PCI Learnings from the Verizon 2017 Data Breach Digest

April 12, 2017 • Best Practices

The story behind the DBD.

Each spring, the information security community looks forward to the release of the latest Verizon Data Breach Investigation Report (DBIR). This year we have some advanced data breach info as we await the DBIR: The Verizon 2017 Data Breach Digest (DBD).

According to Verizon:

The DBD is the DBIR’s alter ego—it complements and supplements the DBIR by bringing data breaches to life through narratives told by breach responders. It’s light on metrics, but heavy on experiences. So use the DBIR to frame your argument for enterprise change; use the DBD to illustrate why such change is needed.

From my perspective, the DBD calls out several payment-security concerns I tend to talk about a lot. These issues don’t always get a great deal of attention, however, so I’d like to highlight them here as “PCI learnings.”

PCI Learning #1: Web applications are a significant vulnerability.

If I had $100 for every time someone told me how secure and bulletproof their web app was, I could… buy something real nice and expensive!

Unfortunately, web applications remain a huge Achilles heel in companies’ cybersecurity posture. That’s because many companies are good at addressing network security, but largely neglect to look for vulnerabilities in their web applications.

Think about all the people who created slick applications before the PCI DSS came about (yes, many of those apps are still in use today!). Or, those who are presently creating web apps and still haven’t heard of—or are ignoring their obligation to—the PCI DSS.

That’s why the DBD calls out the Web Application Firewall (WAF) as a “security imperative.” However, the DBD also says you must pair the WAF technology with “well-designed, secure applications.” But what happens when you can’t? Then you add a layer of protection with a web application security test.

PCI Learning #2: The human element must be thoroughly addressed.

The insider threat is my favorite area to study. It’s no surprise that humans are fallible, and that’s why the PCI DSS has multiple requirements to secure businesses from exploits targeting the human element.

The PCI requirements geared toward controls for human mistakes and tampering cover:

  • Malware prevention (requirement 5);
  • Access control (requirements 7-9);
  • Access tracking (requirement 10); and
  • Information security policies and awareness training (requirement 12).

And here’s a statistic of note from the DBD: Cyber criminals used email to carry out their attacks 95% of the time—95% of the time! This tells me that employees’ security awareness is even more essential than anyone realized.

PCI Learning #3: The Internet is a business’s friend—and its enemy.

As with insecure web applications, the innovative force driving today’s Internet of Things (IoT) connectivity means that many products and services are being developed without an understanding of the data security implications.

An “attack of the toasters” is one thing, but how does IoT relate to the everyday business environment? The fact is, IoT is adding complexity to businesses’ IT environments as they expand into mobility, up into the cloud, and across new Internet-connected endpoints.

The most important thing a business can do here is pay close attention to PCI DSS requirements 4, 5 and 6, specifically:

  • Encrypt data used for authentication purposes as well as in payment data transmissions;
  • Actively protect all Internet-connected endpoints against malware; and
  • Segment the card data environment away from unrelated network components.

In the IoT world, securing your endpoints is mission critical.

Yes, there’s a lot to learn.

Keeping up with the security threat environment can seem overwhelming, but as I like to say, just start somewhere! Addressing the three learnings above can be a great place to start. Chances are you’ll learn even more along the way.