Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME IN AMERICA AND IN 2014 1 IN 7 WILL BE VICTIMS


(Companion whitepaper here:
http://blog.securityprivateers.com/2014/03/lessons-from-frog-and-ostrich.html )

CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME IN AMERICA AND IN 2014 1 IN 7 WILL BE VICTIMS
Part 1
Target: Retail Credit Card Thefts, Frogs, Ostriches and the barn door: Why we will continue to see credit card thefts.
TJMAX had a major breach in 2005 and didn’t know about it for 18 months. The same fundamental problems caused the recent Target breach and will continue to plague government, retail and brick-and-mortar networks for years to come. Find out why a frog won’t let itself get boiled, and learn why humans are the only ones silly enough to bury their heads in the sand as we look at the core problems facing these institutions today.
Part 2
“I am a small company or just an individual, what do hackers want from me and how do they get it?”
Think you are safe? You have nothing to lose? Nothing the hackers want? Think again. Turn off every computer system you own or use for 7 days, then tell me you have nothing valuable. Hackers are after anything they can sell, from your list of customers to your web browser ‘favorites’ list. Find out several simple steps you can take to keep the hackers (and the government) out of your business.


  1. Protecting The Castle
     Michael Scheidell, CCISO
     Security Privateers®
  2. Michael Scheidell, CCISO, SMIEEE (© 2014 Security Privateers®)
     • Senior Member, IEEE
     • Senior Member, ISSA
     • Patents and awards in Network Security
     • Founded Three South Florida Tech Companies
     • Honored by South Florida Business Journal
     • Member FBI’s InfraGard
     • Member US Secret Service Miami Electronic Crimes Task Force (MECTF)
  3. Agenda
     • Protecting the Castle
     • Boiling Frog
     • Ostrich
     • 2005, TJMAX, 18 months
     • 2013, Target, 18 days
     • CC Details for sale
     • Mag Stripe vs SmartCard
     • What’s in YOUR Wallet
     • What’s Yours is Mine
     • Small Business at Risk
     • Storing Private Details
     • Virtual vs Physical World
  4. Build up the Castle Walls
     A Network Firewall is like the Castle Walls. No one goes in, no one goes out without permission. If unauthorized access is attempted they are blocked automatically.
  5. Install a Moat
     A moat protects the Firewall. FireEye APT Systems help identify dangerous inbound attachments, downloaded, emailed or via USB/CDrom.
  6. Guards Protect the Moat
     • 24/7 Monitoring
     • Managed Network Security
     • SOC (Secure Op Center)
  7. Guards Inside The Castle
     Can’t keep everyone out. Why bother with Internet? Once they get in, now what? Antivirus Software is like the Guards inside the Castle.
  8. Boiling Frog
     Put a frog in lukewarm water and heat it up slowly and frog will stay until it is cooked in boiling water.
  9. Boiling Frog
     Put a frog in lukewarm water and heat it up slowly and frog will stay until it is cooked in boiling water. Put a frog in boiling water and it will jump out immediately.
     • TJMAX suspected Wifi Breach, but the data was taken slowly
     • Target CIO sat in slowly rising temperature from November 2013 till March 2014
  10. Ostrich
     When an Ostrich is frightened it will bury its head in the sand.
     • TJMAX knew WiFi had security risks but ignored them (didn’t separate out WiFi from corporate network, didn’t encrypt database)
     • Target knew malware was being installed. They paid $1.6M for FireEye APT detection system.
  11. (no text on slide)
  12. Protecting the Castle
     The castle walls don’t need protecting. The network doesn’t need protecting. Protect the Crown Jewels. Focus on the highest value items.
  13. 2005, TJ MAX
     • July 2005, Two High School Graduates and two dropouts hack TJ Max’s Wifi Network (WEP encryption)
     • August 2005, They get access to databases, CC details, etc
     • September 2005, TJMAX upgrades Wifi to WPA, begins monitoring for suspicious activities
