On Sat, 10 Apr 2010 18:00:23 -0000, "Thor (Hammer of God)" said:

> According to the 2009 Verizon Business Breach Report, 81% of the attack
> victims were not PCI compliant:
>
> http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Verizon Business has gotten a good reputation for having good hard numbers. I'd have to say their breach reports are probably close to the most accurate numbers we're going to get in this industry.

> 81% of victims were not PCI compliant.

In and of itself, doesn't say much, but combined with these 3:

> 83% of attacks were not highly difficult.
> 87% were considered avoidable through simple or intermediate controls.
> 99.9% of records were compromised from servers and applications (meaning, not
> clients).

Sad, ain't it? Over 4 out of 5 times, the hack wasn't hard, and almost 9 out of 10 times, basic hardening would have prevented it. Unfortunately, there's not enough data there to say if the 81% had been compliant, whether that would have imposed enough hardening to stop the attacks dead in their tracks. Probably in most of the cases it would have, though.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/