Inside PCI Forensic Investigations: What Every Company & Investigator Needs to Know - Kat Valentine, Walt Conway from the 2011 Computer Forensics Show

Every company that stores, processes, or transmits cardholder data needs to follow the rigid (but common sense) security requirements defined by the Payment Card Industry Data Security Standard. Given the impressive/staggering/imposing costs associated with a data breach, the card brands have a solid incentive to make sure the standards are being followed, as well as to learn all they can about the threat landscape to keep the standards current and comprehensive. When the card brands identify a company as the Common Point of Purchase on a set of fraudulently used cards, that company is generally required to obtain a detailed forensic investigation by a PFI agency to uncover the source of the breach. If your company were ever to experience such a breach, this talk should give you some idea of what to expect throughout the investigation process.

The goal is to educate an audience of company stakeholders, IT security professionals, and diverse forensic investigators about the methodologies of PFI companies and what they look for when investigating compromised cardholder data. The presentation starts with a general overview of the PCI landscape and the Data Security Standard and then moves quickly into detailing what a breached entity is likely to experience during a forensic investigation. From there, the talk covers the initial threat landscape, on-site arrival, collection and investigation, and detailed scientific analysis back at the lab. Finally, it discusses practical ways a company can reduce risk and scope, improve its overall security posture, and hopefully prevent the need to undergo such an investigation in the first place.



Total Views
Views on SlideShare
Embed Views



2 Embeds 163 162 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Inside PCI Forensic Investigations: What Every Company & Investigator Needs to Know - Kat Valentine, Walt Conway from the 2011 Computer Forensics Show Presentation Transcript

  • 1. Inside PCI Forensic Investigations: What Every Company & Investigator Needs to Know
    Presented by Kat Valentine and Walter Conway, Computer Forensics Show, October 2011
  • 2. Goals and Takeaways
    - Discussing cardholder data breaches – what really happens?
    - Merchants: We want you to never need our services
      - How to best prepare for this scenario
    - Law Enforcement Officers (LEOs): Helpful to know what the merchant is about to go through and what their requirements are
    - Forensic Analysts: There's a whole other industry made up of investigators who are not LEOs
      - The card brands care about your response to the incident and what/who caused the breach
  • 3. Agenda
    - Who are we?
    - What is the PCI Data Security Standard (DSS)?
    - What is a PFI?
    - Common attack vectors
    - You've been breached… now what?
    - Incident Response and Forensic Investigation detailed
    - Protecting yourself by preventing this scenario
    - Really uncomfortable merchant situations
    - Up for debate
    - Questions?
  • 4. Who is 403 Labs, LLC?
    - Full-service information security consulting firm
    - Specializes in the Payment Card Industry (PCI) space
    - PCI Forensic Investigator in addition to being a QSA, PA-QSA and an ASV
    - Helps clients protect critical business and customer data
    - Provides a full suite of security services including assessments and penetration testing
    - Works forensic cases of all types, criminal and civil
    - Interacts with all levels of law enforcement – local, state, and federal
    - Assists in prosecutions
  • 5. What is the PCI DSS?
    - Payment Card Industry Data Security Standard
      - Set of security practices to protect card data
      - Unified security standards from individual card brands
    - Affects anyone taking cardholder data, from small merchants to globally recognized brands
      - Required for all entities that process, store or transmit cardholder data, regardless of transaction volume
    - 12 common-sense security requirements
      - Meant to provide guidance in the creation of a secure network
      - Over 280 specific sub-requirements
      - Some requirements in place with forensic investigations in mind
  • 6. What is the PCI DSS?
    - PCI compliance is not enough to avoid being breached, but it makes the merchant a harder target
      - Difference between compliance and security
      - Newer attack vectors and "zero-days" may not be covered by existing security controls
    - PCI DSS is only a minimum set of requirements -- one size does not fit all
    - Many PCI assessments lack proper scoping and rigor
      - Assessments are merely a snapshot in time
      - Compliance and security need to be ongoing efforts
  • 7. What is a PFI?
    - Payment Card Industry Forensic Investigator
    - Forensic agency that specializes in credit card breaches
    - Approved and governed by the PCI SSC
      - Required to be both a QSA and PA-QSA firm
    - Evolved from Visa's Qualified Incident Response Assessor (QIRA) program
  • 8. What is a PFI?
    - PFI program replaced the QIRA program in October 2010
    - Investigates incidents on-site
    - Assures acquired data is forensically sound and could be used in a court of law
    - Identifies the cardholder data (CHD) environment and compromised hosts/networks/devices
    - Oversees remediation
    - Provides final assurance to card brands that breached entities have been secured and returned to a compliant state
    - As of today, 14 companies approved to be PFI firms
      - Only nine PFI firms approved for the United States
      - All 10 firms from the QIRA program grandfathered into the PFI program
  • 9. What is a PFI?
    - Actual guidelines PFIs need to follow to get approved by the PCI Council
      - Must have designated core forensic investigators
      - Cannot take on cases where the firm was the QSA for the breached entity; can take cases as the PA-QSA for the breached entity's point of sale (POS) device -- must maintain independence
      - PCI Council checks your forensic procedures and references
      - For every geographic zone you wish to do work in (service markets), need to have a Certified Forensic Investigator (CFI) for that market
  • 10. Players with a stake in the investigation:
    - Card brands
      - VISA, MasterCard, AMEX, Discover, JCB International
    - Processor / Merchant bank
    - Gateways
    - Your QSA
    - Your POS's PA-QSA
    - Vendors
      - Hardware/Software and implementation companies
  • 11. Who answers to whom?
    - Processing bank answers to card brands
    - Compromised merchant answers to bank
    - Hardware / software vendors = complicated
    - Implementation vendors = also complicated
  • 12. How are the majority of CHD breaches discovered?
    Fun fact: <1% of merchants detect their own breaches
    *From the Verizon 2011 Data Breach Investigations Report
  • 13. Common Attack Vectors - Physical
    - Installing rogue WAP
      - Attaching wireless devices to networks
    - USB w/ malware, keyloggers, etc.
      - Attaching external devices to capture keystrokes or drop malware to the POS
    - Attaching recording devices to phones for mail order or telephone order (MOTO) transactions
    - Theft of endpoints (laptops) or back-office POS server
  • 14. Really Interesting Physical Attack!
    - "Burn" phone + Arduino + lithium batteries + unmonitored public terminals = MONTHS of CHD!
      - Drop and walk
      - Burn phone texts or e-mails CHD at the swipe
    *Photo by Mikko Hypponen
  • 15. Common Attack Vectors - Logical
    - Logical vectors (illegal access to systems)
      - Wireless
      - Malware
      - Remote access
      - Really weak passwords
      - Web applications
      - Storage of CHD
      - POS flaws
  • 16. Common Attack Vectors
    *From the Verizon 2011 Data Breach Investigations Report
  • 17. You've been breached… Now what? (50 ft.)
    1. Merchant identified as Common Point of Purchase (CPP)
      - All stolen cards were used at this merchant location before fraud activity
      - Identified by Merchant ID (MID) -- usually tied to one physical location, even if there are multiple locations
    2. Merchant directed by card brands to get a PFI involved
      - Has to go to a PCI Council-blessed PFI firm, not just any forensic agency
  • 18. You've been breached… Now what? (50 ft.)
    3. Merchant contacts PFI agency; initial scope is defined
      - Processor / card brands play a part in determining scope, but scope might get bigger in time
      - Documentation? (Network diagram, data flow and storage diagram, etc.)
      - Any public-facing POS terminals or pay-at-the-pump / Redbox devices?
        - Provide the analyst with make/model of unattended devices so we can come prepared with stock photographs and identify any differences
      - Any cameras on sensitive areas?
  • 19. You've been breached… Now what? (50 ft.)
    3. Merchant contacts PFI agency; initial scope is defined (continued)
      - Multiple locations? Multiple POS solutions? Inventory system?
        - Stand-alone POS?
        - Integrated inventory system?
      - Mode of connectivity for the POS?
        - Are multiple locations connected to one another?
      - Sometimes the cheapest option might be to send someone from the PFI on-site and forego the interview process
        - Sometimes the IT staff is the POS vendor
        - Sometimes the IT staff doesn't have an inventory or a clue
  • 20. You've been breached… Now what? (50 ft.)
    4. On-site data collection / acquisition
      - Interviews
        - Confirm initial scope
      - Sweep to look for physical intrusions
      - Documentation of the environment (pictures, video)
      - Live memory acquisition
      - Network captures
      - Drive acquisition
      - Digital Media Evidence (DME) collection (think DVR system)
  • 21. You've been breached… Now what? (50 ft.)
    5. Analysis
      - Chain of custody maintained
      - Working copy created
      - Analysis in PCI SSC-approved lab
        - Live memory
          - Running processes
          - Active network connections
        - Network captures
        - Drives
          - Unallocated space
        - Malware analysis
      - Timeline of events – Piecing it together
  • 22. You've been breached… Now what? (50 ft.)
    6. Write and submit to bank / card brands
      - Preliminary report
        - Type of account data exposed (PAN, track, CVV2, etc.)
        - Steps taken in investigation thus far
        - Initial thoughts on nature of the breach
      - Forensic report
        - How the breach occurred
        - Number of compromised cards confirmed
        - Merchant's PCI DSS compliance status at the time of the breach
        - Verifying eradication and recovery efforts were effective
        - Verification that the merchant is now compliant with PCI DSS
  • 23. You've been breached… Now what? (50 ft.)
    7. Follow-up investigations if scope widens
      - Potential for further investigations
      - Potential for penetration test, pre- and post-eradication
      - Potential for additional PCI assessment by a QSA to identify any gaps in compliance and prescribe a detailed remediation plan
  • 24. Incident Response and PFI in Detail
    - Incident Response (IR)
      1. Preparation
      2. Identification
      3. Containment
      4. Eradication
      5. Recovery
      6. Lessons Learned
  • 25. Incident Response and PFI in Detail
    - Incident Response asides:
      - PCI DSS doesn't really provide detailed guidelines regarding incident handling
      - Card brands REALLY care about IR
      - Some requirements apply to preparation and identification to aid in forensic investigations, so your PFI has valuable data to analyze
      - Card brands have specific requirements for the containment, eradication and recovery phases
  • 26. IR: Preparation
    - Goal: Get the company ready to handle different security incidents per PCI DSS before any incidents occur
    - Card brands have different security compliance programs and different approaches to dealing with a security breach
      - Get familiar with them and keep in mind: they change
    - Lack of prep results in additional fines by the brands -- they take IR VERY seriously
  • 27. IR: Preparation
    - Investigate who you want to work with before an incident occurs
      - PFI firms
        - Your processor is a good source of unbiased information (...maybe) -- they know the players and have had exposure to several breaches and thus several PFI agencies
        - Call & interview them!
      - Lawyers
        - Ask if they have an on-staff forensic investigator and experience with data breach scenarios
      - PR firms
  • 28. IR: Preparation
    - Identify scenarios where a breach should be reported to LEOs and have an idea of specific law enforcement agencies for specific situations
      - Local for physical intrusions
      - FBI and Secret Service for major data intrusions
      - Know what getting an LEO involved means for the business
    - Identify internal staff who know everything about everything
      - Can your own company conduct its own internal investigation without corrupting valuable data?
  • 29. IR: Preparation
    - Business continuity versus forensic integrity
      - Have a backup plan, whether it's parallel networks or simple dial-up terminals
        - Made more difficult with POS/inventory integration
      - Payment systems / environment
        - Shut down? Disconnect from network? Business as usual?
        - Depends on specific scenarios – start imagining now
      - Lean on the PFI for guidance – we know you have a business to run!
  • 30. IR: Preparation
    - But whatever you do…
      - Don't cover up a breach – we'll find evidence of that, and it won't be pretty (regarding card brands)
      - Regularly test IR plans (12.9)
      - Know how your POS works before a breach
        - Make sure you get an implementation guide... AND READ IT
        - Disable debug logs -- POSs put stupid data in debug logs, like track data from memory dumps
        - Encryption key rotation – Do you handle that? Do they handle that? Nobody handles it?
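As an added illustration of the debug-log point above (example code, not from the slides or from 403 Labs): a scanner that flags track data and Luhn-valid PANs in POS log files so stored CHD can be found and purged by the merchant. The log lines, host name and card numbers are constructed test values.

```python
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM...>?) and Track 2 (;<PAN>=<YYMM...>?) as they appear in a raw
# swipe; a bare PAN is a 13-19 digit run, optionally split by spaces or dashes.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed POS debug log. The card numbers are well-known public test values, not real accounts.
SAMPLE_DEBUG_LOG = """\
2011-10-03 14:02:11 POS01 DEBUG swipe raw=%B4111111111111111^DOE/JANE^1512101000000000?;4111111111111111=15121010000000000000?
2011-10-03 14:02:12 POS01 INFO auth approved ref=4111111111111112 amount=42.10
2011-10-03 14:05:40 POS01 DEBUG manual entry pan=5555 5555 5555 4444 exp=1412
2011-10-03 14:06:01 POS01 INFO txn id=20111003140601 store=0007
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers, timestamps and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the first six and last four digits, so the finding is not itself stored CHD."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str):
    """Return [(kind, masked_pan)] for each piece of CHD found on one log line."""
    findings = []
    rest = line
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(rest):
            findings.append((kind, mask(m.group(1))))
        rest = rx.sub(" ", rest)            # blank out track data so its PAN is not double-counted
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings

def scan_log(text: str):
    """Return [(line_no, kind, masked_pan)] over a whole log."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, masked in scan_line(line)]

if __name__ == "__main__":
    for n, kind, masked in scan_log(SAMPLE_DEBUG_LOG):
        print(f"line {n}: {kind} {masked}")
```

The Luhn filter is why the reference number on line 2 and the transaction id on line 4 are not reported while the manually keyed PAN on line 3 is.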
  • 31. IR: Preparation
    - PCI DSS requirements establish a foundation for an effective incident handling and forensic investigation process
      - Documentation
        - Network diagram
        - Standard system builds / configs
        - Change control documentation
        - Digital Media Evidence
        - Audit trails
      - Processes
        - Security awareness program / training
        - Log reviews
  • 32. IR: Preparation -/- Documentation
    - Network Diagrams – Requirement 1.1.2a and b
      - Quick and dirty picture of the CHD environment
      - Always needs to be up-to-date and accurate
        - Pretty important, as an inaccurate diagram could slow identification of scope, cause re-work and delay eradication of the breach cause
      - Include data flow information in the network diagram
        - In motion – Internal and external connections to the CHD environment
        - Resting data repositories – Depict databases and files containing CHD
  • 33. IR: Preparation -/- Documentation
    - Documentation and business justification for services, protocols, and ports allowed – Requirement 1.1.5
      - During the PFI, all firewall and router configs are reviewed
      - Investigators want business justification for the services and protocols allowed if they were involved in the breach (in most cases they are)
      - Also to be identified and included in the report: non-approved rules and access control lists (ACLs)
        - Was poor firewall and router config responsible?
        - Were the firewall or router configs changed or compromised?
  • 34. IR: Preparation -/- Documentation
    - Documentation of standard system builds/configs – Requirements 2.2.a, b and c
      - Identification of the normal applications and processes that should be running on a system -- helps in identifying potential malware used in the attack
      - Current information contributes to the IR process by providing assurance that the OS and apps were not altered
      - Requirement 2.2 – Industry-accepted system hardening standards
    - Change control documentation – Req. 6.4
      - Change control processes the org can trust
  • 35. IR: Preparation -/- Documentation
    - Audit trails of all system components in the CHD environment – Requirement 10
      - Good idea -- logs exported from live systems to a secured server to avoid alteration by hackers attempting to cover their tracks
      - 90 days available immediately... one year available from backup/storage
      - While we're at it – Consistent time across all systems via Network Time Protocol (NTP)
      - Antivirus audit logs
        - Did AV detect malware used by the attackers?
        - Make sure AV is configured to quarantine, not just eradicate
  • 36. IR: Preparation -/- Documentation
    - Video camera data (or Digital Media Evidence / DME) – Requirement 9
      - Can be critical in investigations where physical compromise was a factor
      - Potential to identify rogue access points, modem deployments, custom hardware deployments, skimming by employees, etc.
      - Three months of footage to be immediately accessible; one year stored
  • 37. IR: Preparation -/- Processes
    - Daily log reviews to immediately detect potential breaches – Requirements 12.2, 10.6, 12.5.2 and 12.5.5
      - Daily operational security procedures to cut the time between when a breach occurred and when it was discovered
      - Fun fact (again): <1% of merchants detect their own breaches
      - It's obvious whether or not you're doing daily security reviews by who identifies you as a CPP
  • 38. IR: Preparation -/- Processes
    - Key management processes related to CHD encryption – Requirement 3
      - CHD must be unreadable anywhere it is stored
      - Encryption is often the last layer of defense
      - PFIs and LEOs need to know how encryption keys are handled to verify whether they have been compromised
        - Generation
        - Distribution
        - Storage
        - Destruction
        - Revocation
        - Replacement
        - Re-encryption?
  • 39. IR: Preparation -/- Processes
    - Formal security awareness program (12.6)
    - Annual risk assessments (12.1.2)
    - Annual penetration tests (11.2)
    - External and internal vulnerability scanning (11.3)
    - Mailing lists and security newsletters from your vendors (6.2.b)
    - Ongoing IR training
      - Electronic evidence preservation best practices for internal employees
      - Legal ramifications and legal considerations
  • 40. IR: Identification
    - Goal: Identify scope and containment / eradication next steps
    - The clock starts when the card brands confirm you to be a CPP
      - Merchant may have as few as three days to sign with a PFI
        - In some cases, if the merchant refuses, Visa will hire one and charge the merchant
      - Preliminary report – Five days after the first day on-site
        - Contains findings thus far and suspected / potentially compromised account details
      - Final report – Ten days after analysis in the lab is completed
  • 41. IR: Identification
    - Within 10 business days, Visa wants a list of all known compromised cards
      - Visa then shares potentially compromised cards with issuing banks
      - Issuing banks monitor / confirm activity
    - While monitoring is going on, the investigation starts happening
      - PFI firm to acquire live memory, network captures and disk images
      - PFI agency to analyze the acquired data -- determine the cause from forensically sound data
      - Document all events into a timeline and correlate
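An added example (not from the slides or from 403 Labs) of the timeline step: events from three constructed log sources are normalised into one UTC timeline, with each device's clock corrected by the offset the investigator measured against an NTP-synced reference at acquisition, which is what makes correlation work when a POS or DVR was not keeping consistent time. Host names, log formats, offsets and the site time zone are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Clock offset per source, measured on site as (device clock - investigator's NTP reference).
# Constructed values; in a real case they come from the acquisition notes for each device.
CLOCK_OFFSET = {
    "fw01": timedelta(0),                    # firewall kept on NTP
    "pos01": timedelta(minutes=-7),          # POS clock running seven minutes slow
    "dvr01": timedelta(hours=1, minutes=3),  # DVR set to the wrong zone and three minutes fast
}

# Three constructed line formats: firewall syslog stamped in UTC, a POS application log with a
# zone-less local timestamp (site assumed to be at UTC-5), and a DVR motion-event export.
LOCAL_TZ = timezone(timedelta(hours=-5))
PARSERS = [
    ("fw01", re.compile(r"^(?P<ts>\S+Z) fw01 (?P<msg>.*)$"),
     lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)),
    ("pos01", re.compile(r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) POS01 (?P<msg>.*)$"),
     lambda s: datetime.strptime(s, "%m/%d/%Y %H:%M:%S").replace(tzinfo=LOCAL_TZ)),
    ("dvr01", re.compile(r"^DVR01,(?P<ts>\d{14}),(?P<msg>.*)$"),
     lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)),
]

# Constructed evidence lines, deliberately in the order they were collected, not the order they happened.
SAMPLE_LINES = [
    "2011-10-03T02:20:05Z fw01 allow tcp 10.1.1.20:49152 -> 203.0.113.5:443",
    "10/02/2011 21:07:30 POS01 service installed: updsvc.exe",
    "DVR01,20111003031305,motion cam3 back-office door",
    "checksum line from the DVR export that no parser understands",
]

def normalize(line):
    """Return (utc_time, host, message) for a recognised line, else None."""
    for host, rx, to_dt in PARSERS:
        m = rx.match(line)
        if m:
            as_logged = to_dt(m.group("ts"))
            true_time = (as_logged - CLOCK_OFFSET[host]).astimezone(timezone.utc)
            return true_time, host, m.group("msg")
    return None

def build_timeline(lines):
    """Merge recognised events from all sources into one list ordered by corrected UTC time."""
    events = [e for e in map(normalize, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    return events

def render(events):
    return [f"{t:%Y-%m-%d %H:%M:%S}Z {host:<6} {msg}" for t, host, msg in events]

if __name__ == "__main__":
    print("\n".join(render(build_timeline(SAMPLE_LINES))))
```

Taken at face value the DVR event would appear almost an hour after the firewall connection; after correction the order is camera, POS change, outbound connection.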
  • 42. IR: Identification
    - Merchants, I know it's tempting, but don't start eradication just yet!
      - Don't access or alter confirmed compromised systems without guidance from your PFI
      - Don't change passwords – tips off attackers and may compromise the new password
      - Isolate compromised systems (unplug the network cable if you have to)
      - Know the type of CHD at risk (account numbers, expiration dates, forbidden fruit, a.k.a. track data?)
      - Log all actions taken internally (court)
      - In case of a WAP, change the service set identifier (SSID) ASAP and document the change
      - Potential: set up a honeypot
      - Be on high alert
  • 43. IR: Containment, Recovery and Eradication
    - Contain
      - Segmentation
    - Recovery
      - Follow the business continuity plan
      - Keep in mind: Is it possible to rebuild on the existing network? Potential game-changers like switching POS vendors
    - Eradication
      - Happens AFTER the investigation -- you need to know what's affected first, so don't eradicate yet -- it could ruin chances of figuring out the full scope
      - Examples: Discover / destroy malware, harden systems, etc.
  • 44. Repercussions of CHD Breach
    - Associated costs
      - Card brands assess fines
        - Trickle-down – card brands --> processors --> gateway --> merchant
        - Fines are a trade secret – can't know for sure
        - Fines per location / Merchant ID (MID)
        - Under 10k cards exposed – things get loose and brands may assess fairly minor fines that are defined based on the situation
        - Over 10k cards exposed… good luck!
        - Fines = reissue of cards, data protection services for customers (credit watch), merchant punishment, overhead costs, etc.
  • 45. Repercussions of CHD Breach
    - Associated costs
      - Fraud transactions charged to compromised cards -- those transactions, at the discretion of the card brands, get handed off to the CPP
      - Hiring the PFI firm and the investigation itself
      - PCI assessment costs (post-incident)
      - Legal fees
      - PR costs
      - Loss of employee productivity
    - Failing to report the breach:
      - Additional fines (of course)
      - Reporting it actually makes your company look good – shows you had requirements in place to identify breaches
  • 46. Protecting Yourself by Preventing This:
    - PCI DSS is the minimum -- Do at least that
    - Avoid storing CHD
    - Know your scope
      - Merchants are shocked to learn their VoIP call center may be in scope
      - Reduce entry points while reducing scope
    - Monitor physical controls
      - Look for changes via line of sight and weight
      - Watch for social engineering (SE) tricks
        - A guy in a jumpsuit saying they need to change hardware out
    - Web presence -- Consider your databases (DB)
      - Is that public-facing, low-priority DB connected to the CHD DB?
  • 47. Really Uncomfortable Merchant Situation:
    - A lot of the time, it's not the card brands who first discover you're a CPP
      - Really common to get notified by issuing / processing banks
      - Creates several weeks of limbo between the merchant being notified by a reliable source that they've been breached and the card brands actually mandating the PFI
      - During this limbo time, merchants go to their POS vendors... which may or may not have had a hand in the breach
      - While the merchant and processing bank try to guess if the breach will require a PFI, the time to acquire meaningful data elapses
  • 48. Up for Debate:
    - Business continuity versus forensic integrity
      - Very difficult to juggle
      - Backup plan to continue business?
      - From the PFI perspective, it doesn't matter if you catch the crook, but... you might want to recover damages and have the card brands go a little easier on you
    - What happens when cloud computing needs a forensic investigation?
      - A .vmdk file might make things easier? …Maybe?
  • 49. Questions? Thank you!
    Kat Valentine, ASV, CCNA – kvalentine[at]403labs[dot]com – Researcher & Forensic Analyst
    Walter Conway, QSA – wconway[at]403labs[dot]com – Manager, Author
    403 Labs, LLC – 877.403.LABS