the good, the bad and the ugly of the target data breach

The Good, The Bad and The Ugly of The Target The Good, The Bad and The Ugly of The Target Data Breach

Ulf MattssonCTO, Protegrity

Ulf.Mattsson@protegrity.com

Working with the Payment Card Industry Security Standards Council (PCI SSC):

• PCI SSC Tokenization Task Force - Guidelines

• PCI SSC Encryption Task Force

• PCI SSC Point to Point Encryption Task Force

• PCI SSC Risk Assessment SIG

Ulf Mattsson & PCI Data Security Standards

• PCI SSC eCommerce SIG

• PCI SSC Cloud SIG

• PCI SSC Virtualization SIG

• PCI SSC Pre-Authorization SIG

• PCI SSC Scoping SIG

• PCI SSC 2013 – 2014 Tokenization Task Force – Technical Standard

2

Data security today

The Target breach

New environments bring new vulnerabilities

Topics

New environments bring new vulnerabilities

Thinking like a hacker - proactive data security

New technologies & approaches to properly secure data

3

DATA SECURITY TODAYTODAY

4

How have the methods of attack shifted?

Worries of 800 IT Pros

5

Source: 2014 Trustwave Security Pressures Report

Data Loss Worries IT Pros Most

6

Source: 2014 Trustwave Security Pressures Report

“It’s clear the bad guys are winning at a faster rate than the good guysare winning, and we’ve

The Bad Guys are Winning

7

Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening

are winning, and we’ve got to solve that.”- 2014 Verizon Data Breach Investigations Report

We Are Losing Ground

“…Even though security is improving, things are getting worse faster, so we're losing ground

8

we're losing ground even as we improve .”- Security expert Bruce Schneier

Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11

Organizations are Not Protected Against Cyberattacks

“Cyber attack fallout could cost the global economy $3 trillion by 2020.”

9

Source: McKinsey report on enterprise IT security implications released in January 2014.

2020.”- McKinsey & Company reportRisk & Responsibility in a Hyperconnected World: Implications for Enterprises

TARGET DATA BREACHBREACH

10

What can we learn from the Target breach?

Target Data Breach, U.S. Secret Service & iSIGHT

Target CIO Beth Jacob resigned

11

Memory Scraping Malware – Target Breach

Payment CardTerminal

Point Of Sale Application

Memory Scraping Malware

Authorization,Settlement

…

Web Server

Memory Scraping Malware

Russia

12

Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email

• Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information

• In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers

The data theft was caused by the installation of malware on

How The Breach at Target Went Down

the firm's point of sale machines

The subsequent file dump containing customer data is reportedly flooding the black market

• Starting point for the manufacture of fake bank cards, or provide data required for identity theft.

Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/

13

The FTC is probing the massive hack of credit card information

Target could face federal charges for failing to protect its customers' data from hackers

When you see a data breach of this size with clear harm to consumers, it's clearly something that the

Target May Face Federal Suit Over Privacy Fumble

harm to consumers, it's clearly something that the FTC would be interested in looking at," said Jon Leibowitz, a former FTC chairman

Sen. Richard Blumenthal, a Connecticut Democrat, urged the FTC to investigate the Target hack soon after it became public in December

Source: Bloomberg Businessweek

14

WHO IS THE NEXT TARGET?TARGET?

15

Who Is The Next Target?

16

It’s not like other businesses are using some special network security practices that Target

doesn’t know about.

They just haven’t been hit yet.

No number of traps, bars, or alarms will keep out the determined thief

Source: www.govtech.com/security

17

Who is the Next Target?

Services

Retailers

18

Healthcare

Government

BEWARE MALWAREBEWARE MALWARE

19

FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to Target incident

Believe POS malware crime will continue to grow over the near term

Despite law enforcement and security firms' actions to mitigate it

FBI Memory-Scraping Malware Warning

mitigate it

Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”

Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach

20

21

New Malware

Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf

22

Total Malicious Signed Malware

Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf

23

Targeted Malware Topped the Threats

24

Source: 2014 Trustwave Security Pressures Report

US - Targeted Malware Top Threat

25

Source: 2014 Trustwave Security Pressures Report

BIG DATA PROBLEMSPROBLEMS

What effect, if any, does the rise of “Big Data” have on breaches?

26

Has Your Organization Already Invested in Big Data?

27

Source: Gartner

Holes in Big Data…

28

Source: Gartner

Many Ways to Hack Big Data

29

Hackers& APT

RoguePrivileged

Users

UnvettedApplications

OrAd Hoc

Processes

Many Ways to Hack Big Data

MapReduce(Job Scheduling/Execution System)

Pig (Data Flow) Hive (SQL) Sqoop

ETL Tools BI Reporting RDBMS

Avr

o (S

eria

lizat

ion)

Zoo

keep

er (

Coo

rdin

atio

n)

Hackers

UnvettedApplications

OrAd Hoc

Processes

Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase

30

HDFS(Hadoop Distributed File System)

Hbase (Column DB)

Avr

o (S

eria

lizat

ion)

Zoo

keep

er (

Coo

rdin

atio

n)

PrivilegedUsers

Big Data (Hadoop) was designed for data access, not security

Security in a read-only environment introduces new challenges

Massive scalability and performance requirements

Big Data Vulnerabilities and Concerns

Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear

Transparency and data insight are required for ROI on Big Data

31

THINKING LIKE A HACKERHACKER

How can we shift from reactive to proactive thinking?

32

How do hackers think?

Like a business.

Go where the money is

Thinking Like A Hacker

Multiple touches to get in

Easier targets = Higher ROI

The Modern Day Bank Robber

34

COMPLIANCEVS.

