Though the much larger and more comprehensive Verizon Data Breach Investigation Report for 2015 has yet to be released, information security professionals concerned with the payment card industry can view the findings of the PCI Compliance Report now. Of course, we at Cimcor were eager to see what conclusions this year’s document revealed, and its pages did not disappoint.

The Opening Salvo

Before even reaching the table of contents, the title page of the PDF states that 67% of organizations were not adequately testing their in-scope security systems in 2014. It follows up that line by positing that 80% fail during interim assessments: the security controls that are put in place are not sustained for long afterward.

Upon Deeper Inspection

Requirement 11 is of particular interest to us, as it is the one that calls for file integrity monitoring. During those interim assessments, Requirement 11 performs the worst, falling from 40% compliance in 2013 to just a third last year. This is one of the major reasons companies have difficulty going from “mostly compliant” to “fully compliant”. However, having a change-detection solution like CimTrak in place is one of the fastest methods available to find out that something has occurred on your systems.

Relentless Waves of Malware

Attacks involving malware are rising like the waters of high tide. While using an antivirus solution that is signature-based is great for known threats, it does nothing for zero-day attacks. The report states on page 11 that, “Traditional signature-based protection anti-virus scanners are largely reactive and not sufficiently effective to counter new and emerging threats – such as zero-day” attacks.

Prevention is a smart initiative, but cyber attacks are increasing at an alarming rate. Detecting them quickly, so that you can remediate the data and minimize further damage, is vital to the health of technology systems such as cardholder data environments (CDE). As mentioned earlier, Requirement 11 is critical for detecting unauthorized changes to your IT systems. The report drives home the importance of performing file integrity monitoring to catch those changes.

Really Expensive & Hard to Use? Is Tripwire the Only Game in Town?

The PCI report notes that many organizations feel that change-detection mechanisms are expensive or difficult to institute, but that’s just not true. Perhaps this is because users are unaware of alternatives to solutions such as Tripwire. Here at Cimcor, we encourage you to demo the CimTrak solution. It is affordable, at a fraction of the cost of competing technology, while being easy to use and highly tunable for your diverse needs and applications.

Let us know when you’d like to see the difference for yourself so that your company and its data can become positive statistics for next year’s Verizon PCI Compliance Report.

Post by Jacqueline von Ogden
April 2, 2015
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".
