In light of the recent security breaches against payment systems (most prominent: Target), running BASE24 securely is becoming even more important than before.
This presentation discusses the Verizon Data Breach Investigations Report (VDBR) with a focus on its relevance for securing BASE24 systems.
It also discusses the (sad!) state of computer security today, how this came about and what can be done about it.
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely
1. As many slides are somewhat empty “by design”, you will find slide notes to the right where required.
The preparation for this presentation used mostly the 2012 report, but the 2013 report has appeared by now as well; hence the two years in the title.
copyright (2013, 2014) comForte 21
2. The speaker has a long history in IT security:
- The first mind-boggling event was a SANS training he attended in Washington in 2002: most of today's “new attack vectors” were discussed in detail back then already.
- Over the years, he has given probably hundreds of presentations on IT security, the topics being SSL, SSH, single sign-on, and platform security.
- Sometimes the speaker bores himself.
- While the players in the HP NonStop world are all good and honest companies, the Verizon Data Breach Investigations Report (VDBR) is coming from real incident data and from a large company in the IT security space.
- A problem today is that the talk is limited to 30 minutes only – and the speaker would like to talk about the topic for 8 hours.
- IT security is complicated and also counterintuitive here and there.
- The VDBR is an 80-pager.
3. This word map shows word frequency in the various articles the author has written over the past decade:
- 2001-0910 Securing your NSK system
- 2003-0708 NonStop Network Security
- 2005-0910 Secure File Transfer
- 2006-0102 comForte and mandates
- 2008-0102 PCI Encryption Requirements
- 2011-0910 SecurData-Tokenization
- 2012-08 Nightmare on PCI street
- 2012-0304 SecurData-Auditing
- 2013-0304 PCI Compliance Deconstructed
The HP NonStop platform was formerly known as “Tandem computers” and is the focus of the company comForte; hence the focus of his articles on that platform. The articles are available on the comForte web site at
http://www.comforte.com/news/in-the-media/articles-by-comforte/
4. Rather than focus on technical details, the goal of this presentation is a mind change of the audience:
- Bad news!
- Surprising news!
- Please don't kill the messenger…
6. History:
- Has been around since about 2005
- Based on actual breaches (!); the Verizon team doing the forensics.
- Anonymized:
  - No companies being named
  - Data aggregated
  - But still based on real stuff
- Small sample size (see later) – but it does not get *any* better in terms of honest information
- Presentation focusing on 2012 (because the speaker has read it in full), a 76-pager
- 2013 just released, only skimmed so far, a 62-pager
Note: The author fully acknowledges the copyright of the DBIR; this is a great resource. You can (and should!) download the full report yourself. You'll find plenty of screenshots in the upcoming slides.
11. Note: for BASE24, *neither* is typically being done (PCI 3.4 not addressed; no proper automatic data discovery; event logs not present and/or not fed into the company SIEM system).
12. Note that ‘external agents’ are responsible in nearly all attacks. We shall see later why this is the case.
13. Note that many attacks go undetected for months (!) and are only detected once the fraudulent transactions resulting from a breach are found out by end customers.
This has been the case in the very recent Neiman Marcus incident (which occurred after this presentation was given).
14. Today's typical breach no longer uses a single vulnerability – that is why prevention involves a full framework of proper measures as set forth e.g. in the PCI standard.
15. (Graphic from the author)
Note the:
- Shift from “simple” to “complex” viruses
- Shift from “for fun”/“hacking” to commercial or state-sponsored interest
Beyond this, there is a new quality of the attacks: APT, Advanced Persistent Threats. We cannot talk about this due to time constraints, but APTs are typically characterized by a multi-step attack as shown on the prior slide.
16. (Graphic from blog with URL)
As mentioned before, the timeframe for an attack can easily be weeks or months as the attacks are “multi-staged”. ((Side note: none of these techniques are new; they have been known in the security community for 10+ years.))
Note the “targeted server” – the attacker was looking for specific source code and found it. Servers (rather than user workstations) are increasingly becoming the target of attacks.
It is only the increased motivation of the attacker which made this possible; this slide digests the attack against the security company RSA in some depth.
18. Well, this is the key message – so please pardon the non-subtlety of this slide…
The good news is that this can be addressed relatively easily – compared to the cost of running a BASE24 system, the “cost to improve the security posture massively” is rather low.
20. CEO thoughts (as the author is assuming): Yeah, there is all this ‘hacking stuff’ going on – but it is not going to happen to *us*. After all, we have been PCI audited. And we have increased security spending. By the way, I am very busy on plenty of other, more important, topics.
21. Your thoughts (?): Well, it is kind of amazing what is possible these days; but boy, are we increasing our work; I can barely keep up with the bl**dy PCI audits.
22. This is my view; probably the view of the best auditors as well: Mostly, the attackers have won. It happened to Sony, RSA, NYT. It is not a question of IF but more of WHEN and HOW you'll be breached.
[[Note: that does *not* mean giving up is an option; we'll talk about that later]]
Addendum January 2014: this presentation was prepared and given _before_ the Target breach.
23. To be honest, this is somewhat of a mystery to the author, after spending 10+ years focusing on IT security. Really. Some suggestions follow.
So WHY ON EARTH IS BASE24 *NEVER* PROTECTED PROPERLY – the author's suggestions:
- There is typically a large “Organizational Disconnect” between the CSO, CIO, CFO and CEO
- The attackers, on the other hand, are very well connected and organized
- Who owns security anyway? That is a difficult question in every organization: is it the platform owner? The application owner? The CSO? The CIO? The CEO?
- Penny pinching IT costs
  - For banks, IT is typically 6 % of the global budget
  - IT is often used as an asset where savings can be applied whenever the economy is bad
  - It should be noted that the BASE24 application is *very* profitable – but cost is saved anyway
Let's assume this to be the case for now – if you need convincing, that'll take an extra 30 min (or more). But the list of companies being breached does speak for itself, doesn't it?
25. Question to audience:
- Any surprises so far?
- Did I reach my goals as stated in the beginning?
- Do you agree that the state of computer security today is somewhat dire? [[Note: we are hoping for a “yes” here – this leads over to the next slide!]]
26. Options are to …
- Ignore the issue, or …
- Hope that it does not happen to you, or …
- Do something
27. [Note: the presentation now moves on to products comForte is selling]
We have two products which will implement:
- Data discovery
- Encryption of data at rest
for your BASE24 system(s). They do _not_ cost a fortune and massively improve your security posture!
28. Note the two highlighted Requirements 3 and 10 – SecurData can strengthen your footprint in both areas.
And unless you have done proper data discovery (e.g. with the PANfinder product), you (1) will not know whether you are really protecting all relevant files on your NonStop and (2) will not be able to prove it to your auditor.
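To make concrete what the “automatic data discovery” missing on slide 11 and demanded on slide 28 actually does, here is an added example of a minimal PAN discovery scan. It is written for this page and is not code from the presentation or from comForte's PANfinder product. It scans a set of constructed sample files (the NonStop-style file names, log lines and config line are invented; the card numbers are publicly known test numbers) for 13 to 19 digit sequences, rejects candidates that fail the Luhn checksum, and reports only masked values so that the discovery report itself does not become another store of clear-text card data.

```python
import re
from typing import Dict, List

# Constructed sample "files" keyed by a hypothetical NonStop-style file name.
# The card numbers are publicly known test numbers, not real PANs.
SAMPLE_FILES: Dict[str, str] = {
    "$DATA.TLF.TXN0001": (
        "2013-12-01 08:45:12 AUTH 4111111111111111 EUR 120.00 APPROVED\n"
        "2013-12-01 08:45:13 AUTH 5500 0000 0000 0004 EUR 15.00 APPROVED\n"
        # looks like a PAN but fails the Luhn check (last digit altered)
        "2013-12-01 08:45:14 AUTH 4111111111111112 EUR 99.00 DECLINED\n"
    ),
    # 13 digits that are not a card number: a typical false positive
    "$SYSTEM.CONF.NETCFG": "LINE_ID 1234567890123 TIMEOUT 30\n",
    "$DATA.RPT.DAILY": "Total processed 3 transactions, amount 234.00\n",
}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits; the rest is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers in text, normalized to digits only."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to the masked PANs found in it.

    Files without hits are omitted, and only masked values are returned so
    the discovery report does not become a new store of clear-text card data.
    """
    report: Dict[str, List[str]] = {}
    for name, content in files.items():
        pans = find_pans(content)
        if pans:
            report[name] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} PAN(s) found: {', '.join(hits)}")
```

On the sample data only the transaction log file is reported, with two masked PANs; the altered card number and the 13-digit line id are dropped by the Luhn check. A real scan would walk the file system and also look at non-text formats, but the pattern plus checksum filter shown here is the core of any such tool.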
29. This is a suggested order of doing this which takes the following into account:
- Ease of implementation
- Priority as per the PCI prioritized approach
- Budgetary constraints
The color of the arrows marks how often this is typically done in the experience of the author, with green meaning “most companies do this”. You will notice that there is very little green.
30. This should only be started if Phase 1 has been completed.
Note: it is absolutely recommended to actually start with Phase 1 rather than trying to combine Phase 1 and Phase 2 into a “big bang” scenario. Your PCI auditor wants to see progress early…
Again, the color of the arrows marks how often this is typically done in the experience of the author. There is no green at all here – indicating that Phase 2 is very rarely done in the experience of the author.
31. This is a graphical summary of the presentation today, starting at the upper right, moving in a half-circle counterclockwise.