The Good, The Bad and The Ugly of The TargetThe Good, The Bad and The Ugly of The Target
Data Breach
Ulf Mattsson
CTO, Pro...
Working with the Payment Card Industry Security Standards
Council (PCI SSC):
• PCI SSC Tokenization Task Force - Guideline...
Data security today
The Target breach
New environments bring new vulnerabilities
Topics
New environments bring new vulnera...
DATA SECURITY
TODAYTODAY
4
How have the methods of attack shifted?
Worries of 800 IT Pros
5
Source: 2014 Trustwave Security Pressures Report
Data Loss Worries IT Pros Most
6
Source: 2014 Trustwave Security Pressures Report
“It’s clear the bad guys
are winning at a faster
rate than the good guys
are winning, and we’ve
The Bad Guys are Winning
7...
We Are Losing Ground
“…Even though security
is improving, things are
getting worse faster, so
we're losing ground
8
we're ...
Organizations are Not Protected Against Cyberattacks
“Cyber attack fallout
could cost the global
economy $3 trillion by
20...
TARGET DATA
BREACHBREACH
10
What can we learn from the Target breach?
Target Data Breach, U.S. Secret Service & iSIGHT
Target CIO Beth Jacob
resigned
11
Memory Scraping Malware – Target Breach
Payment Card
Terminal
Point Of Sale Application
Memory Scraping Malware
Authorizat...
Credentials were stolen from Fazio Mechanical in a malware-
injecting phishing attack sent to employees of the firm by
ema...
The FTC is probing the massive hack of credit card
information
Target could face federal charges for failing to
protect it...
WHO IS THE NEXT
TARGET?TARGET?
15
Who Is The Next Target?
16
It’s not like other businesses are using some
special network security practices that Target
doesn’t know about.
They just...
Who is the Next Target?
Services
Retailers
18
Healthcare
Government
BEWARE MALWAREBEWARE MALWARE
19
FBI uncovered 20 cyber attacks against retailers in the
past year that utilized methods similar to Target incident
Believe...
21
New Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
22
Total Malicious Signed Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
23
Targeted Malware Topped the Threats
24
Source: 2014 Trustwave Security Pressures Report
US - Targeted Malware Top Threat
25
Source: 2014 Trustwave Security Pressures Report
BIG DATA
PROBLEMSPROBLEMS
What effect, if any, does the rise of “Big Data” have on breaches?
26
Has Your Organization Already Invested in Big Data?
27
Source: Gartner
Holes in Big Data…
28
Source: Gartner
Many Ways to Hack Big Data
29
Hackers
& APT
Rogue
Privileged
Users
Unvetted
Applications
Or
Ad Hoc
Processes
Many Ways to Hack Big Data
MapReduce
(Job Scheduling/Execution System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Repor...
Big Data (Hadoop) was designed for data access,
not security
Security in a read-only environment introduces new
challenges...
THINKING LIKE A
HACKERHACKER
How can we shift from reactive to proactive thinking?
32
How do hackers think?
Like a business.
Go where the money is
Thinking Like A Hacker
Multiple touches to get in
Easier targ...
The Modern Day Bank Robber
34
COMPLIANCE
VS.
SECURITYSECURITY
35
Target was certified as meeting the standard for the
payment card industry in September 2013
Compliance can protect us fro...
Protection of cardholder data in memory
Clarification of key management dual control and split
knowledge
Recommendations o...
TURNING THE TIDE
38
What new technologies and techniques can be used to
prevent future attacks?
What if a
Social Security number or
Credit Card NumberCredit Card Number
in the Hands of a Criminal
was Useless?
39
Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
Evolution of Data Se...
Old and flawed:
Minimal access
levels so people
can only carry
Access Control
Risk
High –
can only carry
out their jobs
41...
Applying the
Protection Profile to the
Structure of each
Sensitive Data Fields allows forSensitive Data Fields allows for
...
Risk
High –
Old:
Minimal access
levels – Least
New :
Much greater
The New Data Protection - Tokenization
Access
Privilege
...
Examples: De-Identified Sensitive Data
Field Real Data Tokenized / Pseudonymized
Name Joe Smith csu wusoj
Address 100 Main...
Use
Case
How Should I Secure Different Data?
Simple – PCI
PII
Encryption
of Files
Card
Holder
Data
Tokenization
of Fields
...
Tokenization Research
Tokenization Gets Traction
Aberdeen has seen a steady increase in enterprise
use of tokenization for...
Security of Different Protection Methods
High
Security Level
I
Format
Preserving
Encryption
I
Vaultless
Data
Tokenization
...
Fine Grained Data Security Methods
Tokenization and Encryption are Different
Used Approach Cipher System Code System
Crypt...
10 000 000 -
1 000 000 -
100 000 -
10 000 -
Transactions per second*
Speed of Different Protection Methods
10 000 -
1 000 ...
Different Tokenization Approaches
Property Dynamic Pre-generated Vaultless
Vault-based
50
Protecting Enterprise Data Flow
123456 123456 1234
CCN/SSN
Social Media
Blogs
Smart Phones
Meters
Sensors
Web Logs
Trading...
Current Breach Discovery Methods
52
Verizon 2013 Data-breach-investigations-report & 451 Research
You must assume the systems will be breached.
Once breached, how do you know you've been compromised?
You have to baseline...
Use Big Data to Analyze Abnormal Usage Pattern
Payment Card
Terminal
Point Of Sale Application
Memory Scraping Malware
Aut...
Trend - Open Security Analytics Frameworks
55 Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-...
Conclusions
Changing threat landscape & challenges to secure data:
• Attackers are looking for not just payment data – a m...
Thank you!
Questions?
Please contact me for more information
Ulf.Mattsson@protegrity.com
Upcoming SlideShare
Loading in...5
×

