Compliance challenges

As a VeriSign security consultant, Jonathan Care is well placed to see how effective IT departments handle security – and how ineffective ones fail to handle it.

“IT staff are not equipped to resist advanced malware applications, like those that sneak in through social apps,” he says. “But I continually see things like SQL injections (website database hacks) – flaws that have been around for years, because web developers are not security experts.”

Much of Care’s work involves ensuring compliance, particularly in the area of PCI (payment card industry) standards, which sees him working with businesses to satisfy credit card companies that customer financial data is being protected and stored appropriately.

Care analysed 112 PCI assessments conducted by VeriSign Security Consulting to determine the most common causes of compliance failure, finding that inappropriate storage of sensitive data occurred in nearly 80% of PCI compliance failures.

“Sometimes [card numbers] are stored in a contact to a call centre, sometimes a device is left in debug mode and numbers are being written to plain text [rather than encrypted],” he says, adding that “the temperature rises dramatically” if CID (three digit card authentication) numbers are found to be stored in any format.

Other common causes of failure include not regularly testing security processes (74%), inadequate monitoring of transactions such as charge-backs and refunds (71%), and ineffective firewalls (66%).

User account sharing remains an issue, with 71% of businesses failing PCI assessments for not assigning unique IDs to accounts and monitoring access. “It makes tracking and auditing ineffective,” Care explains.

Perhaps of most concern is the widespread use of default passwords, present in 62% of cases – “a very simple thing we see time and time again.”

Care offers three steps he says that those responsible for sensitive data “should do right now.”

“Plan for incidents; ask yourselves, what would you do if your website was hacked or suffered an insider attack this afternoon? Next, initiate a penetration-testing program with internal vulnerability scans. Finally: review the way you manage data, and how you allow third parties to manage it. You’re still responsible even if data handled to third party,” he explains.

Related Topics