SlideShare a Scribd company logo

Window of Compromise

SecurityMetrics
SecurityMetrics

The document discusses how reducing the "window of compromise" can limit damage from data breaches. It defines the window of compromise as starting when an intruder accesses a network and ending when the breach is contained. On average, vulnerabilities exist for 470 days before exploitation, and then card data is captured for another 176 days. The document provides recommendations for organizations to reduce this window through early detection methods like logging, security testing, employee training, and continual protection measures.

Business
1 of 8
Download to read offline
WINDOW OF COMPROMISE White Paper Limit damage caused to your cardholder data environment © 2015 SecurityMetrics
Window of Compromise - 1 CYBER ATTACK PROCESS The cyber attack process is simple. First, the business has a vulnerability, a flaw or weakness that can be exploited. Second, the attacker exploits the vulnerability and accesses the system. Third, the attacker sets up a way to capture cardholder data. Finally, the attacker exfiltrates the data for illegal use. Decreasing the window of compromise time decreases the amount of cardholder data captured and exfiltrated, hope- fully avoiding compromise all together. In recent years data breaches have been highly publicized, especially with so many big brands involved. However, data breaches were by no means limited to the well-publicized large industries. In fact, the Ponemon Institute reported that 43% of all US companies experienced a data breach of some sort in the past year. Based on 2014 data collected by SecurityMet- rics Forensic Investigators, the average breached merchant was vulnerable for 618 days. That’s a lot of time for attackers to find vulnerabilities and exploit them to their benefit. Nearly every business in America is going to experience cyber attacks from a variety of sources. Many merchants are vulnerable (meaning there is a system, environment, software, or website weakness that can be exploited by at- tackers) from the day their environment was set up. In other cases, a merchant becomes vulnerable because they fail to apply a security patch or update, or they make modifications to their systems without also properly updating related security protocols. On average, it took 470 days from a time the merchant had a vulnerability in their environment, to the time an attacker was able to compromise the system (the beginning of the window of compromise). Attackers were then able to capture cardholder data for an average of 176 days. That is plenty of time for an attacker to damage your brand. WINDOW OF COMPROMISE LIMIT DAMAGE CAUSED TO YOUR CARDHOLDER DATA ENVIRONMENT When we refer to the window of compromise, it starts from the date an intruder accesses a business network and ends when the breach is contained by some act of security remediation on part of the merchant.
Window of Compromise - 2 HACKER TRENDS: CARD DATA AGGREGATION The seemingly high number of days that card data was compromised in 2014 (average 176 days) may be attributed to an aggregation method often employed by card data thieves. The aggregation method prevents card brands from flagging Common Points of Purchase (CPP, a method used by card brands and banks to identify potential mali- cious account activity) too early, which would expose the data breach much sooner, thus bringing a quicker end to the card data loss and greatly limiting the use of stolen credit card accounts. Attackers have been known to aggregate card data from scraping or other tools without using or sell- ing the data for four to six months (after six months, some payment card data begins expiring).
Window of Compromise - 3 DECREASE YOUR WINDOW OF COMPROMISE When an environment isn’t actively monitored, breaches are more likely to go undetected for longer periods of time. As such, an ounce of protection really is worth more than a pound of cure. The sooner a breach is detected, the less damage an attacker can do to a business. The goal of each business should be to create and practice the neces- sary procedures to protect against and warn of abnormal behavior in an environment. LOGGING/AUDIT TRAILS AND SUSPICIOUS ACTIVITY From a forensic point of view, logs and audit trails are crucial to proving how, or if an organization was compro- mised. Keeping track of critical actions (e.g., access to files, login attempts, etc.) can help identify key elements of an attack. Logs can track actions to an individual user and can help determine suspicious activity. Assigning unique user identification also helps create an atmosphere of account- ability and can help deter internal system abuse. Once suspicious activity has been defined within an envi- ronment, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be configured to give notifi- cation of suspicious activity that might indicate an attack. Change detection programs, like file integrity monitoring (FIM) are especially useful for ecommerce environments because they track the original state of a file and report any changes, such as when an attacker hides malware within an otherwise legitimate file or application. WINDOW OF COMPROMISE DATA 0 200 400 600 800 1000 Averagenumberofdays Vulnerable Cardholder data was captured Data was exfiltrated 2013 2014
