The good, the bad and the ugly of the target data breach
![Page 1: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/1.jpg)
The Good, The Bad and The Ugly of The Target Data Breach
Ulf Mattsson, CTO, Protegrity
![Page 2: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/2.jpg)
Ulf Mattsson & PCI Data Security Standards
Working with the Payment Card Industry Security Standards Council (PCI SSC):
• PCI SSC Tokenization Task Force - Guidelines
• PCI SSC Encryption Task Force
• PCI SSC Point to Point Encryption Task Force
• PCI SSC Risk Assessment SIG
• PCI SSC eCommerce SIG
• PCI SSC Cloud SIG
• PCI SSC Virtualization SIG
• PCI SSC Pre-Authorization SIG
• PCI SSC Scoping SIG
• PCI SSC 2013 – 2014 Tokenization Task Force – Technical Standard
![Page 3: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/3.jpg)
Topics
• Data security today
• The Target breach
• New environments bring new vulnerabilities
• Thinking like a hacker - proactive data security
• New technologies & approaches to properly secure data
![Page 4: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/4.jpg)
DATA SECURITY TODAY
How have the methods of attack shifted?
![Page 5: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/5.jpg)
Worries of 800 IT Pros
Source: 2014 Trustwave Security Pressures Report
![Page 6: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/6.jpg)
Data Loss Worries IT Pros Most
Source: 2014 Trustwave Security Pressures Report
![Page 7: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/7.jpg)
The Bad Guys are Winning
“It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report
Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
![Page 8: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/8.jpg)
We Are Losing Ground
“…Even though security is improving, things are getting worse faster, so we're losing ground even as we improve.” - Security expert Bruce Schneier
Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
![Page 9: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/9.jpg)
Organizations are Not Protected Against Cyberattacks
“Cyber attack fallout could cost the global economy $3 trillion by 2020.” - McKinsey & Company report, Risk & Responsibility in a Hyperconnected World: Implications for Enterprises
Source: McKinsey report on enterprise IT security implications released in January 2014.
![Page 10: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/10.jpg)
TARGET DATA BREACH
What can we learn from the Target breach?
![Page 11: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/11.jpg)
Target Data Breach, U.S. Secret Service & iSIGHT
Target CIO Beth Jacob resigned
![Page 12: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/12.jpg)
Memory Scraping Malware – Target Breach
(Diagram: Payment Card Terminal → Point Of Sale Application, with Memory Scraping Malware → Authorization, Settlement … → Web Server, with Memory Scraping Malware → Russia)
![Page 13: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/13.jpg)
How The Breach at Target Went Down
Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email
• Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information
• In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers
The data theft was caused by the installation of malware on the firm's point of sale machines
The subsequent file dump containing customer data is reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or provide data required for identity theft.
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
![Page 14: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/14.jpg)
Target May Face Federal Suit Over Privacy Fumble
The FTC is probing the massive hack of credit card information
Target could face federal charges for failing to protect its customers' data from hackers
"When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," said Jon Leibowitz, a former FTC chairman
Sen. Richard Blumenthal, a Connecticut Democrat, urged the FTC to investigate the Target hack soon after it became public in December
Source: Bloomberg Businessweek
![Page 15: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/15.jpg)
WHO IS THE NEXT TARGET?
![Page 16: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/16.jpg)
Who Is The Next Target?
![Page 17: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/17.jpg)
It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet.
No number of traps, bars, or alarms will keep out the determined thief
Source: www.govtech.com/security
![Page 18: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/18.jpg)
Who is the Next Target?
• Services
• Retailers
• Healthcare
• Government
![Page 19: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/19.jpg)
BEWARE MALWARE
![Page 20: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/20.jpg)
FBI Memory-Scraping Malware Warning
FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to Target incident
Believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it
Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”
Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach
![Page 21: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/21.jpg)
![Page 22: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/22.jpg)
New Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
![Page 23: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/23.jpg)
Total Malicious Signed Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
![Page 24: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/24.jpg)
Targeted Malware Topped the Threats
Source: 2014 Trustwave Security Pressures Report
![Page 25: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/25.jpg)
US - Targeted Malware Top Threat
Source: 2014 Trustwave Security Pressures Report
![Page 26: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/26.jpg)
BIG DATA PROBLEMS
What effect, if any, does the rise of “Big Data” have on breaches?
![Page 27: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/27.jpg)
Has Your Organization Already Invested in Big Data?
Source: Gartner
![Page 28: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/28.jpg)
Holes in Big Data…
Source: Gartner
![Page 29: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/29.jpg)
Many Ways to Hack Big Data
(Diagram of threat sources: Hackers & APT; Rogue Privileged Users; Unvetted Applications or Ad Hoc Processes)
![Page 30: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/30.jpg)
Many Ways to Hack Big Data
(Diagram of the Hadoop stack: MapReduce (Job Scheduling/Execution System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; Avro (Serialization); ZooKeeper (Coordination); HDFS (Hadoop Distributed File System); HBase (Column DB). Threat sources shown against the stack: Hackers; Unvetted Applications or Ad Hoc Processes; Privileged Users)
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
![Page 31: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/31.jpg)
Big Data Vulnerabilities and Concerns
• Big Data (Hadoop) was designed for data access, not security
• Security in a read-only environment introduces new challenges
• Massive scalability and performance requirements
• Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear
• Transparency and data insight are required for ROI on Big Data
![Page 32: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/32.jpg)
THINKING LIKE A HACKER
How can we shift from reactive to proactive thinking?
![Page 33: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/33.jpg)
Thinking Like A Hacker
How do hackers think? Like a business.
• Go where the money is
• Multiple touches to get in
• Easier targets = Higher ROI
![Page 34: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/34.jpg)
The Modern Day Bank Robber
![Page 35: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/35.jpg)
COMPLIANCE VS. SECURITY
![Page 36: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/36.jpg)
Target Breach Lesson: PCI Compliance Isn't Enough
Target was certified as meeting the standard for the payment card industry in September 2013
Compliance can protect us from liability, but whether it actually protects us from loss of business and loss of data is not so clear
Compliance is a minimal deterrent that everyone has to have in place
If you're driving a car, you're expected to have a driver's license. That doesn't make you a safe driver
Source: TechNewsWorld
![Page 37: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/37.jpg)
PCI DSS 3.0
• Protection of cardholder data in memory
• Clarification of key management dual control and split knowledge
• Recommendations on making PCI DSS business-as-usual and best practices
• Security policy and operational procedures added
• Increased password strength
• New requirements for point-of-sale terminal security
• More robust requirements for penetration testing
![Page 38: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/38.jpg)
TURNING THE TIDE
What new technologies and techniques can be used to prevent future attacks?
![Page 39: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/39.jpg)
What if a Social Security number or Credit Card Number in the Hands of a Criminal was Useless?
![Page 40: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/40.jpg)
Evolution of Data Security Methods
(Diagram: over Time, from Coarse Grained Security to Fine Grained Security)
Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization
![Page 41: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/41.jpg)
Access Control
Old and flawed: Minimal access levels so people can only carry out their jobs
(Chart: Risk, Low to High, against Access Privilege Level, Low to High)
![Page 42: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/42.jpg)
Applying the Protection Profile to the Structure of each Sensitive Data Field allows for a Wider Range of Granular Authority Options
![Page 43: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/43.jpg)
The New Data Protection - Tokenization
Old: Minimal access levels – Least Privilege to avoid high risks
New: Much greater flexibility and lower risk in data accessibility
(Chart: Risk, Low to High, against Access Privilege Level, Low to High)
![Page 44: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/44.jpg)
Examples: De-Identified Sensitive Data
| Field | Real Data | Tokenized / Pseudonymized |
|---|---|---|
| Name | Joe Smith | csu wusoj |
| Address | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA |
| Date of Birth | 12/25/1966 | 01/02/1966 |
| Telephone | 760-278-3389 | 760-389-2289 |
| E-Mail Address | [email protected] | [email protected] |
| SSN | 076-39-2778 | 076-28-3390 |
| CC Number | 3678 2289 3907 3378 | 3846 2290 3371 3378 |
| Business URL | www.surferdude.com | www.sheyinctao.com |
| Fingerprint | | Encrypted |
| Photo | | Encrypted |
| X-Ray | | Encrypted |
Healthcare: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.
Financial Services: Consumer Products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
![Page 45: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/45.jpg)
How Should I Secure Different Data?
(Matrix: Use Case, from Simple – PCI (Card Holder Data) through PII (Personally Identifiable Information) to Complex – PHI (Protected Health Information), against Type of Data, Structured vs Un-structured; methods shown: Tokenization of Fields, Encryption of Files)
![Page 46: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/46.jpg)
Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
Tokenization users had 50% fewer security-related incidents than tokenization non-users
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
![Page 47: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/47.jpg)
Security of Different Protection Methods
(Chart: Security Level, Low to High, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization)
![Page 48: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/48.jpg)
Fine Grained Data Security Methods
Tokenization and Encryption are Different
| | Encryption | Tokenization |
|---|---|---|
| Used Approach | Cipher System | Code System |
| | Cryptographic algorithms, Cryptographic keys | Code books, Index tokens |
Source: McGraw-Hill Encyclopedia of Science & Technology
![Page 49: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/49.jpg)
Speed of Different Protection Methods
(Chart: Transactions per second*, on a log scale from 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization)
*: Speed will depend on the configuration
![Page 50: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/50.jpg)
Different Tokenization Approaches
(Table; only the headers survive extraction: Property, against Vault-based (Dynamic, Pre-generated) and Vaultless)
![Page 51: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/51.jpg)
Protecting Data Flows – Reducing Attack Surface
(Diagram, Protecting Enterprise Data Flow: sources such as CCN/SSN, Social Media, Blogs, Smart Phones, Meters, Sensors, Web Logs, Trading Systems and GPS Signals feed a Stream into Big Data (Hadoop) Acquisition, then Analytics & Visualization and the Enterprise Data Warehouse; a card number 123456 123456 1234 enters and is carried downstream as 123456 999999 1234)
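To make the de-identified fields of slide 44, the code-system versus cipher-system contrast of slide 48, the vault-based versus vaultless split of slide 50 and the 123456 999999 1234 token of slide 51 concrete, here is a constructed Python toy added to this transcript; it is not from the deck and not Protegrity's or any vendor's scheme. It assumes a dict standing in for the vault, HMAC-SHA256 as the keyed derivation, and a card-number input where the first six and last four digits are kept in the clear.

```python
import hmac
import hashlib
import secrets
import string

CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _char_class(ch):
    """Alphabet the character belongs to, or None for separators (' ', '-', '@', '.')."""
    for cls in CLASSES:
        if ch in cls:
            return cls
    return None


def _substitute(value, pick, keep_head=0, keep_tail=0):
    """Swap every digit/letter for one from the same alphabet, so the token keeps the
    input's length and layout; the first keep_head and last keep_tail alphanumerics
    (e.g. the BIN and last four digits of a card number) stay in the clear."""
    positions = [i for i, ch in enumerate(value) if _char_class(ch)]
    free = positions[keep_head:len(positions) - keep_tail]
    if not free:
        raise ValueError("no characters left to tokenize")
    out = list(value)
    for n, i in enumerate(free):
        cls = _char_class(value[i])
        out[i] = cls[pick(n) % len(cls)]  # modulo bias is acceptable for a demo only
    return "".join(out)


class VaultTokenizer:
    """Code-system approach: the token is random and the only link back to the
    real value is the code book, here a dict standing in for the token vault."""

    def __init__(self):
        self.vault = {}   # token -> real value
        self.issued = {}  # real value -> token, so a repeated input maps to one token

    def tokenize(self, value, keep_head=0, keep_tail=0):
        if value in self.issued:
            return self.issued[value]
        while True:
            token = _substitute(value, lambda n: secrets.randbelow(256), keep_head, keep_tail)
            if token != value and token not in self.vault:
                break
        self.vault[token] = value
        self.issued[value] = token
        return token

    def detokenize(self, token):
        return self.vault[token]  # only whoever holds the vault can reverse a token


class KeyedTokenizer:
    """Vaultless flavour: tokens are derived from a secret key with HMAC, so there is
    no mapping to store or replicate and equal inputs always give equal tokens.
    This constructed toy is one-way (keyed pseudonymization); commercial vaultless
    tokenization uses reversible static tables or FPE so tokens can be detokenized."""

    def __init__(self, key: bytes):
        self.key = key

    def tokenize(self, value, keep_head=0, keep_tail=0):
        # HMAC in counter mode yields one keystream byte per character, for any length
        stream = b"".join(hmac.new(self.key, value.encode() + bytes([c]), hashlib.sha256).digest()
                          for c in range(len(value) // 32 + 1))
        return _substitute(value, lambda n: stream[n], keep_head, keep_tail)
```

The vault must itself be protected and replicated, which is the operational cost slide 50 contrasts with vaultless approaches; the keyed tokenizer has no such state but, as written here, cannot be reversed.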
![Page 52: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/52.jpg)
Current Breach Discovery Methods
Source: Verizon 2013 Data Breach Investigations Report & 451 Research
![Page 53: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/53.jpg)
CISOs say SIEM Not Good for Security Analytics
You must assume the systems will be breached. Once breached, how do you know you've been compromised?
You have to baseline and understand what 'goodness' looks like and look for deviations from goodness
McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that
Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets
Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
![Page 54: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/54.jpg)
Use Big Data to Analyze Abnormal Usage Pattern
(Diagram, as on slide 12: Payment Card Terminal → Point Of Sale Application, with Memory Scraping Malware → Authorization, Settlement … → Web Server, with Memory Scraping Malware → Moscow, Russia; labels: FireEye, Malware?)
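Slides 53 and 54 call for baselining what 'goodness' looks like in network flow data and flagging deviations; the Python below, added here and not from the deck, builds such a baseline from constructed flow records and reports a POS host copying to a peer it never used and an unknown host uploading to an external address. The host names, the 203.0.113.45 address, the timestamps and the byte counts are constructed sample values.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample NetFlow-style records (not real Target data). In the baseline
# week the POS hosts talk only to the internal payment switch; the recent window
# adds a large copy to an internal file share and a bulk FTP upload from that
# share to an unknown external address.
BASELINE_FLOWS = """\
ts,src,dst,dport,bytes
2013-11-20T09:00:00,pos-101,payment-switch,443,2100
2013-11-20T09:05:00,pos-101,payment-switch,443,1950
2013-11-20T09:07:00,pos-102,payment-switch,443,2300
2013-11-20T10:00:00,pos-101,payment-switch,443,2050
2013-11-20T10:30:00,pos-102,payment-switch,443,2200
"""

RECENT_FLOWS = """\
ts,src,dst,dport,bytes
2013-11-27T09:00:00,pos-101,payment-switch,443,2000
2013-11-27T09:02:00,pos-101,file-share-17,445,1843200
2013-11-27T09:10:00,pos-102,payment-switch,443,2250
2013-11-27T23:15:00,file-share-17,203.0.113.45,21,104857600
"""


def parse_flows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
    return rows


def build_baseline(flows):
    """What 'goodness' looks like per source host: the peer/port pairs it uses and
    the mean and standard deviation of its flow sizes."""
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for f in flows:
        peers[f["src"]].add((f["dst"], f["dport"]))
        sizes[f["src"]].append(f["bytes"])
    size_stats = {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in sizes.items()}
    return {"peers": dict(peers), "size": size_stats}


def find_deviations(baseline, flows, z=3.0):
    """Flag a flow when its source was never seen, when it goes to a peer/port the
    source never used, or when it is far larger than that source's usual flows."""
    findings = []
    for f in flows:
        src = f["src"]
        if src not in baseline["peers"]:
            findings.append((f["ts"], src, "unknown source host"))
            continue
        if (f["dst"], f["dport"]) not in baseline["peers"][src]:
            findings.append((f["ts"], src, f"new peer {f['dst']}:{f['dport']}"))
        mean, sd = baseline["size"][src]
        # floor the spread at 10% of the mean so a near-constant baseline ignores jitter
        if f["bytes"] > mean + z * max(sd, 0.1 * mean):
            findings.append((f["ts"], src, f"volume {f['bytes']} bytes vs usual {mean:.0f}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    for ts, src, reason in find_deviations(baseline, parse_flows(RECENT_FLOWS)):
        print(ts, src, reason)
```

A signature-based IDS has no reason to alert on SMB or FTP traffic; the peer-set and volume baseline is what supplies the context slide 56 says IDS and SIEM lack.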
![Page 55: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/55.jpg)
Trend - Open Security Analytics Frameworks
(Diagram: Enterprise Big Data Lake)
Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
![Page 56: The good, the bad and the ugly of the target data breach](https://reader033.fdocuments.us/reader033/viewer/2022051613/54c687ac4a7959fb258b45a3/html5/thumbnails/56.jpg)
Conclusions
Changing threat landscape & challenges to secure data:
• Attackers are looking for not just payment data – a more serious problem.
• IDS systems are lacking context needed to catch data theft
• SIEM detection is too slow in handling large amounts of events.
What happened at Target?
• Modern customized malware can be very hard to detect
• They were compliant, but not secure
How can we prevent what happened to Target and the next attack against our sensitive data?
• Assume that we are under attack - proactive protection of the data itself
• We need Big Data event information analysis & context to catch modern attackers
• Use security methods that require less cleartext in use, such as tokenization