13 March 2015

COMPLIANCE vs SECURITY: MUSINGS ON THE VERIZON PCI COMPLIANCE REPORT 2015

Well, it’s the start of all those analytical reports for 2015, and I'm glad that this one is out to give us an account of PCI compliance across the world…
In this year’s report, covering breaches in 2014, we have a new addition: an analysis of the usage of compensating controls and of compliance sustainability… Interestingly, whilst compliance across the case load showed an increase of 80% for companies that validated compliance, it still represented only 20% of organisations assessed, and unfortunately many fall out of compliance rather rapidly, with nearly a third of organisations falling out of compliance less than a year after successful validation… It’s the old potato again: those organisations that haven’t embedded security in their DNA will only ever treat it as a compliance exercise and forget about it until the next time an assessment is due...


One encouraging trend, however, is the fact that compliance went up for all but one of the 12 DSS requirements:


In other words, this is where companies have been mostly spending their efforts:


This left me pondering for a minute or two, given that 2014 gave us very substantial breaches that involved lost credentials, and that those very same breaches had in common the fact that they took a long time to discover and that all of the organisations concerned were notified of those breaches by third parties…

I was therefore forced to deduce the following:
  1. Whilst organisations spent more on identity and access management (36% increase) and on restricting access to cardholder data (29%), they spent very little (6%) on restricting physical access to cardholder data (which partly cancels out some of the improvements). In addition, it proves something I have long believed: Role-Based Access Control (RBAC) (along with static access control lists and identity-based access control) is no longer sufficient in our constantly changing technology landscape, with its proliferation of end-points that cannot always be trusted. The report recognises this on page 9. It is also a fact that RBAC is difficult to implement properly and no longer fit for purpose in the increasingly connected world, as allowing user access to systems or applications ultimately depends on line management decisions… If you’re a manager, wouldn't you allow your staff as much access as you think they need, just in case?...
    Moving to Attribute-Based Access Control (ABAC) and other newer methods, as well as reviewing processes, will be a long and arduous road that we all need to start travelling now…
  2. Again, on the subject of access, we must remember that the most publicised breaches of 2014 started with successful phishing attacks… So regardless of how sophisticated access management is within a given organisation, if criminals can gain access to your systems by obtaining legitimate credentials through social engineering, that’s game over, isn't it? No surprise there, given that hardly any money was spent on staff awareness and policies and third-party due diligence (4% for Requirement 12, and I remind you of the importance of 12.6 and 12.8 – and on that last one, remember that the Target breach started at a refrigeration company…)
    One final point before I leave that well-trodden subject alone: whilst companies spent the most on Requirement 8, I can’t help thinking, given what we know, that they didn't spend that much on 12.3 (two-factor authentication), which could have prevented a lot of heartache...
  3. The second highest spend was on tracking and monitoring access (32% increase), which is good news. This means that organisations have spent more on logging and on monitoring those logs. But logging and monitoring is about having the intelligence that enables the discovery that something has gone askew. So once we know something’s not right, what do we do with that information? Of course, we escalate it through our incident response process...
    Cue Requirement 11 for testing of security systems and processes (7% decrease in spend), and Requirement 12 (Policy/Awareness) with the 2nd lowest spend at 4%, most particularly 12.5.2-3 (staff allocation to incident monitoring duties) and my favourite, 12.10 (Incident Response). Conclusion: we may be gathering the data more efficiently, but we haven’t got a clue what to do with it! Don’t believe me? Remember that security personnel at Target knew of their data breach months before it happened… I rest my case.

All in all, we can deduce the following points:
  • Increased spending has been mostly in security technology.
  • Limited spending took place in some process-related areas, decreased in many others, and there is still a long way to go.
  • Very little was spent on people (including awareness) and in some cases spend decreased substantially.

Unfortunately, this means that good efforts were cancelled out, and businesses continue to think that information security is a technology matter… Let's remind ourselves of that oldie but goodie:

PEOPLE, PROCESS, TECHNOLOGY:
AN INFORMATION SECURITY STRATEGY MUST BE TRILATERAL.


Until next time,
neirajones