Lessons from 2020 Payment Security Report

In their tenth annual Payment Security Report, Verizon reveals the security trends affecting businesses that seek PCI-DSS compliance and cybersecurity lessons applicable to all organisations.

This year’s 140-page Payment Security Report from Verizon focuses on the role and challenges of the CISO and how this relates to the performance and security of businesses in the payments space, and beyond.

Key findings in this year’s report include:

Maintaining ongoing security compliance is getting harder

The report finds that organisations are finding it harder to keep the basic security controls and processes in place. Fewer than a third of firms achieved 100% compliance during their interim PCI validation in 2019 – down from 37% the previous year and 55% in 2016. Yet the requirements within the standard that pose the biggest challenge – the ones most firms fail to achieve – remain the same, namely:

  • Requirement 11 – Regularly test security systems and processes
  • Requirement 6 – Develop and maintain secure systems and applications
  • Requirement 12 – Maintain a policy that addresses information security for all personnel


Buying another new tool doesn’t help

The report suggests that one of the challenges organisations face is an over-proliferation of different security tools, resulting in a lack of expertise and ability to manage a widely diverse portfolio of technical systems. On average, medium-sized firms have 50 to 60 different infosec tools in use, and in large firms (over 10,000 employees) this rises to over 130 on average.

Yet, according to Boston Consulting Group: “In our experience, organizations rarely use all the security tools and features they have purchased.”

The bad guys appear to be winning

Reviewing confirmed breaches in PCI-DSS compliant environments, the 2020 report reveals that most of the time the bad guys get into the network and escape with data before they are detected:

  • 53% of attacks successfully infiltrated environments without detection
  • Exfiltration techniques and tactics were successful 67% of the time
  • The size of an organization generally does not correlate to security effectiveness

Geography (and culture?) matters when it comes to compliance

PCI compliance varies by geography. When looking at the level of compliance achieved during interim assessments conducted prior to an organisation’s annual re-assessment, in Asia-Pacific 87% of organisations were still fully compliant, whereas in EMEA this figure drops to just 40%. This means that in the months since their last successful PCI-DSS audit, most firms in EMEA had ceased to maintain compliance. This may indicate that compliance is only achieved through one-off special measures just before the audit, and that the day-to-day operations and culture of the organisation have failed to embrace the security requirements as business as usual.

Similarly, ongoing PCI-DSS compliance varies by industry sector: 40% of IT service companies remained fully compliant at their interim assessment, but fewer than 17% of retail businesses achieved the same.

The three hardest compliance requirements of PCI-DSS

Looking at the last five years, according to the Verizon report, the PCI requirements that organisations find the hardest to comply with are (starting with the worst performing):

  • Requirement 11 – Test security systems and processes
  • Requirement 12 – Security policies and management
  • Requirement 6 – Develop and maintain secure systems

Further analysis of the control gap (the number of controls within each PCI requirement that fail to achieve compliance) shows that the most significant gap is in Requirement 11 (Test security systems and processes), and that the gap is getting wider year after year.

The security controls needed to achieve compliance with Requirement 11 should not be especially onerous in well managed networks and represent good security hygiene that all organisations should consider implementing – not just payment processors and retailers.

The six controls firms find it hardest to demonstrate compliance with under PCI Requirement 11 are:

Test for the presence of wireless access points

If an attacker can connect a rogue wireless access point to your network, they could then perform remote attacks from outside your premises. A combination of physical security and regular technical scans is needed to check for the presence of rogue wireless devices on a constant basis.

A wireless network penetration test will help you understand how vulnerable your network and wireless networks are to compromise by criminals.


Run network vulnerability scans

Running vulnerability scans is not enough in and of itself, as the PCI requirement is to achieve a clean scan each quarter with no important or critical vulnerabilities outstanding. Now if you think about it, achieving a clean scan once every three months should not be too difficult if security patches are being consistently applied each month as part of a regular programme. The key is not to view the scanning as purely a compliance exercise that is left to the last minute, but rather to build it into the monthly business-as-usual routine of the system administrators. According to feedback in the Verizon report, organisations most often fail to achieve compliance here because scans are not run with enough time to resolve any identified vulnerabilities before the reporting deadline, or because unsupported (or end-of-life) systems are still in use that have known vulnerabilities that will never be patched.


Implement penetration testing

Penetration testing is a valuable tool in the security manager’s toolbox. By engaging a trusted external expert to safely attempt to breach your network security, you will discover flaws and vulnerabilities that your own team did not even know existed. PCI-DSS requires that both internal and external penetration testing happens at least annually and whenever a significant change is made to the network.


Use Intrusion Detection Systems

An Intrusion Detection System (IDS) is a device or software system that monitors your network and systems for indicators that an attacker may have gained access to your network. The IDS generates alerts which are gathered into central security logs (see: What is SIEM) for later review. A poorly tuned IDS can either generate a flood of false-positive alerts that swamp security analysts, or fail to spot the intrusion and raise no alerts at all.

According to the Mandiant Security Effectiveness Report 2020, only 9% of attacks received alerts, demonstrating that most organizations and their security teams do not have the visibility they need into serious threats.

This is remarkable when you consider that the average security operations team receives over 11,000 alerts per day, and the vast majority must be manually processed, according to a Forrester Consulting thought leadership paper commissioned by Palo Alto Networks, “The State of 2020 Security Operations.”

Of these alerts, on average, a third are ignored, 20% are manually triaged by security analysts and only 17% are handled by automated tools. Fewer than half of the organisations surveyed said they were able to address most or all of the security alerts generated each day.

When correctly configured, tuned, and staffed, an IDS can help detect network intrusions. However, a poorly managed IDS is proof that throwing technology at a network does not make it more secure.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”—Bruce Schneier, public-interest technologist


Deploy Change Protection Mechanisms

When attackers initially penetrate a network, they typically perform reconnaissance and attempt to secure a beachhead in order to preserve their access. Attackers will often try to alter system logs to hide evidence of their presence within the network and adjust configuration files in order to give themselves persistent access to the network. Change protection mechanisms, such as File Integrity Monitoring, will help detect the footprints attackers leave in your network and alert your security team to their presence.
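As an added illustration (not from the Verizon report or this article), a minimal file-integrity check in Python: hash a baseline of files, re-hash later, and report what was added, removed or modified. The directory layout, file names and contents are constructed for the demo and are not real system paths.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file's content, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_snapshot(root):
    """Map every regular file under root (path relative to root) to its hash.
    In a real deployment the baseline is taken at build time and stored
    off-host, so an intruder cannot rewrite it along with the files."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Report files that appeared, vanished or changed since the baseline.
    Content hashes only; production FIM also tracks owner, mode and mtime."""
    b, c = set(baseline), set(current)
    return {
        "added": sorted(c - b),
        "removed": sorted(b - c),
        "modified": sorted(p for p in b & c if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small tree, simulate the kinds of
    changes an intruder leaves behind, then diff. All paths are hypothetical."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, text in {"etc/sshd_config": "# original setting\n",
                          "etc/motd": "welcome\n",
                          "var/log/auth.log": "login ok\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = build_snapshot(root)
        # Simulated tampering: a config edited, a log truncated, a new file
        # dropped in a scheduling directory, and a file removed.
        (root / "etc/sshd_config").write_text("# changed setting\n")
        (root / "var/log/auth.log").write_text("")
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/newjob").write_text("# new scheduled job\n")
        (root / "etc/motd").unlink()
        return compare(baseline, build_snapshot(root))
```

Run the snapshot on a schedule and alert on any non-empty result that does not match an approved change ticket; that is the link between this control and the change-management process PCI expects.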


Documented Procedures for Monitoring and Testing

You can’t make up your security as you go along. It is a complex and ever-changing subject, and only by thinking through and documenting the procedures for monitoring and testing can you be confident that your team will do the right things in the right order in the event of an attack on or breach of your network.

The most effective security procedures are the ones that blend seamlessly with the way people carry out their daily duties.

Security Awareness training will ensure new team members learn the approach and attitude that ensures staff always act defensively and follow the policies and procedures that govern your network security.


The headlines of the 2020 Verizon Payment Security Report reflect the challenging nature of the cybersecurity industry. CISOs find it hard to engage effectively with the rest of the organisation’s senior leadership team, which contributes to staffing and budget constraints within the security team. As a result, firms are finding it harder to maintain compliance with PCI-DSS throughout the year, and not just during the week of the audit.

Partnering with specialist security firms, like SecureTeam, can help you ensure good security practices are baked into the way you work and manage your network. Contact us to arrange a free initial discussion.
