Post on 14-Sep-2014
description
Verizon 2014 Data Breach Investigation Report Verizon 2014 Data Breach Investigation Report and The Target Breach
Proactive Approaches to Data Security
Ulf MattssonCTO, Protegrity
Ulf.Mattsson@protegrity.com
Member of PCI Security Standards Council:
• Tokenization Task Force
• Encryption Task Force
• Point to Point Encryption Task Force
• Risk Assessment SIG
Ulf Mattsson, Protegrity CTO
• eCommerce SIG
• Cloud SIG
• Virtualization SIG
• Pre-Authorization SIG
• Scoping SIG
2
The Target Data Breach
Data Security & Threat Landscape
Topics
Think Like A Hacker - Proactive Data Security
New Data Security Technologies & Approaches
3
THE
TARGETDATA BREACHDATA BREACH
4
What can we learn?
First Attack: Fazio Mechanical Services• A 3rd party refrigeration design & maintenance contractor for Target
• Email malware-injecting phishing attack
• Credentials were stolen
Second Attack: Target POS Machines• Used stolen credentials from Fazio Mechanical Services to access
POS machines
How The Breach at Target Went Down
• Installation of malware to collect customer payment data
Aftermath: Malware Data Export• >40 million customer financial records & CCN
• >70 million customer personal information records
• The subsequent file dump containing customer data is reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or provide data required for identity theft.
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/5
Memory Scraping Malware – Target Breach
Payment CardTerminal
Point Of Sale Application
Memory Scraping Malware
Authorization,Settlement
…
Web Server
Memory Scraping Malware
Russia
6
Security software picked up on suspicious activity after a cyberattack was launched, but it decided not to take immediate action
Received security alerts on Nov. 30 that
Target Says It Ignored Early Signs of Data Breach
Received security alerts on Nov. 30 that indicated malicious software had appeared in its network
Source: SEC (Securities and Exchange Commission )7
Target Corp. annual report: Massive security breach has hurt its image and business, while spawning dozens of legal actions, and it can't estimate how big the financial tab will end up being.
The FTC is probing the massive hack of credit card information. Target could face federal charges for
Target Data Breach Fallout
failing to protect its customers' data.
“When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at.”
- Jon Leibowitz, former FTC chairman
Source: Bloomberg Businessweek8
Target Data Breach Fallout
Target CIO Beth Jacob resigned
9
WHO IS THE NEXT TARGET?TARGET?
10
Who is the Next Target?
Services
Retailers
11
Healthcare
Government
It’s not like other businesses are using some special network security practices that Target
doesn’t know about.
They just haven’t been hit yet.They just haven’t been hit yet.
No number of walls, traps, bars, or alarms will keep out the determined thief.
12 Source: www.govtech.com/security
New Environments
Big Data and Cloud platforms are presenting new use cases that are incompatible with old security approaches. This makes them vulnerable and ideal targets.
Cloud & Big Data Vulnerabilities Include:
Hackers& APT
RoguePrivileged
Users
UnvettedApplications
OrAd Hoc
Processes
DATA SECURITY & THREAT LANDSCAPETHREAT LANDSCAPE
14
How have the methods of attack shifted?
“It’s clear the bad guys are winning at a faster rate than the good guysare winning, and we’ve
The Bad Guys are Winning
15
Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
are winning, and we’ve got to solve that.”- 2014 Verizon Data Breach Investigations Report
External Threats are Exploding
16
Source: The 2014 Verizon Data Breach Investigations Report
More, Better Attack Tools
17
Source: The 2014 Verizon Data Breach Investigations Report
Changing Motives
18Source: The 2014 Verizon Data Breach Investigations Report
We Are Losing Ground
“…Even though security is improving, things are getting worse faster, so we're losing ground
19
we're losing ground even as we improve .”- Security expert Bruce Schneier
Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
Organizations Are Not Protecting Against Cyberattacks
“Cyber attack fallout could cost the global economy $3 trillion by 2020.”
20
Source: McKinsey report on enterprise IT security implications released in January 2014.
2020.”- McKinsey & Company reportRisk & Responsibility in a Hyperconnected World: Implications for Enterprises
Organizations Are Also Bad At Detecting Breaches
21 Verizon 2013 Data-breach-investigations-report & 451 Research
BEWARE MALWAREBEWARE MALWARE
22
New Malware Detections
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
23
#17 in 2012 among all types of incidents, rose to a very concerning #4 spot in 2013.
Incidents surged from just 27 in 2012
to 223 in 2013.
The Dramatic Rise of RAM Scraping Malware
to 223 in 2013.
24 Source: Verizon’s 2014 Data Breach Investigations Report
A 10x increasein only ONE YEAR.
In past year, there were at least 20 malware cyber attacks on retail targets similar to Target incident.
“POS malware crime will continue to grow over the near term.”
FBI Memory-Scraping Malware Warning
grow over the near term.”
Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”
Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach
25
Export data became the #1 malware threat in 2013, doubling in occurrence from 2012.