SECURITYSECURITY

35

Target was certified as meeting the standard for the payment card industry in September 2013

Compliance can protect us from liability, but whether it actually protects us from loss of business and loss of data is not so clear

Compliance is a minimal deterrent that everyone

Target Breach Lesson: PCI Compliance Isn't Enough

Compliance is a minimal deterrent that everyone has to have in place

If you're driving a car, you're expected to have a driver's license. That doesn't make you a safe driver

Source: TechNewsWorld

36

Protection of cardholder data in memory

Clarification of key management dual control and split knowledge

Recommendations on making PCI DSS business-as-usual and best practices

Security policy and operational procedures added

PCI DSS 3.0

Security policy and operational procedures added

Increased password strength

New requirements for point-of-sale terminal security

More robust requirements for penetration testing

37

TURNING THE TIDE

38

What new technologies and techniques can be used to prevent future attacks?

What if a

Social Security number or

Credit Card Number Credit Card Number

in the Hands of a Criminal

was Useless?

39

Coarse Grained Security

• Access Controls

• Volume Encryption

• File Encryption

Fine Grained Security

Evolution of Data Security Methods

Time

Fine Grained Security

• Access Controls

• Field Encryption (AES & )

• Masking

• Tokenization

• Vaultless Tokenization

40

Old and flawed:

Minimal access

levels so people

can only carry

Access Control

Risk

High –

can only carry

out their jobs

41

AccessPrivilege

LevelI

High

I

Low

Low –

Applying the Protection Profile to the

Structure of each Sensitive Data Fields allows for Sensitive Data Fields allows for

a Wider Range of Granular Authority Options

42

Risk

High –

Old:

Minimal access

levels – Least New :

Much greater

The New Data Protection - Tokenization

AccessPrivilege

LevelI

High

I

Low

Low –

levels – Least

Privilege to avoid

high risks

Much greater

flexibility and

lower risk in data

accessibility

43

Examples: De-Identified Sensitive Data Field Real Data Tokenized / Pseudonymized

Name Joe Smith csu wusoj

Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA

Date of Birth 12/25/1966 01/02/1966

Telephone 760-278-3389 760-389-2289

E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org

SSN 076-39-2778 076-28-3390

CC Number 3678 2289 3907 3378 3846 2290 3371 3378

Business URL www.surferdude.com www.sheyinctao.com

Fingerprint Encrypted

Photo Encrypted

X-Ray Encrypted

Healthcare / Financial Services

Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.Financial Services Consumer Products and activities

Protection methods can be equally applied to the actual data, but not needed with de-identification

44

Use

Case

How Should I Secure Different Data?

Simple –PCI

PII

Encryption

of Files

CardHolder Data

Tokenization of Fields

Personally Identifiable Information

Type of

DataI

Structured

I

Un-structured

Complex – PHI

ProtectedHealth

Information

45

Personally Identifiable Information

Tokenization Research

Tokenization Gets Traction

Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption

Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data

Tokenization users had 50% fewer security-related incidents than tokenization non-users

46

Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

Security of Different Protection Methods

High

Security Level

I

Format

Preserving

Encryption

I

Vaultless

Data

Tokenization

I

AES CBC

Encryption

Standard

I

Basic

Data

Tokenization

47

Low

Fine Grained Data Security Methods

Tokenization and Encryption are Different

Used Approach Cipher System Code System

Cryptographic algorithms

Cryptographic keys

TokenizationEncryption

48

Cryptographic keys

Code books

Index tokens

Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY

10 000 000 -

1 000 000 -

100 000 -

10 000 -

Transactions per second*

Speed of Different Protection Methods

10 000 -

1 000 -

100 -I

Format

Preserving

Encryption

I

Vaultless

Data

Tokenization

I

AES CBC

Encryption

Standard

I

Vault-based

Data

Tokenization

*: Speed will depend on the configuration

49

Different Tokenization Approaches

Property Dynamic Pre-generated Vaultless

Vault-based

50

Protecting Enterprise Data Flow

123456 123456 1234

CCN/SSNSocial MediaBlogsSmart PhonesMetersSensorsWeb LogsTrading SystemsGPS Signals

Stream

051

123456 999999 1234

Protecting Data Flows – Reducing Attack Surface

Big Data (Hadoop)Aquisition

Analytics & Visualization

Enterprise Data

Warehouse

Current Breach Discovery Methods

52

Verizon 2013 Data-breach-investigations-report & 451 Research

You must assume the systems will be breached.

Once breached, how do you know you've been compromised?

You have to baseline and understand what 'goodness' looks like and look for deviations from goodness

McAfee and Symantec can't tell you what normal looks like in your own systems.

Only monitoring anomalies can do that

CISOs say SIEM Not Good for Security Analytics

Only monitoring anomalies can do that

Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets

Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner

53

Use Big Data to Analyze Abnormal Usage Pattern

Payment CardTerminal

Point Of Sale Application

Memory Scraping Malware

Authorization,Settlement

…

Web Server

Memory Scraping Malware

Moscow, Russia

FireEye

Malware?

Trend - Open Security Analytics Frameworks

55 Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture

Enterprise Big Data Lake

ConclusionsChanging threat landscape & challenges to secure da ta:

• Attackers are looking for not just payment data – a more serious problem.

• IDS systems are lacking context needed to catch data theft

• SIEM detection is too slow in handling large amounts of events.

What happened at Target ?• Modern customized malware can be very hard to detect

56

• They were compliant, but not secure

How can we prevent what happened to Target and the next attack against our sensitive data?

• Assume that we are under attack - proactive protection of the data itself

• We need Big Data event information analysis & context to catch modern attackers

• Use security methods that require less cleartext in use, such as tokenization

Thank you!

Questions?

Please contact me for more information

Ulf.Mattsson@protegrity.com