Verizon 2014 data breach investigation report and the target breach


The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
KEY TOPICS INCLUDE:
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques


Transcript

  • 1. Verizon 2014 Data Breach Investigation Report and The Target Breach. Proactive Approaches to Data Security. Ulf Mattsson, CTO, Protegrity, Ulf.Mattsson@protegrity.com
  • 2. Ulf Mattsson, Protegrity CTO. Member of PCI Security Standards Council: Tokenization Task Force, Encryption Task Force, Point to Point Encryption Task Force, Risk Assessment SIG, eCommerce SIG, Cloud SIG, Virtualization SIG, Pre-Authorization SIG, Scoping SIG
  • 3. Topics: The Target Data Breach; Data Security & Threat Landscape; Think Like A Hacker - Proactive Data Security; New Data Security Technologies & Approaches
  • 4. THE TARGET DATA BREACH: What can we learn?
  • 5. How The Breach at Target Went Down. First Attack: Fazio Mechanical Services, a 3rd party refrigeration design & maintenance contractor for Target; email malware-injecting phishing attack; credentials were stolen. Second Attack: Target POS Machines; used stolen credentials from Fazio Mechanical Services to access POS machines; installation of malware to collect customer payment data. Aftermath: Malware Data Export; >40 million customer financial records & CCN; >70 million customer personal information records; the subsequent file dump containing customer data is reportedly flooding the black market; starting point for the manufacture of fake bank cards, or provides data required for identity theft. Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
  • 6. Memory Scraping Malware – Target Breach. (Diagram: Payment Card Terminal; Point Of Sale Application with Memory Scraping Malware; Authorization, Settlement …; Web Server with Memory Scraping Malware; Russia)
  • 7. Target Says It Ignored Early Signs of Data Breach. Security software picked up on suspicious activity after a cyberattack was launched, but it decided not to take immediate action. Received security alerts on Nov. 30 that indicated malicious software had appeared in its network. Source: SEC (Securities and Exchange Commission)
  • 8. Target Data Breach Fallout. Target Corp. annual report: Massive security breach has hurt its image and business, while spawning dozens of legal actions, and it can't estimate how big the financial tab will end up being. The FTC is probing the massive hack of credit card information. Target could face federal charges for failing to protect its customers' data. “When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at.” - Jon Leibowitz, former FTC chairman. Source: Bloomberg Businessweek
  • 9. Target Data Breach Fallout: Target CIO Beth Jacob resigned
  • 10. WHO IS THE NEXT TARGET?
  • 11. Who is the Next Target? Services, Retailers, Healthcare, Government
  • 12. It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet. No number of walls, traps, bars, or alarms will keep out the determined thief. Source: www.govtech.com/security
  • 13. New Environments. Big Data and Cloud platforms are presenting new use cases that are incompatible with old security approaches. This makes them vulnerable and ideal targets. Cloud & Big Data Vulnerabilities Include: Hackers & APT; Rogue Privileged Users; Unvetted Applications or Ad Hoc Processes
  • 14. DATA SECURITY & THREAT LANDSCAPE: How have the methods of attack shifted?
  • 15. The Bad Guys are Winning. “It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report. Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
  • 16. External Threats are Exploding. Source: The 2014 Verizon Data Breach Investigations Report
  • 17. More, Better Attack Tools. Source: The 2014 Verizon Data Breach Investigations Report
  • 18. Changing Motives. Source: The 2014 Verizon Data Breach Investigations Report
  • 19. We Are Losing Ground. “…Even though security is improving, things are getting worse faster, so we're losing ground even as we improve.” - Security expert Bruce Schneier. Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
  • 20. Organizations Are Not Protecting Against Cyberattacks. “Cyber attack fallout could cost the global economy $3 trillion by 2020.” - McKinsey & Company report, Risk & Responsibility in a Hyperconnected World: Implications for Enterprises. Source: McKinsey report on enterprise IT security implications released in January 2014.
  • 21. Organizations Are Also Bad At Detecting Breaches. Source: Verizon 2013 Data Breach Investigations Report & 451 Research
  • 22. BEWARE MALWARE
  • 23. New Malware Detections. Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
  • 24. The Dramatic Rise of RAM Scraping Malware. #17 in 2012 among all types of incidents, it rose to a very concerning #4 spot in 2013. Incidents surged from just 27 in 2012 to 223 in 2013. A 10x increase in only ONE YEAR. Source: Verizon’s 2014 Data Breach Investigations Report
  • 25. FBI Memory-Scraping Malware Warning. In the past year, there were at least 20 malware cyber attacks on retail targets similar to the Target incident. “POS malware crime will continue to grow over the near term.” Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”. Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach
  • 26. The Dramatic Rise of RAM Scraping Malware. Export data became the #1 malware threat in 2013, doubling in occurrence from 2012. Malware represented 60% (12/20) of the top threat actors in the 2014 Verizon DBIR. My conclusion: Malware will continue to proliferate until we secure the sensitive data flow. Source: Verizon’s 2014 Data Breach Investigations Report
  • 27. THINK LIKE A HACKER: How can we shift from reactive to proactive thinking?
  • 28. Thinking Like A Hacker. How do hackers think? Like a business: go where the money is; multiple touches to get in; easier targets = higher ROI
  • 29. The Modern Day Bank Robber
  • 30. Target Breach Lesson: Compliance Isn't Enough. Target was certified as meeting the standard for the Payment Card Industry in September 2013. Compliance is minimal protection that everyone has to have in place. • It can protect from liability. • But obviously, it does not actually protect from data loss. If you're driving a car, you have to wear your seatbelt. That doesn't make you a safe driver. Source: TechNewsWorld
  • 31. TURNING THE TIDE: What new technologies and techniques can be used to prevent future attacks?
  • 32. Evolution of Data Security Methods. Coarse Grained Security: Access Controls, Volume Encryption, File Encryption. Fine Grained Security: Access Controls, Field Encryption, Masking, Tokenization, Vaultless Tokenization
  • 33. Fine Grained (Field-Level) Sensitive Data Security allows for a Wider and Deeper Range of Authority Options
  • 34. The New Fine Grained Data Security. (Chart: Risk, high to low, against Access Privilege Level, low to high.) Old: minimal access levels – Least Privilege to avoid high risks. New: much greater flexibility and lower risk in data accessibility
  • 35. What if a Credit Card Number in the Hands of a Criminal was Useless?
  • 36. De-identification through Tokenization. Field: Real Data → Tokenized / Pseudonymized. Name: Joe Smith → csu wusoj. Address: 100 Main Street, Pleasantville, CA → 476 srta coetse, cysieondusbak, CA. Date of Birth: 12/25/1966 → 01/02/1966. Telephone: 760-278-3389 → 760-389-2289. E-Mail Address: joe.smith@surferdude.org → eoe.nwuer@beusorpdqo.org. SSN: 076-39-2778 → 076-28-3390. CC Number: 3678 2289 3907 3378 → 3846 2290 3371 3378. Business URL: www.surferdude.com → www.sheyinctao.com. Fingerprint: Encrypted. Photo: Encrypted. X-Ray: Encrypted. Use cases: Healthcare / Financial Services (Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.); Financial Services; Consumer Products and activities. Protection methods can be equally applied to the actual data, but not needed with de-identification
  • 37. Fine Grained Data Security Methods: Tokenization and Encryption are Different. Encryption is a cipher system: the approach used relies on cryptographic algorithms and cryptographic keys. Tokenization is a code system: the approach used relies on code books and index tokens.
  • 38. Different Tokenization Approaches. (Table of properties comparing Dynamic vs. Pre-generated tokens and Vaultless vs. Vault-based tokenization)
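To make the code-book idea on slides 36 and 37 concrete, here is an added example (not the presenter's or Protegrity's code) of a vault-based, format-preserving tokenizer for card numbers: the token is a random lookup-table entry rather than a cipher output, the BIN and last four digits are kept so downstream matching still works, and detokenization is gated by role, in the spirit of the fine-grained access on slide 34. Field names, roles and the sample card number are constructed for the example.

```python
"""Vault-based, format-preserving tokenization of card numbers (constructed example)."""
import secrets
from typing import Dict


class TokenVault:
    """Code-book tokenizer: a lookup table, not a cipher. The first 6 (BIN) and
    last 4 digits are preserved so routing and customer matching keep working;
    the middle digits are replaced by random digits with no mathematical
    relationship to the real PAN, so a stolen token is useless on its own."""

    def __init__(self, keep_head: int = 6, keep_tail: int = 4) -> None:
        self.keep_head, self.keep_tail = keep_head, keep_tail
        self._pan_to_token: Dict[str, str] = {}  # forward code book
        self._token_to_pan: Dict[str, str] = {}  # reverse code book

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or len(digits) < self.keep_head + self.keep_tail + 1:
            raise ValueError("not a card-number-shaped value")
        if digits in self._pan_to_token:  # pre-generated: same PAN, same token
            return self._pan_to_token[digits]
        head, tail = digits[: self.keep_head], digits[-self.keep_tail :]
        middle_len = len(digits) - self.keep_head - self.keep_tail
        while True:  # draw until the token is unique and differs from the PAN
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = head + middle + tail
            if token != digits and token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[digits] = token
        self._token_to_pan[token] = digits
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the constructed 'settlement' role may recover the real PAN; any
        other role gets the token back, which still supports counting/matching."""
        if role != "settlement":
            return token
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("3678 2289 3907 3378")  # constructed sample PAN
    print("token:", tok)
    print("analyst sees:", vault.detokenize(tok, "analyst"))
    print("settlement sees:", vault.detokenize(tok, "settlement"))
```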
  • 39. Security of Fine Grained Protection Methods. (Bar chart of security level, high to low, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization)
  • 40. Speed of Fine Grained Protection Methods. (Bar chart of transactions per second*, on a logarithmic scale from 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization.) *: Speed will depend on the configuration
  • 41. Tokenization Research: Tokenization Gets Traction. Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption. Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. Tokenization users had 50% fewer security-related incidents than tokenization non-users. Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
  • 42. How Should I Secure Different Data? (Matrix of use case against type of data, Structured or Un-structured: from Simple – PCI Card Holder Data, through PII Personally Identifiable Information, to Complex – PHI Protected Health Information; methods shown are Tokenization of Fields and Encryption of Files)
  • 43. Protecting Enterprise Data Flow – Reducing Attack Surface. (Diagram: sources such as Social Media, Blogs, Smart Phones, Meters, Sensors, Web Logs, Trading Systems, GPS Signals and Stream flow through Acquisition into Big Data (Hadoop), the Enterprise Data Warehouse and Analytics & Visualization; a CCN/SSN such as 123456 123456 1234 is protected in the flow as 123456 999999 1234)
  • 44. CISOs say SIEM Not Good for Security Analytics. You must assume your perimeter systems will be breached. How do you know when your systems have been compromised? You have to baseline and understand what ‘normal' looks like and look for deviations from normal. McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that. Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets. Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
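The "baseline normal, then look for deviations" advice above, worked through on network flow data as an added example (not from the presentation): a per-host profile of known destinations and bytes-out is built from prior known-good flows, and a new day's flows are flagged when a POS host talks to a destination it never used before or its volume is far above its own norm, which is the shape of the exfiltration on slides 6 and 45. All host names, destinations and byte counts are constructed.

```python
"""Baseline 'normal' outbound flows per POS host and flag deviations (constructed example)."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (host, destination, bytes_out)

# Constructed known-good history: POS hosts only ever talk to the authorization host.
BASELINE: List[Flow] = [
    ("pos-01", "auth.internal", 1200), ("pos-01", "auth.internal", 1350),
    ("pos-01", "auth.internal", 1100), ("pos-02", "auth.internal", 1250),
    ("pos-02", "auth.internal", 1400), ("pos-02", "auth.internal", 1300),
]
# Constructed new-day flows; the 'staging.example' record is the deviation to catch.
TODAY: List[Flow] = [
    ("pos-01", "auth.internal", 1280),
    ("pos-02", "auth.internal", 1320),
    ("pos-02", "staging.example", 48_000_000),
]


def build_baseline(flows: List[Flow]) -> Dict[str, dict]:
    """Per host: the set of destinations seen plus mean/stdev of bytes_out."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for host, dest, nbytes in flows:
        dests[host].add(dest)
        sizes[host].append(nbytes)
    return {h: {"dests": dests[h],
                "mean": statistics.mean(sizes[h]),
                "stdev": statistics.pstdev(sizes[h])} for h in dests}


def find_anomalies(baseline: Dict[str, dict], flows: List[Flow], z: float = 3.0):
    """Return (host, dest, reason) for flows that deviate from the host's own baseline."""
    findings = []
    for host, dest, nbytes in flows:
        prof = baseline.get(host)
        if prof is None:  # a host with no history is itself worth a look
            findings.append((host, dest, "unknown host"))
            continue
        if dest not in prof["dests"]:
            findings.append((host, dest, "new destination"))
        if prof["stdev"] and (nbytes - prof["mean"]) / prof["stdev"] > z:
            findings.append((host, dest, "volume spike"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE), TODAY):
        print(finding)
```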
  • 45. Use Big Data to Analyze Abnormal Usage Pattern. (Diagram: Payment Card Terminal; Point Of Sale Application with Memory Scraping Malware; Authorization, Settlement …; Web Server with Memory Scraping Malware; Moscow, Russia; FireEye: Malware?)
  • 46. Trend - Open Security Analytics Frameworks: Enterprise Big Data Lake. Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
  • 47. Conclusions. Threats are increasing and attackers are getting more advanced • Sticking your head in the sand will not make it go away • Malware is everywhere – secure and monitor the data flow. Compliance does not equal security • Everyone must be compliant, but it’s just a starting point • Assume you’re under attack – proactive security must be a priority. Take advantage of the tools available today • Tokenization provides flexibility to capture, store and use data securely • Big Data event analysis & context can catch threats early on
  • 48. Thank you! Questions? Please contact us for more information: www.protegrity.com, Ulf.Mattsson@protegrity.com. To Request A Copy of the Presentation Email: info@protegrity.com