     • December 2006, TJMAX detects intrusion, calls LE
     • January, 2007, TJMAX makes announcement: 45.7M
     Hackers were inside for 18 months
  14. 2013, Target
     • June, Target Installs FireEye APT detection System
     • Nov 8th, ZDNET Interviews Target’s CIO
     • Nov 27th, Hackers Access Target’s network via HVAC Vendor
     • Nov 30th, Attack caught by FireEye, Alerts Ignored
     • Dec 2nd, Export of data started, FireEye Alerts Ignored
     • Dec 13th, Report by Security Researcher Brian Krebs
     • Dec 15th, Data export stopped (110m Records enough?)
       – 40m Credit Card ‘dumps’, 70m other customer records
     • Dec 18th, Target Reports to LE, uploads to VirusTotal.com
     • Dec 19th, Target publicly acknowledges breach
     • Dec 21st, JP Morgan notifies customers
     • Dec 23rd, Target General Counsel in Conference Call
     • Jan 15th, Target Allocates $5M for ‘Consumer Education’
     • Feb 6th, HVAC Vendor Identified (weak password, free AV version)
     • March 5th, CIO Resigns
  15. What did they miss?
     • TJMAX saw problems with their WiFi
       – They monitored network for 13 months
     • Target Spent $1.6M on FireEye
       – There were multiple early warnings
     • Did they both need more security?
  16. What would you rather have?
     • Rookie with a 357
     • 10 Year vet with a 38?
  17. $90 Billion Spent
  18. What is missing?
     • People
     • Processes
     • Procedures
     • Training
     Without TRAINED people, following specific procedures and processes, anything can happen. If you have no destination, any path will lead you there.
     Target: Finally looking for a CISO
  19. CC Details for Sale
  20. CC Details for Sale
  21. APT: Advanced Persistent Threat
  22. No Skill Needed
     Can’t Hack? For $2800 you can buy the memory scraping software found at Target. Even that too hard for you? Can you unplug a USB keyboard? Got an Amazon Prime Account?
  23. Mag Stripe vs SmartCard
     • Mag Stripe Card
     • SmartCard with Chip
  24. Mag Stripe vs SmartCard
     • Mag Stripe Card
     • Card with Chip
  25. What’s in YOUR Wallet?
     • Ask for Chip & Signature if you need a replacement card.
     • Still has Mag Strip
     • Will work in US and 99% of international
     • Safer ONLY IF USED IN CHIP ENABLED SYSTEMS
  26. Small Business at Risk
     • Inventory your business
     • Ask IT person what data is being stored
     • Are you storing CC numbers?
     • What about employee payroll information?
     • Workman’s Comp Faxes?
     • Red Pill vs Blue Pill?
  27. Small Business at Risk
     • Computers
       – Patching
       – Passwords (weak, old, administrator)
       – Game programs, malware, spyware
     • Web sites
       – Patching
       – Passwords
       – Temp files (Office docs with PPI)
  28. What is missing?
     • People
     • Policies
     • Processes
     • Procedures
     • Training
     Without TRAINED people, following specific procedures and processes, anything can happen.
     • Inform your employees
     • Train them on privacy
     • Have written policies
     • Hire right
     • Lead by example
  29. Virtual vs Physical World
     • Do you think Virtual Security?
     • CCD cameras / Computer Logs
     • Guard, ID / Login & Password
     • Safe Storage / Encryption
     • Cover your Tracks / Shredder
  30. Guard Gate
     Do you store information on visitors? Name, SS or DL number? Photo copy of their ID?
  31. Frog and Ostrich
     • The human is the only animal stupid enough to let itself be boiled or put its head in the sand
     • The frog jumps out as soon as temperature increases 2 degrees
     • Ostriches are searching for food
     • One of the fastest runners in nature
  32. Contact Information
     Michael Scheidell, CCISO, SMIEEE
     Managing Director, Security Privateers
     IT Risk Assessments / IT Security Consulting
     Retained Chief Information Security Officer
     michael@securityprivateers.com
     @Scheidell / (561) 948-1305
     http://www.securityprivateers.com
