Verizon 2014 data breach investigation report and the target breach


Published on

The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Verizon 2014 data breach investigation report and the target breach

  1. 1. Verizon 2014 Data Breach Investigation ReportVerizon 2014 Data Breach Investigation Report and The Target Breach Proactive Approaches to Data Security Ulf Mattsson CTO, Protegrity
  2. 2. Member of PCI Security Standards Council: • Tokenization Task Force • Encryption Task Force • Point to Point Encryption Task Force • Risk Assessment SIG Ulf Mattsson, Protegrity CTO • eCommerce SIG • Cloud SIG • Virtualization SIG • Pre-Authorization SIG • Scoping SIG 2
  3. 3. The Target Data Breach Data Security & Threat Landscape Topics Think Like A Hacker - Proactive Data Security New Data Security Technologies & Approaches 3
  4. 4. THE TARGET DATA BREACHDATA BREACH 4 What can we learn?
  5. 5. First Attack: Fazio Mechanical Services • A 3rd party refrigeration design & maintenance contractor for Target • Email malware-injecting phishing attack • Credentials were stolen Second Attack: Target POS Machines • Used stolen credentials from Fazio Mechanical Services to access POS machines How The Breach at Target Went Down • Installation of malware to collect customer payment data Aftermath: Malware Data Export • >40 million customer financial records & CCN • >70 million customer personal information records • The subsequent file dump containing customer data is reportedly flooding the black market • Starting point for the manufacture of fake bank cards, or provide data required for identity theft. Source: Brian Krebs and 5
  6. 6. Memory Scraping Malware – Target Breach Payment Card Terminal Point Of Sale Application Memory Scraping Malware Authorization, Settlement … Web Server Memory Scraping Malware Russia 6
  7. 7. Security software picked up on suspicious activity after a cyberattack was launched, but it decided not to take immediate action Received security alerts on Nov. 30 that Target Says It Ignored Early Signs of Data Breach Received security alerts on Nov. 30 that indicated malicious software had appeared in its network Source: SEC (Securities and Exchange Commission )7
  8. 8. Target Corp. annual report: Massive security breach has hurt its image and business, while spawning dozens of legal actions, and it can't estimate how big the financial tab will end up being. The FTC is probing the massive hack of credit card information. Target could face federal charges for Target Data Breach Fallout failing to protect its customers' data. “When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at.” - Jon Leibowitz, former FTC chairman Source: Bloomberg Businessweek8
  9. 9. Target Data Breach Fallout Target CIO Beth Jacob resigned 9
  11. 11. Who is the Next Target? Services Retailers 11 Healthcare Government
  12. 12. It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet.They just haven’t been hit yet. No number of walls, traps, bars, or alarms will keep out the determined thief. 12 Source:
  13. 13. New Environments Big Data and Cloud platforms are presenting new use cases that are incompatible with old security approaches. This makes them vulnerable and ideal targets. Cloud & Big Data Vulnerabilities Include: Hackers & APT Rogue Privileged Users Unvetted Applications Or Ad Hoc Processes
  14. 14. DATA SECURITY & THREAT LANDSCAPETHREAT LANDSCAPE 14 How have the methods of attack shifted?
  15. 15. “It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve The Bad Guys are Winning 15 Source: are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report
  16. 16. External Threats are Exploding 16 Source: The 2014 Verizon Data Breach Investigations Report
  17. 17. More, Better Attack Tools 17 Source: The 2014 Verizon Data Breach Investigations Report
  18. 18. Changing Motives 18 Source: The 2014 Verizon Data Breach Investigations Report
  19. 19. We Are Losing Ground “…Even though security is improving, things are getting worse faster, so we're losing ground 19 we're losing ground even as we improve.” - Security expert Bruce Schneier Source:
  20. 20. Organizations Are Not Protecting Against Cyberattacks “Cyber attack fallout could cost the global economy $3 trillion by 2020.” 20 Source: McKinsey report on enterprise IT security implications released in January 2014. 2020.” - McKinsey & Company report Risk & Responsibility in a Hyperconnected World: Implications for Enterprises
  21. 21. Organizations Are Also Bad At Detecting Breaches 21 Verizon 2013 Data-breach-investigations-report & 451 Research
  23. 23. New Malware Detections Source: 23
  24. 24. #17 in 2012 among all types of incidents, rose to a very concerning #4 spot in 2013. Incidents surged from just 27 in 2012 to 223 in 2013. The Dramatic Rise of RAM Scraping Malware to 223 in 2013. 24 Source: Verizon’s 2014 Data Breach Investigations Report A 10x increase in only ONE YEAR.
  25. 25. In past year, there were at least 20 malware cyber attacks on retail targets similar to Target incident. “POS malware crime will continue to grow over the near term.” FBI Memory-Scraping Malware Warning grow over the near term.” Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms” Source: malware-in-wake-of-Target-breach 25
  26. 26. Export data became the #1 malware threat in 2013, doubling in occurrence from 2012. Malware represented 60% (12/20) of the top threat actors in the 2014 Verizon DBIR. The Dramatic Rise of RAM Scraping Malware threat actors in the 2014 Verizon DBIR. 26 Source: Verizon’s 2014 Data Breach Investigations Report My conclusion: Malware will continue to proliferate until we secure the sensitive data flow.
