Business Security Insights




Earl.Chen@BankofAmerica.com   Lawrence.Godfrey@e-hps.com   JHenbest@ptcllc.com   Alberto@SureTech.com
What do I need to protect?


o Credit Card Data / Personal Info (Identities)
o Files
o Business Data



2012 Verizon Breach Report – Targeted Data


For SMBs, payment card data and authentication data are the most targeted data.




2012 Verizon Breach Report – Target Organization


The preferred target now seems to be SMBs (small and medium businesses): 570 of the 855 investigations, over 66% of the total.




Outside Threats
Outside/External threats were responsible for 98% of data breaches investigated in 2011.

Source: 2012 Verizon Breach Report


Security Stories




     Examples




Hacking 30 Years Ago




Hacking Today




Source: www.fbi.gov
http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud/?searchterm=cyber%20theft




2012 Verizon Breach Report – How do they get in?

Much as it has in the past, the most common malware infection vector continues to be installation or injection by a remote attacker.

This covers scenarios in which an attacker breaches a system VIA REMOTE ACCESS and then deploys malware or injects code via web application vulnerabilities.




Security Experiences




       Examples




Inside Threats
o Data Corruption / Loss (Hardware, Operator or Programmatic failures)
o Remote Access Tools / Trusted Vendor Security Holes
o BYOD – Bring your own device
o Human error / Training
o Sabotage

Other Inside Threats


The other internal threats that need to be considered are:
   – Hard Drive Crash
   – Water or fire damage to POS
   – No backups, or lack of testing of backup procedures




Preparedness, Costs & Risks
How to think of Return on Investment: Is security a bottom line cost or a profit center?
o What are the financial risks/costs?
   – Prevention
   – Remediation
o PCI / HIPAA / FINRA / SEC compliance and liabilities

PCI-DSS: Why Care? – Protecting your income

Breach consequences for a Tier 4 merchant

Actual Mid-West Steakhouse example:

Fines and Costs Breakdown                Steakhouse
Visa Fines                               $   5,000
MasterCard Fines                         $  30,000
Forensic Investigation Costs             $  10,322
Visa card compromise program             $  60,000
Chargebacks                              $ 202,223
Total Direct Breach Costs                $ 307,545

Please Note: The breached merchant must now adhere to Level/Tier 1 requirements.




Preparedness, Costs and Risks

Disaster Recovery vs. Business Continuity
o Backup
o Component Redundancy
o Enterprise Redundancy




Technical Security Layers
Physical
  o Checkpoints, locks, and surveillance
  o Logging
  o Force Majeure (fire, earthquakes, etc.)

Network
  o Equipment location/locks
  o Intrusion prevention
  o Intrusion detection
  o Access Management and ease of use

Endpoint
  o Firewall
  o Antivirus: how did antivirus lose the war? Where is the battle now?
  o OS Updates / Security Patches


Basic Elements of Physical Security

Questions to consider…

Can a visitor to your business pick up a notebook computer and slip out the door easily? What about a cell phone with email records?

Is the door to the server room always locked?

Are employees trained to ensure guests do not wander?

Are employees appropriately limited on where they can go?




                                                             www.ptcllc.com
Basic Elements of Physical Security
             o Deterrence
             o Access Control
             o Detection
             o Identification




Basic Elements of Network Security:
                  o Secure Passwords
                  o Perimeter Firewalls
                  o Intrusion Prevention

What to watch:
                 o Intrusion Detection
                 o Logging
                 o Alerting

Monitor, monitor, monitor…

Always look to improve and enhance as new threats are discovered…




Effective network segmentation - PCI DSS requires it to minimize the scope of review…




Network segments shown in the diagram: POS Network, Wireless Network, Office Network


Intrusion Prevention




Basic Elements of Endpoint Security:
                  o Secure Passwords
                  o OS and Security Patches
                  o Antimalware Protection
                  o Client Firewalls
                  o Mobile Devices




A recent study by Imperva (a data security firm in California) and the Technion-Israel Institute of Technology found the success rate of the top 40+ antivirus products to be…


                                     Less than 5%
Symantec – no longer called antivirus software… now Norton Internet Security and Symantec Endpoint Protection.

Trend Micro, McAfee, and others are doing the same.

They are losing the war and they know it.


        Source: NY Times, Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt – 12/31/2012


Operator Security Layers
Operational Controls:
  o People: non-business use, using default passwords, etc.
  o The Myth of Secure Passwords
  o Reset Password holes (questions, email)
  o Password manager
  o Backup
  o Training
  o Auditing
  o Data Integrity Tools
  o Policies, Training, Enforcement
     – User Training
     – Data Silos (Credit Cards, Financial, Customer, Operations)

Insurance
   o What can insurance do for me?



What is next for my business?
o Security is complex, multilayered and ever changing.
o Being aware of the issues that relate to your business is the first step.
o Any solution will require trusted partners and an eye to integration of multiple solutions.

Thank you for attending.




Earl.Chen@BankofAmerica.com   Lawrence.Godfrey@e-hps.com   JHenbest@ptcllc.com   Alberto@SureTech.com





2013 PMA Business Security Insights


Editor's Notes

  • #5 Earl: International indictments of a Romanian hacker ring which targeted small retail businesses to steal credit card data. They stole payment card data from over hundreds of retailers by leveraging remote access software and caused over $40MM in losses. This would be a good place to share the story from Mark C.
  • #7 "We got an order for 6 cases of Dom Perignon 1999. Value was between $5-10k. Customer called in using a service for the hearing-impaired, where presumably he was typing something to the service and they were doing the talking for him... then they’d type our answer back to him. Net effect was that caller ID showed the service’s number, not his. He wanted to pay with a credit card... but not until the product was ready for pick-up. He wanted to pick it up with his own service (thus no delivery address). Finally, he asked that when we run the card, we put $200 in cash on it to tip the driver."
  • #8 30 years ago the threat was a teenage kid in their parents’ basement. The vast majority weren’t as smart as Matthew Broderick’s character in War Games, David Lightman.
  • #9 Organized Crime; Professional Software development organizations; Multinational crime syndicates located off shore. Larry: Michael’s/Barnes & Noble: PIN Attacks: In response to these attacks, Michaels disabled the customer-facing Signature Pads and Barnes and Noble completely removed their customer-facing PIN Pads.
  • #10 Earl: recent NBC website and iPhone developer site attacks that targeted visitors’ machines and downloaded malware. This would be a good place to share the remote security camera story and/or Carly’s story. Not sure which would be best because I don’t remember seeing details about Carly’s example.
  • #11 Earl: recent NBC website and iPhone developer site attacks that targeted visitors’ machines and downloaded malware. Earl: International indictments of a Romanian hacker ring which targeted small retail businesses to steal credit card data. They stole payment card data from over hundreds of retailers by leveraging remote access software and caused over $40MM in losses. Jack: hack attempt through insecure remote access to cameras.
  • #19 Deterrence - fence, warning signs, window stickers, lighting, hedges, trenches. Access Control - gates, doors, locks. Detection - alarms, motion sensors, glass breakage detectors. Identification - check-in/check-out, video surveillance, badges.