67 Percent Of Organizations Did Not Adequately Test Security: Verizon 2015 PCI Compliance Report

The results of the 2015 Verizon PCI Compliance Report are out, and they show a concerning trend. First off, what is PCI and why should you care?

The Payment Card Industry, or PCI, is an organization that was formed by the big-name payment card companies to develop a security standard for their industry. This standard is known as the PCI Data Security Standard, or PCI DSS, which outlines six control objectives supported by 12 PCI DSS requirements (see below).

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

The goal of PCI DSS is to ensure minimum security requirements are in place when merchants process, store, or transmit cardholder data. Payment card use is growing. In 2012 global card payments totaled less than $15 trillion and are expected to total more than $25 trillion by 2018. This creates a fat target for hostile actors, as evidenced by losses from payment card fraud nearly tripling over a five-year period, reaching $15 billion in 2013.

The 2015 Verizon PCI Compliance Report shows a decline in one of the 12 requirements: the requirement to regularly test security systems and processes. In addition, the ability to sustain compliance with the PCI DSS requirements fell, with only 28% of entities being fully compliant, showing an industry-wide lack of a strong framework of policy, procedure, and testing in most organizations. Finally, 2014 brought 43 million security incidents and a bumper year for security breaches. The facts show that current techniques are not stopping hostile actors.

A backslide in testing is an issue. Why is testing important? Here is a breakdown of the requirement that focuses on testing.

PCI DSS Requirement 11: Regularly test security systems and processes.

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Unauthorized wireless access points can be devices placed by a hostile actor to gain remote access into your network and to serve as an exfiltration point for your data. They could also be a device a user places on the network without fully understanding the risk. A device placed by a user may be intended to help users, but if it is not documented and secured properly it can be discovered by a hostile actor and used to attack your network.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Scanning for vulnerabilities is a check and balance on applying updates and patches. Running a vulnerability scan every quarter is designed to catch missed patches or updates. When significant changes are made, a scan ensures that the changes did not accidentally open a hole into your network.

11.3 Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

Vulnerability scans look for systems that are vulnerable and are a check on work performed. Vulnerability scans are usually known about by the IT staff and overt in nature. A penetration test is covert in nature and is basically a mock attack on your network. Penetration tests are designed to provide an indication of the everyday security of an organization. Penetration testing requires special skills and results in a better overall picture of the state of security of an organization. A penetration test gives a better indication of an organization's security because it is conducted without the knowledge of the IT staff, which tests detection, response, and mitigation plans and procedures.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

Firewalls provide only a single point of security. Part of a layered approach to security is the use of Intrusion Detection Systems or Intrusion Prevention Systems (IDS or IPS). These systems monitor activity on an organization's network and seek out hostile network activity. When hostile activity is detected, the system notifies technical personnel of the issue, and an IPS can also block the hostile traffic.

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Change detection does exactly what the term implies. Antivirus programs are the example of change detection most people are familiar with: antivirus looks for signatures of known malicious code and for changes to files that have become infected. More recently, more advanced and specialized change-detection software has been created to look for hostile activity as well as accidental changes to important configuration files. This catches problems before they become disasters.
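As an added illustration of the critical-file comparison 11.5 describes (example code written for this post, not a PCI, Verizon, or vendor tool), the script below hashes a constructed set of configuration files into a baseline, then re-hashes them on a later run and reports what was modified, added, or removed. The file patterns and the sample tree are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical glob patterns standing in for "critical configuration files".
CRITICAL_PATTERNS = ("*.conf", "*.cfg", "*.ini")

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, patterns=CRITICAL_PATTERNS) -> dict:
    """Map each matching file (path relative to root) to its current hash."""
    baseline = {}
    for pat in patterns:
        for p in root.rglob(pat):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline: modified, added, removed files."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: record a baseline, change the tree, run the weekly check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "firewall.conf").write_text("allow 443\n")
        (root / "etc" / "db.ini").write_text("host=db01\n")
        (root / "etc" / "notes.txt").write_text("not monitored\n")  # not a critical pattern
        # In practice the baseline is stored off-host or read-only; a JSON string stands in here.
        stored = json.dumps(build_baseline(root))
        # Simulated unauthorized changes made between two comparisons.
        (root / "etc" / "firewall.conf").write_text("allow 443\nallow any\n")
        (root / "etc" / "db.ini").unlink()
        (root / "etc" / "unexpected.cfg").write_text("debug=true\n")
        return compare(json.loads(stored), build_baseline(root))
```

Each non-empty list in the result is something an operator should be alerted to, which is the point of the requirement's "alert personnel" clause.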

11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

Creating policy and procedure is a waste of time if it is not communicated and trained on.

Requirement 11 focuses on testing the devices on the network from a few different angles. Looking for rogue access points, scanning for vulnerabilities, conducting a mock attack, scanning for hostile traffic, and looking for changes are all important to ensuring a higher level of security and a lower level of risk.

Part of a regular testing plan should involve an independent third party testing, or reviewing, internal test results. This independent test provides clarity on how well your organization is following policy and procedure. Using an independent third party is the only way to obtain a realistic view of your security posture, because it allows you to "trust but verify" the work performed.

The report shows that only 1/3 of the companies performed the level of testing required by PCI DSS. During a year that has had some of the most high-profile breaches ever, the slide in Requirement 11 compliance is cause for concern. Requirement 11 was designed to help PCI organizations be prepared for the types of attacks 2014 brought. According to post-breach analysis, Verizon found that only 9% of organizations that were compromised were compliant with Requirement 11.

Reasons for this slide? Many organizations were not able to present proof that the scans were done. Others misunderstood how to properly conduct scans. Finally, many organizations lost track of scanning when personnel moved or responsibility for scanning was not properly transferred.

Of the organizations that are scanning, many waited several months to mitigate severe-risk vulnerabilities after discovering them. Delaying action left critical holes open to hostile actors and placed their organizations at unnecessary risk.

The PCI is an industry that is required to follow the controls and standards of PCI DSS because of the sensitive nature of the data it handles. Many of these companies have competent and well-trained IT departments. This report shows the challenges and problems that companies with dedicated security budgets and personnel are facing. Given the difficulties the PCI has, as outlined in the Verizon 2015 Compliance Report, what can one discern regarding the security posture of smaller companies, which lack dedicated staff and budgets and do not have a required security framework to follow?

The answer is not good. Small and medium-sized businesses (SMBs) are prime targets for hostile actors. Hostile actors are hard at work stealing money and intellectual property from SMBs. Limited budgets, lack of technical talent, and security assessments that are unable to help assess risk are all challenges SMBs face. Many SMBs ignore security until it is too late, and some then never recover. The security of your company is as important as making sales.

In the upcoming months Protocol46 will be rolling out products and services that are designed to meet the security needs of SMBs while being sensitive to their constraints.  Stay tuned as we launch.

Post by Remote Process