prevention of data breach

Prevention of Data Breach

October, 2014

© 2014 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

2

Speaker Today

Jeff Sanchez is a Managing Director in Protiviti’s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen’s Technology Risk Consulting practice.

Jeff has participated in technical consulting and audit projects primarily in the hospitality, gaming, financial services and retail industries. Jeff leads Protiviti’s global Data Security and Privacy practice and is a subject-matter expert in the Payment Card Industry Data Security Standard. For the last six years, Jeff has concentrated on the design and implementation of security and privacy solutions. Jeff is a CIA, CISM, CISA, PA-QSA, CIPP/US and PMP.

[email protected] Jeffrey Sanchez, Managing Director


3

Agenda

Data Breach Overview 4

Data Breach Methodologies: Social Media and Mobile

11

Best Practices 14

Data Breach Incident Response 18

What You Can Do Today 20

Questions 24


4

Data Breach Overview


5

Large Data Breaches of the Decade

Wyndham Hotels: were sued by the US Federal Government after

sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.

2008

AOL: Data on more than 20 million web inquiries, from more than 650,000 users,

including shopping and banking data were posted

publicly on a web site.

20062005

Google/other Silicon Valley companies: Stolen intellectual

property

2009

Sony's PlayStation Network: 77 million PlayStation

Network accounts hacked; Sony is said to have lost

millions while the site was down for a month.

2011

Monster.com: Confidential

information of 1.3 million job seekers

stolen and used in a phishing scam.

2007

2013

Target Credit and Debit Card data

breach!

CardSystems Solutions: 40 million credit card

accounts exposed. CSS, one of the top payment

processors for Visa, MasterCard, American Express is ultimately

forced into acquisition

“Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These

impacts should not be underestimated.” ― The IIA Research Foundation

2014

Home Depot – new largest credit card

breach!

Source: CNN, NBC, CSO Online

http://www.cnn.com/2012/06/26/travel/wyndham-hacking/index.html

http://www.nbcnews.com/id/43847056/

http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century


6

Data Breach Overview

Source: Online Trust Alliance, Verizon 2013 Report

https://otalliance.org/resources/incident/2014OTADataBreachGuide.pdf


7

Data Breaches Statistics

Number of Breaches in 2013 Number of Identities Exposed in 2013

Overview:

• Targeted attacks increased in January, 2014 reaching their highest levels since August, 2013.

• Small companies of 250 employees or less were targeted in 39% of attacks through organizations with 2500+ employees were targeted more often.

• The .exe file type was the most common attachment, making up 24.7% of email-based targeted attacks that included file attachments.

Targeted Attacks per Day

JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC0

50

100

150

200

250

2012 2013 2014

219 501,516,310

Source: Symantec

https://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_01-2014.en-us.pdf


8

Higher Education

• From 2005 to 2013 approximately 1 reported breach per week in education

• 7% of all institutions have had at least 1 breach

• 2% of all institutions have had more than 1 breach

• 36% of educational breaches were malware/hacking related

• Maricopa County Community College District – $12million cost with lawsuits pending

• Source: Educause Center for Analysis and Research: Just in time Research: Data Breaches in Higher Education


9

Profiling Threat Actors

Source: Verizon 2013 Report


10

Best Practices


11

Breach Kill Chain

Persist Undetected

Initial Attach Vector

Establish Foothold

Identify Interesting

Data

Distribute Ongoing

Collection Malware

Exfiltrate Data

Breach Kill Chain

The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense in depth strategy. “Cyber kill chain” model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration that may persist undetected for an indefinite period.


12

Breach Kill Chain Model & PCI

PCI DSS – High Level Overview

PCI DSS Requirement Testing Procedures Kill Chain Phase Disrupted

Build and Maintain a Secure

Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data Initial Attack/ Exfiltrate

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Initial Attack/ Establish Foothold

Protect Cardholder Data

3. Protect stored cardholder data Identify Interesting Data

4. Encrypt transmission of cardholder data across open, public networks Identify Interesting Data

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs Distribute Malware

6. Develop and maintain secure systems and applications Establish Foothold

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know Establish Foothold

8. Identify and authenticate access to system components Establish Foothold / Distribute Malware

9. Restrict physical access to cardholder data Initial Attack

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data Persist Undetected

11. Regularly test security systems and processes Initial Attack / Establish

FootholdMaintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel All

PCI DSS compliance can help organizations disrupt the Intrusion Kill Chain.


13

Australian Signals Directorate Top 4

Mitigation strategy User resistance

Upfront cost (staff,

equipment, technical

complexity)

Maintenance cost (mainly staff)

Helps detect

intrusions

Helps mitigate intrusion stage 1:

code execution

Helps mitigate intrusion stage 2: network

propagation

Helps mitigate intrusion stage 3:

data exfiltration

Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers.

Medium High Medium Yes Yes Yes Yes

Patch applications, eg, Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications.

Low High High No Yes Possible No

Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP.

