DISCLAIMER: 
This presentation reflects the opinions and recommendations of the authors only and does not in any way represent the views or endorsements of any other parties. HP NonStop is a trademark of Hewlett-Packard Development Company, L.P. All other trademarks are the property of their respective owners. copyright (2014) comForte 21 1
To be able to look at this presentation offline and without the speaker's audio, slide notes have been added to some slides and are shown here, on the right.
It is recommended to view the presentation in ‘full screen, single page at a time’ view, giving you the slide (as presented) in the upper left and the slide notes (to be used when viewing the PDF or SlideShare view) on the right side.
Thomas is…
• somewhat of a geek, playing with computers at the age of 13 and now making a living off it
• learning about computer security since about 2000 – classes, reading, … Learning every day … CISSP 2007
• active on LinkedIn
• privately: active on Facebook (but never posting images of people), writing his own blog
• investing in Bitcoins (!?). In fact, I mined bitcoins at home and it looks like it ramped up my energy bill. Fortunately I only invest small scale, otherwise I’d be VERY worried about losing my bitcoins – more on this later
• I am also the CTO of comForte – more about the company at the end
• Understand how the Target hack (and, probably, the Home Depot attack and several others) was done
• Understand that computer security is, at this point in time, not exactly effective. So we’ll talk about:
• Why do the bad guys seem to win? In other words, why is securing computer systems HARD?
• Some old principles which are still important
• A new model …
• What comForte can do for you
• OK, I told you about me and about my goals for today – time for you to answer some questions…
• Who in the audience works for …
  • a vendor of computer software (maybe even security software!?)
  • a consulting company (small or large, one-man shows allowed)
  • real “customers” or “users” (having the budget for the sponsors to go after):
    • Retailers
    • Banks
    • Other FIs
• Result of quiz: a somewhat even distribution of all of the folks above
The URL shown is a rather detailed write-up of the breach – including how the stolen credit card numbers are monetized in the “carder underground”. Highly recommended reading.
The diagram “how the hackers broke in” is also from the article – we will now look at the steps in more detail.
Download URL is http://www.businessweek.com/printer/articles/189573-missed-alarms-and-40-million-stolen-credit-card-numbers-how-target-blew-it
This is the POS acquiring infrastructure at TARGET, showing only the core systems required for the processing of POS transactions.
The system on the right is an HP NonStop system; see http://www.hp.com/go/nonstop for more information about the computing platform. We use the term “NonStop system” in the diagram for brevity.
If these were the only systems, the breach at TARGET could not have happened in the same way.
Note: the speaker got some heat from an HP NonStop guy because he did not like “breach” and “HP NonStop” in the same sentence – especially if the breach did not happen “on” HP NonStop. Point well taken – however, don’t think your NonStop is safe (we’ll get to this bit later).
This diagram shows more systems which are part of the larger TARGET infrastructure: two internal servers are used to process the “back office” data collected at the point-of-sale systems. Also, an HVAC system (heating, ventilation, air conditioning) is remote-controlled by an external consultant.
In the first step of the attack, the “bad guys” took over a web site that an employee of the HVAC company was accessing. By doing so, they were able to obtain his username and password for that – unrelated – web site.
Unfortunately, the employee used the same password to access the TARGET network for remote HVAC maintenance – and thus the attackers were inside the TARGET network.
They were then able to ‘take over’ an internal server present at every TARGET store, which had direct connectivity to the POS systems running Microsoft Windows.
In the next step, they used the internal server to install specifically crafted malware onto the Windows POS system. 
At this point in time, the malware installed on the POS system was collecting the full data for each and every POS transaction. It used a well-known technique called “memory scraping” to access the data sent from the POS device “through” the Windows POS system to the NonStop system processing the POS data.
The final step now is to get the data sent out from the internal TARGET network, and the attackers needed to be careful not to raise an alarm by using new connections (an outgoing FTP connection to an unknown host on the Internet would almost certainly have raised alarms immediately).
This final step is called “exfiltration”.
For exfiltration, the attackers were able to take over another internal server which was already shown on an earlier slide. That server was not in the “critical network zone” and hence not monitored for outgoing data as closely as each TARGET store itself. 
In the final step, the attackers sent the data from the POS Windows systems to the internal server on the right, where they collected it for a while.
They then sent the data to a few servers on the Internet and then downloaded the data to their own systems.
Summary: five steps, each time hopping from one machine to the next. One should note the complexity of the attack – this is not a simple attack but one that requires careful advance planning as well as a lot of attention to detail during the ‘execution’ stage.
As companies improve their defenses, attacks require more and more steps to succeed. This is why “defense in depth” is such an important concept – the defender only needs to prevent a single step of the attack to thwart it. Here are a few measures, each of which could have prevented the specific attack carried out successfully against TARGET:
• Preventing distribution and installation of the malware onto the POS systems:
  • Better segmentation of the in-store network
  • Strong authentication for vendor access
  • Actually looking at the incident logs of the advanced attack tool (“FireEye”, see the Businessweek article for details)
  • Setting FireEye to “block” rather than “alert”
• Using end-to-end encryption between the POS reading device and the acquiring system.
• Detecting and blocking the outbound traffic in which the confidential data was transferred to servers outside of Target's store network.
(It should be noted that these measures are by no means a comprehensive security architecture; they are the few pieces of a whole defense-in-depth strategy that would have made the difference.)
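Two of the measures above, in-store segmentation and watching outbound traffic, can be expressed as a policy check over flow logs. The following is an added example, not code from the presentation or from comForte; the zones, addresses, flow-log format and threshold are constructed stand-ins for the diagram's POS hosts, in-store server, acquiring NonStop system and back-office server.

```python
"""Egress policy check over constructed flow records (added example).

Zones are hypothetical stand-ins for the systems in the diagram: POS hosts,
the in-store server, the acquiring (NonStop) system and a back-office server
that sits outside the critical zone. Addresses and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict

ZONES = {
    "pos":        ipaddress.ip_network("10.10.0.0/24"),
    "store_srv":  ipaddress.ip_network("10.10.1.0/24"),
    "acquiring":  ipaddress.ip_network("10.20.0.0/24"),
    "backoffice": ipaddress.ip_network("10.30.0.0/24"),
}

# Segmentation policy: which internal zones each zone may talk to.
# POS hosts only ever need the acquiring system and the in-store server.
ALLOWED = {
    "pos":        {"acquiring", "store_srv"},
    "store_srv":  {"pos", "backoffice"},
    "backoffice": {"store_srv", "acquiring"},
    "acquiring":  {"pos", "backoffice"},
}

# Constructed allow-list of external hosts any internal system may reach.
EXTERNAL_ALLOW = {"203.0.113.10"}

# Cumulative bytes to one external host above which staged data is suspected.
EXFIL_BYTES = 5_000_000


def zone_of(ip):
    """Map an address to its zone name; anything outside ZONES is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def evaluate(lines, mode="alert"):
    """Return policy findings; 'mode' is the action a gateway would take.

    A finding is raised for (a) a flow crossing zones the policy does not
    allow, (b) a flow to an external host not on the allow-list, and
    (c) a source/destination pair whose cumulative outbound volume to the
    Internet reaches EXFIL_BYTES within the evaluated window.
    """
    action = "block" if mode == "block" else "alert"
    findings = []
    volume = defaultdict(int)
    for rec in map(parse_flow, lines):
        src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
        if dst_zone == "internet":
            volume[(rec["src"], rec["dst"])] += rec["bytes"]
            if rec["dst"] not in EXTERNAL_ALLOW:
                findings.append({"src": rec["src"], "dst": rec["dst"], "action": action,
                                 "reason": "external destination not on allow-list"})
        elif dst_zone not in ALLOWED.get(src_zone, set()):
            findings.append({"src": rec["src"], "dst": rec["dst"], "action": action,
                             "reason": f"zone policy {src_zone}->{dst_zone}"})
    for (src, dst), total in volume.items():
        if total >= EXFIL_BYTES:
            findings.append({"src": src, "dst": dst, "action": action,
                             "reason": f"outbound volume {total} bytes"})
    return findings


# Constructed sample flows that mirror the staging and exfiltration steps.
FLOWS = [
    "2014-09-29T09:00:01 10.10.0.21 10.20.0.5 443 2100",        # POS -> acquiring: normal
    "2014-09-29T09:00:02 10.10.0.21 10.30.0.7 445 1800000",     # POS -> back-office: staging
    "2014-09-29T09:05:10 10.30.0.7 198.51.100.23 21 3000000",   # back-office -> unknown host
    "2014-09-29T09:06:10 10.30.0.7 198.51.100.23 21 2500000",   # same pair, volume adds up
    "2014-09-29T09:07:00 10.30.0.7 203.0.113.10 443 5000",      # allow-listed host: fine
]

if __name__ == "__main__":
    for f in evaluate(FLOWS, mode="block"):
        print(f"{f['action']:5} {f['src']} -> {f['dst']}: {f['reason']}")
```

The second flow is the one the in-store segmentation rule catches before any data leaves the store; the volume rule only fires once a staging host has already accumulated a suspicious amount, which is the later and weaker signal.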
• Who knows what an APT is
• Who knew all the gory details of this attack
• Who knows what DLP is
• Who knows what Data Centric Security is
Results of quiz:
• Who knows what an APT is (few. APT stands for Advanced Persistent Threat – see the presentation http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks on SlideShare)
• Who knew all the gory details of this attack (about a third of the audience)
• Who knows what DLP is (few. It stands for Data Loss Prevention – in a nutshell, this is about avoiding data being leaked via technical means)
• Who knows what Data Centric Security is (very few. This will be talked about later)
Let’s first look at the security landscape before ca. 2005: 
•The defenders had appropriate tools (Antivirus, Firewalls) 
•The attackers were mostly harmless and well-meaning 
Only five years later – but big changes in the ‘real world’ (!). We’ll talk about CEO perceptions later.
• The attackers are plenty, skilled and motivated
• No real change on the defender side
• The defenders are very often busy with something else, understaffed and underfunded
Only another four years later!
• The attackers are plenty, skilled and motivated – much more so (APT)
• Again, no real change on the defender side
• Still, the defenders are very often busy with something else, understaffed and underfunded
Question from the title: “How has the attack on Target changed the computer security landscape?” Answer: technically, not at all. Perception: next slide
This discussion on LinkedIn started with a rather insightful blog entry (more on this below) and turned into very interesting reading – I’d recommend looking at the whole thread (which keeps growing; 45 comments as of 29 Sep 2014).
Link to discussion: https://www.linkedin.com/groups/Current-State-PCI-66587.S.5917749052983771136?view=&gid=66587&item=5917749052983771136&type=member&commentID=discussion%3A5917749052983771136%3Agroup%3A66587&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_FOLLOWED#commentID_discussion%3A5917749052983771136%3Agroup%3A66587
The aforementioned blog entry is at http://www.tenable.com/blog/the-current-state-of-pci.
Quoted, with permission from http://www.tenable.com/blog/the-current-state-of-pci. 
Highly recommended reading! 
Quoted, with permission, from http://www.tenable.com/blog/the-current-state-of-pci. Highly recommended reading!
It is paraphrased nicely in the discussion by Mark Faithfull, Interim Technology Leader, Founder & CEO, www.textsquirt.com:
(quoted)
The key section of the article by Jeff Mann is this: The PCI DSS, as a set of security requirements, does not presume that organizations will not be breached, but rather tries to set organizations up for detecting the compromise early, and hopefully minimizing the damage. This is the key message we need to evangelise – to move PCI from being a 'compliance' based project and instead get business leaders thinking more in terms of: We will get breached – we better get ourselves organised so we can spot it the day it happens. To this end, the PCI framework does provide a lot of helpful guidance for businesses who don't have that security infrastructure in place at the moment. The most telling fact about the recent high profile breaches is the length of time intruders are in the merchant systems before these big breaches are discovered, which to me means the 'business as usual' of living the PCI life is not in place in these organisations.
Quoted (with permission) from a LinkedIn discussion in the “PCI Network - The World's Largest Payment Card Industry Group” group
The discussion started with the following blog entry http://www.tenable.com/blog/the-current-state-of-pci – highly recommended reading
Link to discussion: https://www.linkedin.com/groups/Current-State-PCI-66587.S.5917749052983771136?view=&gid=66587&item=5917749052983771136&type=member&commentID=discussion%3A5917749052983771136%3Agroup%3A66587&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_FOLLOWED#commentID_discussion%3A5917749052983771136%3Agroup%3A66587
So far we looked at changes in the industry. The speaker believes that while the ATTACK SCENARIOS have radically changed (“improved” from the point of view of the attacker), the DEFENSE SCENARIOS have not. We’ll look at the ‘defense scenarios’ in a second.
The speaker has been thinking about this question for years, maybe decades. He still isn’t sure, but he feels he is closing in (?). So, here is the most important slide of this presentation. Why are the bad guys winning? (drum roll, slide still blank)
(1) There is a HUGE difference between the perception of computer security among the non-computer-security-geeks (about 99.999 % of the general population) and the computer-security-geeks. The problem is that to see the problem you have to be very geeky. There are excellent classes on this by SANS; they will turn you from the 99.999 % to the 0.0001 % within a week – I did this 10 years ago and became a convert. The class SEC401: Security Essentials Bootcamp Style is a class I cannot recommend highly enough – it does take a week and it does cost about US$ 5000 – but it is worth every $. See www.sans.org for details.
(2) Anyway: here is how most people perceive computer security (image shows): Most importantly, they don’t care. They have a life and other things to worry about. Also, overall it can’t be that bad – my company has not been hacked yet. I have not been hacked yet. The industry will take care. …
So here is what the “security geeks” are perceiving… Drum roll… Image appears
I spent the last 14 years of my life learning about computer security. I am still learning every day. Why do I think this way?
(1) In most life scenarios, getting “99 % right” is good. In computer security it can be disastrous.
(2) There is no silver bullet. Repeat after me: there is no silver bullet. It is hard.
(3) Translation of “it is hard”:
  (1) It will be expensive. Ramp up the budget.
  (2) It is beyond products (although some vendors might tell you so).
  (3) It is an arms race. New attacks are coming out every day.
  (4) Most of us have a life and other things to do than securing our computers…
Back to the bitcoin story: If I had EUR 100,000 k in Bitcoins… I’d sell them real fast.
But let’s say I couldn’t – what would I do? Here’s what:
- Buy a new computer. Most probably not Windows or Mac
- Set up a bitcoin wallet
- Take it off the Internet and never connect it again (!!!)
- Move data only through freshly formatted USB sticks
- Side note: Modern bitcoin wallets allow you to do just that
Let’s take a moment to think about the message so far. Shouldn’t we simply give up hope?
Ignore the issue or…
Hope that it does not happen to you or …
Do something
Nope – there are ways to cope
About 20 years ago, users would connect to “big iron” (mainframe-type computers) using dedicated terminals which had no other functionality than to access the system.
Today, PCs are used to connect to HP NonStop systems and administer them. The big problem with this is that many core security principles are based on so-called “user authentication” – making sure the NonStop knows which user name is currently connecting.
Historically, there have been many means of using this information for “authorization” – namely deciding who can do what (and who can NOT do what).
This has worked well over the years – but most attacks, including the one on TARGET, show that attackers are able to “0wn” (hacker lingo for “own”) any PC or midrange server in the organization. An “0wned” PC is effectively remote-controlled by the bad guys – and with that, user authentication is broken and should not be relied on as strongly as it has been so far.
This knowledge is widely spread in the security community – but unfortunately it is not that widely spread in the non-security realm.
https://en.wikipedia.org/wiki/Tootsie_Roll – supposedly this is “hard on the outside, chewy on the inside”
Image credits: see the Wikipedia link above and/or https://upload.wikimedia.org/wikipedia/commons/thumb/0/02/Tootsie-Roll-WU.jpg/220px-Tootsie-Roll-WU.jpg [Tootsie-Roll-WU, CC BY-SA 3.0, Evan-Amos, own work]
Badly broken!!! (Look at the Target attack…)
See also http://technodrone.blogspot.com/2014/07/m-snickers-and-security-in-cloud.html or http://networkingnerd.net/2014/07/15/security-dessert-models/
Or see http://www.computer.org/csdl/mags/sp/2005/05/j5004.pdf – a white paper from 2005 (sic!)
Image credit: see https://en.wikipedia.org/wiki/File:Snickers_wrapped.jpg
IMHO, "we", the IT geeks and/or the industry, have horribly failed in making executives aware of what is at stake. Also, I am *not* aware of a proper translation of "IT risk" and "protective technical measures" into "value from C-level view".
That said, I just came upon a most wonderful white paper from IBM,
Elevating the Discussion on Security Management
The Data Centric Paradigm
downloadable at https://www.google.fi/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCEQFjAA&url=http%3A%2F%2Fwww.researchgate.net%2Fpublication%2F4257215_Elevating_the_Discussion_on_Security_Management_The_Data_Centric_Paradigm%2Flinks%2F0deec51b8afeb363fe000000&ei=LxQoVPDHIcHkaoL7gKgJ&usg=AFQjCNGAqVHURFbcqxwnCt54C5tWDPDj6w&bvm=bv.76247554,d.d2s (if you find an easier link, let me know at t.burg@comforte.com)
This is the best on this topic I have read in about a decade. Finally there might be hope for C-level folks to "get it" ???
Comments on that paper very welcome ...
Quoted, with permission, from https://securosis.com/blog/trends-in-data-centric-security-new-series
From the aforementioned white paper…
We focus on the HP NonStop platform. In fact, we just wrote a book about the platform – you can get it at http://www.comforte.com/ns4dummies
Along with many products for this platform, we have a product for data-centric security (you didn’t think you’d be getting away without a sales pitch, did you?).
It is about enabling existing (“legacy”) applications to replace PANs with tokens on HP NonStop. It is relatively new, but we do have folks in production. Wearing my vendor hat for a moment, I think that we are best equipped within the NonStop market to make this possible for legacy applications. Why is that:
- We have been doing this for a couple of years by now
- We have an open architecture, allowing you to use our own tokenization engine (which is blazingly fast!) or any (!) enterprise tokenization engine.
For more information about the product, please go to www.comforte.com/securdata or (recommended even more) look at our YouTube video series at http://youtu.be/-bnxPrdS0-0
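To make “replace PANs with tokens in a legacy application” concrete, here is an added example of vault-based tokenization; it is not comForte's SecurData or any product's code. It assumes a hypothetical fixed-width record with the PAN in the first 19 characters and a hypothetical “settlement” role as the only one allowed to detokenize.

```python
"""Vault-based PAN tokenization for a legacy fixed-width record (added example).

Not comForte's product code. The record layout, the vault and the role check
are hypothetical; the point is that the application keeps a token with the
PAN's length and last four digits, so existing field widths and screens keep
working, while the PAN itself exists only inside the vault.
"""
import secrets

PAN_FIELD = slice(0, 19)            # constructed layout: PAN left-justified in 19 chars
DETOKENIZE_ROLES = {"settlement"}   # hypothetical: only settlement may see real PANs


def luhn_valid(digits):
    """Standard Luhn check-digit validation over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens and back; the vault is the only place PANs live."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:              # same PAN -> same token, so joins still work
            return self._by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # keep last four digits for receipts/lookups
            # Design choice of this example: reject Luhn-valid candidates so a
            # leaked token is recognisably not a card number and cannot pass as
            # one. The collision check covers the (astronomically unlikely) repeat.
            if luhn_valid(token) or token in self._by_token:
                continue
            self._by_pan[pan] = token
            self._by_token[token] = pan
            return token

    def detokenize(self, token, role):
        """Return the PAN only for an authorised role; everything else stays tokenised."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def protect_record(vault, record):
    """Replace the PAN field of a legacy record with its token, width unchanged."""
    pan = record[PAN_FIELD].strip()
    token = vault.tokenize(pan)
    return token.ljust(PAN_FIELD.stop) + record[PAN_FIELD.stop:]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed record: the well-known test PAN 4111111111111111, then amount and currency.
    rec = "4111111111111111".ljust(19) + "000001999USD"
    safe = protect_record(vault, rec)
    print(rec)
    print(safe)
    print(vault.detokenize(safe[PAN_FIELD].strip(), "settlement"))
```

The vault now holds every PAN, so it belongs in the most tightly controlled zone; a memory-scraping foothold on a POS or back-office host that only ever handles tokens yields nothing worth selling.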
If you think you are secure – think again. You are not. Sorry. Please do not kill the messenger. It is all about getting the perception right – and spending money wisely and seeing this as a process…
We need to move from the Tootsie Roll security model (“hard on the outside, chewy on the inside”) to the Snickers security model (“crunchy on the inside” – data driven!).
comForte:
- HP NonStop for Dummies, just out – get it at http://www.comforte.com/ns4dummies
- Lots of expertise around HP NonStop systems
- Product for data-centric security for HP NonStop (“SecurData”, click on image). It also helps with PCI compliance. For more information about the product, please go to www.comforte.com/securdata or (recommended even more) look at our YouTube video series at http://youtu.be/-bnxPrdS0-0
- And, of course, http://www.comforte.com

Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 

Recently uploaded (20)

To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 

The attack against target - how was it done and how has it changed the security landscape

  • 5. OK, I told you about me and about my goals for today – time for you to answer some questions…
    • Who in the audience works for…
      • a vendor of computer software (maybe even security software!?)
      • a consulting company (small or large, one-man shows allowed)
      • a real “customer” or “user” (having the budget for the sponsors to go after): retailers, banks, other FIs
    • Result of quiz: a somewhat even distribution of all of the folks above
    copyright (2014) comForte 21 5
  • 7. The URL shown is a rather detailed write-up of the breach, including how the stolen credit card numbers are monetized in the “carder underground”. Highly recommended reading. The diagram “how the hackers broke in” is also from the article; we will now look at the steps in more detail. Download URL: http://www.businessweek.com/printer/articles/189573-missed-alarms-and-40-million-stolen-credit-card-numbers-how-target-blew-it
  • 8. This is the POS acquiring infrastructure at TARGET, showing only the core systems required for the processing of POS transactions. The system on the right is an HP NonStop system; see http://www.hp.com/go/nonstop for more information about the computing platform. We use the term “NonStop system” in the diagram for brevity. If these were the only systems, the breach at TARGET could not have happened in the same way. Note: the speaker got some heat from an HP NonStop guy who did not like “breach” and “HP NonStop” in the same sentence, especially since the breach did not happen “on” HP NonStop. Point well taken; however, don’t think your NonStop is safe (we’ll get to this bit later).
  • 9. This diagram shows more systems which are part of the larger TARGET infrastructure: two internal servers are used to process the back-office data collected at the point-of-sale systems. Also, an HVAC system (heating, ventilation, air conditioning) is remote-controlled by an external consultant.
  • 10. In the first step of the attack, the “bad guys” took over a web site an employee of the HVAC company was accessing. By doing so, they were able to obtain his username and password for that (unrelated) web site. Unfortunately, the employee used the same password to access the TARGET network for remote HVAC maintenance, so the attackers could simply log in with the reused credentials and were inside the TARGET network. Password reuse turns the breach of one unrelated site into a breach of every site sharing that password; a password alone was all the vendor access required.
  • 11. They then were able to ‘take over’ an internal server present at every TARGET store that had direct connectivity to the Windows-based POS systems.
  • 12. In the next step, they used the internal server to install specifically crafted malware onto the Windows POS systems.
  • 13. At this point in time, the malware installed on the POS systems was collecting the full data for each and every POS transaction. It used a well-known technique called “memory scraping”: the card data read from the POS device passes “through” the Windows POS system on its way to the NonStop system, and while it sits in cleartext in the memory of the POS process the malware reads that memory and searches it for track data. The final step is to get the data out of the internal TARGET network, and the attackers needed to be careful not to raise an alarm by opening new connections (an outgoing FTP connection from a store system to an unknown host on the Internet would almost certainly have raised alarms immediately). This final step is called “exfiltration”.
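How memory scraping finds card data, as an added example that is not part of the original presentation and not the code of any real POS malware: the scanner below greps a buffer for the magnetic-stripe Track 2 layout (`;PAN=YYMM…?`) and keeps only hits whose PAN passes the Luhn check. That is what a POS RAM scraper does once it has read another process's memory, and it is also what a DLP scan does over a memory dump or a file share, so the same code reads both ways. The sample “memory” bytes, the well-known test PANs and the function names are constructed for this example; the OS-specific part, reading another process's address space, is deliberately left out.

```python
import re

# Track 2 layout: start sentinel ';', 13-19 digit PAN, '=' separator, expiry YYMM,
# 3-digit service code, discretionary data, end sentinel '?'. Matched on raw bytes
# because that is what a scraper sees in another process's memory.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812 check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """Scan a memory region for Track 2 records whose PAN is Luhn-valid.

    Returns one dict per hit: pan, expiry (YYMM) and the byte offset in the region.
    """
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue            # regex noise: a serial number or timestamp, not a card
        hits.append({"pan": pan, "expiry": m.group("exp").decode("ascii"), "offset": m.start()})
    return hits


def mask_pan(pan: str) -> str:
    """Show first six and last four digits only (the display form PCI DSS permits)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a POS process's memory: two well-known test PANs in
# Track 2 form, one decoy that matches the regex but fails Luhn, and unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v3.1\x00\x00"
    b";4111111111111111=25121010000000000000?"    # Visa test PAN, Luhn-valid
    b"\x90\x90\x90log: txn ok\x00"
    b";1234567812345678=25121010000000000000?"    # fails Luhn: discarded
    b"\x00\x00"
    b";5555555555554444=26031011234567890123?"    # Mastercard test PAN, Luhn-valid
    b"\x00\xff\xff"
)

if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']:5d}  PAN {mask_pan(hit['pan'])}  expiry {hit['expiry']}")
```

Run it and the two Luhn-valid records are reported while the decoy is not. The defensive reading is the useful one: if this pattern matches anything in the memory of a POS host, cleartext card data exists there, which is exactly what end-to-end encryption from the card reader onwards is meant to rule out.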
  • 14. For exfiltration, the attackers were able to take over another internal server which was already shown on an earlier slide. That server was not in the “critical network zone” and hence its outgoing traffic was not monitored as closely as that of each TARGET store itself.
  • 15. In the final step, the attackers sent the data from the Windows POS systems to the internal server on the right, where they collected it for a while. They then sent the data to a few servers on the Internet and from there downloaded it to their own systems.
  • 16. Summary: five steps, each time hopping from one machine to the next. One should note the complexity of the attack: this is not a simple attack but one that requires careful advance planning as well as a lot of detail work during the ‘execution’ stage.
  • 17. As companies improve their defenses, attacks require more and more steps to succeed. This is why “defense in depth” is such an important concept: the defender only needs to prevent a single step of the attack to thwart it. Here are a few measures, each of which could have prevented the specific attack carried out successfully against TARGET:
    • Preventing distribution and installation of the malware onto the POS systems:
      • Better segmentation of the in-store network
      • Strong authentication for vendor access
      • Actually looking at the incident logs of the advanced attack detection tool (“FireEye”, see the Businessweek article for details)
      • Setting FireEye to “block” rather than “alert”
    • Using end-to-end encryption between the POS reading device and the acquiring system, so that the card data never exists in cleartext on the Windows POS system and memory scraping yields nothing usable.
    • Detecting and blocking the outbound traffic in which the confidential data was transferred to servers outside of Target's store network.
    (It should be noted that these measures are by no means a comprehensive security architecture; they are the few pieces of a whole defense-in-depth strategy that would have made the difference.)
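The last measure on the list, detecting the outbound traffic, as an added example that is not from the presentation and is neither Target's nor FireEye's logic: a small egress detector run over constructed firewall log lines. The zone layout assumes what the diagrams show, an in-store zone whose systems should never talk to the Internet directly, a back-office zone whose servers may reach only an allowlisted partner range, and everything else external. The addresses, log format, allowlist, byte threshold and rule names are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed network policy. Internal zones as on the slides; anything outside
# them is "the Internet". All ranges, ports and thresholds are hypothetical.
ZONES = {
    "store": ipaddress.ip_network("10.20.0.0/16"),       # registers and in-store servers
    "backoffice": ipaddress.ip_network("10.30.0.0/16"),  # internal servers outside the store zone
}
NO_EGRESS_ZONES = {"store"}                              # store systems never reach the Internet directly
EGRESS_ALLOWLIST = {                                    # external network -> permitted destination ports
    ipaddress.ip_network("198.51.100.0/24"): {443},     # hypothetical acquirer / partner range
}
BULK_THRESHOLD = 10 * 1024 * 1024                       # bytes per (src, dst) pair within the log window


def parse_line(line: str) -> dict:
    """Parse '<timestamp> key=value ...' firewall records (constructed format)."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def zone_of(ip):
    """Name of the internal zone containing ip, or None if the address is external."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def allowlisted(dst, dport) -> bool:
    return any(dst in net and dport in ports for net, ports in EGRESS_ALLOWLIST.items())


def detect_exfiltration(lines, bulk_threshold=BULK_THRESHOLD) -> list:
    """Return deduplicated (rule, src, dst) alerts for Internet-bound traffic.

    Rules: egress from a zone that may not egress at all; egress to a destination
    or port outside the allowlist; FTP to the outside; and cumulative outbound
    volume per (src, dst) above the threshold, which catches a staged bulk copy
    even when each individual connection looks small.
    """
    alerts = {}                     # dict keyed by alert tuple, used as an ordered set
    volume = defaultdict(int)
    for line in lines:
        r = parse_line(line)
        src_zone = zone_of(r["src"])
        if src_zone is None or zone_of(r["dst"]) is not None:
            continue                # inbound or internal-to-internal: not egress
        src, dst = str(r["src"]), str(r["dst"])
        volume[(src, dst)] += r["bytes_out"]
        if src_zone in NO_EGRESS_ZONES:
            alerts[("egress-from-no-egress-zone", src, dst)] = None
            continue
        if not allowlisted(r["dst"], r["dport"]):
            alerts[("egress-not-allowlisted", src, dst)] = None
        if r["dport"] == 21:
            alerts[("ftp-egress", src, dst)] = None
    for (src, dst), total in volume.items():
        if total > bulk_threshold:
            alerts[("bulk-egress", src, dst)] = None
    return list(alerts)


# Constructed log lines: a register talking to its in-store server, a back-office
# server talking to the allowlisted partner, then the staging server pushing data
# to an unknown Internet host over FTP in two chunks, and a store host doing the same.
SAMPLE_LOG = [
    "2013-12-02T03:14:07Z src=10.20.5.17 dst=10.20.5.10 dport=445 proto=tcp bytes_out=4096 action=allow",
    "2013-12-02T03:15:11Z src=10.30.1.25 dst=198.51.100.7 dport=443 proto=tcp bytes_out=20480 action=allow",
    "2013-12-02T03:16:02Z src=10.30.1.25 dst=203.0.113.45 dport=21 proto=tcp bytes_out=8388608 action=allow",
    "2013-12-02T03:21:40Z src=10.30.1.25 dst=203.0.113.45 dport=21 proto=tcp bytes_out=7340032 action=allow",
    "2013-12-02T03:22:09Z src=10.20.5.10 dst=203.0.113.45 dport=80 proto=tcp bytes_out=512 action=allow",
]

if __name__ == "__main__":
    for rule, src, dst in detect_exfiltration(SAMPLE_LOG):
        print(f"{rule:28s} {src} -> {dst}")
```

The staging hop of the attack shows up as four alerts: a back-office server talking to a host that is not on the allowlist, over FTP, with a cumulative volume past the threshold, plus a store-zone host reaching the same external address, which per policy should never happen at all. Whether such an alert blocks the connection or only logs it is the same choice the slide makes for FireEye: only the block keeps the data from leaving.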
  • 18. Quiz and results:
    • Who knows what an APT is? (Few. APT stands for Advanced Persistent Threat; see the presentation http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks on SlideShare.)
    • Who knew all the gory details of this attack? (About a third of the audience.)
    • Who knows what DLP is? (Few. It stands for Data Loss Prevention; in a nutshell this is about avoiding data being leaked, via technical means.)
    • Who knows what Data Centric Security is? (Very few. This will be talked about later.)
  • 20. Let’s first look at the security landscape before ca. 2005:
    • The defenders had appropriate tools (antivirus, firewalls)
    • The attackers were mostly harmless and well-meaning
  • 21. Only five years later, but big changes in the ‘real world’ (!). We’ll talk about CEO perceptions later.
    • The attackers are plenty, skilled and motivated
    • No real change on the defender side
    • The defenders are very often busy with something else, understaffed and underfunded
  • 22. Only another four years later!
    • The attackers are plenty, skilled and motivated, much more so (APT)
    • Again, no real change on the defender side
    • Still, the defenders are very often busy with something else, understaffed and underfunded
    Question from the title, “How has the attack on Target changed the computer security landscape?” Answer: technically, not at all. Perception: next slide.
  • 23. This discussion on LinkedIn started with a rather insightful blog entry (more on this below) and turned into very interesting reading; I’d recommend looking at the whole thread (which keeps growing, 45 comments as of 29 Sep 2014). Link to discussion: https://www.linkedin.com/groups/Current-State-PCI-66587.S.5917749052983771136?view=&gid=66587&item=5917749052983771136&type=member&commentID=discussion%3A5917749052983771136%3Agroup%3A66587&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_FOLLOWED#commentID_discussion%3A5917749052983771136%3Agroup%3A66587 The aforementioned blog entry is at http://www.tenable.com/blog/the-current-state-of-pci.
  • 24. Quoted, with permission, from http://www.tenable.com/blog/the-current-state-of-pci. Highly recommended reading!
  • 25. Quoted, with permission, from http://www.tenable.com/blog/the-current-state-of-pci. Highly recommended reading! It is paraphrased nicely in the discussion by Mark Faithfull, Interim Technology Leader, Founder & CEO www.textsquirt.com (quoted): The key section of the article by Jeff Mann is this: The PCI DSS, as a set of security requirements, does not presume that organizations will not be breached, but rather tries to set organizations up for detecting the compromise early, and hopefully minimizing the damage. This is the key message we need to evangelise: to move PCI from being a 'compliance' based project and instead get business leaders thinking more in terms of: We will get breached, we better get ourselves organised so we can spot it the day it happens. To this end, the PCI framework does provide a lot of helpful guidance for businesses who don't have that security infrastructure in place at the moment. The most telling fact about the recent high profile breaches is the length of time intruders are in the merchant systems before these big breaches are discovered, which to me means the 'business as usual' of living the PCI life is not in place in these organisations.
  • 26. Quoted (with permission) from a LinkedIn discussion in the “PCI Network - The World's Largest Payment Card Industry Group” group. The discussion started with the following blog entry: http://www.tenable.com/blog/the-current-state-of-pci (highly recommended reading). Link to discussion: https://www.linkedin.com/groups/Current-State-PCI-66587.S.5917749052983771136?view=&gid=66587&item=5917749052983771136&type=member&commentID=discussion%3A5917749052983771136%3Agroup%3A66587&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_FOLLOWED#commentID_discussion%3A5917749052983771136%3Agroup%3A66587
  • 27. So far we looked at changes in the industry. The speaker believes that while the ATTACK SCENARIOS have radically changed (“improved” from the point of view of the attacker), the DEFENSE SCENARIOS have not. We’ll look at the ‘defense scenarios’ in a second. The speaker has been thinking about this question for years, maybe decades. He still isn’t sure, but he feels he is closing in (?). So, here is the most important slide of this presentation. Why are the bad guys winning? (drum roll, slide still blank)
    (1) There is a HUGE difference between the perception of computer security among the non-computer-security-geeks (about 99.999 % of the general population) and the computer-security-geeks. The problem is that to see the problem you have to be very geeky. There are excellent classes on this by SANS; they will turn you from the 99.999 % into the 0.0001 % within a week. I did this 10 years ago and became a convert. The class SEC401: Security Essentials Bootcamp Style is a class I cannot recommend highly enough; it does take a week and it does cost about US$ 5000, but it is worth every $. See www.sans.org for details.
    (2) Anyway, here is how most people perceive computer security (image shows): Most importantly, they don’t care. They have a life and other things to worry about. Also, overall it can’t be that bad: my company has not been hacked yet. I have not been hacked yet. The industry will take care. …
  • 28. So here is what the “security geeks” are perceiving… Drum roll… Image appears. I spent the last 14 years of my life learning about computer security. I am still learning every day. Why do I think this way?
    (1) In most life scenarios, getting “99 % right” is good. In computer security it can be disastrous.
    (2) There is no silver bullet. Repeat after me: there is no silver bullet. It is hard.
    (3) Translation of “it is hard”:
      (1) It will be expensive. Ramp up the budget.
      (2) It is beyond products (although some vendors might tell you so).
      (3) It is an arms race. New attacks are coming out every day.
    (4) Most of us have a life and other things to do than securing their computers…
    Back to the bitcoin story: If I had EUR 100,000 k in Bitcoins… I’d sell them real fast. But let’s say I couldn’t; what would I do? Here’s what:
    - Buy a new computer. Most probably not Windows or Mac
    - Set up a bitcoin wallet
    - Take it off the Internet and never connect it again (!!!)
    - Move data only through freshly formatted USB sticks
    - Side note: modern bitcoin wallets allow you to do just that
  • 30. Let’s take a moment to think about the message so far. Shouldn’t we simply give up hope?
  • 31. Ignore the issue, or… hope that it does not happen to you, or… do something. Nope, there are ways to cope.
  • 32. About 20 years ago, users would connect to “big iron” (mainframe-type computers) using dedicated terminals which had no other functionality than to access the system. Today, PCs are used to connect to HP NonStop systems and administer them. The big problem with this is that many core security principles are based on so-called “user authentication”: making sure the NonStop knows which user is currently connecting. Historically, there have been many means of using this information for “authorization”, namely deciding who can do what (and who can NOT do what). This has worked well over the years, but most attacks, including the one on TARGET, show that attackers are able to “0wn” (hacker lingo for “own”) any PC or midrange server in the organization. An “0wned” PC is effectively remote-controlled by the bad guys, and with that user authentication is broken: whatever the legitimate user may do on the NonStop from that PC, the attacker can now do as well, so authentication should not be relied on as strongly as it has been. This knowledge is widespread in the security community, but unfortunately it is not that widespread outside of it.
  • 33. https://en.wikipedia.org/wiki/Tootsie_Roll , supposedly this is “hard on the outside, chewy on the inside”. Image credits: see Wikipedia link above and/or https://upload.wikimedia.org/wikipedia/commons/thumb/0/02/Tootsie-Roll-WU.jpg/220px-Tootsie-Roll-WU.jpg [[Tootsie-Roll-WU, CC BY-SA 3.0, Evan-Amos, own work]]. The Tootsie Roll security model (hard perimeter, chewy inside) is badly broken!!! (Look at the Target attack…)
  • 34. See also http://technodrone.blogspot.com/2014/07/m-snickers-and-security-in-cloud.html or http://networkingnerd.net/2014/07/15/security-dessert-models/ or http://www.computer.org/csdl/mags/sp/2005/05/j5004.pdf, a white paper from 2005 (sic!). Image credit: see https://en.wikipedia.org/wiki/File:Snickers_wrapped.jpg
  • 35. IMHO, "we", the IT geeks and/or the industry, have horribly failed in making executives aware of what is at stake. Also, I am *not* aware of a proper translation of "IT risk" and "protective technical measures" into "value from C-level view". That said, I just came upon a most wonderful white paper from IBM, Elevating the Discussion on Security Management: The Data Centric Paradigm, downloadable at https://www.google.fi/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCEQFjAA&url=http%3A%2F%2Fwww.researchgate.net%2Fpublication%2F4257215_Elevating_the_Discussion_on_Security_Management_The_Data_Centric_Paradigm%2Flinks%2F0deec51b8afeb363fe000000&ei=LxQoVPDHIcHkaoL7gKgJ&usg=AFQjCNGAqVHURFbcqxwnCt54C5tWDPDj6w&bvm=bv.76247554,d.d2s (if you find an easier link, let me know at t.burg@comforte.com). This is the best on this topic I have read in about a decade. Finally there might be hope for C-level folks to "get it"???
  • 36. Comments on that paper very welcome ...
  • 37. Quoted, with permission, from https://securosis.com/blog/trends-in-data-centric-security-new-series
  • 38. From the aforementioned white paper…
  • 40. We focus on the HP NonStop platform. In fact, we just wrote a book about the platform; you can get it at http://www.comforte.com/ns4dummies. Along with many products for this platform, we have a product for data-centric security (you didn’t think you’d be getting away without a sales pitch, did you?). It is about enabling existing (“legacy”) applications to replace PANs with tokens on HP NonStop. It is relatively new, but we do have folks in production. Wearing my vendor hat for a moment, I think that we are best equipped within the NonStop market to make this possible for legacy applications. Why is that:
    - We have been doing this for a couple of years by now
    - We have an open architecture, allowing you to use our own tokenization engine (which is blazingly fast!) or any (!) enterprise tokenization engine
    For more information about the product, please go to www.comforte.com/securdata or (recommended even more) look at our YouTube video series at http://youtu.be/-bnxPrdS0-0
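What replacing PANs with tokens looks like inside a legacy record, as an added example for the data-centric security slides above: this is illustrative code written for this page, not SecurData and not comForte's tokenization engine. It is a vault-based, format-preserving scheme: the token keeps the PAN's length and last four digits so fixed-width record layouts, receipts and reports keep working, the same PAN always maps to the same token so joins and lookups still work, and only the vault can map a token back. The in-memory vault and the fixed-width record layout (PAN padded to 19, then expiry, then amount) are hypothetical.

```python
import secrets

PAN_FIELD = slice(0, 19)     # hypothetical legacy fixed-width layout: PAN padded to 19 chars,
                             # then expiry YYMM (4 chars), then amount in cents (10 chars)


def is_pan_format(s: str) -> bool:
    """13 to 19 digits, the PAN lengths allowed by ISO/IEC 7812."""
    return s.isdigit() and 13 <= len(s) <= 19


class TokenVault:
    """Maps PANs to random, format-preserving tokens and back.

    The token keeps the PAN's length and last four digits (what receipts and
    customer service need) and randomizes every other digit, so nothing about the
    real card can be recovered from the token without this vault.
    """

    def __init__(self):
        self._token_by_pan = {}
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not is_pan_format(pan):
            raise ValueError("not a PAN")
        if pan in self._token_by_pan:            # same PAN, same token: joins and lookups keep working
            return self._token_by_pan[pan]
        while True:
            random_part = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = random_part + pan[-4:]
            # a token must never equal a real PAN in the vault or collide with another token
            if token != pan and token not in self._pan_by_token and token not in self._token_by_pan:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; raises KeyError for an unknown token."""
        return self._pan_by_token[token]


def tokenize_record(record: str, vault: TokenVault) -> str:
    """Replace the PAN in a fixed-width legacy record; the record length is unchanged."""
    pan = record[PAN_FIELD].strip()
    token = vault.tokenize(pan)
    return token.ljust(PAN_FIELD.stop) + record[PAN_FIELD.stop:]


if __name__ == "__main__":
    vault = TokenVault()
    record = "4111111111111111".ljust(19) + "2512" + "0000001999"   # constructed sample record
    print(record)
    print(tokenize_record(record, vault))
```

Everything downstream of the vault stores only the token, so a memory scraper or a dump of those systems yields digit strings that are worthless without the vault; the vault becomes the one place that needs the hard controls, which is the point of the data-centric model. Some schemes additionally make tokens fail the Luhn check on purpose so they cannot be mistaken for live PANs; that variant is not implemented here.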
  • 41. If you think you are secure, think again. You are not. Sorry. Please do not kill the messenger. It is all about getting the perception right, spending money wisely and seeing this as a process… We need to move from the Tootsie Roll security model (“hard on the outside, chewy on the inside”) to the Snickers security model (“crunchy on the inside”, data driven!). comForte:
    - HP NonStop for Dummies, just out; get it at http://www.comforte.com/ns4dummies
    - Lots of expertise around HP NonStop systems
    - Product for data-centric security for HP NonStop (“SecurData”, click on image). It also helps with PCI compliance. For more information about the product, please go to www.comforte.com/securdata or (recommended even more) look at our YouTube video series at http://youtu.be/-bnxPrdS0-0
    - And, of course, http://www.comforte.com