2. Overview
• Today’s Landscape
• What is Blackbaud doing?
• Protection thru technology
• Protection thru people
• Protection thru certifications
• Protection thru process
Blackbaud Confidential
3. Today’s Landscape
Breaches in the News
• Banks
• Massive bank hack: What you need to know - CNN
• Retailers
• Home Depot hack could lead to $3 billion in fake charges – CBS News
• Target store chain security breach
• Healthcare
• There is an epidemic of medical identity theft – USA Today
• Universities
• Ex-contractor says he hacked into U-Md. databases to alert others to security flaws – Washington Post
• Governments
• U.S. Probes Hacking of Government Computers at Personnel Agency – The Wall Street Journal
4. Theft has been Automated and Targeted
A variety of adversaries
• Script Kiddies
• Organized Crime
• Nation States
The value of targeted data is rising
• Cardholder data
• Personally Identifiable Information (“PII”)
• Protected Health Information (“PHI”)
• Social network handles (Twitter, Facebook)
5. Attack Vectors
Zero-Day Vulnerabilities
• Vulnerabilities discovered by criminals within software, sold in black markets to the highest bidder
Social Engineering
• Targeted campaigns against key resources within an organization for the purpose of gaining access to confidential information
Insider Threat
• Disgruntled employees looking to get even
• User mistakes (e.g. bringing data home)
Best source for statistics: Verizon Data Breach Investigations Report
6. How Do Large Credit Card Breaches Happen?
The Advanced Persistent Threat (“APT”)
Recon → Infiltration → Delivery & Exploitation → Exfiltration → Monetization
Reconnaissance
Adversaries probe targets for holes and vulnerabilities and/or steal
credentials
Infiltration
Exploit these weaknesses to get inside
Delivery & Exploitation
Hook malware into processing streams
Exfiltration
Get data out as quietly as possible
Monetization
Data sold on the black market
This can occur over months at a time
7. Impact
Reputational
• Brand damage
• Customers will seek alternative choices
Financial and Liability
• Stock price tumbles
• Cost of data breach
• Legal issues
• Post-mortem audits – regulatory (e.g. HIPAA) or contractual (PCI)
9. Protection thru Technology
Strong Perimeter
• Firewalls
• IDS Control
• DDoS
• 2FA
Access Control
• Granted on an as needed basis
• Role separation
Password/Account Management
Environment Awareness
• Log and activity monitoring
Data Centers
• All tier III+ certified
No Special cases
10. Protection thru People
Blackbaud Security Team
• Dedicated to Security – complete focus
• All personnel heavily trained
• High level of visibility
Training
• All employees receive security training – social engineering & best practices – annually and at NEO
• ITIL training
Certifications
• CISSP, GISM, GSEC, CCNA, CNSS, DoD 85
Partnerships
• PCI/SOC: Brightline CPAs
• Pen-testing: Praetorian (annual rotation)
• PCI validation scans: Qualys
• Ethical hacking and forensics: eMagined Security Consultants
Vendor Management
• All service providers we use are required to meet or exceed our security standards
11. Protection thru Certifications
PCI – Credit Card
• PCI level 1 – Annual Event, Brightline
SSAE16 – PII, Best Practices – risk mitigation
• SOC2, Level 2: based on Security, Availability,
Confidentiality principles - Brightline
• SOC1, Level 2: based on Financial Reporting for
Ledger based products - Brightline
ITIL Based
• Annual Security Audit – 3rd party, eMagined Security
• Policy validation and Perimeter testing
• Internal LAN – ethical hacking; credentialed and non-credentialed
12. Protection thru Process
Security Patching – all platforms
• Monthly and on-demand
• Heartbleed, Shellshock
Change Management
• Rigorous process
• Completely documented
• Multi-level management approval
Event and Incident Management
• Complete log and event monitoring and response
• 7X24 NOCC
• eMagined on retainer and used often – false positives
Security Testing
• Vulnerability management (monthly)
• Penetration testing / ethical hacking (annually and after major changes)
Today’s Security Landscape is dominated by negative news. From major banks to government organizations, not a week goes by before another possible data breach is announced.
Links:
Banks - http://money.cnn.com/2014/08/28/technology/security/bank-hack/
Retailers - http://www.cbsnews.com/news/credit-monitoring-company-home-depot-breach-could-result-in-2b-in-fraud/
Healthcare - http://www.usatoday.com/story/money/personalfinance/2014/09/13/identity-theft-hacking-medical/15345643/
Universities - http://www.washingtonpost.com/local/crime/former-contractor-calls-himself-whistleblower-in-exposing-security-problems-at-u-md/2014/04/10/7312699e-c0b3-11e3-b195-dd0c1174052c_story.html
Governments - http://online.wsj.com/articles/u-s-probes-hacking-of-government-computers-at-personnel-agency-1404970913
How did we get to where we are in the security landscape? Who are the main perpetrators when it comes to breaches? There are three main categories of attackers.
Script Kiddies – Unskilled individuals who copy, modify, and use scripts to attack computer systems. Most are simply looking for glory or notoriety. They usually go after low-hanging fruit: Facebook accounts, gaming credentials, etc.
Organized Crime – This group is comprised of highly skilled individuals who pool skills, resources and infrastructure for buying, selling, and trading stolen data. - http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/22/hackers-are-getting-better-at-offense-companies-arent-getting-better-at-defense/
Nation States – Countries that can provide unlimited resources to groups of people employed by them to gain access to highly sensitive information on their enemies. - http://www.cnbc.com/id/101845869#.
At the same time, as hacks get more complex and require more resources, the value of data begins to increase. As with all markets, it all depends on supply and demand. “A Twitter account costs more to purchase than a stolen credit card because the former’s account credentials potentially have a greater yield. Immediately after a large breach, freshly acquired credit cards command a higher price—as there is greater possibility for the credit cards to still be active. But after time, prices fall because the market becomes flooded” - http://blogs.wsj.com/corporate-intelligence/2014/03/28/whats-more-valuable-a-stolen-twitter-account-or-a-stolen-credit-card/
PHI is valued in order to exploit the prescription drug market. A user can change their credit card number, but they can’t change their health records.
These are the most common. Other attack vectors include:
Weak authentication (e.g. easy to guess or weak passwords)
Unpatched vulnerabilities
Weak cryptography
Wireless network sniffing
Spyware on end user machines (e.g. keyloggers)
Too much access (improper permissions)
Simple user error (e.g. publishing sensitive data to a web site)
Physical attacks (e.g. PoS skimming)
Some notes taken from the “Lessons for SDO document”:
What can we in Blackbaud Service Delivery Operations learn from this to improve our defense in depth?
PCI Compliance is not the end goal; it is just the beginning. Receiving a PCI certification is intended to indicate compliance, and in Target’s case it seemed that wasn’t true either.
Be vigilant for unusual activity. System administrators must learn to recognize social engineering attacks as well as processes and files on systems that don’t belong.
Control access. In Target’s case, two‑factor authentication could have been used for granting remote access by third party vendors, making it more difficult for the attackers to gain access. Firewalls and DMZs are not enough.
Control networks. Target lacked sufficient security segregation boundaries to contain their vendors. And attackers sent data outward over FTP, indicating that outbound well-known ports to foreign servers were unblocked at the firewall.
Assume any account can be used for malicious purposes and mitigate accordingly. To mitigate risks, we need to follow password requirements, principle of least privilege, separation of duties, and ensure service accounts cannot be used for login purposes.
Configure technical controls and follow up on alerting. File integrity monitoring and intrusion detection can be effective security tools but we need to configure these appropriately and have the expertise necessary to manage response. In Target’s case, they had outsourced alerting but when escalated back to Target’s Security Operations Team at their US HQ, alerts went ignored.
Protect vendor related information as confidential and proprietary. Target’s vendor information was posted publicly.
Third-party vendors must be held to our security standards. In the case of Target Stores, the HVAC vendor could have disrupted infection using industry standard real-time anti-malware software. Instead, they used free Malwarebytes anti-malware intended for individual consumer use which did not work in real‑time.
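Two of the lessons above are directly testable with a small amount of code: the "control networks" point (outbound FTP to a foreign server should never be allowed through the firewall, and if it was, the logs will show it) and the "configure technical controls" point (file integrity monitoring that surfaces files that don't belong). The script below is an added example written for this page, not Blackbaud's tooling or eMagined's; the firewall log layout (timestamp, action, protocol, source, destination, destination port), the sample log lines, the temp-directory file tree and the port list beyond FTP are all constructed assumptions for illustration.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path

# --- 1. Egress check over firewall logs -------------------------------------
# Constructed sample log: "timestamp action proto src dst dport". The layout is
# an assumption for this example, not any vendor's real format. External
# addresses are drawn from the RFC 5737 documentation ranges.
FIREWALL_LOG = """\
2014-09-16T02:11:03Z ALLOW tcp 10.20.30.40 10.20.30.5 443
2014-09-16T02:11:09Z ALLOW tcp 10.20.30.41 203.0.113.77 21
2014-09-16T02:11:12Z ALLOW tcp 10.20.30.41 203.0.113.77 443
2014-09-16T02:12:40Z DENY tcp 10.20.30.42 198.51.100.9 21
2014-09-16T02:13:01Z ALLOW tcp 10.20.30.43 10.20.31.8 21
garbage line that a parser must survive
"""

# RFC 1918 ranges count as internal; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# FTP (21) is the port the Target notes call out; the others are assumed
# additions that are normally blocked outbound as well.
EGRESS_PORTS_OF_CONCERN = {21, 22, 23, 25, 3389}


def is_internal(ip_text):
    """True if the address parses and falls in an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_external_egress(log_text, ports=EGRESS_PORTS_OF_CONCERN):
    """Return (timestamp, src, dst, port) for every ALLOWed connection from an
    internal host to an external address on a port of concern. A DENY on the
    same port is what a correctly configured egress rule produces."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than abort the sweep
        ts, action, _proto, src, dst, dport = fields
        if action != "ALLOW" or not dport.isdigit():
            continue
        port = int(dport)
        if port in ports and is_internal(src) and not is_internal(dst):
            findings.append((ts, src, dst, port))
    return findings


# --- 2. File integrity monitoring ------------------------------------------
def build_baseline(root):
    """SHA-256 every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_baseline(baseline, current):
    """Classify differences between two baselines. 'added' is the case the
    notes describe: a file on the system that does not belong there."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def demo_fim():
    """Baseline a constructed temp directory, simulate one tampered file and
    one unexpected new file, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos_service").write_bytes(b"legitimate binary v1")
        (root / "config.ini").write_text("port=443\n")
        baseline = build_baseline(root)
        # Simulated change set: the service binary is altered and a file
        # nobody deployed appears next to it.
        (root / "bin" / "pos_service").write_bytes(b"legitimate binary v1 (tampered)")
        (root / "bin" / "unexpected.bin").write_bytes(b"not part of any release")
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for finding in flag_external_egress(FIREWALL_LOG):
        print("egress alert:", finding)
    print("file integrity diff:", demo_fim())
```

On the sample log the egress sweep flags exactly one event, the allowed FTP session to 203.0.113.77; the denied attempt on line four is what the rule set should have produced for all of them. The integrity check reports `bin/pos_service` as modified and `bin/unexpected.bin` as added. In production the baseline would be stored off-host and signed, and both checks would feed the same alert queue the notes say Target ignored; the tooling only matters if someone acts on what it reports.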
The impact of a breach can be measured in two main categories: Customer perception and Company perception.
Target’s customer-perception level dropped to a negative score of 23 following their breach announcement. That means 23% more shoppers have a negative perception of the brand than have a positive perception. - http://blogs.marketwatch.com/behindthestorefront/2013/12/30/targets-reputation-takes-another-hit/
AP Twitter hack causes panic on Wall Street and sends Dow plunging - http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall
How Main Street will pay for Home Depot’s data breach - http://www.businessweek.com/articles/2014-09-16/home-depot-breach-why-small-merchants-will-pay