Full Disclosure mailing list archives

Re: Compliance Is Wasted Money, Study Finds


From: Valdis.Kletnieks () vt edu
Date: Sat, 10 Apr 2010 23:09:22 -0400

On Sat, 10 Apr 2010 18:00:23 -0000, "Thor (Hammer of God)" said:

> According to the 2009 Verizon Business Breach Report, 81% of the attack victims were not PCI compliant:
>
> http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
>
> Verizon Business has gotten a good reputation for having good hard numbers.
> I'd have to say their breach reports are probably close to the most accurate
> numbers we're going to get in this industry.
>
> 81% of victims were not PCI compliant.
>
> In and of itself, doesn't say much, but combined with these 3:
>
> 83% of attacks were not highly difficult.
> 87% were considered avoidable through simple or intermediate controls.
> 99.9% of records were compromised from servers and applications (meaning, not clients).

Sad, ain't it? Over 4 out of 5 times, the hack wasn't hard, and almost 9 out
of 10 times, basic hardening would have prevented it.

Unfortunately, there's not enough data there to say if the 81% had been compliant,
if that would have imposed enough hardening to stop the attacks dead in their
tracks.  Probably in most of the cases it would have, though.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
