2. What do I need to protect?
o Credit Card Data / Personal Info (Identities)
o Files
o Business Data
3. 2012 Verizon Breach Report – Targeted Data
For SMBs, payment card data and authentication data are the most targeted data types.
4. 2012 Verizon Breach Report – Target Organization
The preferred target now appears to be SMBs (small and medium businesses):
570 of the 855 investigations, over 66% of the total.
9. 2012 Verizon Breach Report – How do they get in?
Much as it has in the past, the most common malware infection vector continues to be installation or injection by a remote attacker.
This covers scenarios in which an attacker breaches a system VIA REMOTE ACCESS and then deploys malware, or injects code via web application vulnerabilities.
11. Inside Threats
o Data Corruption / Loss (Hardware, Operator or Programmatic failures)
o Remote Access Tools / Trusted Vendor Security Holes
o BYOD – Bring your own device
o Human error / Training
o Sabotage
12. Other Inside Threats
Other internal threats that need to be considered are:
– Hard Drive Crash
– Water or fire damage to POS
– No backups or lack of testing backup procedures
13. Preparedness, Costs & Risks
How to think of Return on Investment: Is security a bottom-line cost or a profit center?
o What are the financial risks/costs?
Prevention
Remediation
o PCI / HIPAA / FINRA / SEC compliance and liabilities
14. PCI-DSS: Why Care? – Protecting your income
Breach consequences for a Tier 4 merchant
Actual Mid-West Steakhouse example:
Fines and Costs Breakdown             Steakhouse
Visa Fines                            $   5,000
MasterCard Fines                      $  30,000
Forensic Investigation Costs          $  10,322
Visa card compromise program          $  60,000
Chargebacks                           $ 202,223
Total Direct Breach Costs             $ 307,545
Please note: a breached merchant must then adhere to Level/Tier 1 requirements.
15. Preparedness, Costs and Risks
Disaster Recovery vs. Business Continuity
o Backup
o Component Redundancy
o Enterprise Redundancy
16. Technical Security Layers
Physical
o Checkpoints, locks, and surveillance
o Logging
o Force Majeure (fire, earthquakes, etc.)
Network (equipment location/locks)
o Intrusion prevention
o Intrusion detection
o Access Management and ease of use
Endpoint
o Firewall
o Antivirus: how did antivirus lose the war? Where is the battle now?
o OS Updates / Security Patches
17. Basic Elements of Physical Security
Questions to consider…
Can a visitor to your business pick up a notebook computer and slip out the door easily? What about a cell phone with email records?
Is the door to the server room always locked?
Are employees trained to ensure guests do not wander?
Are employees appropriately limited on where they can go?
www.ptcllc.com
18. Basic Elements of Physical Security
o Deterrence
o Access Control
o Detection
o Identification
20. Basic Elements of Network Security:
o Secure Passwords
o Perimeter Firewalls
o Intrusion Prevention
What to watch:
o Intrusion Detection
o Logging
o Alerting
Monitor, monitor, monitor…
Always look to improve and enhance as new threats are discovered…
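The "what to watch" items above (intrusion detection, logging, alerting) are easiest to understand on real data. The following is an added example, not part of the original presentation: a small Python rule that reads sshd-style authentication log lines and alerts when one source address fails to log in five times within ten minutes, and alerts again if a login from that address then succeeds, since remote access is the entry vector the Verizon report slide calls out. The log lines are constructed for illustration, not real logs, and the threshold and window are assumed values to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real logs).
# One source hammers several accounts and finally gets in; another is a normal user typo.
SAMPLE_LOG = """\
2012-11-03T02:14:01 host1 sshd[411]: Failed password for root from 198.51.100.23 port 51022 ssh2
2012-11-03T02:14:03 host1 sshd[411]: Failed password for root from 198.51.100.23 port 51024 ssh2
2012-11-03T02:14:05 host1 sshd[411]: Failed password for admin from 198.51.100.23 port 51030 ssh2
2012-11-03T02:14:06 host1 sshd[411]: Failed password for pos from 198.51.100.23 port 51031 ssh2
2012-11-03T02:14:08 host1 sshd[411]: Failed password for pos from 198.51.100.23 port 51033 ssh2
2012-11-03T02:14:09 host1 sshd[411]: Accepted password for pos from 198.51.100.23 port 51035 ssh2
2012-11-03T08:30:00 host1 sshd[900]: Failed password for jsmith from 192.0.2.10 port 40001 ssh2
2012-11-03T08:41:00 host1 sshd[901]: Accepted password for jsmith from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(text):
    """Turn raw log text into a list of login events; lines the rule does not understand are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as tuples.

    ("bruteforce", ip, count)                 - `threshold` or more failures from `ip` inside `window`
    ("success_after_bruteforce", ip, user)    - a later successful login from an already-flagged ip
    Threshold and window are assumed starting values, not recommendations from the presentation.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in alerted:
                alerts.append(("bruteforce", ip, len(failures[ip])))
                alerted.add(ip)
        elif ip in alerted:
            # a success right after a burst of failures is the alert that matters most
            alerts.append(("success_after_bruteforce", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The second alert type is the one worth paging someone for: a burst of failures followed by a success from the same address usually means a password was guessed, and the account named in it (here the constructed `pos` account) should be treated as compromised until proven otherwise.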
25. Basic Elements of Endpoint Security:
o Secure Passwords
o OS and Security Patches
o Antimalware Protection
o Client Firewalls
o Mobile Devices
A recent study by Imperva (a data security firm in California) and the Technion-Israel Institute of Technology found that the 40+ antivirus products tested initially detected newly created malware samples at a rate of…
Less than 5%
Symantec – Not called Antivirus software any longer…. Now Norton Internet
Security and Symantec Endpoint Protection
Trend Micro, McAfee, and others are doing the same.
They are losing the war and they know it.
Source: NY Times, Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt – 12/31/2012
27. Operator Security Layers
Operational Controls:
o People: non-business use, default passwords left in place, etc.
o The Myth of Secure Passwords
o Reset Password holes (questions, email)
o Password manager
o Backup
o Training
o Auditing
o Data Integrity Tools
o Policies, Training, Enforcement
User Training
Data Silos (Credit Cards, Financial, Customer, Operations)
Insurance
o What can insurance do for me?
30. What is next for my business?
o Security is complex, multilayered and ever changing.
o Being aware of the issues that relate to your business is the first step.
o Any solution will require trusted partners and an eye to integration of multiple solutions.
31. Thank you for attending.
Earl.Chen@BankofAmerica.com Lawrence.Godfrey@e-hps.com JHenbest@ptcllc.com Alberto@SureTech.com
Editor's Notes
Earl: International indictments of a Romanian hacker ring which targeted small retail businesses to steal credit card data. They stole payment card data from hundreds of retailers by leveraging remote access software and caused over $40MM in losses. This would be a good place to share the story from Mark C.
"We got an order for 6 cases of Dom Perignon 1999. Value was between $5-10k. Customer called in using a service for the hearing-impaired, where presumably he was typing something to the service and they were doing the talking for him... then they'd type our answer back to him. Net effect was that caller ID showed the service's number, not his. He wanted to pay with a credit card... but not until the product was ready for pick-up. He wanted to pick it up with his own service (thus no delivery address). Finally, he asked that when we run the card, we put $200 in cash on it to tip the driver."
30 years ago the threat was a teenage kid in their parents' basement. The vast majority weren't as smart as Matthew Broderick's character in War Games, David Lightman.
Organized crime
Professional software development organizations
Multinational crime syndicates located offshore
Larry: Michaels / Barnes & Noble PIN attacks: In response to these attacks, Michaels disabled the customer-facing signature pads and Barnes & Noble completely removed their customer-facing PIN pads.
Earl: recent NBC website and iPhone developer site attacks that targeted visitors' machines and downloaded malware. This would be a good place to share the remote security camera story and/or Carly's story. Not sure which would be best because I don't remember seeing details about Carly's example.
Jack: hack attempt through insecure remote access to cameras