New Research Suggests Current Approach to Misconfiguration Detection in Commercial Critical National Infrastructure (CNI) Networks Results in Unquantifiable Levels of Compliance Risk
WORCESTER, UK and ARLINGTON, VA, March 29, 2023 – Titania, specialists in continuous network security and compliance, today launched a new independent research report that explores Payment Card Industry Data Security Standard (PCI DSS) 4.0 risk within U.S. commercial critical national infrastructure (CNI) organizations. The study, ‘Organizational approaches to quantifying the levels of security and PCI DSS compliance risks in the US Commercial CNI sector’, highlights that oil and gas, telecommunications, and banking and financial services organizations are prime targets for threat actors that exploit vulnerable network device configurations to scale their attacks. The study also reveals only 37% could ‘very effectively’ categorize and prioritize compliance risks that undermine the security of their networks.
Almost all organizations (96%) reported not analyzing switches and routers when checking for misconfigurations and that checks are typically performed annually. However, most agreed that continuous (daily) risk assessment of every firewall, router, and switch is the most robust strategy to secure networks and maintain compliance.
Most (+80%) also agreed that their organization relies on compliance to deliver security. Specifically, all banking and financial services sector respondents are confident that they are meeting their corporate security and external compliance requirements, compared to most oil and gas (98%) and telco respondents (96%). This data demonstrates a disconnect between the perception of network security and compliance, and the reality.
“Complex networks, large customer bases, and long supply chains make these industries highly susceptible to attacks. The study reveals that given the current organizational approaches to network security, companies cannot be continuously compliant, and as a result carry with them unquantified levels of risk to the confidentiality, integrity, and availability of systems and data.” said Phil Lewis, CEO, Titania.
“A determined attacker will try a combination of approaches to access a network until they gain entry, and known vulnerabilities or misconfigurations are an easy way in. Companies must adopt both a Zero Trust mindset and network security best practices, to minimise the attack surface, inhibit lateral movement, and prevent intruders from meeting their goals.” continued Lewis.
The research, which asked how organizations currently detect and mitigate vulnerabilities in the specified part of the network and how confident they are that devices maintain a secure configuration at all times, also revealed:
- 100% of respondents reported that their network security tools meant they could categorize and prioritize compliance risks effectively, but 74% of oil and gas, 67% of telcos, and 67% of banking and financial services respondents listed an inability to prioritize remediation based on risk as a top challenge when meeting security and compliance requirements.
- An overwhelming majority report that while budgets increased year over year, this has little to no impact on the volume of critical misconfigurations detected on their networks. Just 3.4% of IT budgets are allocated to identifying and remediating misconfigurations.
- 45% reported that critical network configuration security risks are responded to and resolved within 1-3 days.
- Banking and Financial Services reported the most frequent checks of all Commercial CNI respondents, with 62% falling in the bi-weekly to once every six months category.
- The oil and gas sector reported the highest misconfigurations detected in the previous 12 months.
- Telecommunications is the only sector that doesn’t have 100% automation of configuration security reporting.
The PCI Security Standards Council recently released the most significant changes to its standard since 2004, promoting effective network segmentation, security as a continuous process, and enhanced validation of compliance to address the increases in risks that commercial enterprises need to mitigate. According to Verizon’s 2022 Payment Security Report, PCI DSS 4.0 Requirement 11, which requires organizations to ‘regularly test security systems and processes’ has been the worst-performing individual requirement for sustainable compliance for the last 10 years running. Just 60% of organizations are able to demonstrate that they fully meet this requirement. This is consistent with the findings of the research study, which also indicates that ‘inaccurate automation’ and an ‘inability to prioritize remediation based on risk’ are the main challenges with meeting corporate security and external compliance requirements for nearly half of all organizations.
About the Research
Titania commissioned an independent B2B research specialist, Coleman Parkes, to conduct the study. The firm surveyed 160 CIOs, Heads of Networks, Network Architects, and other experts across the U.S. federal government and other U.S. critical national infrastructure sectors (military, oil & gas, telecoms, and financial services), for comparison purposes. The survey asked how organizations currently detect and mitigate vulnerabilities in the specified part of the network. And how confident they are that devices always maintain a secure configuration. The full report can be downloaded here: https://info.titania.com/pci-dss-compliance-within-commercial-cni-sectors.
Based in the UK and Arlington, VA, Titania delivers essential cybersecurity automation software to thousands of organizations, including 30+ federal agencies within the US government, global telcos, multinational financial institutions, and the world’s largest oil and gas companies. Specializing in the accurate security and compliance risk assessment and remediation for networking devices – firewalls, switches, and routers – Titania helps organizations defend their networks from preventable attacks by identifying configuration drift and prioritizing the remediation of their most critical risks first. The company is best known for its award-winning solution, Nipper, which also overlays its security risk findings onto RMF assessments to assure compliance for CDM, DISA RMF, NIST, CMMC, and PCI DSS. To meet the growing market need for continuous accurate risk and remediation prioritized assessments, Titania is now focusing on scaling Nipper for enterprises to support their zero trust security strategies. Visit Titania at www.titania.com
For more information, please contact:
CCgroup for Titania
Beth Fichtel/Cassandra Hegarty
T: +1 914.588.2695
E: [email protected]