There is a very good article over at InfoWorld Security Central on Trustwave's research into 2011 breach statistics. InfoWorld is a great source for IT and security information generally, by the way. According to the article, attackers infiltrated 312 businesses and made off with customer payment-card data. In 76% of those cases, the primary access point was a third-party vendor's remote-access application or a VPN set up for remote systems maintenance. Seventy-six percent! These external ingress paths introduced security deficiencies that the attackers exploited.
The vast majority of the 312 companies were retailers, restaurants or hotels, and they came to Trustwave for incident response help only after one of the payment-card brands traced stolen cards back to their businesses and demanded a forensic investigation within a matter of days. Only 16% of the 312 companies detected the breach on their own!
The businesses hit claimed to be compliant with the Payment Card Industry (PCI) security standards, when in reality there were gaps. The remote-access provisions were poorly protected by simple, re-used, shared and seldom-changed passwords. A password that a vendor shares across its customers turns a single leak into a key to every site that vendor maintains, which goes a long way toward explaining that 76% figure.
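One concrete check a practitioner can run against this failure mode is to look for the fingerprints of a shared or abused vendor remote-access credential in VPN authentication logs. The following is an added example, not code from the article or from Trustwave: the log lines are constructed, the line format (timestamp, user, source IP, result) is an assumption, and the "vendor-" account naming convention and the 08:00 to 18:00 UTC maintenance window are hypothetical policy choices you would replace with your own.

```python
"""Flag vendor remote-access accounts whose credentials look shared or misused.

Added example. The log format, the 'vendor-' account prefix and the
maintenance window are assumptions, not facts from the article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log (not real data).
# Format assumed: <ISO-8601 UTC timestamp> <user> <source IP> <SUCCESS|FAILURE>
SAMPLE_VPN_LOG = """\
2011-03-02T01:12:04Z vendor-pos-support 203.0.113.10 SUCCESS
2011-03-02T01:15:31Z vendor-pos-support 198.51.100.7 SUCCESS
2011-03-02T02:40:12Z vendor-pos-support 192.0.2.55 SUCCESS
2011-03-02T09:05:00Z jsmith 10.1.4.20 SUCCESS
2011-03-02T09:07:00Z jsmith 10.1.4.20 SUCCESS
2011-03-02T23:58:41Z vendor-hvac 203.0.113.77 FAILURE
2011-03-03T00:01:09Z vendor-hvac 203.0.113.77 SUCCESS
"""


def parse_vpn_log(log_text):
    """Parse log lines into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def shared_credential_accounts(events, max_sources=1):
    """Accounts that logged in successfully from more than max_sources distinct IPs.

    A single vendor support account arriving from several unrelated addresses
    is the classic sign of one password handed around (or leaked) rather than
    one named engineer with one workstation.
    """
    sources = defaultdict(set)
    for _ts, user, ip, result in events:
        if result == "SUCCESS":
            sources[user].add(ip)
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) > max_sources}


def after_hours_vendor_logins(events, start_hour=8, end_hour=18, prefix="vendor-"):
    """Successful vendor logins outside the agreed maintenance window (UTC hours).

    The window and the account prefix are assumptions; adjust both to the
    contract you actually have with each vendor.
    """
    return [
        (ts.isoformat(), user, ip)
        for ts, user, ip, result in events
        if result == "SUCCESS"
        and user.startswith(prefix)
        and not (start_hour <= ts.hour < end_hour)
    ]


if __name__ == "__main__":
    evts = parse_vpn_log(SAMPLE_VPN_LOG)
    for user, ips in shared_credential_accounts(evts).items():
        print(f"possible shared credential: {user} seen from {', '.join(ips)}")
    for ts, user, ip in after_hours_vendor_logins(evts):
        print(f"after-hours vendor login: {ts} {user} from {ip}")
```

Run against the sample, the first check flags vendor-pos-support as seen from three different public addresses in one night, and the second lists every successful vendor login that fell outside the maintenance window. Neither check proves a breach, but either one is exactly the kind of alert the 84% of businesses who were told about their breach by a card brand never had in place.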
I will leave the scariest statistic, how long the attackers were able to keep control of these networks before anyone noticed, for you to seek out yourself on the second page of the article. It is not a happy number!
The lesson to take away from this article is that PCI compliance is the bare minimum an organization should do, and it DOES NOT equate to comprehensive security. Nor does a passing PCI-DSS assessment ensure actual compliance: these businesses all claimed to be compliant, and every one of them was breached through a gap the assessment never caught. Compliance is a good starting point for getting the bare-minimum, common-sense security controls in place at a single point in time, but good security practice has to spread outward from the cardholder-data environment. If your security efforts don't also cover the other servers, the workstations that access them AND the Internet-facing paths into all of it, you are not managing security, you are faking it for compliance's sake. Russian roulette with a fully loaded gun.