• On CHOW: Can girls use the guys' bathroom?

Security

Read all 'Imperva' posts in Security
September 24, 2009 7:18 AM PDT

Survey: Half of businesses don't secure personal data

by Lance Whitney
  • 18 comments

The personal information you give to businesses may not be as secure as you hope, according to a new survey.

Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.

The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry's Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information.

Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.

(Credit: Imperva)

Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees.

"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in a statement. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."

Another problem stems from the priorities of the organization itself. Of those questioned, 55 percent didn't feel their CEO strongly supports PCI DSS compliance, while 52 percent said their company is not proactive in managing privacy or security risks.

On the positive side, PCI DSS compliance has found a certain measure of success. Around 75 percent of those surveyed said their company has achieved some level of compliance, with 28 percent compliant for most of their applications and databases and 25 percent compliant for some apps and databases. Only 22 percent reported being fully compliant.

(Credit: Imperva)

Conducted by Ponemon and sponsored by Imperva, the survey questioned 517 U.S. and multinational IT security professionals who work on PCI compliance efforts for their companies.

Over the past few years, data breaches at large organizations such as T.J. Maxx and Marshalls parent company TJX and Maine-based Hannaford Supermarkets have highlighted the need for better security for credit card and customer records.

Topics:
Privacy and data protection,
Vulnerabilities and attacks
Tags:
data security,
PCI DSS,
Payment Card Industry's Data Security Standard,
Imperva,
Ponemon Institute
Share:
Digg
Del.icio.us
Reddit
April 27, 2009 4:23 PM PDT

Puerto Rico sites redirected in DNS attack

by Elinor Mills
  • 12 comments

An attack on the main domain name system registrar in Puerto Rico led to the local Web sites of Google, Microsoft, Yahoo, Coca-Cola, and other big companies being redirected for a few hours on Sunday to sites that were defaced, according to security firm Imperva.

Those sites and others including PayPal, Nike, Dell, and Nokia, were redirected to sites that were black except for messages in hacker lingo saying that the sites had been hacked. However, the sites themselves were not hacked, Amichai Shulman, chief technology officer at Imperva, said on Monday.

A group calling itself the "Peace Crew" claimed that they used a SQL injection attack to break into the Puerto Rico registrar's management system, he said. "We're seeing more and more of these DNS-related attacks and seeing them scale up," he added.

While the sites that visitors were redirected to were obviously not the legitimate sites, DNS redirects could be used to send unsuspecting Web surfers to phishing sites pretending to be banks where they would be prompted to provide sensitive information.

People should use the SSL (Secure Sockets Layer) protocol for encrypting communications with sensitive sites and use anti-phishing technology in the browser that colors part of the URL address bar green or red based on the safety level of the site being visited.

Calls to Gauss Research Lab, the organization that manages Puerto Rico's top-level domain, were not answered late on Monday.

This is the message the hackers left on sites affected by the DNS redirect attack, according to mirrors of the defacements captured by Zone-H.org.

(Credit: Zone-H.org)
Topics:
Vulnerabilities and attacks
Tags:
DNS redirect,
Imperva,
Google,
Microsoft,
Yahoo,
Peace Crew
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

Google's mobile hopes go beyond Nexus One

The world may have thrilled to the potential for a Google Phone, but what Google actually unveiled is its plan for a new smartphone world order.
• Photos: Unboxing Nexus One

Using your smartphone safely

faq Worms, Trojans, and SMS attacks are risks for mobile phones, but the biggest practical threat to users is losing the device.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET