BreachExchange mailing list archives
Re: [Dataloss] Study: About One-Fifth ofBreached Entities Were PCI-Compliant
From: "Al" <macwheel99 () wowway com>
Date: Mon, 30 Aug 2010 18:05:21 -0500
Thanks for corrections to my understandings. It is evident that we are talking about multiple reports and data sets, from which different conclusions may be drawn. I have not looked at ALL the Verizon reports, but I think it was last year they said that PCI was NOT the purpose of the report; it was to analyze how the places got breached, which they had insider data on. The PCI perspective there was kind of an afterthought, because of high public interest in that dimension. That's what I meant by "secondarily."

There are a lot of places at risk of breaches, with absolutely no obligation to have PCI, because they do not handle credit card data. The VA, for example. Social Security #s on every USA veteran got breached. PCI not relevant. Whose data set is that in? The Inspector General for that Agency.

There are places that got breached in recent years, in my community, which I have knowledge of, which never made it into the news media, and where PCI was not required. At the time of the breaches, there was no legal requirement to report the incident, except for the last one on this list.

* State of Indiana Tax System Hacked. I found out because the quarterly filings of data and tax $ from my employer were one of the data sets and $ which got absconded.

* An insurance company whose medical records got breached. I found out because MY records were included in those accessed by an unknown volume of 3rd parties, which they believe could include any of their customers, and anyone who breached any of them.

* A series of hacking incidents where I have had running battles with management regarding our security policies, and am extremely constrained in what I may say about the situation. We are operating with the minimum stuff of each OS. Security logs are a pain to decipher for IT people, let alone non-technical management. Security consultants challenged some of my interpretations, I showed them evidence, then they told management that my interpretations were not only correct, the situation was worse than I had painted due to the confluence of multiple risks. I had reported them individually. Consultants confirmed each and explained the combination impact.

* I downloaded an FBI annual report, then later was notified by CSI. Sorry, the info they asked from me, to register for downloads, that info got breached.

* A distributor of goods to grocery chains. I found out because the IT leadership involved gave a "lessons learned" seminar that I attended. Their financial records for payroll and bank accounts were drained. The FBI did apprehend a mule. They had called the FBI because the names of employees were being used in distant cities to make substantial withdrawals.

* There was also a test breach, where the federal gov hacked into a local public utility company, then blasted the company for not reporting the hack promptly. I learned about that from a similar "lessons learned" seminar at a local business computer association, for IT people. This was the ONLY local breach I am aware of where there was ANY obligation to report to any government authority.

We got to see in Verizon reports that some places took what most people would consider reasonable minimum precautions such as anti-virus, firewall, regular updates, encryption, internal reviews to catch violations, etc. and they still got breached. We also got to see that some breached places had not taken such minimum precautions. There were also statistics on HOW the breach got in ... what kinds of attacks were most prevalent. There are confidentiality agreements, where a place that got breached is not going to let investigators go public with who they are, and how they screwed up, unless there's a court order demanding they do so, because it just opens the door to more lawsuits.

I also recall that one of the breaches to a retailer occurred on the exact same day the PCI auditors were on the premises, giving the retailer a passing grade. The PCI auditors did not catch it. It was a case of back-tracking a breach & finding out when it happened. I don't think we found out in that case what company the PCI auditors were from, or if any auditors would be likely to do any different. Cases reported to the Secret Service or FBI tend to be a distorted sub-set, where the amount of $ is considerable and documented, and certain crimes were suspected in the first place.

- Al Mac

-----Original Message-----
From: Alex Hutton [mailto:alex () alexhutton com]
Sent: Monday, August 30, 2010 4:21 PM
To: Al
Cc: Chris Walsh; Jake Kouns; dataloss-discuss
Subject: Re: [Dataloss-discuss] [Dataloss] Study: About One-Fifth ofBreached Entities Were PCI-Compliant

Discussion inline.

Hi Al

On Sun, Aug 29, 2010 at 11:28 PM, Al <macwheel99 () wowway com> wrote:
> If you read the actual Verizon reports,

I'm somewhat familiar with them.

> which come out at least annually,
> Verizon is in the business of serving the needs of their customer clients. We do not have a directory of their customers, other than inference from someone whose e-mail address has the word "verizon" in there. They do not reveal statistics like "We have X million customers of which X thousand were knowingly breached."

I think you're confused as to the nature of the data set. Many/most of our IR clients are not otherwise Verizon Cybertrust services customers. In addition, this year's report includes 3 years of USSS data. As such, there is very little information such a statistic would offer, really.

> They will not reveal any info that could identify which of their customers were knowingly breached. They do not have data on businesses that are not their customers.

Actually, we do. The data set now includes 3 years of USSS data.

> Their analysis focused primarily on what was wrong, which contributed to the known breach at some company, and how easy it would have been to prevent it.

The "easy" stat is subjective and interesting, but not a primary focus IMHO.

> Only secondarily did they inquire if the company was officially in PCI compliance at the time of the known breach.

I'm not sure what you're implying by the term "secondarily", but if the company had PCI concerns, the IR team is obliged to do a post-mortem for the card brands. This is certainly more of a focus (and less opinionated) than the "easy" stats.

> So for example, some site might be in PCI compliance at one micro-second, then a second later they get breached.

If you buy into the jargon that compliance is the ongoing state of the security program, and that "validation" is simply the state of nature assessment - then (and I'm pretty sure I wrote this in the PCI section of the DBIR) what "compliance" means is that the victim had achieved validation at last assessment. It does not mean they were "compliant" at point of breach (personal note: I *despise* this semantic game - it's not of our -VZ's- own design, but something our industry does for some reason).

> This means either:
> . The PCI is good stuff, they lost their security, then got breached;
> . There is something not in PCI standards that should be;
> . The PCI audit was flawed;
> . Someone is not being truthful.
> It is evident to me from Verizon reports that some of the so-called PCI-compliant places that were breached had either flawed audits, or someone is lying.

Or (more likely) they let compliance lapse. I'm currently working on another study, and one of the interesting things the data shows us is year-to-year compliance. Just because you were validated last year does not mean you get/will have a clean IROC the next time around. Finally, there's more wiggle-room. Many validation exercises use samples.... We'll leave this for another topic in another thread.

> This is irrespective of whether there's room for improvement in PCI standards.

And it's too early to say what degree of security the DSS allows. IMHO there is, however, room for improvement in _all_ our "infosec" standards : http://securityblog.verizonbusiness.com/2009/09/22/re-imagining-information-security-standards/

> I kept saying "knowingly breached" because in lots of cases a company did not reveal to the world that it got breached, instead it was processing some data for some 3rd party, like credit card info, and theft of that data was traced back to a company that officially did not know anything was wrong.

Well, you have the Verizon data set and DLDB - what do you mean by "lots"? I can tell you that I wouldn't characterize our data set as having a significant representation of that specific scenario.

> So what are the odds that any company that has not yet been discovered, by 3rd party thefts, to be in breach condition?

Almost certain. 44% of our incidents took "months" to "years" to discover the compromise.

> - Al Mac
<snip>
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/