Radian Compliance Management Services

These tips can help you make sure you are PCI compliant and tell you what it may cost your company if you aren’t.

June 26, 2008 — CIO — CIO.com and CSOonline.com team together to bring you the most pertinent information on PCI compliance. Whether you think you’re already in compliance or you’re in complete denial of the June 30, 2008 deadline, these tips can help you make sure you are compliant and tell you what it may cost your company if you aren’t.

FUD Watch: Vendor Hype Escalates Over PCI Deadline
Monday is the day merchants must be in compliance with PCI DSS Requirement 6.6. That means the security vendor PR machine is in overdrive.

PCI Is Security Simplicity, Not Complexity
Payment card industry data security: the standard that makes people stupid.

All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America’s most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.

A Guide to Practical PCI Compliance
Myriad merchants find themselves at the end of the PCI compliance barrel and are spending significant amounts of time, money and effort in achieving PCI compliance. Advice from companies that have been there can help smooth your path.

Acceptance Growing for PCI Security Standard
PCI chief says the PCI DSS security requirements have gained considerable momentum in the US and globally.

PCI: Smart or Stupid?
The data security standard isn’t as complex as some would have you believe.

PCI Standards Body Moves Ahead on Payment-Application
PCI Security Standards Council releases list of certified payment applications under Payment Application Data Security Standard.

Does the PCI Standards Council Have a Clue?
In version 1.1. of the PCI DSS (Payment Card Industry Data Security Standard), there are requirements for securing the application layer of a credit card.

The PCI Data Security Standard
Learn about the validation requirements of the payment card industry’s data security standard (PCI DSS), including administrative and technical elements of the program, and the potential sanctions for failure to comply.

Building a Strategic, Comprehensive Solution for PCI-DSS Compliance
Security trends and hacking techniques are continually changing and, as a result, the PCI-DSS continues to evolve. To stay ahead of these trends and prove compliance, your organization needs a powerful solution for collecting and monitoring user activity. Learn more about how you can use compliance as a means of competitive differentiation.

Industry View: Calculating the True Cost of PCI Non-Compliance
Compliance costs, but the cost of non-compliance may be more.

Payment Card Industry Compliance
Ignoring the PCI Data Security Standard is risky business. Here’s how you can prepare for compliance.

Do We Need Whistle-Blower Laws in Security?
Security laws aren’t all black and white.

PCI Is Security Simplicity, Not Complexity
The payment card industry data security standard seems to make relatively smart people instantly dim-witted as they complain about its so-called complexity.

Can Mid-Market Merchants Comply with PCI Standards In Time?
If you want to transact business with credit cards, you have to follow the rules: the payment card industry security standards. Companies that don’t comply face fines or worse. So why aren’t more mid-market merchants already in compliance?

One-third of Visa Merchants Missed Security Deadline
Companies face fines for non-compliance.

Why Should Merchants Keep Credit Card Data?
The retail industry advocates keeping a bare minimum of customer financial information. Just enough to still serve your customers without providing potential thieves what they need.

Crushed by Compliance Tyrants
Are you beset by compliance regulations that just don’t make sense? Cutting back on important security measures to pay for them?.

Tear Down that Silo: Compliance in the Executive Suite
Treating compliance as a one-time project costs far more for IT measures than if you take a proactive and integrated approach.

I’ve Got My CrankyPants on Again
Will PCI’s PA-DSS (Payment Application Data Security Standard) be a mess?
 

© 2008 CXO Media Inc.

New standard will help with information security risk management
ISO/IEC 27005:2008 ‘Information technology – Security techniques – Information security risk management’.
http://www.continuitycentral.com/news04003.htm
•Date: 20th June 2008• Region: World

Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, according to a comprehensive report issued by Verizon Business. The study also provides key recommendations to help businesses protect themselves and urges them to be proactive.

The ‘2008 Data Breach Investigations Report’ spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. This first-of-its-kind study, conducted by Verizon Business Security Solutions investigative experts, also found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.

Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:

- Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a
number that rose five-fold during the course of the period studied.

- Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

- Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

- Nine of 10 breaches involved some type of ‘unknown’ including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.

- In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don’t know where data is, you certainly can’t protect it.

The breaches investigated represent a broad spectrum of industries. The retail and food and beverage industries account for more than half of all cases investigated. By contrast, financial services - an industry with great monetary assets that are also typically well-protected, especially when compared to other sectors - accounted for 14 percent of breaches studied.

The study’s findings show a marked increase in the number and type of international incidents. For example, attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East. Internet protocol (IP) addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems.

Pointing to the psychology behind breaches, the reports suggests that data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud. By breaking into restricted computer systems and compromising sensitive information stored within them, criminals are able to access systems that contain information on tens of thousands of victims versus just a handful through non-electronic means.

Making this crime even more attractive is the lucrative black market for stolen data. This social network enables criminals to work with one another to find vulnerable systems, compromise data and commit large-scale identity fraud. Within this network, the report finds, criminal conglomerates maintain access to hackers, fraudsters and other organized crime groups.

Recommendations for enterprises

Simple actions, when done diligently and continually, can reap big benefits, the study notes. Key recommendations include:

- Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement,
implement, implement.

- Create a data retention plan. With 66 percent of all breaches involving data that a company did not even know was on their system, it’s critical that an organization knows were data flows and where it resides. Identify data and prioritize its risk to the organization.

- Control data with transaction zones. Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack. In other words, wall off data when and where appropriate.

- Monitor event logs. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Data logs should be continually and systemically monitored and responded to when events are discovered.

- Create an incident response plan. If and when a breach is suspected, the organization must be ready to respond, not only to stop the data compromise but to collect evidence that enables the business to pursue prosecution when necessary.

- Increase awareness. Only 14 percent of data breaches were discovered by employees of the victimized organization, even though employees are the first line of defense in safeguarding data. Educate them to be aware.

- Engage in mock-incident testing: Making sure employees are well-trained to respond to a breach. Run drills and test people’s abilities, judgments and actions during a mock crisis.