This white paper provides an overview of foundational compliance requirements, including those of the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). It is important to recognize that, while specific compliance mandates differ in their details, many of the common mistakes and challenges associated with each apply to all compliance efforts.
Many media observers have called both 2013 and 2014 “the year of the data breach.” In 2013, much of the focus of malware attacks was on individuals. Ransomware such as CryptoLocker held users’ data hostage and attempted to extract a fee from affected individuals. In 2014, however, many attacks impacted a wide range of targets, from individuals to small, medium and large businesses. For example, attackers exploiting the ShellShock vulnerability (a flaw in the Bash shell that lets a remotely supplied environment variable execute arbitrary commands) often first compromised Internet-facing Web servers and then moved laterally onto other devices connected to the network in order to steal personal data.
ShellShock and the malware campaigns that exploited it present severe threats to organizations’ cybersecurity, but the historical tactics of these attacks are also useful for understanding where some of the common gaps in compliance lie. In 2014, for example, attackers attempted to breach Yahoo’s servers using a modified ShellShock exploit. The attack succeeded in compromising a small number of servers. However, Yahoo was able to contain the threat because its customers’ data was isolated from the compromised segment of the network: the attackers reached a handful of hosts, not the systems holding user data.
The measures Yahoo relied on in this instance, segmenting the network and restricting which systems can reach sensitive data, align with one of the 12 requirements of PCI DSS, Requirement 7, which mandates restricting access to cardholder data by business need to know, and with the network segmentation that reduces the scope of a cardholder data environment. Yet many organizations falter when it comes to meeting compliance requirements such as those outlined by PCI DSS.