The cost of achieving PCI compliance is significant: an average of $3.5M per year, according to a study by the Ponemon Institute. Companies are also reporting that “the average cost for organizations that experience non-compliance-related problems is far higher — $9.4M.” This suggests that compliance initiatives are a good investment, but is this about improving security, or about meeting compliance requirements to avoid fines and expensive legal disputes?
A report from Network World adds that almost 50% of an IT security professional’s time is taken up by meeting regulatory compliance initiatives.
What is clear is that regulatory compliance is a key driver in the IT security business.
The legality of responding to malicious attacks was recently the topic of conversation at BlackHat DC, prompting Network World to pen an article intriguingly titled Is retaliation the answer to cyber attacks?. Perhaps the legality is easier to define if we split counter-measures into two types. The first is an “aggressive” retaliation, similar to what Stuxnet is believed to have achieved against Iran’s nuclear infrastructure. Clearly there are legal ramifications for aggressively damaging property, and corporations are not going to want this type of retaliation. The second is a “protective” retaliation, such as blocking the active connection or serving a deliberately broken version of the web application to the identified attacker. Or how about sending the attacker a warning? Is that a counter-measure that is too aggressive? Most companies would clearly see the difference and are comfortable with a more proactive protective response.
The arrest of two hackers suggests that the days of hacking for fun are very much history. The Wall Street Journal reports the arrests, noting that AT&T acknowledged in June that a flaw in its website made it possible for iPad users’ email addresses to be revealed, and said it had fixed the problem. If AT&T, with all its resources, can be the victim of web application abuse, what chance do companies with fewer resources have?
The next question is: were the alleged hackers white hat, black hat or somewhere in between? SC Magazine has a strong quote:
U.S. Attorney Paul Fishman said in a statement that other researchers should think twice before using their technical skills for illegal purposes.
“Hacking is not a competitive sport, and security breaches are not a game,” U.S. Attorney Paul Fishman said in a statement. “Those who use technological expertise for malicious purposes take note: Your activities in cyberspace can have serious consequences for you in the real world.”
Dark Reading recently wrote about the weaknesses of firewalls and illustrates the problems of firewall proliferation in a very interesting way. There are four main problems:
- Rules Management: Firewalls require rules, and configuring those rules is time-consuming and never finished. Changing one rule may affect another that is already configured. Rules management is a burden on IT security staff, and increasingly the reason firewalls fail is that they are configured incorrectly.
- Firewall Proliferation and Sprawl: More firewalls within an enterprise mean more rules to configure, resulting in either more configuration errors or a firewall configured to provide the least possible security, possibly even letting all traffic through.
- The Security Myth of Firewalls: Audits for PCI or SOX compliance are more likely to uncover a mis-configured firewall than either a hacker or the overworked IT security department charged with managing the device.
- Application Ignorance: The majority of firewalls are ignorant of what they are protecting and do not understand what the correct behavior of a normal user is. Application-aware firewalls will become more important.
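The first two problems above (a rule change silently affecting an earlier rule, and a sprawling rule base that ends up letting everything through) are mechanical enough to check for. The following is an added example, not code from the Dark Reading article or from this blog: a minimal checker for an ordered, first-match firewall rule list that reports shadowed rules (a later rule that can never match because an earlier rule already covers every packet it describes, which is worse when the two rules disagree on the action) and catch-all permits. The rule format, the helper names and the sample rule set are all constructed for the example.

```python
"""Added example (not the article's or the blog's code): detect shadowed rules
and catch-all permits in an ordered, first-match firewall rule list."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: tuple          # (low, high) inclusive; (0, 65535) means any port


def rule(name, action, proto, src, dst, dports=(0, 65535)):
    """Convenience constructor so the sample rules below stay readable."""
    return Rule(name, action, proto, ip_network(src), ip_network(dst), dports)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    ports_ok = a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1]
    return (proto_ok and ports_ok
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def find_shadowed(rules):
    """First-match semantics: a rule is shadowed if any earlier rule covers it.
    Returns (shadowed, shadowing, actions_conflict) triples."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


def find_catch_all_allows(rules):
    """Allow rules that match any protocol, any source, any destination, any port."""
    return [r.name for r in rules
            if r.action == "allow" and r.proto == "any"
            and r.src.prefixlen == 0 and r.dst.prefixlen == 0
            and r.dports == (0, 65535)]


# Constructed sample rule base. Rule 2 is the kind of "temporary" permit that
# accumulates during sprawl; rule 3 is a deny that can never fire because
# rule 1 already allows the same traffic.
SAMPLE_RULES = [
    rule("allow-https", "allow", "tcp", "0.0.0.0/0", "10.0.0.0/8", (443, 443)),
    rule("allow-all", "allow", "any", "0.0.0.0/0", "0.0.0.0/0"),
    rule("deny-badnet-https", "deny", "tcp", "192.0.2.0/24", "10.0.0.0/8", (443, 443)),
    rule("allow-dns", "allow", "udp", "10.0.0.0/8", "10.0.0.0/8", (53, 53)),
]

if __name__ == "__main__":
    for shadowed, by, conflict in find_shadowed(SAMPLE_RULES):
        kind = "CONFLICT" if conflict else "redundant"
        print(f"{shadowed} is shadowed by {by} ({kind})")
    for name in find_catch_all_allows(SAMPLE_RULES):
        print(f"{name} permits all traffic")
```

On the sample rule base the checker reports that deny-badnet-https is shadowed by allow-https with conflicting actions (the deny was added later but will never block anything), that allow-dns is made redundant by allow-all, and that allow-all is a catch-all permit. A real rule base also has to account for interface, direction and source ports, but the same coverage test applies.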
And another article lauds the three major tenets of PCI requirements. Companies holding customer data should:
- Use a Web application firewall
- Develop software using secure practices
- And focus on whitelisting technologies for key servers.
With the Verizon Data Breach Report stating that 94% of compromised records involved a flaw in a web application, something is wrong. If firewalls are not being configured correctly and almost all records are stolen through a web application flaw, why does PCI push companies toward a web application firewall? (PCI DSS requirement 6.6 in fact accepts either a WAF in front of public-facing web applications or regular application vulnerability review; it does not mandate a WAF outright.)
Is a proactive, application-aware defensive solution for web applications, one that needs neither signatures nor cumbersome rules management, the next key solution?
Below is a copy of the slides used in our Webinar titled ‘How Web Applications are Attacked’.
To watch the fascinating content, go to this page and complete the form to view the Webinar file at your leisure.
A report released by McAfee has put a number on the size of the financial problem from web application abuse, in this case called ‘Web 2.0 breaches’. That number is $1.1 billion. Over 60% of respondents reported losses of $2 million to their business. That is a significant problem. The interesting fact is that 79% of respondents have increased firewall protection since introducing web applications into their business. It looks like all that firewall protection is missing $2 million worth of abuse. How big does this financial impact need to be before business people start questioning the nature of security around web applications? And the final interesting point is that only 40% of businesses had budget allocated to securing Web 2.0 applications. This problem is not fully understood as a business problem, and its scale may be much larger. It is not often that you get to wonder whether $1.1 billion in losses is just the tip of the iceberg.
Kelly Jackson Higgins from Dark Reading wrote an interesting article titled Accepting The Inevitability Of Attack.
The crucial idea that security involves three different components, prevention, detection and response, is important for understanding next generation security and particularly web application abuse. Traditional security methods have focused primarily on prevention: implementing secure development lifecycles, pre- and post-development code scans, and blocking traffic using web application firewalls. But what of detection and response? Detecting a malicious user of your web application in real time, before the damage is done, is more valuable to many of today’s online companies. And how valuable is a response to that malicious user, in order to protect the business and make sure a future attack doesn’t affect a normal user? It is not just companies that are affected by web abuse; normal paying users of the site are also affected by poor performance of web applications.
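To make the detection and response components concrete, and to show what the “protective” response discussed earlier (blocking the identified attacker rather than retaliating) looks like in practice, here is an added example that is not code from this blog or from any product it describes. It parses constructed web server access-log lines, builds a per-client profile, and flags two behaviours that a signature-based device would not necessarily see as attacks: a run of sequential values for a numeric query parameter (identifier enumeration, the class of flaw behind the AT&T incident, for which the page gives no technical details and none are assumed here) and a high count of 404 responses (forced browsing of paths that do not exist). The log format, thresholds, IP addresses and function names are all constructed for the example.

```python
"""Added example (not the blog's code): detect an abusive web-application
client from access-log lines and decide on a protective response."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined-log-style line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Per-client counters: request count, 404 count, and the distinct numeric
    values seen for each query parameter (the enumeration signal)."""
    profiles = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                    "param_values": defaultdict(set)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p["requests"] += 1
        if rec["status"] == 404:
            p["not_found"] += 1
        for key, values in parse_qs(urlparse(rec["path"]).query).items():
            for v in values:
                if v.isdigit():
                    p["param_values"][key].add(int(v))
    return profiles


def is_sequential(values, min_run=5):
    """True if the values form one unbroken ascending run of at least min_run."""
    s = sorted(values)
    return len(s) >= min_run and all(b - a == 1 for a, b in zip(s, s[1:]))


def classify(profile, max_404=10):
    """Detection: return ("block", reasons) or ("allow", []) for one client."""
    reasons = []
    if profile["not_found"] >= max_404:
        reasons.append(f"{profile['not_found']} responses with status 404 (forced browsing)")
    for key, values in profile["param_values"].items():
        if is_sequential(values):
            reasons.append(f"sequential values for parameter {key!r} (identifier enumeration)")
    return ("block" if reasons else "allow"), reasons


def decide(lines):
    """Response: the verdict per client IP, ready to feed a blocklist."""
    return {ip: classify(p) for ip, p in profile_clients(lines).items()}


def _line(ip, path, status):
    return f'{ip} - - [10/Feb/2011:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample traffic: an enumerating client, a forced-browsing client,
# and a normal user who looks up one account and fetches static files.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"/account?id={n}", 200) for n in range(1000, 1007)]
    + [_line("198.51.100.9", p, 404) for p in
       ["/admin", "/backup.zip", "/.git/config", "/phpmyadmin", "/wp-login.php",
        "/config.bak", "/db.sql", "/test", "/old", "/.env", "/setup", "/console"]]
    + [_line("203.0.113.5", "/account?id=1042", 200),
       _line("203.0.113.5", "/", 200),
       _line("203.0.113.5", "/style.css", 200)]
)

if __name__ == "__main__":
    for ip, (verdict, reasons) in decide(SAMPLE_LOG).items():
        print(ip, verdict, "; ".join(reasons))
```

The point of the profile is that each individual request from the enumerating client is a perfectly valid, authorised-looking request; only the sequence reveals the intent, which is why per-request signatures miss it. The normal user, who fetches a single account and some static files, is left alone, which is the “don’t affect a normal user” half of the response. In production the counters would live in a sliding time window rather than over a whole file, and the block would be applied at the edge for a bounded period.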