The good, the bad and the ugly of the target data breach

523

Published on

The landscape of threats to sensitive data is rapidly changing.  New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day.  The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it. 

This webinar will cover:
Data security today, the landscape, etc.
Discuss a few recent studies and changing threat landscape
The Target breach and other recent breaches
The effects of new technologies on breaches
Shifting from reactive to proactive thinking
Preparing for future attacks with new techniques

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
523
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The good, the bad and the ugly of the target data breach

  1. 1. The Good, The Bad and The Ugly of The TargetThe Good, The Bad and The Ugly of The Target Data Breach Ulf Mattsson CTO, Protegrity Ulf.Mattsson@protegrity.com
  2. 2. Working with the Payment Card Industry Security Standards Council (PCI SSC): • PCI SSC Tokenization Task Force - Guidelines • PCI SSC Encryption Task Force • PCI SSC Point to Point Encryption Task Force • PCI SSC Risk Assessment SIG Ulf Mattsson & PCI Data Security Standards • PCI SSC eCommerce SIG • PCI SSC Cloud SIG • PCI SSC Virtualization SIG • PCI SSC Pre-Authorization SIG • PCI SSC Scoping SIG • PCI SSC 2013 – 2014 Tokenization Task Force – Technical Standard 2
  3. 3. Data security today The Target breach New environments bring new vulnerabilities Topics New environments bring new vulnerabilities Thinking like a hacker - proactive data security New technologies & approaches to properly secure data 3
  4. 4. DATA SECURITY TODAYTODAY 4 How have the methods of attack shifted?
  5. 5. Worries of 800 IT Pros 5 Source: 2014 Trustwave Security Pressures Report
  6. 6. Data Loss Worries IT Pros Most 6 Source: 2014 Trustwave Security Pressures Report
  7. 7. “It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve The Bad Guys are Winning 7 Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report
  8. 8. We Are Losing Ground “…Even though security is improving, things are getting worse faster, so we're losing ground 8 we're losing ground even as we improve.” - Security expert Bruce Schneier Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
  9. 9. Organizations are Not Protected Against Cyberattacks “Cyber attack fallout could cost the global economy $3 trillion by 2020.” 9 Source: McKinsey report on enterprise IT security implications released in January 2014. 2020.” - McKinsey & Company report Risk & Responsibility in a Hyperconnected World: Implications for Enterprises
  10. 10. TARGET DATA BREACHBREACH 10 What can we learn from the Target breach?
  11. 11. Target Data Breach, U.S. Secret Service & iSIGHT Target CIO Beth Jacob resigned 11
  12. 12. Memory Scraping Malware – Target Breach Payment Card Terminal Point Of Sale Application Memory Scraping Malware Authorization, Settlement … Web Server Memory Scraping Malware Russia 12
  13. 13. Credentials were stolen from Fazio Mechanical in a malware- injecting phishing attack sent to employees of the firm by email • Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information • In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers The data theft was caused by the installation of malware on How The Breach at Target Went Down the firm's point of sale machines The subsequent file dump containing customer data is reportedly flooding the black market • Starting point for the manufacture of fake bank cards, or provide data required for identity theft. Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/ 13
  14. 14. The FTC is probing the massive hack of credit card information Target could face federal charges for failing to protect its customers' data from hackers When you see a data breach of this size with clear harm to consumers, it's clearly something that the Target May Face Federal Suit Over Privacy Fumble harm to consumers, it's clearly something that the FTC would be interested in looking at," said Jon Leibowitz, a former FTC chairman Sen. Richard Blumenthal, a Connecticut Democrat, urged the FTC to investigate the Target hack soon after it became public in December Source: Bloomberg Businessweek 14
