2013 PMA Business Security Insights


Upload: gotopaz

Post on 12-Jul-2015



Page 2: 2013 PMA Business Security Insights

What do I need to protect?

o Credit Card Data / Personal Info (Identities)
o Files
o Business Data


Page 3

2012 Verizon Breach Report – Targeted Data

For SMBs, payment card data and authentication data are the data most targeted.


Page 4

2012 Verizon Breach Report – Target Organization

The preferred target now seems to be SMBs (small and medium businesses): 570 of the 855 investigations, over 66% of the total.


Page 5

Outside Threats

Outside/External threats were responsible for 98% of the data breaches investigated in 2011.

Source: 2012 Verizon Breach Report

Page 6

Examples: Security Stories

Page 7

Hacking 30 Years Ago


Page 9

2012 Verizon Breach Report – How do they get in?

Much as it has in the past, the most common malware infection vector continues to be installation or injection by a remote attacker. This covers scenarios in which an attacker breaches a system VIA REMOTE ACCESS and then deploys malware or injects code via web application vulnerabilities.

Page 10

Examples: Security Experiences

Page 11

Inside Threats

o Data Corruption / Loss (Hardware, Operator or Programmatic failures)
o Remote Access Tools / Trusted Vendor Security Holes
o BYOD – Bring your own device
o Human error / Training
o Sabotage

Page 12

Other Inside Threats

The other internal threats that need to be considered are:

– Hard Drive Crash

– Water or fire damage to POS

– No backups or lack of testing backup procedures


Page 13

Preparedness, Costs & Risks

How to think of Return on Investment: Is security a bottom line cost or a profit center?

o What are the financial risks/costs?
  – Prevention
  – Remediation
o PCI / HIPAA / FINRA / SEC compliance and liabilities

Page 14

PCI-DSS: Why Care? – Protecting your income

Breach consequences for a Tier 4 merchant

Actual Mid-West Steakhouse example:

Fines and Costs Breakdown – Steakhouse
  Visa Fines                      $5,000
  MasterCard Fines                $30,000
  Forensic Investigation Costs    $10,322
  Visa card compromise program    $60,000
  Chargebacks                     $202,223
  Total Direct Breach Costs       $307,545

Please Note: Breached merchant must now adhere to Level/Tier 1 Requirements

Page 15

Preparedness, Costs and Risks

Disaster Recovery vs. Business Continuity

o Backup

o Component Redundancy

o Enterprise Redundancy
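Slide 12 lists "no backups or lack of testing backup procedures" among the inside threats, and this slide puts backup at the base of disaster recovery. A backup that has never been restored is an untested backup. The following Python script is an added example, not part of the deck or of PTC's material: it archives a constructed POS data directory, records a SHA-256 manifest at backup time, restores the archive into a clean directory and compares it against the manifest, and then shows the same check catching an archive that has gone stale because the data changed and no new backup was taken. The directory names, file contents and the tar-plus-manifest approach are assumptions of the example, not something the deck prescribes.

```python
"""Backup-and-restore test with a hash manifest (added example, not from the deck)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (sorted for stable output)."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest recorded at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname="data")
    return manifest


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> list:
    """Restore into an empty directory and compare with the expected manifest.
    Returns a list of problems; an empty list means the restore is verified."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+) refuses path traversal and other unsafe members.
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:
            tar.extractall(str(restore_dir))  # older interpreters lack the filter argument
    restored = build_manifest(restore_dir / "data")
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def demo():
    """Back up a constructed POS data directory, verify a fresh restore, then show the
    check catching a backup nobody refreshed after the data changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "pos_data"
        (source / "sales").mkdir(parents=True)
        (source / "sales" / "2013-04-02.csv").write_text("ticket,total\n1041,42.50\n")  # constructed
        (source / "config.ini").write_text("[terminal]\nid=REG-01\n")  # constructed

        archive = root / "pos_backup.tar.gz"
        manifest = make_backup(source, archive)
        fresh = verify_restore(archive, manifest, root / "restore_fresh")

        # The data changes and no new backup is taken: testing the old archive
        # against the current state of the data reveals the stale copy.
        (source / "config.ini").write_text("[terminal]\nid=REG-01\nprinter=KITCHEN\n")
        stale = verify_restore(archive, build_manifest(source), root / "restore_stale")
        return fresh, stale


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh restore:", fresh or "verified")
    print("stale restore:", stale or "verified")
```

The first restore verifies clean; the second reports "hash mismatch: config.ini", which is the signal that the backup schedule, not the restore, is the problem. Running verify_restore on a schedule, against a manifest taken from the live data, is the cheapest form of the backup testing the inside-threats slide asks for.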


Page 16

Technical Security Layers

Physical
o Checkpoints, locks, and surveillance
o Logging
o Force Majeure (fire, earthquakes, etc.)

Network
o Equipment location/locks
o Intrusion prevention
o Intrusion detection
o Access Management and ease of use

EndPoint
o FireWall
o AntiVirus: how did AntiVirus lose the war? Where is the battle now?
o OS Updates / Security Patches

Page 17

www.ptcllc.com

Basic Elements of Physical Security

Questions to consider…

Can a visitor to your business pick up a notebook computer and slip out the door easily? What about a cell phone with email records?

Is the door to the server room always locked?

Are employees trained to ensure guests do not wander?

Are employees appropriately limited on where they can go?


Page 18


Basic Elements of Physical Security
o Deterrence
o Access Control
o Detection
o Identification

Page 19


Page 20


Basic Elements of Network Security:
o Secure Passwords
o Perimeter Firewalls
o Intrusion Prevention

What to watch:
o Intrusion Detection
o Logging
o Alerting

Monitor, monitor, monitor…

Always look to improve and enhance as new threats are discovered…

Page 21


Page 22


Effective network segmentation - PCI DSS requires it to minimize the scope of review…


Page 23


Diagram: POS Network, Wireless Network, Office Network

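The three segments in the diagram and the "what to watch" list on slide 20 (intrusion detection, logging, alerting) meet in one routine check: read the firewall's log and alert on any accepted flow that crosses a segment boundary the policy does not allow, while counting the attempts the firewall stopped. The following Python script is an added example, not from the deck or from PTC; the address plan, the permitted-flow table, the log line format and the sample records are all constructed for the example. It also handles the two cases a practitioner cares about: a blocked cross-segment attempt (expected, worth trending) versus an accepted one (the rules themselves are wrong, and the PCI scope reduction the slide mentions no longer holds).

```python
"""Segmentation check over constructed firewall logs (added example, not from the deck)."""
import ipaddress
import re

# Constructed address plan for the three segments the slide names; the deck gives no addresses.
ZONES = {
    "POS": ipaddress.ip_network("10.10.0.0/24"),
    "WIRELESS": ipaddress.ip_network("10.20.0.0/24"),
    "OFFICE": ipaddress.ip_network("10.30.0.0/24"),
}

# Flows the segmentation policy permits across a zone boundary:
# (source zone, destination zone, destination port). Hosts outside all three
# zones are classed as EXTERNAL. Traffic that stays inside one zone is not a
# segmentation question and is passed without comment. (Constructed policy.)
ALLOWED_CROSS_ZONE = {
    ("POS", "EXTERNAL", 443),       # card authorisations to the payment processor
    ("OFFICE", "EXTERNAL", 80),
    ("OFFICE", "EXTERNAL", 443),
    ("WIRELESS", "EXTERNAL", 80),
    ("WIRELESS", "EXTERNAL", 443),
}

# Constructed log format: "<timestamp> fw <ACCEPT|DROP> src=.. dst=.. proto=.. sport=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)

# Constructed sample records: a legitimate POS authorisation, a guest wireless host
# reaching the POS segment (once accepted, once dropped), an office workstation
# reaching a POS host over RDP, ordinary office browsing, POS-internal printing,
# and a line that is not a firewall record at all.
SAMPLE_LOG = """\
2013-04-02T12:01:05 fw ACCEPT src=10.10.0.5 dst=203.0.113.10 proto=tcp sport=50412 dport=443
2013-04-02T12:01:09 fw ACCEPT src=10.20.0.17 dst=10.10.0.5 proto=tcp sport=51234 dport=445
2013-04-02T12:01:12 fw DROP src=10.20.0.17 dst=10.10.0.5 proto=tcp sport=51235 dport=3389
2013-04-02T12:01:20 fw ACCEPT src=10.30.0.8 dst=10.10.0.5 proto=tcp sport=49876 dport=3389
2013-04-02T12:01:31 fw ACCEPT src=10.30.0.8 dst=198.51.100.4 proto=tcp sport=49877 dport=80
2013-04-02T12:01:40 fw ACCEPT src=10.10.0.5 dst=10.10.0.6 proto=tcp sport=49001 dport=9100
this line is not a firewall record
""".splitlines()


def zone_of(ip: str) -> str:
    """Map an address to its segment name, or EXTERNAL if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_line(line: str):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def check_flows(lines):
    """Return (violations, blocked): cross-zone flows outside the policy, split by
    whether the firewall let them through (violations) or stopped them (blocked)."""
    violations, blocked = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, rec["dport"]) in ALLOWED_CROSS_ZONE:
            continue
        entry = {
            "ts": rec["ts"], "src": rec["src"], "src_zone": src_zone,
            "dst": rec["dst"], "dst_zone": dst_zone, "dport": rec["dport"],
        }
        (violations if rec["action"] == "ACCEPT" else blocked).append(entry)
    return violations, blocked


def format_alert(entry) -> str:
    """One alert line per accepted cross-zone flow, ready for a ticket or pager."""
    return (f"{entry['ts']} SEGMENTATION VIOLATION {entry['src_zone']}->{entry['dst_zone']} "
            f"{entry['src']} -> {entry['dst']}:{entry['dport']} (accepted by firewall)")


if __name__ == "__main__":
    viol, blocked = check_flows(SAMPLE_LOG)
    for v in viol:
        print(format_alert(v))
    print(f"{len(viol)} accepted violations, {len(blocked)} blocked attempts")
```

On the sample records the script raises two alerts (wireless to POS on 445, office to POS on 3389) and counts one blocked attempt. The blocked count is the number to graph over time; a single accepted violation means the segmentation is not doing its job and the in-scope boundary for PCI has to be redrawn until the rule is fixed.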

Page 24


Intrusion Prevention


Page 25


Basic Elements of Endpoint Security:
o Secure Passwords
o OS and Security Patches
o Antimalware Protection
o Client Firewalls
o Mobile Devices

Page 26


A recent study by Imperva (a data security firm in California) and the Technion-Israel Institute of Technology found the success rate of the top 40+ antivirus products to be…

Less than 5%

Source: NY Times, Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt – 12/31/2012


Symantec – not called antivirus software any longer… now Norton Internet Security and Symantec Endpoint Protection.

Trend Micro, McAfee, and others are doing the same.

They are losing the war and they know it.

Page 27

Operator Security Layers

Operational Controls:
o People: non-business use, using default passwords, etc.
o The Myth of Secure Passwords
o Reset Password holes (questions, email)
o Password manager
o Backup
o Training
o Auditing
o Data Integrity Tools
o Policies, Training, Enforcement
  – User Training
  – Data Silos (Credit Cards, Financial, Customer, Operations)

Insurance
o What can insurance do for me?

Page 28


Page 29


Page 30

What is next for my business?

o Security is complex, multilayered and ever changing.
o Being aware of the issues that relate to your business is the first step.
o Any solution will require trusted partners and an eye to integration of multiple solutions.