Malware represented 60% (12/20) of the top threat actors in the 2014 Verizon DBIR.
The Dramatic Rise of RAM Scraping Malware
threat actors in the 2014 Verizon DBIR.
26 Source: Verizon’s 2014 Data Breach Investigations Report
My conclusion:Malware will continue to proliferate until we secure the sensitive data flow.
THINK LIKE A HACKERHACKER
How can we shift from reactive to proactive thinking?
27
How do hackers think?
Like a business.
Go where the money is
Thinking Like A Hacker
Multiple touches to get in
Easier targets = Higher ROI
The Modern Day Bank Robber
29
Target was certified as meeting the standard for the Payment Card Industry in September 2013
Compliance is minimal protection that everyone has to have in place.
• It can protect from liability.
Target Breach Lesson: Compliance Isn't Enough
• But obviously, it does not actually protect from data loss.
If you're driving a car, you have to wear your seatbelt.
That doesn't make you a safe driver.
Source: TechNewsWorld30
TURNING THE TIDE
31
What new technologies and techniques can be used to prevent future attacks?
Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
Evolution of Data Security Methods
EvolutionFine Grained Security
• Access Controls
• Field Encryption
• Masking
• Tokenization
• Vaultless Tokenization
32
Evolution
Fine Grained (Field-Level) Sensitive Data Security allows for a Wider and allows for a Wider and
Deeper Range of Authority Options
33
Risk
High –
Old:
Minimal access
levels – Least New :
Much greater
The New Fine Grained Data Security
AccessPrivilege
LevelI
High
I
Low
Low –
levels – Least
Privilege to avoid
high risks
Much greater
flexibility and
lower risk in data
accessibility
34
What ifa Credit Card Number
in the Hands of a Criminalwas Useless?
35
De-identification through TokenizationField Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA
Date of Birth 12/25/1966 01/02/1966
Telephone 760-278-3389 760-389-2289
E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org
SSN 076-39-2778 076-28-3390
CC Number 3678 2289 3907 3378 3846 2290 3371 3378
Business URL www.surferdude.com www.sheyinctao.com
Fingerprint Encrypted
Photo Encrypted
X-Ray Encrypted
Healthcare / Financial Services
Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.Financial Services Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
36
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Cryptographic algorithms
Cryptographic keys
TokenizationEncryption
37
Cryptographic keys
Code books
Index tokens
Different Tokenization Approaches
Property Dynamic Pre-generated Vaultless
Vault-based
38
Security of Fine Grained Protection Methods
High
Security Level
I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Basic
Data
Tokenization
39
Low
10 000 000 -
1 000 000 -
100 000 -
10 000 -
Transactions per second*
Speed of Fine Grained Protection Methods
10 000 -
1 000 -
100 -I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
I
AES CBC
Encryption
Standard
I
Vault-based
Data
Tokenization
*: Speed will depend on the configuration
40
Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
Tokenization users had 50% fewer security-related incidents than tokenization non-users
41
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
Use
Case
How Should I Secure Different Data?
Simple –PCI
PII
Encryption
of Files
CardHolder Data
Tokenization of Fields
Personally Identifiable Information
Type of
DataI
Structured
I
Un-structured
Complex – PHI
ProtectedHealth
Information
42
Personally Identifiable Information
Protecting Enterprise Data Flow
123456 123456 1234
CCN/SSNSocial MediaBlogsSmart PhonesMetersSensorsWeb LogsTrading SystemsGPS Signals
Stream
043
123456 999999 1234
Protecting Data Flows – Reducing Attack Surface
Big Data (Hadoop)
Acquisition
Analytics & Visualization
Enterprise Data
Warehouse
You must assume your perimeter systems will be breached.
How do you know when your systems have been compromised?
You have to baseline and understand what ‘normal' looks like and look for deviations from normal.
McAfee and Symantec can't tell you what normal looks like in your own systems.
Only monitoring anomalies can do that.
CISOs say SIEM Not Good for Security Analytics
Only monitoring anomalies can do that.
Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets
Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
44
Use Big Data to Analyze Abnormal Usage Pattern
Payment CardTerminal
Point Of Sale Application
Memory Scraping Malware
Authorization,Settlement
…
Web Server
Memory Scraping Malware
Moscow, Russia
FireEye
Malware?
Trend - Open Security Analytics Frameworks
46 Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
Enterprise Big Data Lake
Conclusions
Threats are increasing and attackers are getting more advanced• Sticking your head in the sand will not make it go away
• Malware is everywhere – secure and monitor the data flow
Compliance does not equal security
47
Compliance does not equal security• Everyone must be compliant, but it’s just a starting point
• Assume you’re under attack – proactive security must be a priority
Take advantage of the tools available today• Tokenization provides flexibility to capture, store and use data securely
• Big Data event analysis & context can catch threats early on
Thank you!
Questions?
Please contact us for more information
www.protegrity.com
Ulf.Mattsson@protegrity.com
To Request A Copy of the Presentation
Email: info@protegrity.com