Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Data Breaches. Are you next? What does the data say?

968 views

Published on

8th Global Airline & Travel Payments Summit - ATPS 2014

Published in: Internet
  • Be the first to comment

Data Breaches. Are you next? What does the data say?

  1. 1. Data Breaches: Are you next? What does the data say? Phil Agcaoili, VP & Chief Information Security Officer, Elavon ATPS Worldwide 3rd-4th December 2014
  2. 2. Fear, uncertainty and doubt (FUD) …Generally a strategic attempt to influence perception by disseminating negative and dubious or false information… The term originated to describe disinformation tactics… FUD is a manifestation of the appeal to fear. Truth Truth is most often used to mean being in accord with fact or reality, or fidelity to an original or to a standard or ideal. FUD and Cyber Security ATPS Worldwide 3rd-4th December 2014
  3. 3. Fact: Worst Travel Day of the Year Fiction: Worst day of the year is the Day Before Thanksgiving ATPS Worldwide 3rd-4th December 2014
  4. 4. //Cyber Security The interconnection and reliance of physical lifeline functions over the Internet (cyberspace) that impacts: • National security, • Public health and safety, and/or our • Economic well-being Information Technology Sector Transportation ATPS Worldwide 3rd-4th December 2014 Systems Sector Commercial Facilities Sector Financial Services Sector Defense Industrial Base Sector
  5. 5. We are All Interconnected ATPS Worldwide 3rd-4th December 2014
  6. 6. Heightened Concerns on Cyber Security Low Barrier of Entry High Damage Potential / Lucrative ATPS Worldwide 3rd-4th December 2014
  7. 7. Cost of Data $102.60 Average black market price for all of the data on a credit card $187.44 Cost of taking control of a bank account $200K Average cost of cyber attach to SMB $1M-$46M Average cost of breach to a large company $169M Target breach clean-up costs $46M The Home Depot breach clean-up costs $350M-1T Global cost of cyber crime ATPS Worldwide 3rd-4th December 2014
  8. 8. //Cyber Crime Global and growing industry Increasing in size and efficiency Targets everyone and every company Leveled playing field for criminal activity Cyber Crime Orgs Professional Hackers Spammers Mafia Military Terrorists ATPS Worldwide 3rd-4th December 2014
  9. 9. //APT - Nation States Hacking and a Cyber Cold War ATPS Worldwide 3rd-4th December 2014
  10. 10. What are your risks? Have you assessed your risks? ATPS Worldwide 3rd-4th December 2014
  11. 11. Airlines and Airport Security Complex ecosystems with advanced IT infrastructures Real-time exchange of sensitive information Scan and monitor passenger flow Complex procedures and rules Security requirements Vulnerable to a multitude of attacks and IT-based emerging threats Information Technology Sector Transportation Systems Sector ATPS Worldwide 3rd-4th December 2014 Commercial Facilities Sector Financial Services Sector Defense Industrial Base Sector
  12. 12. Data Breaches ATPS Worldwide 3rd-4th December 2014
  13. 13. Data Breaches ATPS Worldwide 3rd-4th December 2014
  14. 14. Merchants Under Attack Credit cards What else must be said? ATPS Worldwide 3rd-4th December 2014
  15. 15. Case Studies: The Facts Nothing new here All information presented is based on: Past incidents Reported cyber attacks ATPS Worldwide 3rd-4th December 2014
  16. 16. 2004 Fact: Sasser Worm and British Airways at Heathrow Airport British Airways suffered delays Worm hit Terminal Four at London's Heathrow Airport, Also affected call centers Written by a teenager ATPS Worldwide 3rd-4th December 2014
  17. 17. 2008 Fact: Spanair Flight 5022 Crashed just after take off Over 150 people died Only 18 people survived Accident weakened Spanair's image (reputation risk) Crash exacerbated company’s financial difficulties Ceased operations in 2012 Internal report issued by airline revealed: Malware infected airline's central computer system May have prevented detection of technical problems with aircraft Final report determined crew failure as root cause ATPS Worldwide 3rd-4th December 2014
  18. 18. 2011 Fact: Delhi’s Indira Gandhi International (IGI) Airport Incident Passenger processing system failure Backend server glitch Common Use passengers Processing System (CUPPS) Down for almost 12 hours Approximately 50 flights delayed Passengers had to be manually checked in Central Bureau of Investigation (CBI) of India Virus attack / malicious code on the system Used from an unknown remote location Someone at a remote location operated the system ATPS Worldwide 3rd-4th December 2014
  19. 19. 2011 Fact: Computer Virus Hits U.S. Drone Fleet Virus infected Predator and Reaper drones One of the US military’s most important weapons systems Virus resisted multiple efforts to remove it Remote cockpits are not connected to the Internet Virus believed to have spread through removable drives ATPS Worldwide 3rd-4th December 2014
  20. 20. 2014 Facts: Infected Belgian Charleroi Airport Servers Belgian Charleroi airport network servers infected with malware Turned them into botnet zombies Airport and customer data stolen ATPS Worldwide 3rd-4th December 2014
  21. 21. ATPS Worldwide 3rd-4th December 2014
  22. 22. 2014 Fact: Account Backdoors on Airport Scanners, Default Passwords Blackhat 2014 Backdoor accounts present in airport scanners Many machines deployed at airport security checkpoints have embedded accounts with default passwords that can be abused Attackers may be able to use the accounts as a backdoor to get access to the system ATPS Worldwide 3rd-4th December 2014 Via Billy Rios
  23. 23. 2014 Fact: More Backdoors FTP, Telnet, and Web hardcoded backdoors ~6000 on Internet at major airports Foreign made ATPS Worldwide 3rd-4th December 2014 Via Billy Rios
  24. 24. 2014 Fact: More Backdoors Multiple backdoor accounts ATPS Worldwide 3rd-4th December 2014 Via Billy Rios
  25. 25. Internet of Things (IoT) Embedded systems Devices with an IP stack May or may not be connected to the Internet Think smartphones Drones ATPS Worldwide 3rd-4th December 2014
  26. 26. Address Cyber Security Now Raise visibility to senior leadership and Board of Directors Use a Cyber Risk Framework Invest in Cyber Security Risk Management NIST CSF ATPS Worldwide 3rd-4th December 2014
  27. 27. Your Responsibility Ensure Basic Cyber Hygiene It’s Everyone’s Responsibility Airlines focus: Defense in-depth and anti-malware programs Follow the money Trust, but Verify Especially with embedded devices Supply chain Vendor Management / Third Party Security Overall security Hardcoded backdoors Participate in an Information Sharing & Analysis Center (ISAC) ATPS Worldwide 3rd-4th December 2014
  28. 28. ATPS Worldwide 3rd-4th December 2014 Thanks Phil Agcaoili VP & Chief Information Security Officer, Elavon Contributor, NIST Cybersecurity Framework version 1 Co-Founder & Board Member, Southern CISO Security Council Distinguished Fellow and Fellows Chairman, Ponemon Institute Founding Member, Cloud Security Alliance (CSA) Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) @hacksec https://www.linkedin.com/in/philA

×