“People are studying for the test. Passing the compliance assessment and then leaving things open. They’re being careless,” said Bob Russo (@BobRussoPCI), General Manager of the PCI Security Standards Council in our conversation at the 2014 RSA Conference in San Francisco.
Russo was speaking of the continued problem we see with breaches. While breaches are going down to the lowest level we’ve seen in 20 years, the bigger breaches are garnering huge headlines, said Russo.
Even though the PCI Security Standards Council still doesn’t know the details of these breaches, Russo said it appears the companies affected were covered one way or another in the PCI standards. But if they learn something new, then they will update the standards accordingly.
I asked Russo about the ongoing debate of compliance not equaling security. Russo agreed and said, “Compliance is asking you to put a lock on the door. Security is making sure you lock it every day.”
As for what are the most common causes for these breaches, Russo said it’s a collection of really common exploits such as malware getting in through simple exploits in the perimeter and SQL injections. But the most damaging are default passwords.
“If we could do away with default passwords 90 percent of the breaches we see would be alleviated,” said Russo.
Watch for more video interviews from David Spark with an array of subject matter experts on a wide variety of security-related issues that are key to the decisions you will be facing as the year rolls on.
If you missed the RSAC event, the following articles provide summaries and reviews by attendees of some of the more popular sessions that were available, as well as review of the Cloud Security Alliance event and some more fun videos from the show:
- Twenty Biggest Enterprise Security Mistakes
- Do Security Professionals Have to Rely on Magic?
- Why Doesn’t the Business Align Better with Security?
- What is Your Security Nightmare?
- What is the Most Annoying Security Request You Have Ever Received?
- RSA Conference: Day One Highlights
- Day Two Highlights from the RSA Conference
- RSA Conference: Day Three Highlights
- Highlights for the RSA Conference Day Four
- RSA Conference 2014: End of Show Report
- Cloud Security Alliance Summit 2014: In Global Clouds We Trust?
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock