Securing Your Point of Sale Systems: Stopping Malware and Data Theft

Point of Sale (POS) systems have long been the target of financially-motivated crime. And in 2013 the magnitude of cybercrime against POS systems skyrocketed, with 97% of breaches in the retail sector and 47% in the healthcare sector aimed against POS systems. With sensitive financial and personal records getting exposed by the millions, the FBI recently warned that POS systems are under sustained and continued attack.

During this webcast, we will take you into the three critical entry points to POS system attacks. We’ll discuss how the attacks look, the timelines for these breaches, and what proactive security measures you can take to help your organization minimize the risk to your POS systems.

• 3 Critical Entry Points to POS System Attacks
• Impacts to an Organization
• Top 3 Security Measures to Minimize Risk

Published in: Technology
Securing Your Point of Sale Systems: Stopping Malware and Data Theft

  1. Securing Your Point of Sale Systems: Stopping Malware and Data Theft
     Chris Merritt | Solution Marketing
     Source: http://www.wired.com/threatlevel/2014/01/target-hack/
     February 20, 2014
     PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  2. Today’s Agenda
     • Setting the Stage
     • Three Attack Vectors
     • Impacts on Organizations
     • Top Security Measures to Minimize Risk
  3. Setting the Stage
     • Focus on POS Systems, but …
       » Need to consider other fixed function assets which abound, such as ATMs, kiosks, self-checkout, etc.
       » Need to consider the entire chain, including “back office” assets such as servers, workstations, etc.
     • Focus on Retail Sector, but …
       » Need to consider other sectors where POS systems and other fixed function assets are heavily used, such as the Healthcare and Financial sectors
  4. Three Attack Vectors
  5. Threat Environment. Source: Store Systems Security | Preparing for the Paradigm Shift – by IHL Group (Aug-2013)
  6. Threat Environment. Source: Store Systems Security | Preparing for the Paradigm Shift – by IHL Group (Aug-2013)
  7. Targeted Assets. Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)
  8. Targeted Assets. Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)
  9. Targeted Assets. Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)
  10. Targeted Assets. Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)
  11. Breach Timeline
  12. Security Alerts
  13. Security Alerts
  14. Security Alerts
  15. Three Attack Vectors
      Physical Attack
        » Examples: Tampering, Beacons
        » Impacts Front Line Assets
      Network Attack
        » Examples: Hacking, Malware
        » Impacts Front Line and Back Office Assets
      Supply Chain Attack
        » Examples: Hacking, Malware
        » Impacts Back Office Assets
  16. Impacts on Organizations
  17. US Breach Data (2005 – 2013) [chart: X-axis = Year, Y-axis = Breach Count, Bubble size = Breach Size]
  18. Breaches by Organization Type (2005 – 2013)
  19. Records by Organization Type (2005 – 2013)
  20. Data Breach Costs
  21. Security Measures
  22. Defense-in-Depth
      • Multiple layers of Security Controls
        » Redundancy in case of Failure or Exploitation
        » Covers People, Process and Technical Controls
        » Seeks to delay attack
      • Endpoint security threats too complex
        » Need multiple technologies / processes
      • Successful risk mitigation
        » Starts with solid Vulnerability Management
        » Add other Layered Defenses, beyond traditional Blacklist approach
        » Consider both Network and Physical Vectors
      Image credit: © Creative Commons / Fidelia Nimmons
  23. Practical Defense-in-Depth
  24. Practical Defense-in-Depth
  25. Practical Defense-in-Depth: Whitelisting
  26. Breach Timeline (IS)
  27. Breach Timeline (Ideal)
  28. Additional Information
      Free Security Scanner Tools
        » Application Scanner – discover all the apps being used in your network
        » Device Scanner – discover all the devices being used in your network
        https://www.lumension.com/resources/premium-security-tools.aspx
      Free Trial (virtual or download)
        http://www.lumension.com/endpoint-managementsecurity-suite/free-trial.aspx
      Reports
        » Targeted Threat Protection for POS Systems
          https://www.lumension.com/Media_Files/Documents/Marketing---Sales/Datasheets/Lumension-Endpoint-Security---Point-ofSale.aspx
        » Tolly Reports on Application Control vs. Antivirus Performance at http://www.tolly.com/
          Server: ~/DocDetail.aspx?DocNumber=213121
          Client: ~/DocDetail.aspx?DocNumber=213126
  29. Global Headquarters
      8660 East Hartford Drive, Suite 300
      Scottsdale, AZ 85255
      1.888.725.7828
      info@lumension.com