Low Medium Medium No Yes Possible No

Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.

Medium Medium Low No Possible Yes No


14

Best Practices – Network Security

Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network.

Segregate payment processing networks from other networks.

Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.

Create strict ACLs segmenting public - facing systems and back - end database systems that house payment card data.

Implement data leakage prevention/detection tools to detect and help prevent data ex-filtration.

Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).


15

Best Practices – Administrative Access

Use two - factor authentication when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate key-logger or credential dumping attacks.

Limit administrative privileges for users and applications.

Periodically review systems (local and domain controllers) for unknown and dormant users.


16

End to End Encryption


17

End-to-End Encryption

How does it work?

• State of the art encrypted magnetic card readers scan and encrypt cardholder information at first card swipe, prior to performing an electronic payment transaction.

• These devices securely encrypt cardholder data for transport over a network rendering it unreadable and as a result valueless to data thieves who frequently attempt to intercept the data while it is in transit to the processor.

• Each encrypted card reader is injected with an encryption key, unique to the processor, to allow for the decryption of the data once securely transmitted to the processor.

• Since these keys are unique and cannot be shared amongst processors, merchants are required to get new hardware when switching processing providers in order to continue to process transactions using end to end encryption.

Becoming PCI compliant involves the use of advanced technology and tight security standards to keep customers’ sensitive credit card data safe from fraud and security breaches. End-to-End Encryption (E2EE) is at the top of the list when it comes to emerging technologies that protect information and help merchants meet PCI requirements. PCI DSS 3.0 requires encrypting transmission of cardholder data across open, public networks.


18

PCI End to End Encryption Solutions

The Chase Paymentech E2E solution is designed for in‐store terminals, although it can also handle manually entered card‐not‐present transactions and accept input from mobile terminals. The E2E solution can also be used on any brand of POS terminal.

Chase Paymentech

• Elavon offers multiple point‐to‐point encryption solutions and tokenization products that are available throughout North America.• Point‐to‐point encryption/decryption solutions are provided to protect data during the transaction; additionally, tokenization solutions are

available for pre‐authorization and/or post‐authorization

Elavon

• BAMS/First Data Corporation has on the market TransArmor, a secure transaction management solution, which is point‐to‐point encryption and tokenization.

BAMS/First Data Corporation

• Processor independent P2PE with 4Go or UTG. Shift4 is a leader in P2PE solutions in the hospitality industry.

Shift 4


19

Data Breach Incident Response


20

The First 24 Hours Checklist

Notify law enforcement, if needed, after consulting with legal counsel and upper management.

Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.

Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.

Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.

Secure the premises around the area where the data breach occurred to help preserve evidence.

Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.

Document everything known thus far about the breach: Who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.

Review protocols regarding disseminating information about the breach for everyone involved in this early stage.

Assess priorities and risks based on what you know about the breach

Bring in your forensics firm to begin an in-depth investigation.

Source: Experian

http://www.experian.com/assets/data-breach/brochures/response-guide.pdf


21

What You Can Do Today


22


• Audit retail hosts for a rogue "POSWDS" service• Look for rogue applications in memory that may attempt to masquerade as svchost and/or other

programs on terminals and servers• Look for a rogue data manager application on internal LAN servers

Forensics analysis on sample of systems looking for malware and signs of intrusion1

• Audit networks for possible rogue PING messages that contain custom text messages• Look for unauthorized FTP exfiltration on Internet-accessible hosts/servers• Looks for Suspicious network traffic

Traffic analysis on sample of networks looking for suspicious traffic2


23


At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in their Strategies to Mitigate Targeted Cyber Intrusions:• Use application whitelisting to help prevent malicious software and unapproved programs

from running• Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office• Patch operating system vulnerabilities• Restrict administrative privileges to operating systems and applications based on user duties.

http://www.asd.gov.au/infosec/top35mitigationstrategies.htm

Alignment to NIST, VISA, and Australian Signals Directorate best practices3




24


• Logging and monitoring– Implement tools to detect anomalous network traffic and anomalous behavior by

legitimate users (compromised credentials)– Offload logs to a dedicated server in a secure location where unauthorized users can't

tamper with them– Aggregates events and logs from network devices and applications– Uses intelligence to analyze and uncover malicious behavior on the network

• Network architecture – FW outbound restrictions• Secure remote access• Implement data leakage prevention/detection tools to detect and help prevent data exfiltration• Incident Response Plans

– Invest in a dedicated incident response team (IRT) that has the knowledge, training and certification to respond to a breach. For more information on IRT training, visit the SANS Institute website.

– Test and document incident response plans to identify and remediate any gaps prior to an attack.

– Plans should be updated periodically to address emerging threats.– Look at controls relative to Breach Kill Chain

Alignment to NIST, VISA, and BAMs best practices (Contd.)3


25

Questions


26

Contact Us

Powerful Insights. Proven Delivery.™

Phone: [email protected]

Jeffery SanchezManaging Director

Los Angeles, CA

prevention of data breach

Documents