  15. 15. WHO IS THE NEXT TARGET?TARGET? 15
  16. 16. Who Is The Next Target? 16
  17. 17. It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet. No number of traps, bars, or alarms will keep out the determined thief Source: www.govtech.com/security 17
  18. 18. Who is the Next Target? Services Retailers 18 Healthcare Government
  19. 19. BEWARE MALWAREBEWARE MALWARE 19
  20. 20. FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to Target incident Believe POS malware crime will continue to grow over the near term Despite law enforcement and security firms' actions to mitigate it FBI Memory-Scraping Malware Warning mitigate it Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms” Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping- malware-in-wake-of-Target-breach 20
  21. 21. 21
  22. 22. New Malware Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf 22
  23. 23. Total Malicious Signed Malware Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf 23
  24. 24. Targeted Malware Topped the Threats 24 Source: 2014 Trustwave Security Pressures Report
  25. 25. US - Targeted Malware Top Threat 25 Source: 2014 Trustwave Security Pressures Report
  26. 26. BIG DATA PROBLEMSPROBLEMS What effect, if any, does the rise of “Big Data” have on breaches? 26
  27. 27. Has Your Organization Already Invested in Big Data? 27 Source: Gartner
  28. 28. Holes in Big Data… 28 Source: Gartner
  29. 29. Many Ways to Hack Big Data 29 Hackers & APT Rogue Privileged Users Unvetted Applications Or Ad Hoc Processes
  30. 30. Many Ways to Hack Big Data MapReduce (Job Scheduling/Execution System) Pig (Data Flow) Hive (SQL) Sqoop ETL Tools BI Reporting RDBMS Avro(Serialization) Zookeeper(Coordination) Hackers Unvetted Applications Or Ad Hoc Processes Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase 30 HDFS (Hadoop Distributed File System) Hbase (Column DB) Avro(Serialization) Zookeeper(Coordination) Privileged Users
  31. 31. Big Data (Hadoop) was designed for data access, not security Security in a read-only environment introduces new challenges Massive scalability and performance requirements Big Data Vulnerabilities and Concerns Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear Transparency and data insight are required for ROI on Big Data 31
  32. 32. THINKING LIKE A HACKERHACKER How can we shift from reactive to proactive thinking? 32
  33. 33. How do hackers think? Like a business. Go where the money is Thinking Like A Hacker Multiple touches to get in Easier targets = Higher ROI
  34. 34. The Modern Day Bank Robber 34
  35. 35. COMPLIANCE VS. SECURITYSECURITY 35
  36. 36. Target was certified as meeting the standard for the payment card industry in September 2013 Compliance can protect us from liability, but whether it actually protects us from loss of business and loss of data is not so clear Compliance is a minimal deterrent that everyone Target Breach Lesson: PCI Compliance Isn't Enough Compliance is a minimal deterrent that everyone has to have in place If you're driving a car, you're expected to have a driver's license. That doesn't make you a safe driver Source: TechNewsWorld 36
  37. 37. Protection of cardholder data in memory Clarification of key management dual control and split knowledge Recommendations on making PCI DSS business-as- usual and best practices Security policy and operational procedures added PCI DSS 3.0 Security policy and operational procedures added Increased password strength New requirements for point-of-sale terminal security More robust requirements for penetration testing 37
  38. 38. TURNING THE TIDE 38 What new technologies and techniques can be used to prevent future attacks?
  39. 39. What if a Social Security number or Credit Card NumberCredit Card Number in the Hands of a Criminal was Useless? 39
  40. 40. Coarse Grained Security • Access Controls • Volume Encryption • File Encryption Fine Grained Security Evolution of Data Security Methods Time Fine Grained Security • Access Controls • Field Encryption (AES & ) • Masking • Tokenization • Vaultless Tokenization 40
  41. 41. Old and flawed: Minimal access levels so people can only carry Access Control Risk High – can only carry out their jobs 41 Access Privilege Level I High I Low Low –
