- In the cases investigated there were many instances where administrator and user credentials were very weak or easily guessable, allowing an attacker to brute-force the account and gain a foothold on the system
- The majority of attacks in this study came from external sources
- In the study, 40% of all attacks utilised SQL injection as the source of the compromise, with a further 20% on top of that using SQL injection combined with another vulnerability, such as malware
- The majority of the cases undertaken (46%) involved a shared hosting environment being hacked
- Another interesting trend is the increased proportion of web applications being targeted for attack rather than the infrastructure they are hosted on. The data used for this study shows that in 86% of all attacks, a weakness in a web interface was exploited
- A staggering 81% of the breached organisations had not changed the system defaults throughout their cardholder data environment
- The failure of 100% of the breached organisations to comply with Requirement 6 is one of the most telling. Requirement 6 is "develop and maintain secure systems and applications"
- Whilst many of the organisations investigated actually had firewalls installed, poor configuration of these devices rendered most of them useless.
- The investigations also revealed that none of the organisations met all requirements of the PCI DSS. Indeed, in just over one quarter of the cases, none of the twelve requirements were met. The maximum number of requirements met by an individual organisation was only 6 out of 12, in approximately 4% of cases.
Other than this, the report does not indicate anything earth-shattering; these are the things that we all preach and that everyone is aware of. The interesting thing is that many organizations still don't "get it". It is the responsibility of information security practitioners to make organizations and business unit leaders aware, and such reports definitely help convey the message.
Such forensic analysis reports show more accurate data, since they involve real-world breaches rather than user surveys or business perceptions.