is pci broken? presented by: bryan miller syrinx technologies [email protected] 804-539-9154
DESCRIPTION
Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies [email protected] www.syrinxtech.com 804-539-9154. Agenda. Speaker Introduction What is PCI How Compliant Are We What Happened to Target The Aftermath Lessons Learned Summary. Speaker Introduction. B.S., M.S. – VCU - PowerPoint PPT PresentationTRANSCRIPT
ISACA VA Chapter
Is PCI Broken?Presented By:
Bryan MillerSyrinx Technologies
804-539-9154
Is PCI Broken? 2
ISACA VA Chapter
Speaker Introduction What is PCI How Compliant Are We What Happened to Target The Aftermath Lessons Learned Summary
5/1/2014
Agenda
Is PCI Broken? 3
ISACA VA Chapter
B.S., M.S. – VCU Former Adjunct Faculty Member @ VCU CISSP, former Cisco CCIE VA SCAN, ISSA, ISACA,VCU FTEMS speaker Published author with 30 years in the
industry Founded Syrinx Technologies in 2007
5/1/2014
Speaker Introduction
Is PCI Broken? 4
ISACA VA Chapter
5/1/2014
Does anybody ever feel like this?
(Does anybody other than me even remember this movie?)
Is PCI Broken? 5
ISACA VA Chapter
5/1/2014
What Is PCI
Is PCI Broken? 6
ISACA VA Chapter
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure.
Source: Wikipedia5/1/2014
Definition
Is PCI Broken? 7
ISACA VA Chapter
If you transmit, store or process credit card data you are responsible to protect it.
So….what exactly is “credit card data”?
5/1/2014
OK, one more time in plain English
Is PCI Broken? 8
ISACA VA Chapter
What you can store Primary Account Number (obfuscated) Cardholder Name Expiration Date
What you must NEVER store Magnetic stripe data CVV PIN
5/1/2014
Is PCI Broken? 9
ISACA VA Chapter
12 Requirements summarized by 6 control objectives
Build and Maintain a Secure Network and Systems
Protect Cardholder Data Maintain a Vulnerability Management
Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
5/1/2014
What It Is
Is PCI Broken? 10
ISACA VA Chapter
Began life as the “VISA Digital Dozen” Current version is 3.0, released November 2013 Sponsored by
American Express VISA MasterCard Discover Japan Credit Bureau (JCB)
5/1/2014
What It Is
Is PCI Broken? 11
ISACA VA Chapter
A legal compliance obligation like HIPAA, GLBA, Sarbanes-Oxley
A guarantee that you won’t Have a data breach Suffer financial or reputational damages Be the featured guest in the newspapers and magazines
Remember SECURE <> COMPLIANT
5/1/2014
What It Isn’t
Is PCI Broken? 12
ISACA VA Chapter
5/1/2014
Source: Rapid7
Is PCI Broken? 13
ISACA VA Chapter
5/1/2014
How Compliant Are We
Is PCI Broken? 14
ISACA VA Chapter
5/1/2014
Source: VERIZON 2014 PCI COMPLIANCE REPORT
Is PCI Broken? 15
ISACA VA Chapter
5/1/2014
Source: VERIZON 2014 PCI COMPLIANCE REPORT
Is PCI Broken? 16
ISACA VA Chapter
5/1/2014
Source: VERIZON 2014 PCI COMPLIANCE REPORT
Is PCI Broken? 17
ISACA VA Chapter
5/1/2014
Source: VERIZON 2014 PCI COMPLIANCE REPORT
Is PCI Broken? 18
ISACA VA Chapter
5/1/2014
What Happened to Target
Is PCI Broken? 19
ISACA VA Chapter
Attack began with phishing email attack on HVAC vendor Attack began around 2 months before the
actual breach Malware from phishing allowed attackers to gain
Target network credentials Vendor claimed “…our IT system and security
measures are in full compliance with industry practices.”
Vendor allegedly used free version of malware software
5/1/2014
Is PCI Broken? 20
ISACA VA Chapter
Using credentials obtained from HVAC, attackers expanded to internal Target networks Unclear whether or not 2-factor authentication
required by PCI was employed by HVAC vendor
Initial compromise between Nov. 27 – Dec. 15
Target announced breach December 195/1/2014
Is PCI Broken? 21
ISACA VA Chapter
What about warning signs? Target allegedly warned two months before breach
by internal security employees that its systems were not sufficiently secure (ignored?)
At the time Target was updating POS software
FireEye installed six months earlier Security monitoring performed by a team in
Bangalore Reported findings November 30 (apparently ignored) Malware updated December 2
5/1/2014
Is PCI Broken? 22
ISACA VA Chapter
5/1/2014
Is PCI Broken? 23
ISACA VA Chapter
5/1/2014
Supplier Portal Home Page – no credentials required
Is PCI Broken? 24
ISACA VA Chapter
5/1/2014
Facilities Management Home Page – no credentials required
Is PCI Broken? 25
ISACA VA Chapter
5/1/2014
Supplier Download Page – no credentials required
Is PCI Broken? 26
ISACA VA Chapter
5/1/2014
Metadata Obtained from Files Harvested from Downloads Page
Is PCI Broken? 27
ISACA VA Chapter
5/1/2014
Is PCI Broken? 28
ISACA VA Chapter
5/1/2014
The Aftermath
Is PCI Broken? 29
ISACA VA Chapter
January in-store and online traffic drops from 43% to 33% of US households
Target spent $61 million during Q4 related to breach
Estimated 5-10% will never shop there again
March 5 – Target replaces CIO and hires two additional positions Chief Security Officer Chief Compliance Officer
5/1/2014
Is PCI Broken? 30
ISACA VA Chapter
Lawsuits (at least 53) filed by multiple banks, including several in Target’s home state
Target’s PCI auditing firm Trustwave Holdings also named in lawsuits
Estimated losses could reach $18 billion
Estimated 110 million cardholders affected5/1/2014
Is PCI Broken? 31
ISACA VA Chapter
Security engineer who first broke the story could soon be the subject of a Hollywood movie
Target accelerating plan to offer upgraded credit cards with chip technology Current goal to release updated REDcards in
early 2015
5/1/2014
Is PCI Broken? 32
ISACA VA Chapter
5/1/2014
Lessons Learned
Is PCI Broken? 33
ISACA VA Chapter
Four Questions the CIO Must Answer
Do we have an ISO/CISO providing direction?
Do we have an incident response plan?
Which alerts can we safely ignore?
What are we overlooking as insignificant?
5/1/2014
Is PCI Broken? 34
ISACA VA Chapter
Steps Every Organization Can Take1. Accept that you have a problem.2. Diagram credit card data flows in, through and out.3. Ensure you have a tested incident response plan.4. Clean up the “low hanging fruit”.5. Invest in and maintain quality monitoring systems.6. Review contracts with vendors, partners, clients, etc.7. Create build lists for all systems to ensure consistency.8. Limit the systems in PCI scope.9. Build security audits into every project.10. Provide feedback to all departments on progress.
5/1/2014
Is PCI Broken? 35
ISACA VA Chapter
5/1/2014
Summary
Is PCI Broken? 36
ISACA VA Chapter
PCI compliance (and security in general) should not be ignored or seen as just another business expense.
Start building monitoring systems and trust them when they report incidents.
Continue practicing due diligence. Security is a never ending issue.
5/1/2014
Is PCI Broken? 37
ISACA VA Chapter
5/1/2014
Q&A