Verizon recently released their 2014 PCI Compliance Report. As stated in the introduction:
"This research is based on quantitative data gathered by our qualified security assessors (QSAs) while performing baseline assessments on PCI DSS 2.0 compliance between 2011 and 2013. The companies that we assessed span many industries and countries."
One of the biggest findings? Humans were the cause of almost 70% of the breaches, and user behavior is an important factor in an organization's overall security posture. These findings were confirmed by the recent Target compromise of over 100 million credit cards and identities.
Editor's Note: This guest blog post is from Frank Kim, head of the Developer curriculum at the SANS Institute.
For the second year in a row Jim Bird and I have helped SANS put together a "Survey on Application Security Programs and Practices". We asked some of the same questions as the previous year, just in a different way. Some interesting trends this year, as taken from the executive summary of the soon to be published paper, include the following:
- There was a significant improvement in the number of organizations implementing application security programs and practices. The percentage of organizations that have an active AppSec program increased from 66% last year to 83% this year, and many of the organizations that do not have a program in place yet are at least following some kind of ad hoc security practices.
- Organizations are testing more frequently. In ...
Today we released the February edition of OUCH!, the free, monthly security awareness newsletter. Led by malware expert and SANS instructor Lenny Zeltser, we explain what malware is, who is creating it, and how to protect yourself. In addition, we just added Indonesian to this release; OUCH! is now translated into 23 languages. We had several goals with this release.
- The first was to explain what malware is. We in the security community like to use technical terms such as Trojan, rootkit, virus, or worm, each with its own unique (and confusing) definition. These terms no longer matter. Malware is simply software that often combines ...
One of the most common challenges I see with organizations and their security awareness programs is that they either are not sure where to start with building a new program, or they have an existing program and are looking to 'pump up the volume'. Either way, SANS MGT433 is the place to go. This intense two-day class goes step-by-step through how to build a new security awareness program or reboot an existing one. Based on the lessons learned from hundreds of organizations, the class goes beyond just compliance by focusing on impact and changing human behavior. In addition, through a series of labs you will build your own custom security awareness project plan, which you can begin implementing the day you return to the office. If you have any questions about the class or when it's being offered, shoot me an email at email@example.com. Below are the dates and locations where the class is offered for the next six months.
At Securing The Human we recently released the latest version of our EndUser security awareness training. Technology, threats and standards are constantly changing, so too should your awareness content. With this release we have several new updates and changes that benefit you and your organization. You can find the full details of all 43 training modules and the changes in our 2013 December Module Descriptions matrix.
New Modules: We added two new modules to our training library: International Travel and Australian Compliance.