  42. 42. Applying the Protection Profile to the Structure of each Sensitive Data Fields allows forSensitive Data Fields allows for a Wider Range of Granular Authority Options 42
  43. 43. Risk High – Old: Minimal access levels – Least New : Much greater The New Data Protection - Tokenization Access Privilege Level I High I Low Low – levels – Least Privilege to avoid high risks Much greater flexibility and lower risk in data accessibility 43
  44. 44. Examples: De-Identified Sensitive Data Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.org SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL www.surferdude.com www.sheyinctao.com Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de-identification 44
  45. 45. Use Case How Should I Secure Different Data? Simple – PCI PII Encryption of Files Card Holder Data Tokenization of Fields Personally Identifiable Information Type of Data I Structured I Un-structured Complex – PHI Protected Health Information 45 Personally Identifiable Information
  46. 46. Tokenization Research Tokenization Gets Traction Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data Tokenization users had 50% fewer security-related incidents than tokenization non-users 46 Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
  47. 47. Security of Different Protection Methods High Security Level I Format Preserving Encryption I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization 47 Low
  48. 48. Fine Grained Data Security Methods Tokenization and Encryption are Different Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys TokenizationEncryption 48 Cryptographic keys Code books Index tokens Source: McGraw-HILL ENCYPLOPEDIA OF SCIENCE & TECHNOLOGY
  49. 49. 10 000 000 - 1 000 000 - 100 000 - 10 000 - Transactions per second* Speed of Different Protection Methods 10 000 - 1 000 - 100 - I Format Preserving Encryption I Vaultless Data Tokenization I AES CBC Encryption Standard I Vault-based Data Tokenization *: Speed will depend on the configuration 49
  50. 50. Different Tokenization Approaches Property Dynamic Pre-generated Vaultless Vault-based 50
  51. 51. Protecting Enterprise Data Flow 123456 123456 1234 CCN/SSN Social Media Blogs Smart Phones Meters Sensors Web Logs Trading Systems GPS Signals Stream 051 123456 999999 1234 Protecting Data Flows – Reducing Attack Surface Big Data (Hadoop) Aquisition Analytics & Visualization Enterprise Data Warehouse
  52. 52. Current Breach Discovery Methods 52 Verizon 2013 Data-breach-investigations-report & 451 Research
  53. 53. You must assume the systems will be breached. Once breached, how do you know you've been compromised? You have to baseline and understand what 'goodness' looks like and look for deviations from goodness McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that CISOs say SIEM Not Good for Security Analytics Only monitoring anomalies can do that Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner 53
  54. 54. Use Big Data to Analyze Abnormal Usage Pattern Payment Card Terminal Point Of Sale Application Memory Scraping Malware Authorization, Settlement … Web Server Memory Scraping Malware Moscow, Russia FireEye Malware?
  55. 55. Trend - Open Security Analytics Frameworks 55 Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture Enterprise Big Data Lake
  56. 56. Conclusions Changing threat landscape & challenges to secure data: • Attackers are looking for not just payment data – a more serious problem. • IDS systems are lacking context needed to catch data theft • SIEM detection is too slow in handling large amounts of events. What happened at Target? • Modern customized malware can be very hard to detect 56 • They were compliant, but not secure How can we prevent what happened to Target and the next attack against our sensitive data? • Assume that we are under attack - proactive protection of the data itself • We need Big Data event information analysis & context to catch modern attackers • Use security methods that require less cleartext in use, such as tokenization
  57. 57. Thank you! Questions? Please contact me for more information Ulf.Mattsson@protegrity.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×