The Hannaford data breach was of course all over the news last week. It is reported that Hannaford's internal practices were considered PCI compliant, yet they suffered a massive data breach. This raises the question of whether the PCI requirements were sufficient.
While many companies still lag behind in terms of achieving PCI compliance, quite a few organizations have gone above and beyond to protect their critical operations. I call those "next practice" adopters (as opposed to best practice). For instance, PCI requires that you scan your computing assets quarterly. Many of the next practice companies would scan their most critical assets weekly or even daily.
So, what should you consider your critical assets? Here is a list to get you started:
- Web applications (those that handle online transactions)
- Web servers (those that interface with external Web users)
- Database servers
- Application servers that serve up your core applications
In the course of doing research for my upcoming Internet threat report, I came across some worrisome statistics. A Google researcher recently reported that approximately 1.3% of all Internet queries would return at least one URL that contains malicious content. A year ago, in March 2007, this number was 0.3%. The same report also indicates that 6,000 of the top 1 million most popular URLs have been, at one point or another, classified as malicious.
These statistics are indeed worrying. The top one million URLs are the most frequently visited sites, and a non-trivial percentage of them being malicious at some point is a phenomenon we have not seen before. This underscores the rising difficulty of Web threat detection and defense. The latest statistics from the Anti-Phishing Working Group put the average lifetime of a phishing site at three days (the 2006 figure was 4.5 days). Not only are Web threats more widespread, they are more dynamic as well.
A few days ago, the official Chinese media reported that Shanghai's Intermediate Court sentenced three malware producers, who used Trojan horse software to steal money from victims' bank accounts (all at Chinese banks), to between six and a half and eight years of prison time. The three apparently stole more than 100,000 yuan. Considering that the average monthly salary in the affluent first-tier cities is approximately 4,000 yuan, it's a pretty hefty sum. Researchers have been noticing an increase in spyware and malware from China. Cyveillance, an Internet threat monitoring company, reported a rapid increase in malware hosting sites in China. An interesting fact is that the majority of the world's malware distribution sites are still in the US and Europe, but they point to malware hosting sites in Asian countries such as China. This is especially interesting because it indicates that hackers from those countries are compromising high-traffic Websites in the US and Europe to help distribute malware (the difference between a malware distribution site and a hosting site is that the former typically contains only a link or a small amount of code that points to a hosting site). The use of malware distribution and landing sites (as opposed to a straightforward malware hosting site) is a newer and stealthier way to distribute malware, which only became popular in 2007.
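The distribution-site pattern described above has a concrete defensive consequence: the owner of a legitimate, high-traffic site will not find a malware binary on their own server, only a small injected pointer (a hidden iframe, an off-site script tag, or an obfuscated inline loader) that sends visitors to the hosting site. The following scanner, an added example that is not part of the original post, walks a page's HTML and flags exactly those artifacts so a site operator can check their critical Web assets as part of the frequent scans discussed earlier. The sample page and the trusted-host list are constructed for this example, and the `.test` and `.invalid` domains are placeholders.

```python
"""Flag injected redirector code on a web page: hidden iframes, off-site
scripts/objects, and obfuscated inline loaders of the kind that turn a
compromised 'distribution site' into a pointer to a separate 'hosting site'.
Added example; the trusted hosts and sample page below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads content from (assumption for this example).
TRUSTED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Calls typical of obfuscated loaders in injected inline scripts, and long
# runs of %XX / \xXX escapes that usually hide an iframe or script tag.
OBFUSCATION_RE = re.compile(r"(unescape|eval|document\.write)\s*\(", re.I)
HEX_RUN_RE = re.compile(r"(%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)


def _tiny(value):
    """True for dimension attributes of 0 or 1 (with or without 'px')."""
    v = value.strip("\"' ").lower().rstrip("px")
    return v.isdigit() and int(v) <= 1


def _is_hidden(attrs):
    """True if an element is visually hidden: 0/1 px or hidden via CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


class RedirectorScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing the page."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        src = attrs.get("src") or attrs.get("data") or ""
        host = urlparse(src).hostname  # None for relative or inline content
        if tag == "script":
            self._in_script = True
            if host and host not in self.trusted:
                self.findings.append(("external-script", src))
        elif tag in ("iframe", "object", "embed"):
            if host and host not in self.trusted:
                self.findings.append(("external-" + tag, src))
            if _is_hidden(attrs):
                self.findings.append(("hidden-" + tag, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so inline code lands here.
        if self._in_script and (OBFUSCATION_RE.search(data) or HEX_RUN_RE.search(data)):
            self.findings.append(("obfuscated-inline-script", data.strip()[:40]))


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of redirector findings for one page's HTML."""
    scanner = RedirectorScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate script tag plus two injected redirectors.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-shop.test/app.js"></script>
<h1>Welcome</h1>
<iframe src="http://hosting-site.invalid/in.cgi?3" width="1" height="1"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63'))</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Running the block on the constructed page reports the hidden off-site iframe twice (once as external, once as hidden) and the obfuscated inline loader, while the trusted CDN script passes. In practice the trusted-host set would come from the site's own asset inventory, and the scan would be run against the served pages, not the files on disk, since injected code is often added at serving time.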