annual report from Verizon found that while businesses are getting better at meeting payment compliance standards, almost half failed their interim assessment in 2016 – and the company warns that this is directly linked to organisations being open to cyber attacks.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards that organisations handling branded payment cards must adhere to, with a validation assessment taking place once a year.
Verizon is a company that is qualified to carry out PCI assessments, and of the organisations it assessed during the interim period in 2016, 44.6 percent failed to pass. That’s better than 2015 when 51.6 percent of interim assessments failed, but clearly there's still some way to go.
IT services firms fared best, with 61.3 percent passing full compliance, followed by 59.1 percent of financial services companies, 50 percent of retail outfits and 42.9 percent of hospitality organisations.
Compliance covers the whole range of security requirements in an organisation, from technology to people to process, personnel and culture. Naturally, if there's the smallest gap somewhere, then a business can't be considered fully compliant with a standard.
Verizon’s head of continental Europe advisory services for the payment card industry (PCI), Gabriel Leperlier, was on hand at a press briefing in London last week, where he talked through some of the worst-case scenarios the business uncovered when investigating payment card data breaches, from hidden routers to modems concealed inside air force printers.
1. APAC air force printers
According to Leperlier, an on-the-ball infosec professional noted some unusual network traffic that seemed to be coming from a freshly ordered fleet of printers at a military facility in the Asia-Pacific region.
"A few weeks or months later one of the system admins realised that there was some very strange traffic on the network," says Leperlier. "He said to the firewall team - this is strange, I can see some traffic between the printers and even between printers and other systems."
He dug into the problem himself and found a printer scanning the database and other servers. After cracking a machine open with a screwdriver, he found in just one of the printers a GSM modem that was transmitting everything it could collect on the network to a foreign country.
Verizon's Leperlier says the point is that you might have all the technology and IT security controls in place, but without the skills and the right people, that printer might still be running.
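The admin in this story noticed something a flow log can surface mechanically: a printer acting as the client side of connections to other printers, to servers, and to the outside world. The check below is an added example, not code from the article or from Verizon; the asset inventory, addresses, flow records and the "printers may only talk to DNS/NTP/DHCP and the print server" policy are all constructed assumptions for illustration.

```python
"""Flag printers that initiate connections they have no business making.

Added example (not from the article or from Verizon): a flow-log check
modelled on the anecdote above, where a sysadmin saw traffic between
printers and between printers and other systems. The inventory, the
addresses and the flow records are constructed for illustration.
"""
from collections import Counter
import ipaddress

# Constructed asset inventory: which internal addresses play which role.
INVENTORY = {
    "10.20.0.11": "printer",
    "10.20.0.12": "printer",
    "10.20.0.13": "printer",
    "10.30.0.5": "db-server",
    "10.30.0.6": "file-server",
    "10.30.0.9": "print-server",
    "10.10.0.21": "workstation",
    "10.10.0.22": "workstation",
}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed policy: a printer receives jobs, it does not start conversations,
# except for DNS/NTP/DHCP and for talking to the print server.
ALLOWED_PRINTER_CLIENT_DPORTS = {53, 123, 67, 68}
ALLOWED_PRINTER_PEER_ROLES = {"print-server"}

# Constructed flow records in a NetFlow-like "src,dst,dport,bytes" form.
SAMPLE_FLOWS = """\
10.10.0.21,10.20.0.11,9100,40960
10.10.0.22,10.20.0.12,631,2048
10.20.0.11,10.30.0.9,443,512
10.20.0.11,10.0.0.53,53,120
10.20.0.12,10.30.0.5,1433,8192
10.20.0.12,10.20.0.13,445,4096
10.20.0.12,10.30.0.6,445,65536
10.20.0.12,203.0.113.77,443,2097152
"""


def parse_flows(text):
    """Parse 'src,dst,dport,bytes' lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def flag_printer_flows(flows, inventory=INVENTORY):
    """Return (src, dst, dport, reason) for every flow a printer initiated
    that the assumed policy does not allow: external destinations,
    printer-to-printer traffic, and internal servers other than the print server.
    """
    findings = []
    for f in flows:
        if inventory.get(f["src"]) != "printer":
            continue  # only printers as the initiating side are of interest here
        dst_role = inventory.get(f["dst"])
        if not is_internal(f["dst"]):
            findings.append((f["src"], f["dst"], f["dport"], "printer initiated external connection"))
        elif dst_role == "printer":
            findings.append((f["src"], f["dst"], f["dport"], "printer-to-printer traffic"))
        elif dst_role in ALLOWED_PRINTER_PEER_ROLES or f["dport"] in ALLOWED_PRINTER_CLIENT_DPORTS:
            continue  # permitted by the assumed policy
        else:
            target = dst_role or "unknown internal host"
            findings.append((f["src"], f["dst"], f["dport"], f"printer initiated connection to {target}"))
    return findings


def summarize(findings):
    """Count findings per source printer so the noisiest device surfaces first."""
    return Counter(src for src, _, _, _ in findings).most_common()


if __name__ == "__main__":
    found = flag_printer_flows(parse_flows(SAMPLE_FLOWS))
    for src, dst, dport, reason in found:
        print(f"{src} -> {dst}:{dport}  {reason}")
    print("per-printer:", summarize(found))
```

On the constructed sample, the first printer only talks to the print server and DNS and produces nothing, while the second is reported four times, including a multi-megabyte flow to an external address; that is the kind of pattern worth physically inspecting the device over, as the admin in the story did.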
2. Connected fishtank
A company that was recently breached had good security in place according to Verizon, but a decorative oversight led to the entire network being breached, including personal data.
Without going into specifics, Leperlier likens it to a connected fishtank: it might look good on reception, but when you start granting network permissions to make the most of the features, that fishtank had better be patched and up to date.
3. Server room access for everybody
Checking the IT security access on one company's system, Verizon noticed that the CEO, CIO, and other C-suite executives had full access to the server room, plus the cleaning personnel.
Leperlier asked: "Why does the CEO have access to this room? Does the CEO need to have access to this room? I don't think so.
"I also realised the cleaning team had the greatest access - access to all - why? Because they needed access to every room to clean them." It's a point that highlights the need not just for technology, but the full gamut of process, procedure and personnel - and that access should be given on a need-to-know basis.
4. Staff awareness - access card
At a gift shop as part of a wider complex, a Verizon team went on premises to check the access to a payment terminal system.
The terminal was accessed by a badge, and only the manager could access a wider range of more sensitive information. This was explained by two staff members of the gift shop, but when asked where the manager was to check that information, they said the manager was on holiday - and opened a drawer containing the access card with more permissions, presumably left there to be helpful but in reality compromising the security of the store.
Leperlier stresses the importance of a good working knowledge of security culture at every level of the organisation, from the IT team to operations to managers and even staff on the shop floor.
5. One-character passwords
Three or four years ago, Leperlier was interviewing an IT security officer who was managing a physical access control system. When he was asked about the process to provide greater levels of system access, he opened up a new security application.
But Leperlier couldn't believe his eyes, and asked the security officer to show him again.
"He went into the machine and went 'tk'! [on the keyboard], and I said can you log in again," Leperlier says. "And I said: is it a one-character password? And he said: 'that's why I don't like people looking at me when I'm logging in. OK, it's one character, but it's a special character.'"
6. Servers in the bathroom
A couple of years ago a retail company that had some operations in Mexico suffered a security incident and requested an on-site audit.
Verizon realised they were relying on a service provider, one that was unknown to the team.
When they went to take a look at the offices of that service provider, they found it was a small operation run entirely within one apartment - and all the servers were stuffed into a bathroom.
"PCI DSS is not just about technology, it's about people and process," Leperlier says. "If we didn't go out and see what was going on in Mexico then we wouldn't have seen they were working from home with a server in the bathroom. You need to check!"
7. A hidden router in the server room
One organisation was sure that it didn't have any wireless networks operating in a building, but using scanning technology the compliance team kept coming across a signal.
Eventually they pinpointed this to the server room.
It turned out that the IT offices were three flights of stairs higher than the server room, and rather than head up and down those stairs every time something needed to be checked, someone had installed a router in the server room so that they could access the servers from their desk.
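The compliance team's method here was inventory reconciliation: walk the building with a scanner, drop anything the organisation already owns or that is merely bleeding in from neighbours, and use the strongest reading to say where the rest physically sits. The script below is an added example, not the article's or Verizon's; the authorised access point list, the SSIDs, BSSIDs, survey points and signal readings are all constructed assumptions.

```python
"""Reconcile a wireless survey against the inventory of authorised access points.

Added example (not from the article or from Verizon): the compliance team in
the anecdote above kept seeing a signal the organisation said it did not
have and narrowed it down to the server room. Every SSID, BSSID, survey
location and RSSI value below is constructed for illustration.
"""

# Constructed inventory of the access points the organisation actually owns.
AUTHORISED_BSSIDS = {
    "aa:bb:cc:00:00:01": "Corp-WiFi (floor 3, IT office)",
    "aa:bb:cc:00:00:02": "Corp-WiFi (floor 2)",
}

# Constructed walk-around survey: "location,ssid,bssid,rssi_dbm" per reading.
# An empty ssid field means the network was not broadcasting a name.
SAMPLE_SCAN = """\
floor3-it-office,Corp-WiFi,aa:bb:cc:00:00:01,-42
floor3-it-office,,de:ad:be:ef:00:01,-78
floor2-open-plan,Corp-WiFi,aa:bb:cc:00:00:02,-45
floor2-open-plan,,de:ad:be:ef:00:01,-66
floor0-server-room,Corp-WiFi,aa:bb:cc:00:00:02,-80
floor0-server-room,,de:ad:be:ef:00:01,-31
floor0-corridor,NeighbourCafe,01:23:45:67:89:ab,-85
"""


def parse_scan(text):
    """Parse survey lines into dicts; BSSIDs are normalised to lower case."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        location, ssid, bssid, rssi = line.split(",")
        observations.append({
            "location": location,
            "ssid": ssid or "<hidden>",
            "bssid": bssid.lower(),
            "rssi": int(rssi),
        })
    return observations


def find_rogue_aps(observations, authorised=AUTHORISED_BSSIDS, min_rssi=-70):
    """Return {bssid: (ssid, strongest_location, strongest_rssi)} for each
    BSSID not in the inventory that was heard at or above min_rssi somewhere.

    A transmitter that is only ever weak is assumed to be a neighbour's
    network leaking through the walls and is not reported (min_rssi is an
    assumed threshold); a strong reading means the transmitter is in the
    building, and the location of the strongest reading says roughly where.
    """
    best = {}
    for o in observations:
        if o["bssid"] in authorised:
            continue
        current = best.get(o["bssid"])
        if current is None or o["rssi"] > current[2]:
            best[o["bssid"]] = (o["ssid"], o["location"], o["rssi"])
    return {bssid: v for bssid, v in best.items() if v[2] >= min_rssi}


if __name__ == "__main__":
    for bssid, (ssid, location, rssi) in find_rogue_aps(parse_scan(SAMPLE_SCAN)).items():
        print(f"unknown AP {bssid} ({ssid}) strongest at {location}: {rssi} dBm")
```

On the constructed survey the hidden network is heard on three floors but is strongest by a wide margin in the server room, which is where the team in the story eventually found the router; the café network next door never rises above the threshold and is ignored.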