  27. 27. THINK LIKE A HACKERHACKER How can we shift from reactive to proactive thinking? 27
  28. 28. How do hackers think? Like a business. Go where the money is Thinking Like A Hacker Multiple touches to get in Easier targets = Higher ROI
  29. 29. The Modern Day Bank Robber 29
  30. 30. Target was certified as meeting the standard for the Payment Card Industry in September 2013 Compliance is minimal protection that everyone has to have in place. • It can protect from liability. Target Breach Lesson: Compliance Isn't Enough • But obviously, it does not actually protect from data loss. If you're driving a car, you have to wear your seatbelt. That doesn't make you a safe driver. Source: TechNewsWorld 30
  31. 31. TURNING THE TIDE 31 What new technologies and techniques can be used to prevent future attacks?
  32. 32. Coarse Grained Security • Access Controls • Volume Encryption • File Encryption Fine Grained Security Evolution of Data Security Methods EvolutionFine Grained Security • Access Controls • Field Encryption • Masking • Tokenization • Vaultless Tokenization 32 Evolution
  33. 33. Fine Grained (Field-Level) Sensitive Data Security allows for a Wider andallows for a Wider and Deeper Range of Authority Options 33
  34. 34. Risk High – Old: Minimal access levels – Least New : Much greater The New Fine Grained Data Security Access Privilege Level I High I Low Low – levels – Least Privilege to avoid high risks Much greater flexibility and lower risk in data accessibility 34
  35. 35. What if a Credit Card Number in the Hands of a Criminal was Useless? 35
  36. 36. De-identification through Tokenization Field Real Data Tokenized / Pseudonymized Name Joe Smith csu wusoj Address 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CA Date of Birth 12/25/1966 01/02/1966 Telephone 760-278-3389 760-389-2289 E-Mail Address SSN 076-39-2778 076-28-3390 CC Number 3678 2289 3907 3378 3846 2290 3371 3378 Business URL Fingerprint Encrypted Photo Encrypted X-Ray Encrypted Healthcare / Financial Services Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services Consumer Products and activities Protection methods can be equally applied to the actual data, but not needed with de-identification 36
  37. 37. Fine Grained Data Security Methods Tokenization and Encryption are Different Used Approach Cipher System Code System Cryptographic algorithms Cryptographic keys TokenizationEncryption 37 Cryptographic keys Code books Index tokens
  38. 38. Different Tokenization Approaches Property Dynamic Pre-generated Vaultless Vault-based 38
  39. 39. Security of Fine Grained Protection Methods High Security Level I Format Preserving Encryption I Vaultless Data Tokenization I AES CBC Encryption Standard I Basic Data Tokenization 39 Low
  40. 40. 10 000 000 - 1 000 000 - 100 000 - 10 000 - Transactions per second* Speed of Fine Grained Protection Methods 10 000 - 1 000 - 100 - I Format Preserving Encryption I Vaultless Data Tokenization I AES CBC Encryption Standard I Vault-based Data Tokenization *: Speed will depend on the configuration 40
  41. 41. Tokenization Research Tokenization Gets Traction Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data Tokenization users had 50% fewer security-related incidents than tokenization non-users 41 Source:
  42. 42. Use Case How Should I Secure Different Data? Simple – PCI PII Encryption of Files Card Holder Data Tokenization of Fields Personally Identifiable Information Type of Data I Structured I Un-structured Complex – PHI Protected Health Information 42 Personally Identifiable Information
  43. 43. Protecting Enterprise Data Flow 123456 123456 1234 CCN/SSN Social Media Blogs Smart Phones Meters Sensors Web Logs Trading Systems GPS Signals Stream 043 123456 999999 1234 Protecting Data Flows – Reducing Attack Surface Big Data (Hadoop) Acquisition Analytics & Visualization Enterprise Data Warehouse
  44. 44. You must assume your perimeter systems will be breached. How do you know when your systems have been compromised? You have to baseline and understand what ‘normal' looks like and look for deviations from normal. McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that. CISOs say SIEM Not Good for Security Analytics Only monitoring anomalies can do that. Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner 44
  45. 45. Use Big Data to Analyze Abnormal Usage Pattern Payment Card Terminal Point Of Sale Application Memory Scraping Malware Authorization, Settlement … Web Server Memory Scraping Malware Moscow, Russia FireEye Malware?
  46. 46. Trend - Open Security Analytics Frameworks 46 Source: Enterprise Big Data Lake
  47. 47. Conclusions Threats are increasing and attackers are getting more advanced • Sticking your head in the sand will not make it go away • Malware is everywhere – secure and monitor the data flow Compliance does not equal security 47 Compliance does not equal security • Everyone must be compliant, but it’s just a starting point • Assume you’re under attack – proactive security must be a priority Take advantage of the tools available today • Tokenization provides flexibility to capture, store and use data securely • Big Data event analysis & context can catch threats early on
  48. 48. Thank you! Questions? Please contact us for more information To Request A Copy of the Presentation Email: