Seventy percent of all security attacks on retailers are aimed at swiping credit card data, according to RSA Solutions Development Director Robert McMillon.
Even more disturbing, McMillon said many of today’s solutions for merchants don’t work.
“You guys kinda suck at data security. I’m happy to be invited here to tell you that,” added his co-panelist, Securosis CTO Adrian Lane. “There’s a big difference between being compliant and secure.”
He explained there are both noisy and quiet security threats for retailers.
“Most of you spend your budgets on the noisy threats (spam, viruses). If someone is browsing around your database, that doesn’t get attention… There’s not as much interest in data theft,” he said.
Lane said retailers spend money on noisy threats, because they want to avoid negative publicity and high legal expenditures.
The panelists also broke down security tools into the widely deployed solutions (firewalls, anti-virus, signature-based IDS/IPS, vulnerability scanning, encryption, identity management, patch management) and those less frequently used (database security, SIEM, anomaly-based IDS, Web application, tokenization, data loss prevention, GRC).
Yet the panelists again stressed that many of today’s widely deployed solutions are in reality hardly effective.
“The bad guys have moved onto something new and attacking you in new and interesting ways. We’re not doing a good job of solving tomorrow’s problems, and that’s ’cause there’s so many possibilities of what those problems could be. The bad guys have a lot of smart people who are profit-driven themselves and whose goals are to get around your security,” said McMillon.
He added that 55 percent of all attacks intended to swipe data are highly customized, whether a worm, virus or other form.
The pair touted tokenization as a key solution. Tokenization, they said, is the act of using a substitute value, or token, which has no inherent value in the place of data that has value.