17. Security Breaches Today
• Primary data breach targets…
– Financial
– Retail
– Government
• 43% of all companies experienced a data breach in the last year
– Of these, 27% had no response plan in place
– 80% had root cause in employee negligence
• Membership organizations emerging as targets
– Controversial missions/philosophies
– Play to the self-anointed judgment of “hacktivists”
– Least likely to have protections in place
18. Security Breaches Today
• Cyber risk and liability
– Target® breach of 2013…40M compromised records, potential company liability of $90/exposed record = $3.6B
– Target® directors and officers also facing derivative suits
– Home Depot® breach of 2014…56M compromised PCI records, liability to exceed $3B
– JPMorgan Chase breach of 2014…83M compromised PII accounts
– Anthem breach of 2015…80M compromised PHI records
– Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
19. Security Breaches Today
• Cyber risk and liability
– Brand value drops 17-31% after a breach
– Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
– Software vendors mostly protected by liability limit clauses in their EULAs
– Custom developed software and software implementation is another story…
– Any technology company associated with a breach is open to litigation
22. Security Breaches Today
• Weak credentials
– Default credential provisioning
– Susceptible to brute force attacks
• System misconfiguration
– Accidental exposure of administrative consoles
– Systems stood up outside of policy
– Firewall errors/complexity
• Service/Software vulnerability
– Heartbleed, Shellshock
– Third party software
• Web application vulnerability
– Most commonly exploited
– Custom code developed without security
• Social engineering
– Phishing, link clicking
25. Attack Vector Mitigation - Business
• Train staff and elevate cyber security awareness
• Engage outside help when needed
• Ensure compliance with all regulatory and certification security requirements
• Respond clearly and deliberately to any critical incident…focus on maintaining stakeholder confidence
• Benchmark your cyber security program in relation to your peers
28. Secure Web Implementation
• GreenSQL - a unified, ready-to-use database security solution for all organizations. Easy to install, use and maintain
– Hides and secures databases
– Monitors all incoming and outgoing SQL queries
– Alerts and blocks signature-based query attacks
– Maintains database security policy in real-time
– Protects against known and unknown database exploits
32. Penetration Testing
• Automated testing tools
– Pros – covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications
– Cons – can frequently flag false positives, only as good as the latest signature database of known exploits
• Adaptive (manual) testing techniques
– Pros – follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous
– Cons – labor-intensive, not easily repeatable, money sink
33. Penetration Testing
• ASI committed to conducting self-penetration testing
– iMIS 20-100/200 and 20-300 platforms
– Integral to pre-EA/GA regression testing
– Employ Netsparker tool as a start, will likely expand to others
• ASI engaged independent penetration testing services in 2014
– Currently GA iMIS 20‐100 and 20‐300 platforms
– Adaptive pen testing techniques and methodology
– No critical vulnerabilities found
– Secure coding practices strongly recommended
41. PCI DSS v3 Changes
Definitions of Change
Change Type | Definition | Number of Changes
Clarification | Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements. | 74 changes
Additional guidance | Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. | 5 changes
Evolving Requirement | Changes to ensure that the standards are up to date with emerging threats and changes in the market. | 19 changes
47. Tips & Tricks
1. Read the PCI-DSS v3.
2. Leverage your entire employee base.
3. Read InfoSec News.
4. Keep the conversation going.
5. Be able to show proof.
6. Stay on top of documentation.
7. Standardize and remove risk.
8. Know your compliance anniversary date.
9. Start your assessment early.
10. Establish your current Merchant Level.
59. Engagement Management
• Integrate Web and Data Quickly
• Flexibility to adapt to deliver new services
• Complete 360° view of your constituents in ONE system
• Interact with constituents on Any Device
• Measure member interaction
64. Learning with an EMS
• Integrate Web and Data Quickly
• Flexibility to adapt to deliver new services
• Complete 360° view of your constituent in ONE system
• Interact with constituents on Any Device
• Measure interaction