THE WORLD OF CYBERSECURITY UNDERGROUND, HIPAA & PCI

Iowa Optometric Association

March 29, 2019

© 2019 RSM US LLP. All Rights Reserved.


Introductions

Travis Wendling, Manager, Security and Privacy Risk, [email protected]

Jonathan Dreasler, Manager, Security and Privacy Risk, [email protected]


Agenda

• Current Landscape & Challenges
• Implementing the Security Change
• HIPAA Compliance and Security Frameworks
• Shedding Light on the Dark Web
• Understanding the Card Payment Process
• Questions & Answers


CURRENT LANDSCAPE & CHALLENGES


The rising criticality of information security

In the current economic, political and social landscape, addressing security has become a core necessity for most organizations:

• Privacy and identity theft are on the rise, and customers demand a higher level of security assurance.

• Network espionage is on the rise.

• Business partners, suppliers, and vendors are requiring assurance from one another.

• Regulators are calling for organizations to demonstrate due care with respect to security.


What does it sell for?

[Chart: what stolen data sells for on the underground market. Categories shown: Social Security Number; Online Payment Services; Driver License; Loyalty Accounts; Diplomas; Passports; Credit or Debit Cards (with CCV #, with bank info, "Fullz" info); General Non-financial Institution Logins; Subscription Services; Medical Records. Price labels on the chart: $1, $20–$200, $20, $20, $5, $15, $30, $1–$10, $1–$1000, $100–$400, $1000+, $1.]


Misconceptions

• New world order
− Underground markets bringing the two sides together
− Motivated attackers place bounties for the skilled attackers to chase
− Skilled attackers breach environments and sell access to the motivated attackers
− The underground economy has lowered the knowledge threshold
− Skilled attackers make more money at less risk by selling their knowledge in packaged form
  • Kits, automation, subscriptions, malware prepacks, etc.
− Result: Pseudo “Advanced Persistent Threat (APT)” attackers
  • a.k.a. “Idiots with nuclear weapons”


The more we see the less we know

• Threats to systems and data have shifted rapidly in the last 24 months.

• Many of the standard methods of protection are now being bypassed with ease.

• Attackers have moved from brute force to simplicity, misdirection and abuse of trust.

• Over 90 percent of the incidents we have worked in the last 24 months have come from “the big 3”:
− Social Engineering
− Client Side Attacks
− Custom Malware

• Being aware of these attacks will help you properly manage the risk to your organization.


Cybersecurity Threats

• Hacking—Breaking through a vulnerability and moving laterally
− Network penetration
− Data leakage and theft
− Social engineering

• APT—“Uninvited Guest”
− Arrives into your network and stays there under the radar
− Harvesting information over time
− Typically not found with anti-virus software
− Sophisticated

• Malware—Code that is designed to do bad things
− Execution of malicious code on an infrastructure
− Escalate unauthorized privileges
− Shut down your network (DDoS)
− Encrypt key data (ransomware)


Cyber claims 2018—causes of loss

Hackers: 22%
Ransomware: 16%
Malware/Virus: 11%
Lost/stolen laptop: 9%
Rogue Employees: 8%
Staff Mistakes: 6%
Business Email Compromise: 5%
Third Parties: 3%
Other: 20%


Cyber claims 2018—by industry

Health Care: 18%
Professional Services: 18%
Financial Services: 13%
Retail: 11%
Non-Profit: 8%
Technology: 7%
Other: 25%

Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study

[Chart: 2018 NetDiligence claims data. Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study]

Data breach—the costs

• NetDiligence results:
− Per record costs: Median = $47.52; Mean = $169
− Total costs: Median = $50,000; Mean = $854,000

• IBM/Ponemon results*:
− Per record costs: Mean = $148
− CIFI**: Per record cost for financial institutions (FI) = $336

* Benchmark research sponsored by IBM Security, independently conducted by Ponemon Institute LLC
** The Impact of Cybersecurity Incidents on Financial Institutions, February 2018


Data breach—the odds

The average global probability of a material breach in the next 24 months is 27.9 percent, an increase over last year’s 27.7 percent*

*Benchmark research sponsored by IBM Security independently conducted by Ponemon Institute LLC


Data breach—the odds

If 2018 felt bad for breaches in the U.S.—It was!!!*

*Benchmark research sponsored by IBM Security independently conducted by Ponemon Institute LLC


Security statistics—trouble with the math?

Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study

[Chart: Average Records Exposed (In Millions), by year, 2011 through 2018; vertical axis 0 to 3.5]


Security statistics—trouble with the math?

Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study

[Chart: Number of Claims by Data Type; categories PCI, PHI, PII, Files-Critical, Non-card Financial, Other; vertical axis 0 to 25]


HIPAA COMPLIANCE AND RISK ANALYSIS


HIPAA Compliance

Security
• Risk assessment and analysis
• Access management
• Incident response
• Contingency planning and backups
• Workstation security
• Media movement and destruction
• Encryption
• Audit controls
• Business associates
• Training and updates

Breach Notification
• Risk assessment of breach
• Notice to individuals
• Notification to media
• Notification to the Secretary
• Notification by BA
• Law enforcement delay
• Burden of proof

Privacy
• Notice of privacy practices
• Rights to request privacy protection for PHI
• Administrative requirements
• Uses and disclosures of PHI
• Amendment of PHI
• Accounting of disclosures

Risk Analysis


HIPAA compliance approach

Central/Enterprise Controls
• Risk management
• Policy
• User provisioning
• Workforce training
• Incident management
• Disaster recovery
• System auditing and logging
• Physical and environmental

Risk Analysis
• Asset inventory
• Asset classification
• Threat sources
• Control effectiveness
• Vulnerability assessment
• Residual risk
• Corrective action plans

Site Assessments
• Site profile
• Site planning and coordination
• Control and sampling finalization
• Site reporting


Risk analysis

Scope areas:
• Enterprise Applications
• Site Applications, networking, devices
• Physician Applications and Networking
• Data Centers and Server locations
• Vendor Access; badging, computing devices
• Mobile Devices
• Marketing applications
• Printers and copy machines
• Medical devices
• Shared drives

Should include complete lists of:
• All Applications
• Sites
• Vendors
• BAAs
• Hardware
• Software


SECURITY FRAMEWORKS


Security drivers

• HIPAA
• ISO/IEC 27001, 27002, 27799
• CFR Part 11
• COBIT
• NIST SP 800-53r4
• NIST SP 800-66
• NIST CSF
• PCI DSS v3
• FTC Red Flags Rule
• JCAHO IM
• HHS Security Guidance
• CMS IS ARS
• MARS-E v1
• THSC 181
• TAC 390.2
• 201 CMR 17.00
• NRS 603A
• CSA Cloud Control Matrix v1


Security program management

[Diagram: cycle linking Security Program, Assessments and Risk Analysis. Arrow labels: “Assets and Priorities”; “Direction on what to monitor and how”; “Feedback on control effectiveness; identification of new risk areas”.]

Elements shown:
- Defined methodology
- Assessments and actions aligned to frameworks
- Assets defined
- Threats and vulnerabilities assigned to assets
- CAPs identified and prioritized
- Controls maturity measurement
- Locations and functions
- Technologies and projects
- Pen Testing
- Vendors


IMPLEMENTING THE SECURITY CHANGE


What is information security governance?

• Framework of established security elements to protect data
• Alignment of cyber security strategy with business strategy
• Establishes risk and asset management parameters
• Effective and efficient management of cyber risks
• Policies, procedures and guidelines
• Oversight to govern critical data assets
• Efficient implementation of processes in a cost-effective manner
• Organizational structure and skills alignment
• Roles and responsibilities
• Visibility to risk mitigation, resolution and remediation efforts
• Cyber capability and maturity
• Real-time reporting and KPIs


Tactical challenges

CHALLENGE 1: LACK OF GOVERNANCE AND COMMON UNDERSTANDING OF RISKS
Questions: Who should own the security for cyber assets and what should be the governance mechanisms in place? Is cyber asset security an IT problem?

CHALLENGE 2: TECHNICAL SECURITY CONTROLS
Questions: How do we implement technical security controls across all the different systems, components and modules?

CHALLENGE 3: ONGOING MAINTENANCE THROUGHOUT THE ASSET LIFECYCLE
Questions: Do we understand the new threat vectors introduced by system changes? Do we always conduct change-driven risk assessments?

CHALLENGE 4: INHERENT ARCHITECTURAL LIMITATIONS
Questions: How do we approach different generations of systems (i.e., legacy systems with inherent limitations and end of life) and consistently apply security controls?

CHALLENGE 5: ASSETS/DEVICE CONTROLS
Questions: Do we have a complete inventory of our assets and their current security state, and do we have clearly documented controls for these assets?

CHALLENGE 6: LACK OF CENTRALIZED COMPLIANCE MONITORING AND IMPROVEMENT INITIATIVES
Questions: Do we know how many systems currently comply with security guidelines and how many are vulnerable?

CHALLENGE 7: HIGH RELIANCE ON VENDORS
Questions: Do we understand the way the vendors connect to and use our systems?


Security domains

FRAMEWORK ELEMENT: DESCRIPTION

Oversight: A structure through which an organization directs, manages and reports its security management activities. It encompasses clearly defined roles and responsibilities, decision rights, the risk governance operating model, and reporting lines. Further, it allows for a conscious decision to use risk management to enable the achievement of business plans, goals and strategic objectives. It includes a risk appetite statement supported by risk tolerances, limits and associated breach protocols to control risk levels throughout the organization.

People: Values and behaviors present throughout an organization that shape security decisions. A security-aware culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits. A strong security culture helps to encourage strategic decisions that are in the long-term best interest of the organization, its shareholders and employees.

Process: The activities in place that allow an organization to identify, assess and quantify known and emerging security risks. The risk assessment and measurement processes allow organizations to consider the extent to which potential events may have an impact on the achievement of objectives. It encompasses qualitative and quantitative approaches, processes, tools and systems that organizations develop and implement to identify, assess, and measure security risks.

Technology: Management of risk data that can be translated into meaningful risk information for stakeholders. It includes the development and deployment of risk management tools, software, databases, technology architecture, and systems that support risk management activities.


RSM security framework

[Diagram: RSM’s Security Governance Framework, with domains grouped under Oversight, People, Process and Technology. Labels shown:]

• Board & Executive Oversight
• Security Awareness & Training
• Identity & Access Management
• Security Architecture & Design
• Security Governance & Strategy
• Incident Management
• Regulatory & Legislative Compliance
• Vulnerability & Malware Management
• Public Relations
• Sourcing & Vendor Management
• Cyber Insurance
• Information Asset Management
• Litigation & Investigation
• Coordination with Law Enforcement
• Effective management of Cyber Risk
• Understanding of Cyber Threats
• Organizational Culture
• Communications
• Roles & Responsibilities
• Security Organization Structure
• Security Skills & Competency
• Application & System Development
• Business Continuity
• Physical Security
• Security Monitoring
• Threat Modelling
• Intrusion Detection & Prevention
• Configuration Management
• End Point Security
• Data Loss Prevention


Example risk maturity continuum

[Diagram: maturity levels Weak, Sustainable, Mature, Integrated and Advanced, rated for Oversight, People, Process and Technology.]

Weak:
• Security governance pre-requisites for a formal security management framework are not in place.
• Security processes and frameworks are siloed.
• Undocumented & inconsistent processes are used.
• Security activities are not aligned with business strategy.
• Security capabilities are dependent on individuals.
• Cyber risks are not consistently considered as business decisions are made.

Sustainable:
• The business does the minimum to meet the expectations of internal and external stakeholders.
• Select security activities are defined; some of which are aligned with business strategy.
• Security capabilities vary across the “three lines of defense.”
• There is limited and inconsistent use of supporting technology. There is limited focus on emerging risks and/or scenario analysis.

Mature:
• The board and executives are increasingly confident that security risks are being effectively managed based on emerging threats, external benchmarking, and the use of risk appetite, tolerances and limits.
• Risk management activities are aligned with business strategy. Security management functions demonstrate a level of consistency, but remote operations or business entities are not integrated. Use of technology is not integrated.

Integrated:
• Security management capabilities and activities are integrated and coordinated across corporate and remote operations and business entities.
• Security management objectives and value proposition are consistently aligned with business strategy.
• Common tools and processes are used with enterprise-wide risk monitoring, measurement and reporting.

Advanced:
• Risk management activities are fully embedded in strategic planning, capital allocation, and in daily decision-making.
• An early warning system is in place to notify the board and management of risks above established thresholds.
• Security management serves as a source of competitive advantage.
• Incentive compensation formally considers risk management.

RSM’s cyber maturity evaluation methodology is adaptable and will encompass evaluation against industry-leading security standards, e.g. FFIEC, PCI, ISO, NIST, IEC, NERC CIP, SANS etc.


The road to sustainable security

• Standardization of enterprise-wide security processes
• Consistent deployment of security standards and initiatives across the enterprise
• Identification of gaps in current skill sets
• Incorporating industry-leading practices to secure systems
• Enabling senior management to monitor effectiveness of security controls and processes
• Better informing personnel and enhancing company-wide security awareness
• Improved security skill sets through targeted training
• Increased security of assets and control systems
• Reduction or avoidance of noncompliance fines
• People and change—a security-minded culture


SHEDDING LIGHT ON THE DARK WEB


Quick shout out

Wanda Archy
− Current: Cyber threat intelligence at RSM
− Location: Washington, DC
− Background: Dark web investigations
− Education: Georgetown University, M.A., intelligence; B.S., sci/tech/int’l affairs
− Previous: Threat intelligence consultant, financial institution security analyst
− Certifications: CISSP, CEH, Security+
− Other: Native Russian speaker, yoga enthusiast

[email protected]/in/wandaarchy

*All screenshots are original.


OVERVIEW & BACKGROUND


What is the “dark web”?

• The dark web is the part of the web that requires anonymizing software to access.

• The dark web is a subset of the deep web, which is unindexed by conventional search engines.

• Where criminals live!


Examples of TOR sites

• Marketplaces: These include any goods sold on the dark web (money, drugs, hit men, exploits, “hacker clothes”).

• Forums: Discussions are held here (lots of valuable intelligence that affects companies).

• Paste Sites: Unlike open web paste sites, these data dump treasure chests are not removed.

• Search Engines/Wikis: The Googles and Wikipedias of the dark web help you navigate to where you want to go.

• Social Media, IRC Networks, Chat Rooms: Different from forums, here actors can discuss whatever they wish in private.


Let’s find stuff!


Anything—absolutely anything.


Examples of information/items

Sensitive Information
• Personally Identifiable Information (PII)
• Personal Health Information (PHI)
• Payment Card Information (PCI)
• Company blueprints
• Company and customer credentials

Merchandise
• Physical goods
• Hit men
• Drugs
• Exploits/vulnerabilities
• Hacking tools

Reputational Damage
• Brand chatter
• Imminent threats (e.g., DDoS, SWATing, physical attacks)
• Other subversive actions (e.g., theft of merchandise, possible fraud)


Threat actor types

The dark web is operated by the following adversaries.

Advanced Persistent Threat (APT)
− Motive: Espionage, reconnaissance
− Attack type: Spearphishing, backdoor Trojans

Criminals
− Motive: Financial gain
− Attack type: Social engineering, phishing, ransomware

Hacktivists
− Motive: Political protest
− Attack type: Web defacement, SQLi, XSS

Terrorist Sympathizers
− Motive: Spreading propaganda
− Attack type: Web defacement

Insiders
− Motive: Accidents, financial gain, political cause
− Attack type: Exfiltration of data

Researchers
− Motive: Curiosity, bounty programs
− Attack type: Vulnerability exploits


Actors are always on!!!


Actors are continuously operating on the dark web.


And obviously the crazies are there


They’re on Google too though.

Took too many ‘PartyPoppers’


Russian criminal underground

Majority of the dark web is русский (Russian)!!!

Lone Hackers
− Bored, want more fun
− DDoS, spam, SQLi, XSS
− Want more $$
Ex: w0rm; Oleg Nikolaenko

Criminal Groups
− Organized, very cartel-like
− Million dollar profits
− Forum administrators
Ex: ZeuS botnet gang; Russian Business Network

Criminals sponsored by nation-state
− Group 2 working with Russia’s intelligence agencies (FSB, SVR, GRU)
− Advanced Persistent Threats
Ex: 2007 Estonia attacks; 2008 Georgia attacks; 2014 Ukraine attacks; 2016 U.S. election?


Are YOU a target today???


CASE STUDIES


Data breach example: Ashley Madison


Data from Ashley Madison (popular extramarital site) was exposed by Impact Team and later dumped on the dark web. Have you searched the dump for your friends or exes?


Carding forum


Joker’s Stash is the most popular “carding” forum on the dark web. Wow, cards for a dollar!


Did you think tax season was over?

Not on the dark web… This information is found on the “Wall Street” of the dark web.


Drugs are everywhere


But that is in the real world too.


Personal information for sale


So much information about you out there, so little time…

Did they really have to steal my Starbucks—FOR FREE?!


Company information for sale


Companies across all sectors are targeted.


Feels like Amazon…


But isn’t Amazon…

Page 56

Rent-A-Hacker

If you can’t do it yourself, have someone do it for you. This guy seems great.

Page 57

Bad guys need love too

Who doesn’t want more friends on social media?

I would do this…

Everyone is looking for friends.

Page 58

Hacking services

Exploits are commonly offered for sale on the dark web.

Page 59

Health records

Health records are rarer to find, but are becoming more available. They are expensive compared with personal information or credit card data.

Page 60

What happened when President Trump took over?

After President Trump’s rise, lots of new forums started popping up…

USA citizenship for $5,900

Fake IDs, holograms too…

Fake forums advertising leaks from Trump campaign scandal(s)

Weird things…

Page 61

WHAT DOES MY ORGANIZATION DO NOW?

Page 62

Five steps for effective cyber threat intelligence

1. Create threat actor profiles to monitor malicious actors.

2. Perform due diligence sweeps across open and closed sources for your data.

3. Perform dark web investigations on an ad hoc basis depending on your sector and industry.

4. Conduct intelligence briefings and C-suite level reporting to keep executives informed.

5. Build out internal threat intelligence capabilities to improve overall cybersecurity strategy and determine exposure risks (see next slide).

Page 63

Determining intelligence criticality

Risk level and examples

Critical
• Client administrative-level credentials
• Sensitive data breach dumps, including full PII, PHI, emails or company blueprints
• Zero-day exploits discovered that are not known to the client
• Malicious indicators (IPs, botnets, malware) directly linked to the organization that imply compromise
• Imminent attacks planned by actors
• Active company credit cards (corporate and customer) sold on closed sources

High
• Other leaked credentials, such as employee or customer passwords
• Company goods (excluding credit cards) sold on closed sources
• “Doxed” information on high-level executives
• Potential for the company to be linked to a malicious technical indicator that requires further investigation
• Company ID badges (to be used for impersonation)

Medium
• Known exploits or vulnerabilities being used by threat actors to target the organization
• Leaked credentials that are not in cleartext and that the RSM team cannot decrypt or crack
• Seemingly credible threats against the organization
• Technical data dumped to paste sites that requires further analysis
• Inactive company credit cards sold on closed sources

Low
• Chatter on closed sources, such as the dark web and IRC networks
• Dumps containing only usernames
• Company signatures (to be used for social engineering campaigns)

Non-issue/Observation
• Chatter on open sources, such as social media
• False positives associated with the company
• Company events (to be used for social engineering campaigns)
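
The sweeps in step 2 and the “leaked credentials” rows above raise a practical question: how do you check whether one of your own passwords sits in a breach dump without handing the password to a third party? The block below is an added example, not RSM’s tooling or anything from the deck. It implements the k-anonymity range query used by the Pwned Passwords service (assumption: the service answers GET /range/<first five hex characters of the SHA-1> with “SUFFIX:COUNT” lines); the response text is constructed so the code runs offline, and the counts in it are made up.

```python
import hashlib

# Added example (not from the RSM deck): check a credential against a breach corpus
# without the credential ever leaving the host. Only the first 5 hex characters of
# the SHA-1 are sent; the remaining 35 are compared locally. Endpoint and response
# format are assumptions about the Pwned Passwords API, not something the deck shows.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed endpoint


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that stays on the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password was seen in breaches (0 = not found).
    range_body must be the service's response for this password's own prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def triage(password: str, range_body: str, is_admin: bool) -> str:
    """Map a hit onto the criticality tiers on the slide: administrative
    credentials are Critical, other leaked credentials High, no hit is a Non-issue."""
    if breach_count(password, range_body) == 0:
        return "Non-issue"
    return "Critical" if is_admin else "High"


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts are invented; a real response holds several hundred lines.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("query:", PWNED_RANGE_URL + prefix)  # only five hex characters leave the host
    print("hits:", breach_count("password", SAMPLE_RANGE_5BAA6))
    print("tier:", triage("password", SAMPLE_RANGE_5BAA6, is_admin=True))
```

In production the response body would come from an HTTPS GET of the printed URL; everything else stays the same, and the service never learns which of the few hundred suffixes in the range you were interested in.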

Page 64

General cybersecurity recommendations

• Always ask why someone needs your information.
− Do you really want spam email anyway? Why are you wearing a nametag?
• Don’t get lazy: avoid clicking links within unsolicited emails or text messages; go to the legitimate site by typing the URL yourself.
− https://www.bankofamerica.com (correct)
− http://www.bankofmerica.com (incorrect: a lookalike domain, and plain HTTP)
• Use strong passwords and change them often.
− We advocate for passphrases.
• Do not use public Wi-Fi (note the Wi-Fi Pineapple, a rogue access point tool!!).
• Start with physical security.
− We do actually “dumpster dive”.
• Avoid geolocation tagging in photos or Tweets.
− How many pictures of your cat do I need?
• Make your social media as private as possible.
• Don’t talk publicly about your company.
− Happy hours are perfect targets!!
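
The bankofmerica.com example above is a typosquat: one missing letter and no HTTPS. Typing the URL yourself is the user-side control; the block below is an added example (not from the deck) of the analyst-side check, triaging a URL from an unsolicited message against a list of the organization’s legitimate domains. The allow-list and the URLs are constructed for the example, and the registrable-domain logic is a deliberate simplification (it takes the last two host labels rather than consulting the Public Suffix List).

```python
from urllib.parse import urlsplit

# Added example (not from the RSM deck). Allow-list is constructed for the example.
KNOWN_GOOD_DOMAINS = {"bankofamerica.com", "example-optometry.com"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_domain(url: str) -> str:
    """Simplified registrable domain: last two labels of the host. Enough for .com;
    a real deployment would use the Public Suffix List (assumption noted in lead-in)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url: str, known_good=KNOWN_GOOD_DOMAINS, max_distance: int = 2) -> dict:
    """Return a verdict, the nearest legitimate domain and the reasons for flagging."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL")  # the classic user@host trick
    nearest, dist = min(((g, edit_distance(domain, g)) for g in known_good), key=lambda t: t[1])
    # A brand name used as a subdomain of an unrelated domain is the other common trick.
    brand_in_host = any(
        host != g and not host.endswith("." + g) and g.split(".")[0] in host for g in known_good
    )
    if dist == 0:
        verdict = "known good domain"
    elif dist <= max_distance:
        verdict = "lookalike"
        reasons.append(f"{domain} is {dist} edit(s) from {nearest}")
    elif brand_in_host:
        verdict = "lookalike"
        reasons.append("known brand appears inside the host but is not the registered domain")
    else:
        verdict = "unknown domain"
    return {"url": url, "domain": domain, "verdict": verdict, "nearest": nearest, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://www.bankofamerica.com",
              "http://www.bankofmerica.com",
              "https://bankofamerica.com.login-verify.example"):
        print(assess_url(u))
```

Edit distance catches the dropped or swapped letter; the brand-in-host check catches the other common pattern, where the real brand is a subdomain of something else. Neither replaces a reputation feed, but together they flag most of what turns up in unsolicited mail.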

Page 65

UNDERSTANDING THE CARD PAYMENT PROCESS

Page 66

Payment industry—key terms

• PCI DSS: Payment Card Industry Data Security Standard
• Payment cards: the credit card
− Visa
− MasterCard Worldwide
− American Express
− Discover Financial Services
− JCB International
• Merchant: entity that accepts payment cards for payment
• Acquirer (merchant bank or acquiring bank): typically a financial institution that processes payment card transactions for merchants
• Issuing bank: financial institution issuing the credit card

Page 67

Payment industry—key terms

• Service provider: business entity, other than a payment brand, that stores, processes or transmits cardholder data on behalf of another entity, or whose services could affect the security of cardholder data (e.g. a managed firewall service provider)
• Cardholder data environment (CDE): the systems, people and processes that store, process or transmit cardholder data
• Qualified Security Assessor (QSA): PCI-trained and certified assessor
• Report on Compliance (ROC): report generated by a QSA for Level 1 assessments
• Self-Assessment Questionnaire (SAQ): reporting for Level 2-4 assessments
• PAN: primary account number, i.e. the credit card number

Page 68

Credit Cards—Primary Account Number

1. Major industry identifier (first digit)
2. Issuer identification number (first six digits)
• Amex: 3xxx xx
• Visa: 4xxx xx
• MasterCard: 5xxx xx
• Discover: 6xxx xx
3. Account number
4. Check digit/checksum (Luhn algorithm)

On receipts you may see only the last four digits displayed, or the first six and last four. All other digits should be masked: PCI DSS allows at most the first six and last four digits to be displayed, unless there is a legitimate business need to see the full PAN.
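
The four parts of the PAN above translate directly into code: the check digit is validated with the Luhn algorithm, the leading digits identify the brand, and masking keeps at most the first six and last four. The block below is an added example, not code from the deck or from RSM. It uses the brands’ published test card numbers and a constructed log excerpt; the brand map follows the slide’s first-digit rule, which is a simplification of the real issuer identification tables (MasterCard’s 2221-2720 range, for instance, is not handled). It goes one step beyond the slide by scanning free text for unmasked PANs, the check an assessor runs against logs and exports when scoping the cardholder data environment.

```python
import re

# Added example (not from the RSM deck). Test PANs are the card brands' published
# test numbers; the log excerpt is constructed.


def luhn_valid(pan: str) -> bool:
    """Check-digit validation: from the right, double every second digit, subtract
    9 from doubles above 9, and the total must be divisible by 10."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_from_pan(pan: str) -> str:
    """Major industry identifier lookup as simplified on the slide. Assumption:
    only the four brands listed there, keyed on the first digit."""
    return {"3": "Amex", "4": "Visa", "5": "MasterCard", "6": "Discover"}.get(pan[0], "Unknown")


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_pan_last4(pan: str) -> str:
    """Receipt-style masking: only the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


# 13-19 digits, optionally separated by single spaces or hyphens, not glued to
# neighbouring digits. Two numbers separated by a single space would be merged;
# a production scanner needs smarter tokenizing than this.
_CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def find_pans(text: str) -> list:
    """Scan free text (logs, tickets, exports) for unmasked PANs. The Luhn filter
    removes most 13-19 digit false positives such as timestamps and order IDs."""
    found = []
    for m in _CANDIDATE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(candidate):
            found.append(candidate)
    return found


# Constructed log excerpt: three unmasked PANs, plus a millisecond timestamp and an
# order ID that are 13-16 digits long but fail the Luhn check.
SAMPLE_LOG = """\
ts=1553872800000 event=auth pan=4111 1111 1111 1111 amount=42.00
ts=1553872801000 event=auth pan=378282246310005 amount=199.99
order=1234567890123456 event=refund pan=5555-5555-5555-4444
event=auth pan=601111******1117 note=already masked
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(brand_from_pan(pan), mask_pan(pan), mask_pan_last4(pan))
```

A hit from find_pans in a log file is exactly the kind of finding that pulls a system into PCI scope: the log is now storing cardholder data, and the fix is to mask at the point of logging, not after the fact.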

Page 69

What is the PCI Security Standards Council (SSC)?

• The PCI SSC is an independent industry standards body providing oversight of the development and management of the PCI DSS on a global scale. The PCI SSC founding payment brands include:
− Visa
− MasterCard Worldwide
− American Express
− Discover Financial Services
− JCB International

Page 70

PCI Standards

Page 71

What is the PCI DSS?

• The PCI DSS defines the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

• PCI standards are required by the card brands and administered by the PCI SSC.

• It was created to increase controls around cardholder data to reduce credit card fraud.

Page 72

Why PCI compliance?

• Hackers and large international organized crime groups target merchants and their payment channels
• High fees for noncompliance with PCI DSS
• The fallout of a card data breach:
− The resulting costs can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.
− A breach could result in an average cost of $200 per card number lost
− Long-term reputational effects on your company
• Payment cards were the most frequently exposed data type in 2017, but over the past year or so that share has fallen: they accounted for only 9 percent of total records exposed in 2018, according to the RSM and NetDiligence 2018 Cyber Claims Study.

Page 73

PCI DSS requirements

Page 74

PCI DSS validation levels

• Merchant levels
− Defined by the payment brands based on transaction volume
− Transaction volume is determined by the acquirer
• Service provider levels
− Defined by the payment brands based on transaction volume and/or type of service provider
− Determined by the payment brands or acquirer and, in some cases, the service provider
• Compliance validation requirements will vary by payment brand

Page 75

PCI levels—merchant (in general)

Level 1: more than 6 million annual transactions
• Validation: annual on-site security audit (ROC) AND quarterly network scan
• Validated by: independent assessor (QSA) or internal security assessor (ISA) with PCI training; scans conducted by an Approved Scanning Vendor (ASV)

Level 2: 1 to 6 million annual transactions
• Validation: annual SAQ AND quarterly network scan
• Validated by: merchant (self assessment); scans conducted by an ASV

Level 3: 20,000 to 1 million annual transactions
• Validation and validated by: same as Level 2

Level 4: 20,000 or fewer annual transactions
• Validation: annual SAQ and network scan recommended

Page 76

PCI SAQ

• The SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS.

• There are multiple versions of the PCI DSS SAQ to meet various scenarios.

• The SAQ is a validation tool for merchants and service providers that are not required to submit an on-site data security assessment ROC.

Page 77

PCI SAQ types

• The type of SAQ depends on the type of merchant environment:
− A: card-not-present merchants (e-commerce or mail/telephone order) with all cardholder data functions fully outsourced
− A-EP: e-commerce merchants who outsource payment processing to third parties, but whose website controls how customers are redirected to the payment page
− B: merchants using a) imprint machines, or b) stand-alone, dial-out terminals
− B-IP: stand-alone, PTS-approved payment terminals with an IP connection to the processor
− C-VT: merchants who manually enter a single transaction at a time into a web-based virtual payment terminal (not e-commerce)
− C: payment applications connected to the internet; no electronic cardholder data storage
− P2PE: hardware payment terminals managed by a validated P2PE solution (not e-commerce)
− D: all merchants not included in the above (and all service providers)

Page 78

ROC vs. SAQ

• The merchant’s bank or card brand will determine the level (1 through 4).

• Level 1 merchants must have a ROC completed by a PCI QSA (independent assessment).

• Other levels (2 through 4) can have a SAQ.

The acquirer can require a full ROC for a level 2 through 4 merchant.

Page 79

PCI levels—service providers (in general)

Level 1: payment gateways and processors
• Validation: annual on-site security audit AND quarterly network scan
• Validated by: independent assessor (QSA) or internal security assessor (ISA) with PCI training; scans conducted by an ASV

Level 2: stores, transmits or processes more than 1 million transactions
• Validation: annual SAQ AND quarterly network scan
• Validated by: self assessment; scans conducted by an ASV

Level 3: stores, transmits or processes fewer than 1 million transactions
• Validation and validated by: same as Level 2

Page 80

Service providers

• A business that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data
• Performs these duties on behalf of another entity
• Includes companies that provide services to merchants, other service providers, or other entities, which control or could impact the security of cardholder data
• Examples include:
− Data centers
− Transaction processors
− Managed service providers (MSP)
− Payment gateways
− Vendors that provide POS maintenance
• Level 1 service providers complete a ROC; Levels 2 and 3 complete SAQ D (in general)

Page 81

CURRENT THREATS AND TRENDS IN PAYMENT CARD SECURITY

Page 82

Payment card theft

• Stolen card: the physical card is stolen and used.
• Online fraud: card details are stolen and used by the thief to make card-not-present purchases.
• Skimming: an illegal device is used to collect the information from the magnetic stripe of your ATM, debit or credit card.

Page 83

Skimming

• A skimming device is a camouflaged counterfeit card reader that records the card’s information.
• It still allows the card holder to complete their transaction, so the theft goes unnoticed.
• It is used at ATMs, retail stores, restaurants and taxis.
• It can also be a hand-held skimmer small enough to fit in a pocket.

Page 84

It’s not always malicious

• 25 percent of breaches were due to insiders
• Of those, 19 percent were unintentional

Page 85

Lack of PCI compliance can cost
