How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
Presented at InnoTech Dallas on May 17, 2012. All rights reserved.

1. How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
   Brian Blankenship, Operations Information Security Officer, Heartland Payment Systems

2. Dump truck racing = InfoSec Career

3. Topics / Agenda
   Heartland Payment Systems
   – Who is Heartland Payment Systems?
   – What Happened in the Heartland Breach?
   – What Did We Do About It?
   – What Are We Doing Now?
   – Key Risk Mitigations
   – Information Sharing – how it works
   Is your company a target?
   – Some current threats
   – Breach Statistics
   Information Security Perspective
5. Heartland – A Full Service Payments Processor
   • Card Processing
     • Credit/debit/prepaid cards:
       • Process over 10 million transactions a day
       • Process over 3.9 billion transactions annually
   • Payroll Processing (PlusOne Payroll)
   • Check Management (Check 21, ExpressFunds, StopLoss)
   • Online Payment Processing
   • MicroPayments – Vending, Laundry, Campus Solutions
   • Gift Cards and Loyalty Processing
   • Heartland Gives Back

6. Heartland – Our People
   • HQ: Princeton, NJ
   • IT: Plano, TX – 300 employees
   • Servicing: Louisville, KY – 800 employees
   • Heartland Cares Foundation

7. Heartland – 15 Years Ago ... and Today
   1997 (1st Trans 6/15/97)        Today
   • 2,350 clients                 255,000 clients
   • 25 employees                  3,000+ employees
   • #62 in US                     #5 processor in U.S.
   • $0.4 billion portfolio        $68 billion portfolio

8. Heartland – Financials
   (Chart values, paired with their years by the chart's ordering; Net Revenue and Net Income appear to be in thousands of dollars, EPS in dollars)
   Year   Net Revenue   Net Income   EPS
   2004   137,796       8,855        0.26
   2005   186,486       19,093       0.50
   2006   245,652       28,544       0.71
   2007   294,771       35,870       0.90
   2008   383,708       41,840       1.08

9. Heartland – EPS in 2009…
   (Photo: Heartland CEO's granddaughter)

10. Heartland – The Recovery
   • 2009: Total Revenues $1,652 m (up 6.93%*); Net Income -52 m (down 224%); EPS -1.38 (down 223%)
   • 2010: Total Revenues $1,864 m (up 12.8%); Net Income 35 m (up 167%); EPS 0.88 (up 163%)
   • 2011: Total Revenues $1,996 m (up 7.1%); Net Income 44 m (up 25.7%); EPS 1.09 (up 23.9%)
   *All percentages year-over-year
12. The Threat
   It's all about the money ….

13. What Happened? – The Penetration
   • Very Late 2007 – SQL Injection via a customer-facing web page in our corporate (non-payments) environment. Bad guys were in our corporate network.
   • Early 2008 – Hired largest approved QSA to perform penetration testing of corporate environment
   • Spring 2008 – CEO learned of Sniffer Attack on Hannaford's, created a dedicated Chief Security Officer position and filled that position
   • April 30, 2008 – Passed 6th consecutive "Annual Review" by largest QSA
   • Very Late 2007 – Mid-May 2008 – Unknown period, but it is possible that bad guys were studying the corporate network
   • Mid-May 2008 – Penetration of our Payments Network
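The entry vector on this slide was SQL injection through a customer-facing web page. The following is an added example, not code from the deck or from Heartland: it puts the weak pattern (user input concatenated into the SQL text) beside the fix (a parameterised query) and runs the same input through both, so the difference in what the database returns is visible. The merchant table, its ids and names are constructed for the example.

```python
import sqlite3

# Constructed sample table: a handful of merchant records, not real data.
SAMPLE_MERCHANTS = [
    ("M-1042", "Corner Bakery"),
    ("M-2077", "Riverside Hardware"),
    ("M-3150", "Oak Street Dental"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (merchant_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?)", SAMPLE_MERCHANTS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """The weak pattern: the request parameter becomes part of the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT name FROM merchants WHERE merchant_id = '" + merchant_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, merchant_id):
    """The fix: a parameterised query. The driver passes the value separately
    from the statement, so the input is only ever compared as data."""
    sql = "SELECT name FROM merchants WHERE merchant_id = ?"
    return [row[0] for row in conn.execute(sql, (merchant_id,))]


def compare(merchant_id):
    """Run one input through both versions and report what each returned."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, merchant_id),
            "safe": lookup_safe(conn, merchant_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal id   :", compare("M-1042"))
    # The textbook tautology input: with concatenation the WHERE clause becomes
    # always-true and every row comes back; the parameterised query returns nothing.
    print("tautology id:", compare("' OR '1'='1"))
```

The point for a code reviewer or a static-analysis rule (slide 25 lists static and dynamic code analysis among the key mitigations) is the shape of `lookup_vulnerable`: any query assembled with string operators from request data is the finding, regardless of what validation sits in front of it.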
14. What Happened? – The Investigation and The Announcement
   • Late October 2008 – Informed by a card brand that several issuers suspected a potential breach of one or more processors. We received sample fraud transactions to help us determine if there was a problem in our payments network. Many of these transactions never touched our payments network.
   • No evidence could be found of an intrusion despite vigorous efforts by HPS employees and then two forensics companies to find a problem.
   • January 9, 2009 – We were told by QIRA that "no problems were found" and that a final report reflecting that opinion would be forthcoming.
   • January 12, 2009 – January 20, 2009 – Learned of breach, notified card brands, notified law enforcement and made public announcement.

15. Why I came to Heartland…
   • The way the breach was handled
   • High degree of transparency
   • Knew that security would be #1 priority
   • Heartland was changing the perception of breaches, and how they should be handled
17. PANIC – DENIAL – ANGER – BARGAINING – DEPRESSION – ACCEPTANCE – FIX THE PROBLEM

18. Vectors of Trust
   • After any major incident, there are multiple vectors of trust that have to be rebuilt
     – Trust from your customers
     – Trust from your investors
     – Trust from your own employees
     – Trust from your competitors
   • Heartland has worked hard to rebuild these

19. The Real Response
   • 1/20/09 – Call to arms of all Heartland employees to visit clients and talk to partners
   • HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22
   • HPY 4Q08 Earnings Call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement
   • 3/14/09 – Delisted from Visa list of approved vendors
   • 4/30/09 – Certified PCI compliant by VeriSign and reinstated on Visa list of approved vendors
   • 5/11/12 – HPY closed at $30.41
21. Industry Security Advancements
   • Chip & PIN (EMV)
     – Helps authenticate the card
   • Tokenization
     – Reduces risk of storing card data
   • Both help, but don't address data in transit
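Tokenization, as the slide says, reduces the risk of storing card data: downstream systems keep a surrogate value and only the vault can map it back. The following added example (not code from the deck, and not Heartland's tokenization or E3 products) sketches that mechanism with an in-memory vault. `TokenVault`, `record_order`, the Luhn helper and the order record are constructed for illustration; `4111111111111111` is a well-known test card number, not an issued one.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that every real card number passes."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a tokenization service (constructed for this example).

    Only the vault holds the PAN-to-token mapping; everything downstream of it
    (order records, reports, receipts) sees the token alone."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:     # same card, same token, so reports can still link transactions
            return self._by_pan[pan]
        while True:
            # Random digits with the real last four kept for receipts. The token is
            # not derived from the PAN, so nothing about it can be reversed, and it
            # is chosen to fail the Luhn check so it cannot pass as a card number.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, under its own access controls, recovers the PAN."""
        return self._by_token[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant-facing system stores: a token and the last four, never the PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "4111111111111111", 1999)
    print("stored order record:", order)
    print("vault recovers     :", vault.detokenize(order["token"]))
```

The design point is the one the slide makes: a database full of `record_order` output is worth little to a thief, because the card numbers live only behind the vault. What tokenization does not cover is the card data on its way from the swipe to the vault, which is the gap the E3 approach on the next slide addresses.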
22. Heartland Approach to E3 (End to End Encryption)
   E3 Security Model
   • Continuous protection of the confidentiality and integrity of transmitted information by encrypting at the origin and decrypting at the destination.
   E3 Device Strategy
   • Build devices that use Tamper Resistant Security Modules to encrypt payment data at the point of swipe or data entry.
   • Collaborate with existing device vendors and encryption solution providers.
   E3 Data Strategy
   • Protect cardholder and merchant data wherever it resides on Heartland's systems.
   • Directly influence industry security standards and practices to strengthen data protection.

23. Merchant Bill of Rights, Sales Professional Bill of Rights, Durbin
   http://www.spbor.com/
   http://www.merchantbillofrights.org/
   http://getyourdurbindollars.com/
25. Key Risk Mitigations
   • Data Loss Prevention
   • Network and Application Penetration Testing
   • Platform Security
   • Static and Dynamic Code Analysis
27. The New Paradigm
   • During investigation of Heartland breach
     • Found other processors knew of the breach indicators
     • Several had seen or known about them
     • No one shared that information
   • Started the PPISC (Payment Processors Information Sharing Council) in 2009
     • Charter – bring processors to table to discuss threat indicators and tactics
     • Avoid any discussion on business-related topics to avoid anti-trust issues
     • Everyone brings to table topics that they are seeing through their various intel sources (internal and external)

28. Intelligence Sharing – PPISC
   • Malware signatures currently being shared with input of Secret Service and other agencies
   • Participation in threat exercises (CAPP – Cyber Attack Against Payment Processes)

29. Changes in Breach Perceptions
   • For Heartland, the impact was immediate and very high
   • People have come to understand that any company can be breached
   • Acceptance becoming the norm
31. Targeted Attacks
   Is your company a target…?

32. SpyEye: targets financial institutions
   northerntrust.com, treasury.pncbank.com, ssl.selectpayment.com, svbconnect.com, onlinebanking.banksterling.com, texascapitalbank.com, web-access.com, nashvillecitizensbank.com, singlepoint.usbank.com, sso.unionbank.com, commercial.wachovia.com, wellsoffice.wellsfargo.com, mandtbank.com, online.corp.westpac.com, paymentech.com, appliedbank.com, heartlandmerchantcenter.com, reporting.worldpay.us, firstnational.com, merchante-solutions.com, portal.mercurypay.com, 1fbusa.com, logon.merrickbank.com, mybmwcard.com, gotomycard.com, cardmemberservices.net, nordstromcard.com, statefarm.com, tnbonlinebanking.com, accountcentralonline.com, chase.com, wellsfargofinancialcards.com, credit.compassbank.com, rcam.target.com, partnercardservices.com, accessmycardonline.com, creditcards.citi.com, commercebank.com, hsbccreditcard.com, neteller.com, mypremiercreditcard.com, penfed.org, bankofamerica.com, hsbc.com, huntington.com, usaa.com, citibank.com, paypal.com

33. Adversary Attributes
   • Advanced
     • Well-funded adversary
     • Advanced technical capabilities
     • Ability to identify zero-day exploits
     • Weaponize exploits
     • Trained professionals
     • Backing of nation state or organized crime
   • Persistent
     • Sustained presence within target organization
     • Remains undetected
     • Takes the time needed to reach objective and exfiltrate information
   • Threat
     • Covert theft or alteration of sensitive information
     • Political or military advantage
     • Strategic or tactical advantage
     • Economic advantage or financial gain

34. Can a system be completely secure?
   "The only secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts." – Gene Spafford, Purdue University

35. Getting in can be easy…

36. The malware code was obfuscated:

37. Encoded: Zero AV Detection

38. Decoded: detected by 8 of 43 AV engines

39. Blackhole Exploitation Kit

40. Social Engineering:
   • Manipulating people into performing actions or divulging confidential information
   • Pretexting: creating an invented story to engage a target in a way that makes them more likely to divulge the desired information.
   • Usually involves: sympathy, intimidation, flattery, or fear
   • Most companies are vulnerable to SE

41. Example SE scenario… What would you do if…
   • Receive call from your Helpdesk
   • Caller ID shows correct number
   • Said there is suspicious activity coming from your computer, need you to run a scan by visiting the following URL.
   • http://onlinesecurityscanner.com

42. Example SE scenario…
   • After the scan runs, you are informed that your system checked out fine. Sorry for the inconvenience.
   For more info on Social Engineering: http://social-engineer.org
44. Are attacks on the rise?
   • Increased media coverage over the last year
     – Much like "shark attack" coverage
   • New motivations
     – Political
     – Limelight / Ego
     – Embarrassment
     – Retaliation

45. Are attacks on the rise…???
   The number of incidents reported has been increasing
   • 2010 – 800 new compromise incidents
   • 2004-09 – just over 900
   source: 2011 Verizon DBIR

46. Records Compromised
   • The total number of records compromised annually has declined
     – 2011 – 4 million
     – 2010 – 144 million
     – 2009 – 361 million
   source: 2011 Verizon DBIR

47. Who is behind data breaches?
   • 92% – stemmed from external agents (+22%)
   • 17% – implicated insiders (-31%)
   • <1% – resulted from business partners (-10%)
   source: 2011 Verizon DBIR

48. How do breaches occur?
   • 50% utilized some form of hacking (+10%)
   • 49% incorporated malware (+11%)
   • 29% involved physical attacks (+14%)
   • 17% resulted from privilege misuse (-31%)
   • 11% employed social tactics (-17%)
   source: 2011 Verizon DBIR

49. How do breaches occur?
   • 83% of victims were targets of opportunity
   • 92% of attacks were not highly difficult (+7%)
   • 76% of all data was compromised from servers (-22%)
   • 86% were discovered by a third party (+25%)
   • 96% of breaches were avoidable through simple or intermediate controls
   • 89% of victims subject to PCI-DSS had not achieved compliance (+10%)
   source: 2011 Verizon DBIR

50. Where should mitigations be focused?
   • Eliminate unnecessary data
   • Ensure essential controls are met
   • Check the above again
   • Assess remote access services
   • Test and review web applications
   • Audit user accounts and monitor privileged activity
   • Monitor and mine event logs
   • Examine ATMs and other payment card input devices for tampering
   source: 2011 Verizon DBIR
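Two items on this list, "monitor and mine event logs" and "test and review web applications", meet in the web server log: the SQL injection on slide 13 would have left its traces there, and 86% of victims learning of their breach from a third party is the cost of nobody reading them. The following added example (not from the deck or the DBIR) parses constructed Common Log Format lines, decodes the request path, flags requests carrying common SQL-injection indicators and counts them per source address. The log lines, addresses (from documentation ranges), path names and indicator patterns are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format; the last one is deliberately
# malformed so the parser's handling of junk lines is exercised too.
LOG_LINES = [
    '203.0.113.7 - - [12/May/2012:10:01:02 -0500] "GET /merchants?id=1042 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2012:10:01:05 -0500] "GET /merchants?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304',
    '203.0.113.7 - - [12/May/2012:10:01:09 -0500] "GET /merchants?id=1042%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 221',
    '198.51.100.4 - - [12/May/2012:10:02:00 -0500] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.4 - - [12/May/2012:10:02:03 -0500] "POST /login HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Indicators of SQL-injection attempts, matched against the decoded request path.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",   # tautology such as ' OR '1'='1
    r"\bunion\s+(all\s+)?select\b",    # UNION-based extraction
    r"--\s*$",                         # trailing SQL comment
    r"/\*.*?\*/",                      # inline SQL comment
)]


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Decode %27, %20, + and friends first: attackers URL-encode, the patterns do not.
    fields["path"] = unquote_plus(fields["path"])
    return fields


def is_sqli_attempt(path):
    """True when the decoded path matches any indicator pattern."""
    return any(p.search(path) for p in SQLI_PATTERNS)


def mine(lines):
    """Flag suspicious requests and count them per source address.

    Returns flagged (ip, decoded path, status) tuples, a per-IP count, and the
    number of lines the parser rejected, which itself deserves a look."""
    flagged, per_ip, unparsed = [], Counter(), 0
    for line in lines:
        f = parse_line(line)
        if f is None:
            unparsed += 1
            continue
        if is_sqli_attempt(f["path"]):
            flagged.append((f["ip"], f["path"], f["status"]))
            per_ip[f["ip"]] += 1
    return {"flagged": flagged, "per_ip": dict(per_ip), "unparsed": unparsed}


if __name__ == "__main__":
    result = mine(LOG_LINES)
    for ip, path, status in result["flagged"]:
        print(f"{ip}  {status}  {path}")
    print("per source:", result["per_ip"], "unparsed:", result["unparsed"])
```

In the constructed sample the tautology request came back `200` with a response ten times larger than the legitimate lookup, and the UNION attempt produced a `500`; a response-size jump or a burst of server errors from one address on a parameterised endpoint is the kind of signal worth an alert rule in the SIEM listed on slide 55, independent of any signature.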
52. Ever work with a security guy like this?

53. Information Security Balance
   Purpose is to secure assets without adversely affecting business functions.
   (Diagram: a balance between "Ultimate Security" and "Needs of a Business")

54. Information Security Balance

55. Security Systems
   • Firewalls
   • IPS
   • FIM
   • Software Agents
   • Malware Appliances
   • Static/Dynamic Code Analyzers
   • Vulnerability Scanners
   • WAF
   • DLP
   • SIEM
   • Anti-Virus

56. Security Systems
   • Purchasing a "checklist" of security devices is not enough!
   • You need skilled personnel to manage these devices.
   • Most of these technologies require a large amount of time to manage effectively.

57. Summary
   • Businesses can recover from a major breach
     • HPS has recovered and is growing
     • PCI Security Standards Council Board of Advisors
     • FS-ISAC Board of Directors
   • Every company is a target, make yours a hard one
     • Assume you have been compromised
     • Focus on detection, data elimination
   • Get involved
     • Information Sharing (FS-ISAC, PPISC, Infragard)
     • Local security chapters ISSA, ISACA, OWASP

58. Thank you!
   Brian.Blankenship@e-hps.com
