Those companies who are compliant with the PCI data security standard are better at addressing perimeter vulnerabilities.
According to a survey by the NTT Innovation Institute, those companies who perform quarterly external PCI authorised scanning vendor assessments have a more secure vulnerability profile and a faster remediation time, with 27 per cent demonstrating this.
NTT Com global director of security strategy Garry Sidaway told IT Security Guru that often the problem compliance frameworks such as PCI DSS is that it is seen as a tickbox exercise, and the discipline of doing it to taking action on it is the difference.
“You can look at boxes, but there is not much more to it than that; it is not a loose operation that you have got to put it in place. You can do vulnerability scans but if you do not act on it you are just processing lists than risks, he said. “Putting risks into context really makes sense for the business.”
He said that discipline and understanding are “born from best practice”, and this will help the operational process and reduce the risk profile.
The survey also found that 43 per cent of incident response engagements were the result of malware incidents. Sidaway commented that 77 per cent of businesses do not have an incident response programme. He said: “There is a’set and forget’ tendency and while most technology is great, you have got to operate it and most organisations put it in place and do not operate it, and it needs continuous operation.”
John Theobald, CISO of NTT Com, told IT Security Guru that there is a crossover with the business with incident response and the business, as it is not about saying when you get attacked, it is knowing what to do when you are. “Test the process at live events and work through incidents and understand what you need to do now, and understand how the attacker got there in the first place,” he said. “It is cyber security that no one understands or calls for, but with PCI DSS and ISO 27001 put in place people are more savvy.”
The survey also found that anti-virus fails to detect 54 per cent of new malware collected by honeypots, while 71 per cent of new malware collected from sandboxes was undetected by over 40 different anti-virus solutions.