BreachExchange mailing list archives

Re: [Dataloss] Study: About One-Fifth of Breached Entities Were PCI-Compliant


From: Alex Hutton <alex () alexhutton com>
Date: Mon, 30 Aug 2010 17:20:47 -0400

Discussion inline.

Hi Al

On Sun, Aug 29, 2010 at 11:28 PM, Al <macwheel99 () wowway com> wrote:

> If you read the actual Verizon reports,

I'm somewhat familiar with them.


> which come out at least annually,
> Verizon is in the business of serving the needs of their customer clients.
>
> We do not have a directory of their customers, other than inference from
> someone whose e-mail address has the word "verizon" in there.
>
> They do not reveal statistics like "We have X million customers of which X
> thousand were knowingly breached."

I think you're confused as to the nature of the data set.  Many/most
of our IR clients are not otherwise Verizon Cybertrust services
customers.  In addition, this year's report includes 3 years of USSS
data.  As such, there is very little information such a statistic
would offer, really.


> They will not reveal any info that could identify which of their customers
> were knowingly breached.
>
> They do not have data on businesses that are not their customers.

Actually, we do.  The data set now includes 3 years of USSS data.


> Their analysis focused primarily on what was wrong, which contributed to the
> known breach at some company, and how easy it would have been to prevent it.

The "easy" stat is subjective and interesting, but not a primary focus IMHO.

> Only secondarily did they inquire if the company was officially in PCI
> compliance at the time of the known breach.

I'm not sure what you're implying by the term "secondarily", but if
the company had PCI concerns, the IR team is obliged to do a
post-mortem for the card brands.  This is certainly more of a focus
(and less opinionated) than the "easy" stats.

> So for example, some site might
> be in PCI compliance at one micro-second, then a second later they get
> breached.

If you buy into the jargon that compliance is the ongoing state of the
security program, and that "validation" is simply the state of nature
assessment - then (and I'm pretty sure I wrote this in the PCI section
of the DBIR) what "compliance" means is that the victim had achieved
validation at last assessment.  It does not mean they were "compliant"
at point of breach (personal note: I *despise* this semantic game -
it's not of our -VZ's- own design, but something our industry does for
some reason).

> This means either:
>
> - The PCI is good stuff, they lost their security, then got breached;
> - There is something not in PCI standards that should be;
> - The PCI audit was flawed;
> - Someone is not being truthful.
>
> It is evident to me from Verizon reports that some of the so-called
> PCI-compliant places that were breached, had either flawed audits, or
> someone is lying.

Or (more likely) they let compliance lapse.  I'm currently working on
another study, and one of the interesting things the data shows us is
year-to-year compliance.  Just because you were validated last year
does not mean you get/will have a clean IROC the next time around.

Finally, there's more wiggle-room.  Many validation exercises use
samples.... We'll leave this for another topic in another thread.

> This is irrespective of whether there's room for
> improvement in PCI standards.

And it's too early to say what degree of security the DSS allows.
IMHO there is, however, room for improvement in _all_ our "infosec"
standards:

http://securityblog.verizonbusiness.com/2009/09/22/re-imagining-information-security-standards/


> I kept saying "knowingly breached" because in lots of cases a company did
> not reveal to the world that it got breached, instead it was processing some
> data for some 3rd party, like credit card info, and theft of that data was
> traced back to a company that officially did not know anything was wrong.

Well, you have the Verizon data set and DLDB - what do you mean by
"lots"?  I can tell you that I wouldn't characterize our data set as
having a significant representation of that specific scenario.


> So what are the odds that any company has not yet been discovered, by
> 3rd party thefts, to be in breach condition?

Almost certain.  44% of our incidents took "months" to "years" to
discover the compromise.


> -
>
> Al Mac

> -----Original Message-----
> From: dataloss-discuss-bounces () datalossdb org
> [mailto:dataloss-discuss-bounces () datalossdb org] On Behalf Of Chris Walsh
> Sent: Friday, August 27, 2010 8:41 AM
> To: Jake Kouns; dataloss-discuss
> Subject: Re: [Dataloss-discuss] [Dataloss] Study: About One-Fifth of Breached
> Entities Were PCI-Compliant

> I'd be extremely interested in:
>
> 1) How the population for this survey is defined
>
> 2) What their sample frame is
>
> 3) The response rate

> On Aug 7, 2010, at 10:20 AM, Jake Kouns wrote:
>
> Verizon Business is in the midst of doing a similar survey of
> companies subject to PCI that have not been breached.

> _______________________________________________
> Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
> Archived at http://seclists.org/dataloss/
>
> Get business, compliance, IT and security staff on the same page with
> CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
> from Four Critical Perspectives. The eBook begins with considerations
> important to executives and business leaders.
> http://www.credant.com/campaigns/ebook-chpt-one-web.php







-- 
Alex Hutton

