Hackers get better, while IT security falls further behind, says Verizon


SAN FRANCISCO -- Hackers are getting better at what they do while the security community is not keeping up, according to preliminary results from the Verizon 2014 Data Breach Investigation Report released this week at the RSA Conference.

The report has nearly tripled the number of contributing organizations from last year's report. This year's report has 50 organizations and 95 countries contributing to the data.

"The attackers are getting better at compromising systems, but the security community is not getting better at monitoring and detecting compromises. We as a community need to do much better," Chris Porter, with the Verizon RISK Team, tells FierceITSecurity.

In addition, Verizon unveiled this month its PCI DSS compliance report, which found that 89 percent of organizations failed their 2013 PCI baseline assessment. This was the first PCI DSS compliance report from Verizon in two years.

"Organizations need to take a more programmatic approach to compliance ... They need to incorporate PCI practices into their regular risk management and security program to maintain security over time," explains Porter.

In particular, businesses struggle to achieve initial compliance in security testing (23.8 percent), security monitoring and the ability to detect and respond to data compromised (17 percent), and protecting stored sensitive data (55.6 percent).

Verizon cites a Nilson Report estimating that global credit card fraud exceeded $11 billion in 2012.

Target's recent breach of 40 million credit and debit card account numbers highlighted the vulnerability of point-of-sale systems. Porter notes that for larger retailers, attackers have a variety of ways to get into their networks. "The larger the organization, the more complex their network environment and the greater difficulty in protecting the network ... Once cybercriminals get a foothold into the organization, they will seek out where the credit card data exists… then they will place malware necessary to capture that sort of information."

Porter notes that state-sponsored attacks are more difficult to detect than attacks by cybercriminals because the cybercriminals usually steal information to carry out fraud. which then raises a red flag. State-sponsored attackers usually target a firm's intellectual property. "If someone is stealing IP, there is no fraud detection algorithm for that," he adds.

For more:
- see Verizon's PCI compliance report release
- read the blog on the preliminary 2014 DBIR

Related Articles:
Detecting APTs: Elementary, my dear Watson
Target breach: A timeline
Does PCI DSS help prevent credit card breaches?