Verizon has some good news and some bad news about organizations’ compliance with PCI DSS.
In its 2017 “Payment Security Report,” Verizon analyzed the “compliance patterns and control failures” of organizations subject to PCI DSS. The report also pulled information from Verizon’s annual “Data Breach Investigations Report” and looked at the correlation between the findings of each.
The good news in the report is that more companies reached full compliance with PCI DSS in 2016 than in 2015.
“For the first time, more than half (55.4%) of companies we assessed were fully compliant at interim validation, compared to 48.4% in 2015,” Verizon wrote. “But that means that nearly half of stores, hotels, restaurants, practices and other businesses that take card payments are still failing to maintain compliance from year to year.”
While having more than half of organizations compliant is a positive trend, Verizon also noted that compliance doesn’t necessarily mean security, particularly because organizations tend to “lose focus” once they achieve compliance. The trick, according to the report, is not to focus purely on meeting the compliance requirements, but to “make sustainability and resilience part of their larger security program.”
The bad news is that those organizations not fully in compliance with PCI DSS are missing the mark by a wider margin than before. The companies that failed their compliance assessments in 2015 were missing 12.4% of the required controls, and in 2016, 13% of the controls were missing.
“Many of the security controls that weren’t in place cover fundamental security principles with broad applicability, and their absence could be material to the likelihood of suffering a data breach,” said Verizon.
However, the report said this isn’t necessarily because companies aren’t putting effort into security; one factor is that the controls they do implement are ineffective. This can be due to controls losing effectiveness over time or to controls that don’t adapt to other changes in the environment. Either way, the problem is significant.
“Over the past five years we’ve analyzed PCI DSS compliance, the proportion of companies achieving 100% has gone up almost fivefold,” Verizon said. “Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. Looking at it requirement by requirement, five out of six of the worst performers are the same now as they were in 2012.”
In comparing the data in the “Payment Security Report” to the “Data Breach Investigations Report,” Verizon noticed another significant connection.
“Of all the payment card data breaches that Verizon has investigated between 2010 and 2016 — nearly 300 — not a single organization was fully PCI DSS compliant at the time of the breach.”
So, while compliance with PCI DSS may not guarantee the security of an organization, it likely decreases the odds of it being the victim of a data breach.
In other news:
- The cyber-espionage group Turla has developed a new backdoor attack called WhiteBear. Kaspersky Lab APT Intelligence Reporting has been tracking these attacks, which use Gazer — the name given by ESET to the second-stage backdoor used in WhiteBear — since 2016. Turla, which is allegedly based in Russia, had been targeting computers at various embassies and diplomatic and foreign affairs organizations, but has recently turned its focus to defense-related organizations. “WhiteBear infections appear to be preceded by a condensed spear phishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules,” Kaspersky Lab wrote on its site SecureList. “The exact delivery vector for WhiteBear components is unknown to us, although we have very strong suspicion the group spear phished targets with malicious pdf files.” Turla was also behind the recent plot to use Britney Spears’ Instagram account to conceal and spread malware.
- A firmware update is now available to patients with a radio frequency-enabled St. Jude Medical implantable pacemaker or defibrillator. The devices from St. Jude Medical — now Abbott’s — have a firmware flaw that enabled attackers to remotely access them and cause rapid battery depletion or dangerous pacing or shocks. The patch was issued in January 2017 after months of drama from St. Jude Medical, which at first denied the existence of the flaw after a security researcher discovered it, allegedly shorted the company’s shares, and then went public with it. Now, the FDA has approved the patch, and patients can start getting updates that don’t require surgery. However, the FDA does warn that the update has potential issues, including the reloading of an earlier firmware version, the loss of preprogrammed device settings, the loss of diagnostic data, and the complete loss of device functionality.
- A group of security and technology companies banded together to take down the WireX Android DDoS botnet this month. Researchers from Google, Cloudflare, Flashpoint, Akamai, Oracle, RiskIQ and Team Cymru shut down the WireX botnet, which at its peak may have infected hundreds of thousands of Android devices with malicious apps. The apps were sending a huge number of requests to websites over HTTPS, which would deplete the resources of the servers the websites were hosted on. Google found the malware that infected the Android devices in its Play Store and removed the hundreds of infected applications. WireX may have been active as early as Aug. 2, but the attacks on the websites on Aug. 15 are what prompted the companies to work together. A blog post explaining the botnet and the efforts to take it down said that, though the attacks leveraged user apps, the users themselves seemed not to be affected. “The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them,” Akamai wrote. The post also praises the collaboration, saying, “These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies and intelligence firms. Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”