requirement 12 – Security policies and management
  • Requirement 6 – Develop and maintain secure systems

Further analysis of the control gap (the number of controls within each PCI requirement that fail to achieve compliance) shows that the most significant gap is in Requirement 11 (Test security systems and processes), and that the gap is widening year after year.

The security controls needed to achieve compliance with Requirement 11 should not be especially onerous in well-managed networks; they represent good security hygiene that all organisations should consider implementing, not just payment processors and retailers.

The six controls firms find it hardest to demonstrate compliance with under PCI Requirement 11 are:

Test for the presence of wireless access points

If an attacker can connect a rogue wireless access point to your network, they could then perform remote attacks from outside your premises. A combination of physical security and regular technical scans is needed to check for the presence of rogue wireless devices on a continual basis.

A Wireless Network Penetration Test will help you understand how vulnerable your network and wireless networks are to compromise by criminals.
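As an added example (not from the report and not SecureTeam’s own tooling), the comparison step of a rogue access point check in Python: a survey of the radios seen around the premises is matched against an authorised inventory, and anything unexpected is classified. The inventory, the survey results and the -75 dBm signal threshold are all constructed assumptions.

```python
"""Rogue wireless access point check: compare a site survey against an
authorised AP inventory.  Added example, not from the report or SecureTeam;
the inventory and survey below are constructed sample data."""
from dataclasses import dataclass

# Hypothetical authorised inventory: BSSID (radio MAC) -> (SSID, channel).
AUTHORISED_APS = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", 36),
    "aa:bb:cc:00:00:02": ("CorpWiFi", 44),
    "aa:bb:cc:00:00:03": ("CorpGuest", 6),
}

# Constructed survey, as a wireless scanner walking the premises might report it.
SURVEY = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CorpWiFi", "channel": 36, "rssi": -48},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "CorpWiFi", "channel": 44, "rssi": -55},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "channel": 1, "rssi": -40},
    {"bssid": "11:22:33:44:55:66", "ssid": "TP-LINK_5566", "channel": 11, "rssi": -42},
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "CorpGuest", "channel": 11, "rssi": -60},
    {"bssid": "ff:ee:dd:00:00:09", "ssid": "Neighbour", "channel": 6, "rssi": -85},
]


@dataclass
class Finding:
    bssid: str
    ssid: str
    kind: str      # evil-twin | rogue-candidate | config-drift | ssid-mismatch | neighbour
    detail: str


def classify_survey(survey, authorised, rssi_floor=-75):
    """Return one Finding per access point that deviates from the inventory.

    rssi_floor separates strong signals (likely inside the premises) from weak
    ones that are probably neighbouring networks; tune it to the site.
    """
    corporate_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for ap in survey:
        bssid = ap["bssid"].lower()
        if bssid in authorised:
            exp_ssid, exp_channel = authorised[bssid]
            if ap["ssid"] != exp_ssid:
                findings.append(Finding(bssid, ap["ssid"], "ssid-mismatch",
                                        f"inventory says {exp_ssid}"))
            elif ap["channel"] != exp_channel:
                findings.append(Finding(bssid, ap["ssid"], "config-drift",
                                        f"on channel {ap['channel']}, inventory says {exp_channel}"))
            continue
        # Unknown radio: the most serious case is one impersonating a corporate SSID.
        if ap["ssid"] in corporate_ssids:
            findings.append(Finding(bssid, ap["ssid"], "evil-twin",
                                    "unauthorised radio broadcasting a corporate SSID"))
        elif ap["rssi"] >= rssi_floor:
            findings.append(Finding(bssid, ap["ssid"], "rogue-candidate",
                                    f"unknown AP at {ap['rssi']} dBm, probably on the premises"))
        else:
            findings.append(Finding(bssid, ap["ssid"], "neighbour",
                                    f"unknown AP with weak signal ({ap['rssi']} dBm)"))
    return findings


def needs_investigation(findings):
    """Findings that should be chased down before the next compliance check."""
    return [f for f in findings if f.kind in {"evil-twin", "rogue-candidate", "ssid-mismatch"}]


if __name__ == "__main__":
    for f in classify_survey(SURVEY, AUTHORISED_APS):
        print(f"{f.kind:16} {f.bssid} {f.ssid!r}: {f.detail}")
```

A survey only shows that a radio is nearby; it cannot tell you whether that radio is plugged into your wired network. Confirm a rogue candidate from the wired side (for example, whether its MAC address shows up on a switch port) before escalating, and keep the authorised inventory under change control so that the comparison stays meaningful.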

 

Run network vulnerability scans

Running vulnerability scans is not enough in and of itself, as the PCI requirement is to achieve a clean scan each quarter with no important or critical vulnerabilities outstanding. If you think about it, achieving a clean scan once every three months should not be too difficult if security patches are consistently applied each month as part of a regular programme. The key is not to treat scanning as a pure compliance exercise left to the last minute, but to build it into the monthly business-as-usual routine of the system administrators. According to feedback in the Verizon report, organisations most often fail to achieve compliance here because scans are not run early enough to resolve the identified vulnerabilities before the reporting deadline, or because unsupported (end-of-life) systems with known vulnerabilities that will never be patched are still in use.
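As an added illustration, not taken from the report or from SecureTeam, the following Python turns a constructed scan export into the quarterly pass/fail decision and a remediation plan, and works out the latest date a scan can run so that fixing and re-scanning still fit before the deadline. It treats high and critical findings as blocking, uses placeholder vulnerability identifiers rather than real CVEs, and assumes a 30-day remediation window plus 7 days for the rescan.

```python
"""Turn a quarterly vulnerability scan export into a PCI-style pass/fail
and a remediation plan.  Added example, not from the Verizon report or
SecureTeam; the findings below are constructed and the vulnerability
identifiers are placeholders, not real CVEs."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: high and critical findings block a clean scan.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class Finding:
    host: str
    vuln_id: str       # placeholder identifier
    severity: str      # critical | high | medium | low
    end_of_life: bool  # host runs an unsupported product, so no vendor patch exists


# Constructed scan output.
SCAN = [
    Finding("web01", "PLACEHOLDER-VULN-1", "critical", end_of_life=False),
    Finding("web01", "PLACEHOLDER-VULN-2", "medium", end_of_life=False),
    Finding("legacy-db", "PLACEHOLDER-VULN-3", "high", end_of_life=True),
    Finding("app02", "PLACEHOLDER-VULN-4", "low", end_of_life=False),
]


def scan_passes(findings):
    """A clean scan has no high or critical finding outstanding."""
    return not any(f.severity in BLOCKING_SEVERITIES for f in findings)


def remediation_plan(findings):
    """Group blocking findings by host and separate the ones that can be
    patched from the ones on end-of-life platforms, which need replacement
    or a compensating control instead of a patch."""
    plan = {"patch": {}, "replace_or_compensate": {}}
    for f in findings:
        if f.severity not in BLOCKING_SEVERITIES:
            continue
        bucket = "replace_or_compensate" if f.end_of_life else "patch"
        plan[bucket].setdefault(f.host, []).append(f.vuln_id)
    return plan


def latest_scan_start(deadline, remediation_days=30, rescan_days=7):
    """Latest date to run the scan so that remediation and a confirming
    rescan both fit before the reporting deadline (assumed windows)."""
    return deadline - timedelta(days=remediation_days + rescan_days)


def scan_is_too_late(scan_date, deadline, **windows):
    """True when a scan on scan_date leaves no room to fix and rescan."""
    return scan_date > latest_scan_start(deadline, **windows)


if __name__ == "__main__":
    quarter_end = date(2021, 3, 31)
    print("clean scan:", scan_passes(SCAN))
    print("plan:", remediation_plan(SCAN))
    print("scan by:", latest_scan_start(quarter_end))
```

The point of the deadline arithmetic is the one the paragraph makes: a scan run in the last week of the quarter cannot produce a clean result if anything is found, so the scan date has to be set from the remediation window backwards.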

 

Implement penetration testing

Penetration testing is a valuable tool in the security manager’s toolbox. By engaging a trusted external expert to safely attempt to breach your network security, you will discover flaws and vulnerabilities that your own team did not even know existed. PCI-DSS requires that both internal and external penetration testing is carried out at least annually and whenever a significant change is made to the network.

 

Use Intrusion Detection Systems

An Intrusion Detection System (IDS) is a device or software system that monitors your network and systems for indicators that an attacker may have gained access. The IDS generates alerts, which are gathered into central security logs (see: What is SIEM) for later review. A poorly tuned IDS can either generate a flood of false-positive alerts that swamp security analysts, or fail to spot the intrusion and raise no alerts at all.

According to the Mandiant Security Effectiveness Report 2020: “Only 9% of attacks received alerts, demonstrating that most organizations and their security teams do not have the visibility they need into serious threats.”

This is remarkable when you consider that the average security operations team receives over 11,000 alerts per day, the vast majority of which must be manually processed, according to a Forrester Consulting thought leadership paper commissioned by Palo Alto Networks, “The State of 2020 Security Operations.”

Of these alerts, on average, a third are ignored, 20% are manually triaged by security analysts and only 17% are handled by automated tools. Fewer than half of the organisations surveyed said they were able to address most or all of the security alerts generated each day.

When correctly configured, tuned and staffed, an IDS can help detect network intrusions. However, a poorly managed IDS is proof that throwing technology at a network does not make it more secure.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”—Bruce Schneier, public-interest technologist

 

Deploy Change Protection Mechanisms

When attackers first penetrate a network, they typically perform reconnaissance and attempt to secure a beachhead in order to preserve their access. They will often try to alter system logs to hide evidence of their presence and adjust configuration files to give themselves persistent access to the network. Change protection mechanisms, such as File Integrity Monitoring (FIM), help detect the footprints attackers leave behind and alert your security team to their presence.
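As an added example (not code from SecureTeam, the Verizon report or any FIM product), a minimal file integrity monitor in Python: it hashes a baseline of files, then reports what has been modified, added, deleted or re-permissioned. The demo directory, its file contents and the changes simulated after the baseline (a configuration value altered, a log cleared, a log removed, an unexpected file appearing) are all constructed to show the kind of footprint the text describes.

```python
"""Minimal file integrity monitoring: hash a baseline of files, then
report anything modified, added, deleted or re-permissioned.  Added example,
not SecureTeam's or any product's code; the demo directory is constructed."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative POSIX path) to its hash, size and mode."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def verify(root, baseline):
    """Compare the current state of root against a stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "mode_changed": [], "deleted": [], "added": []}
    for rel, meta in baseline.items():
        now = current.get(rel)
        if now is None:
            report["deleted"].append(rel)
        elif now["sha256"] != meta["sha256"]:
            report["modified"].append(rel)
        elif now["mode"] != meta["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Build a baseline over a constructed tree, then simulate the changes
    the text describes and return what the monitor reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "var" / "log" / "auth.log").write_text(
            "Jan 1 00:00:01 host sshd[1]: Accepted publickey for ops\n")
        (root / "var" / "log" / "old.log").write_text("archived\n")
        baseline = build_baseline(root)

        # Constructed changes after the baseline was taken.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # config altered
        (root / "var" / "log" / "auth.log").write_text("")                  # log cleared
        (root / "var" / "log" / "old.log").unlink()                         # log removed
        (root / "etc" / "unexpected.conf").write_text("x=1\n")             # file dropped
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13} {paths}")
```

Two details matter in a real deployment: the baseline must be kept where the monitored host cannot rewrite it (a separate system, or at least a signed copy), otherwise whoever edits the configuration can edit the baseline too; and the verify step must run on a schedule with its output feeding the same central logs the IDS alerts go to, so that a changed config file or a shrunken log is seen by the people who can act on it.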

 

Documented Procedures for Monitoring and Testing

You can’t make up your security as you go along. It is a complex and ever-changing subject and only by thinking through and documenting the procedures for monitoring and testing can you be confident that your team will do the right things in the right order in the event of an attack or breach of your network.

The most effective security procedures are the ones that blend seamlessly with the way people carry out their daily duties.

Security awareness training will ensure new team members learn the approach and attitude that keep staff acting defensively and following the policies and procedures that govern your network security.

The headlines of the 2020 Verizon Payment Security Report reflect the challenging nature of the cybersecurity industry. CISOs find it hard to engage effectively with the rest of the organisation’s senior leadership team, which contributes to staffing and budget constraints within the security team. As a result, firms are finding it harder to maintain compliance with PCI-DSS throughout the year, and not just during the week of the audit.

Partnering with specialist security firms, like SecureTeam, can help you ensure good security practices are baked into the way you work and manage your network. Contact us to arrange a free initial discussion.
