The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely
As many slides are somewhat empty “by design”, you will find slide
notes to the right where required.
The preparation for this presentation used mostly the 2012 report,
but the 2013 report had appeared by then as well; hence the two years in
the title.

copyright (2013, 2014) comForte 21

1
The speaker has a long history in IT security
- The first mind-boggling event was a SANS training he attended in Washington in 2002: most of today's “new attack vectors” were discussed in detail back then already
- Over the years, he has given probably hundreds of presentations on IT security, the topics being SSL, SSH, Single Sign-On and platform security
- Sometimes the speaker bores himself
- While the players in the HP NonStop world are all good and honest companies, the Verizon Data Breach Investigations Report (DBIR) comes from real incident data and from a large company in the IT security space
- A problem today is that the talk is limited to 30 minutes only – and the speaker would like to talk about the topic for 8 hours
- IT security is complicated and also counterintuitive here and there
- The DBIR is an 80-pager

2
This word map shows word frequency in the various
articles the author has written over the past decade:
2001-0910 Securing your NSK system
2003-0708 NonStop Network Security
2005-0910 Secure File Transfer
2006-0102 comForte and mandates
2008-0102 PCI Encryption Requirements
2011-0910 SecurData-Tokenization
2012-08 Nightmare on PCI street
2012-0304 SecurData-Auditing
2013-0304 PCI Compliance Deconstructed

The HP NonStop platform was formerly known as
“Tandem computers” and is the focus of the
company comForte; hence the focus of his articles
on that platform. The articles are available on the
comForte web site at
http://www.comforte.com/news/in-the-media/articlesby-comforte/


3
Rather than focus on technical details, the goal of this presentation is
a change of mind in the audience:
• Surprising news!
• Bad news!
• Please don't kill the messenger…

4
History:
- Has been around since about 2005
- Based on actual breaches (!); the Verizon team does the forensics
- Anonymized:
  - No companies are named
  - Data is aggregated
  - But still based on real incidents
- Small sample size (see later) – but it does not get *any* better in terms of honest information
- Presentation focuses on the 2012 report (because the speaker has read it in full), a 76-pager
- 2013 report just released, only skimmed so far, a 62-pager

Note: The author fully acknowledges the copyright of the DBIR; this is
a great resource. You can (and should!) download the full report
yourself. You'll find plenty of screenshots in the upcoming slides.

6
Note: for BASE24, *neither* is typically being done (PCI DSS Requirement 3.4,
rendering stored PANs unreadable, is not addressed; there is no proper automatic
data discovery; event logs are not present and/or not fed into the company SIEM system)


11
Note that ‘external agents’ are responsible for nearly all attacks. We
shall see later why this is the case.


12
Note that many attacks go undetected for months (!) and are only
detected once the fraudulent transactions resulting from a breach are
noticed by end customers.
This was the case in the very recent Neiman Marcus incident
(which occurred after this presentation was given).


13
Today's typical breach no longer uses a single vulnerability –
that is why prevention involves a full framework of proper measures,
as set forth e.g. in the PCI DSS standard.

14
(graphic from the author)
Note the
• Shift from “simple” to “complex” viruses
• Shift from “for fun”/“hacking” to commercial or state-sponsored interest

Beyond this, there is a new quality of attack: APT, Advanced
Persistent Threats. We cannot talk about this due to time constraints,
but APTs are typically characterized by a multi-step attack as shown on
the prior slide.


15
(Graphic from blog with URL)
As mentioned before, the timeframe for an attack can easily be
weeks or months as the attacks are “multi-staged”. ((Side note: none
of these techniques are new; they have been known in the security
community for 10+ years.))
Note the “targeted server” – the attacker was looking for specific
source code and found it. Servers (rather than user workstations) are
increasingly becoming the target of attacks.
It is only the increased motivation of the attacker which made this
possible; this slide digests the attack against the security company
RSA in some depth.


16
Well, this is the key message – so please pardon the non-subtlety of
this slide…
The good news is that this can be addressed relatively easily –
compared to the cost of running a BASE24 system, the “cost to
improve the security posture massively” is rather low.


18
CEO thoughts (as the author imagines them): Yeah, there is all this
‘hacking stuff’ going on – but it is not going to happen to *us*. After
all, we have been PCI audited. And we have increased security
spending. By the way, I am very busy with plenty of other, more
important, topics.


20
Your thoughts (?): Well, it is kind of amazing what is possible these
days; but boy, are we increasing our work; I can barely keep up with
the bl**dy PCI audits.


21
This is my view; probably the view of the best auditors as well:
Mostly, the attackers have won. It happened to Sony, RSA, NYT. It is
not a question of IF but more of WHEN and HOW you'll be breached.
[[Note: that does *not* mean giving up is an option; we'll talk about
that later]]
Addendum January 2014: this presentation was prepared and given
_before_ the Target breach.


22
To be honest, this is somewhat of a mystery to the author
– after spending 10+ years focusing on IT security.
Really. Some suggestions follow:
So WHY ON EARTH IS BASE24 *NEVER* PROTECTED PROPERLY – the author's suggestions:
- There is typically a large “organizational disconnect” between the CSO, CIO, CFO and CEO
- The attackers, on the other hand, are very well connected and organized
- Who owns security anyway? That is a difficult question in every organization: is it the platform owner? The application owner? The CSO? The CIO? The CEO?
- Penny-pinching on IT costs
  - For banks, IT is typically 6 % of the global budget
  - IT is often used as the asset where savings are applied whenever the economy is bad
  - It should be noted that the BASE24 application is *very* profitable – but cost is saved anyway

Let's assume this to be the case for now – if you need
convincing, that'll take an extra 30 min (or more). But the
list of companies being breached does speak for itself, doesn't it?


23
Question to audience:
- Did I reach my goals as stated in the beginning?
- Any surprises so far?
- Do you agree that the state of computer security today is somewhat dire? [[Note: we are hoping for a “yes” here – this leads over to the next slide!]]

25
Options are to …
Ignore the issue or…
Hope that it does not happen to you or …
Do something


26
[Note: the presentation now moves on to products comForte is
selling]
We have two products which implement:
- Data discovery
- Encryption of data at rest
for your BASE24 system(s). They do _not_ cost a fortune and
massively improve your security posture!


27
Note the two highlighted Requirements 3 (protect stored cardholder data)
and 10 (track and monitor all access to network resources and cardholder
data) – SecurData can strengthen your footprint in both areas.
And unless you have done proper data discovery (e.g. with the
PANfinder product), you (1) will not know whether you are really
protecting all relevant files on your NonStop and (2) will not be able to
prove it to your auditor.
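What “proper data discovery” has to do in practice, shown as an added example that is not part of the original presentation and is not comForte's PANfinder (whose internals are not public): sweep raw file contents for digit runs of card-number length, keep only those that pass the Luhn check and match a known issuer prefix, and emit a per-file report with masked PANs that can be handed to an auditor as evidence of what is in scope for Requirement 3.4. The Guardian-style $VOL.SUBVOL.FILE names, the sample records and the issuer prefix table are constructed assumptions; the PANs are the public test numbers issuers publish for integration testing, not real cards.

```python
"""PAN discovery over raw file contents.

Added example for this page; it is not comForte's PANfinder and does not
reproduce that product. File names, sample records and the issuer prefix
table are constructed assumptions (the PANs are public issuer test numbers).
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Public issuer prefixes: Visa 4; Mastercard 51-55 and 2221-2720; Amex 34/37;
# Discover 6011/65. Assumption: extend this for the BINs in your own portfolio.
_BRAND_PATTERNS = {
    "Visa": re.compile(r"^4\d{12}(\d{3})?(\d{3})?$"),
    "Mastercard": re.compile(
        r"^(5[1-5]\d{14}|2(22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$"),
    "Amex": re.compile(r"^3[47]\d{13}$"),
    "Discover": re.compile(r"^(6011|65\d{2})\d{12}$"),
}

# Candidate: 13 to 19 digits, single spaces or dashes allowed between digits,
# and not glued to further digits on either side.
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    for name, pattern in _BRAND_PATTERNS.items():
        if pattern.match(digits):
            return name
    return None


def mask(digits: str) -> str:
    """First six and last four, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Hit(NamedTuple):
    path: str
    offset: int
    brand: str
    masked: str


def scan_bytes(path: str, data: bytes) -> List[Hit]:
    hits = []
    for m in _CANDIDATE.finditer(data):
        digits = re.sub(r"[ -]", "", m.group().decode("ascii"))
        # All-same-digit runs (padding, test data) pass Luhn but are never PANs.
        if len(set(digits)) == 1 or not luhn_ok(digits):
            continue
        brand = brand_of(digits)
        if brand is not None:
            hits.append(Hit(path, m.start(), brand, mask(digits)))
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[Hit]]:
    """path -> contents in; only the files that contain PANs come out."""
    report = {}
    for path, data in files.items():
        hits = scan_bytes(path, data)
        if hits:
            report[path] = hits
    return report


def summary(report: Dict[str, List[Hit]]) -> Dict[str, int]:
    """Per-brand hit counts, the figure you would put in front of the auditor."""
    return dict(Counter(h.brand for hits in report.values() for h in hits))


# Constructed sample "files" in Guardian $VOL.SUBVOL.FILE naming.
SAMPLE_FILES = {
    "$DATA01.AUTHLOG.TXN0001": (
        b"2013-03-04 10:15:22 AUTH 4111111111111111 APPROVED 00012345\n"
        b"2013-03-04 10:15:23 AUTH 5555 5555 5555 4444 DECLINED 00012346\n"
        b"2013-03-04 10:15:24 AUTH 378282246310005 APPROVED 00012347\n"
    ),
    "$DATA01.AUTHLOG.TXN0002": (
        b"batch 20130304101522 total 1234567890123 ref 4111111111111112\n"
        b"terminal 0000000000000000 ok\n"
    ),
    "$DATA01.CFG.PARAMS": b"TIMEOUT=30\nHOST=10.0.0.5\n",
}

if __name__ == "__main__":
    report = scan_files(SAMPLE_FILES)
    for path, hits in report.items():
        for h in hits:
            print(f"{path} @{h.offset}: {h.brand} {h.masked}")
    print(summary(report))
```

Run stand-alone it prints one line per hit plus the per-brand count. Only the first sample file is reported: the timestamp and the off-by-one number in the second file fail Luhn, and the all-zero run passes Luhn but is rejected as padding, which is exactly the false-positive filtering a plain regex sweep lacks. On a real system you would feed it the files (or record extracts) of the BASE24 subvolumes, keep the masked report as the scope evidence for Requirement 3.4, and rerun it after encryption or tokenization to show the hits are gone.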


28
This is a suggested order of doing this which takes the following into
account:
• Ease of implementation
• Priority as per the PCI prioritized approach
• Budgetary constraints

The color of the arrows marks how often this is typically done in the
experience of the author, with green meaning “most companies do
this”. You will notice that there is very little green.


29
This should only be started once Phase 1 has been completed.
Note: it is absolutely recommended to actually start with Phase 1 rather
than trying to combine Phase 1 and Phase 2 into a “big bang”
scenario. Your PCI auditor wants to see progress early…
Again, the color of the arrows marks how often this is typically done
in the experience of the author. There is no green at all here,
indicating that Phase 2 is very rarely done in the author's experience.


30
This is a graphical summary of the presentation today, starting at the
upper right, moving in a half-circle counterclockwise.


31

More Related Content

Similar to The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely

Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley    September 2015.docxWritten by Mark Stanislav and Tod Beardsley    September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxjeffevans62972
 
Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley    September 2015.docxWritten by Mark Stanislav and Tod Beardsley    September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docxodiliagilby
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
Software engineering unit 1
Software engineering  unit 1Software engineering  unit 1
Software engineering unit 1Sumit Paul
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)setuid0
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Dinis Cruz
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
 
Security In The Public Cloud
Security In The Public CloudSecurity In The Public Cloud
Security In The Public Cloudnine
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
IT600_FinalProject_ErikWHouse
IT600_FinalProject_ErikWHouseIT600_FinalProject_ErikWHouse
IT600_FinalProject_ErikWHouseErik House
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteSandraPaiva
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing InvestmentsCaston Thomas
 
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationTop 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationPECB
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Reham Maher El-Safarini
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERPScan
 

Similar to The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely (20)

Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley    September 2015.docxWritten by Mark Stanislav and Tod Beardsley    September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docx
 
Written by Mark Stanislav and Tod Beardsley September 2015.docx
Written by Mark Stanislav and Tod Beardsley    September 2015.docxWritten by Mark Stanislav and Tod Beardsley    September 2015.docx
Written by Mark Stanislav and Tod Beardsley September 2015.docx
 
Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020Ivanti Patch Tuesday for April 2020
Ivanti Patch Tuesday for April 2020
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.
 
Software engineering unit 1
Software engineering  unit 1Software engineering  unit 1
Software engineering unit 1
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
Security In The Public Cloud
Security In The Public CloudSecurity In The Public Cloud
Security In The Public Cloud
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 
Db2z bp security_transcript
Db2z bp security_transcriptDb2z bp security_transcript
Db2z bp security_transcript
 
IT600_FinalProject_ErikWHouse
IT600_FinalProject_ErikWHouseIT600_FinalProject_ErikWHouse
IT600_FinalProject_ErikWHouse
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference Keynote
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments7.5 steps to overlaying BYoD & IoT on Existing Investments
7.5 steps to overlaying BYoD & IoT on Existing Investments
 
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA RegulationTop 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
Top 2020 Predictions: Cybersecurity Threats, Trends, and the CCPA Regulation
 
Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.Global threat-landscape report by fortinet.
Global threat-landscape report by fortinet.
 
232 a7d01
232 a7d01232 a7d01
232 a7d01
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 

More from Thomas Burg

HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop Thomas Burg
 
Comparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RACComparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RACThomas Burg
 
HP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-inHP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-inThomas Burg
 
BASE24 classic - modernization options
BASE24 classic - modernization optionsBASE24 classic - modernization options
BASE24 classic - modernization optionsThomas Burg
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?Thomas Burg
 
comForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStopcomForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStopThomas Burg
 
2014 02 comForte SecurTape product
2014 02 comForte SecurTape product2014 02 comForte SecurTape product
2014 02 comForte SecurTape productThomas Burg
 
Survival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications todaySurvival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications todayThomas Burg
 

More from Thomas Burg (8)

HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop
 
Comparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RACComparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RAC
 
HP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-inHP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-in
 
BASE24 classic - modernization options
BASE24 classic - modernization optionsBASE24 classic - modernization options
BASE24 classic - modernization options
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
comForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStopcomForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStop
 
2014 02 comForte SecurTape product
2014 02 comForte SecurTape product2014 02 comForte SecurTape product
2014 02 comForte SecurTape product
 
Survival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications todaySurvival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications today
 

Recently uploaded

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Recently uploaded (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely

  • 1. As many slides are somewhat empty “by design”, you will find slide notes to the right where required. The preparation for this presentation used mostly the 2012 report, but the 2013 report appeared by now as well; hence the two years in the title. copyright (2013, 2014) comForte 21
  • 2. The speaker has a long history in IT security:
    - The first mind-boggling event was a SANS training he attended in Washington in 2002: most of today's “new attack vectors” were discussed in detail back then already.
    - Over the years, he has given probably 100s of presentations on IT security, the topics being SSL, SSH, Single Sign-On, and platform security.
    - Sometimes the speaker bores himself.
    - While the players in the HP NonStop world are all good and honest companies, the Verizon Data Breach Investigations Report (VDBR) is coming from real incident data and from a large company in the IT security space.
    - A problem today is that the talk is limited to 30 minutes only – and the speaker would like to talk about the topic for 8 hours:
      - IT security is complicated and also counterintuitive here and there.
      - The VDBR is an 80-pager.
  • 3. This word map shows word frequency in the various articles the author has written over the past decade:
    - 2001-0910 Securing your NSK system
    - 2003-0708 NonStop Network Security
    - 2005-0910 Secure File Transfer
    - 2006-0102 comForte and mandates
    - 2008-0102 PCI Encryption Requirements
    - 2011-0910 SecurData-Tokenization
    - 2012-08 Nightmare on PCI street
    - 2012-0304 SecurData-Auditing
    - 2013-0304 PCI Compliance Deconstructed
    The HP NonStop platform was formerly known as “Tandem computers” and is the focus of the company comForte; hence the focus of his articles on that platform. The articles are available on the comForte web site at http://www.comforte.com/news/in-the-media/articles-by-comforte/
  • 4. Rather than focus on technical details, the goal of this presentation is a mind change of the audience:
    - Bad news!
    - Surprising news!
    - Please don't kill the messenger…
  • 5. (no notes)
  • 6. History:
    - Has been around since about 2005.
    - Based on actual breaches (!); the Verizon team is doing the forensics.
    - Anonymized:
      - No companies being named
      - Data aggregated
      - But still based on real stuff
    - Small sample size (see later) – but it does not get *any* better in terms of honest information.
    - Presentation focusing on 2012 (because the speaker has read it in full), a 76-pager.
    - 2013 just released, only skimmed so far, a 62-pager.
    Note: The author fully acknowledges the copyright of the DBIR; this is a great resource. You can (and should!) download the full report yourself. You'll find plenty of screenshots in the upcoming slides.
  • 7. (no notes)
  • 8. (no notes)
  • 9. (no notes)
  • 10. (no notes)
  • 11. Note: for BASE24, *neither* is typically being done (PCI 3.4 not addressed; no proper automatic data discovery; event logs not present and/or not fed into the company SIEM system).
  • 12. Note that ‘external agents’ are responsible in nearly all attacks. We shall see later why this is the case.
  • 13. Note that many attacks go undetected for months (!) and are only detected once the fraudulent transactions resulting from a breach are found out by end customers. This has been the case in the very recent Neiman Marcus incident (which occurred after this presentation was given).
  • 14. Today's typical breach is not using a single vulnerability any more – that is why prevention involves a full framework of proper measures as set forth e.g. in the PCI standard.
  • 15. (graphic from the author) Note the
    - Shift from “simple” to “complex” viruses
    - Shift from “for fun”/“hacking” to commercial or state-sponsored interest
    Beyond this, there is a new quality of the attacks: APT, Advanced Persistent Threats. We cannot talk about this due to time constraints, but APTs are typically qualified by a multi-step attack as shown on the prior slide.
  • 16. (Graphic from blog with URL) As mentioned before, the timeframe for an attack can easily be weeks or months as the attacks are “multi-staged”. ((Side note: none of these techniques are new; they have been known among the security community for 10+ years.)) Note the “targeted server” – the attacker was looking for specific source code and found it. Servers (rather than user workstations) are increasingly becoming the target of attacks. It is only the increased motivation of the attacker which made this possible; this slide digests the attack against the security company RSA in some depth.
  • 17. (no notes)
  • 18. Well, this is the key message – so please pardon the non-subtlety of this slide… The good news is that this can be addressed relatively easily – compared to the cost of running a BASE24 system, the “cost to improve the security posture massively” is rather low.
  • 19. (no notes)
  • 20. CEO thoughts (as the author is assuming): Yeah, there is all this ‘hacking stuff’ going on – but it is not going to happen to *us*. After all, we have been PCI audited. And we have increased security spending. By the way, I am very busy on plenty of other, more important, topics.
  • 21. Your thoughts (?): Well, it is kind of amazing what is possible these days; but boy, are we increasing our work; I can barely keep up with the bl**dy PCI audits.
  • 22. This is my view; probably the view of the best auditors as well: Mostly, the attackers have won. It happened to Sony, RSA, NYT. It is not a question of IF but more of WHEN and HOW you'll be breached. [[Note: that does *not* mean giving up is an option; we'll talk about that later]] Addendum January 2014: this presentation was prepared and given _before_ the Target breach.
  • 23. To be honest, this is somewhat of a mystery to the author – after spending 10+ years focusing on IT security. Really. Some suggestions follow. So WHY ON EARTH IS BASE24 *NEVER* PROTECTED PROPERLY – the author's suggestions:
    - There is typically a large “Organizational Disconnect” between the CSO, CIO, CFO and CEO.
    - The attackers, on the other hand, are very well connected and organized.
    - Who owns security anyway? That is a difficult question in every organization: is it the platform owner? The application owner? The CSO? The CIO? The CEO?
    - Penny-pinching IT costs:
      - For banks, IT is typically 6 % of the global budget.
      - IT is often used as an asset where savings can be applied whenever the economy is bad.
      - It should be noted that the BASE24 application is *very* profitable – but cost is saved anyway.
    Let's assume this to be the case for now – if you need convincing, that'll take an extra 30 min (or more). But the list of companies being breached does speak for itself, doesn't it?
  • 24. (no notes)
  • 25. Question to audience:
    - Any surprises so far?
    - Did I reach my goals as stated in the beginning?
    - Do you agree that the state of computer security today is somewhat dire? [[Note: we are hoping for a “yes” here – this leads over to the next slide!]]
  • 26. Options are to … Ignore the issue or … Hope that it does not happen to you or … Do something.
  • 27. [Note: the presentation now moves on to products comForte is selling] We have two products which will implement:
    - Data discovery
    - Encryption of data at rest
    for your BASE24 system(s). They do _not_ cost a fortune and massively improve your security posture!
  • 28. Note the two highlighted Requirements 3 and 10 – SecurData can strengthen your footprint in both areas. And unless you have done proper data discovery (e.g. with the PANfinder product), you (1) will not know whether you are really protecting all relevant files on your NonStop and (2) will not be able to prove it to your auditor.
  • 29. This is a suggested order of doing this, which takes the following into account:
    - Ease of implementation
    - Priority as per the PCI prioritized approach
    - Budgetary constraints
    The color of the arrows marks how often this is typically done in the experience of the author, with green meaning “most companies do this”. You will notice that there is very little green.
  • 30. This should only be started if Phase 1 has been completed. Note: it is absolutely recommended to actually start with Phase 1 rather than trying to combine Phase 1 and Phase 2 into a “big bang” scenario. Your PCI auditor wants to see progress early… Again, the color of the arrows marks how often this is typically done in the experience of the author. There is no green at all here – indicating that Phase 2 is very rarely done in the experience of the author.
  • 31. This is a graphical summary of the presentation today, starting at the upper right, moving in a half-circle counterclockwise.
  • 32. (no notes)
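Slides 11 and 28 make the point that without data discovery you cannot know whether every file holding card numbers is actually protected, let alone prove it to an auditor. As an added example (not code from the presentation, from comForte, or from the PANfinder product), here is a minimal defender-side discovery pass in Python: it scans constructed sample records, keeps only digit runs that pass the Luhn check so that sequence numbers and token IDs do not show up as false positives, and reports every finding masked (first six and last four digits) so the discovery report itself never becomes another store of clear-text PANs. The file names, record layouts and test card numbers are all constructed for the example.

```python
"""
Added example: a small cardholder-data discovery pass.
Assumptions (not from the presentation): records are plain text lines; a
candidate PAN is a run of 13-19 digits, optionally separated by single
spaces or dashes, that passes the Luhn check; findings are reported masked.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample files (names and layouts are invented; the card numbers
# are well-known industry test PANs, not real cards).
SAMPLE_FILES = {
    "$DATA.BASE24.TLF001": (
        "seq=0001 pan=4111111111111111 amt=12.50\n"
        "seq=0002 pan=5500 0000 0000 0004 amt=7.00\n"
    ),
    # A token reference: 13 digits, but it fails Luhn, so it is not a PAN.
    "$DATA.BASE24.PTLF01": "seq=0003 token=TK-0123456789012 amt=99.00\n",
    # A plain reference number: 13 digits, also fails Luhn.
    "$DATA.BASE24.LOG001": "ts=20130412 ref=1234567890123 status=ok\n",
}

# 13-19 digits, each optionally followed by one space or dash, not adjacent
# to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    path: str      # file the PAN was found in
    line_no: int   # 1-based line number within the file
    masked: str    # first six and last four digits only


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the rest (PCI-style)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; return masked findings, never the raw PAN."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(path, line_no, mask_pan(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of file name -> contents and collect all findings."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per file: the list of files that need protecting."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path} line {f.line_no}: {f.masked}")
    print("files holding PANs:", summarize(results))
```

The report is deliberately masked: a discovery tool that writes clear-text PANs to its own log has just created one more file that falls under PCI Requirement 3. The per-file summary from `summarize` is the artefact that answers the slide 28 question of which files need encryption at rest and that can be shown to an auditor; in a real deployment the findings would be forwarded to the SIEM mentioned on slide 11 rather than printed.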