Window of Compromise - 4 Sadly, in a few instances, SecurityMetrics Forensic Inves- tigators have discovered that the investigated merchant previously knew of the vulnerabilities that led to a breach. However, the merchant did not give sufficient priority to enhancing their IT security by spending the necessary time and money to correct it as soon as the weakness was identified. In the end, the merchant paid for the cost of a mandated forensic investigation, fines from their bank, fees from credit card issuers and card brands, as well as paying to bring their IT security up to par. Their failure to correct the weak link in their system when they first learned of it cost them vastly more than if they had made a proactive correction. SECURITY TESTING The two major types of vulnerability testing that should be performed to reduce the window of compromise are penetration testing and vulnerability scans. In the case of custom, in-house applications, code testing and independent internal penetration testing can expose many of the weaknesses commonly found in application code (especially the home-grown varieties) and is the best first line of defense in identifying vulnerabilities before the application is put into use. Having code and function tested by objective third parties helps find vul- nerabilities that otherwise might have been missed. Vulnerability scans are automated, affordable, high-level tests that identify certain weaknesses in network struc- tures. Robust vulnerability scans can identify more than 50,000 unique external weaknesses. In addition to locating and reporting vulnerabilities, typical vulnerability scans also encourage a recurring and reliable process for repair- ing discovered problems. After a scan completes, the need to repair located vulnerabilities goes without saying. DocumentsDocuments
Window of Compromise - 5 SECURITY POLICY AND EMPLOYEE TRAINING One pitfall, of even the most protected environment, involves the introduction of malicious content by human error. Activities as simple as employee email access or unauthorized Internet browsing can allow paths to and from untrusted networks. Merchants often inadvertently introduce malware into their systems through email attachments, downloads, or USB drives by simply opening them; unaware of the threat they just allowed into their system. Creating, instructing on, and enforcing a sound security policy is the best way to secure an environment from employee error that could negate the effectiveness of security measures that might already be in place. RISK-ASSESSMENT AND MANAGEMENT: VULNERABILITY VS. EXPLOITABILITY Creating a vulnerability management plan is central to decreasing the window of compromise. This process will help identify, classify, remediate, and lessen future instances of vulnerabilities. However, just because a system is vulnerable does not mean it is exploitable, or even likely to be exploited. Some vulnerabilities may require such a large number of pre- conditions that the chance of a successful attack occur- ring is virtually none. Identifying (per the guidelines of PCI DSS Requirement 6) the differing levels of exploitability should help an organization prioritize the actions they will take in enhancing their IT security based on each vulnera- bility’s perceived threat and risk level. “No matter the advances in security technology and re- gardless of increased government cyber security initia- tives and regulations, attackers are not going to abandon their pursuit for unprotected payment card data.” –David Ellis, SecurityMetrics Director of Forensic Investigations
Window of Compromise - 6 TAKEAWAYS EARLY DETECTION AND CONTINUAL PROTECTION Carefully tracking and managing an environment will help with early detection of a breach and has the potential to decrease the window of compromise and thereby mitigate damage caused to your environment. To decrease your window of compromise, make sure to: • Perform security testing on environments to identify vulnerabilities. • Develop well-crafted IT security policies to ensure all employees are aware of their responsibilities with respect to the security policy. • Practice a process to address security vulnerabilities by order of importance. • Take the time to maintain detailed logs that can be tracked back to individual users to help identify suspi- cious activity. • Once you’ve collected logs, regularly review them and configure IDS/IPS and FIM to help keep watch over your environment. Remember, if you are actively meeting the Payment Card Industry Data Security Standard requirements you will already be implementing these important security measures.
Window of Compromise - 7 ABOUT SECURITYMETRICS SecurityMetrics has tested over one million payment systems for data security and compliance mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff—we’ve got compliance covered. For questions about your PCI DSS compliance situation, please contact SecurityMetrics: CONSULTING@SECURITYMETRICS.COM OR 801.705.5656

Recommended

VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus Cloud
Swapna Shetye
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
Constantine Karbaliotis
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
AlienVault
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
newbie2019
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Cybersecurity: How Safe Is Your Organization?
Cybersecurity: How Safe Is Your Organization?Cybersecurity: How Safe Is Your Organization?
Cybersecurity: How Safe Is Your Organization?
CBIZ, Inc.
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital world
netwealthInvest
 

Recommended

VAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus CloudVAPT- A Service on Eucalyptus Cloud
VAPT- A Service on Eucalyptus Cloud
Swapna Shetye
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
Constantine Karbaliotis
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
AlienVault
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
newbie2019
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Cybersecurity: How Safe Is Your Organization?
Cybersecurity: How Safe Is Your Organization?Cybersecurity: How Safe Is Your Organization?
Cybersecurity: How Safe Is Your Organization?
CBIZ, Inc.
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital world
netwealthInvest
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider Threat
Andrew Case
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
Thomas Christopher Ty
 
SME Cyber Insurance
SME Cyber Insurance SME Cyber Insurance
SME Cyber Insurance
Netpluz Asia Pte Ltd
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
ARUN REDDY M
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
IBM Security
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Ben Rothke
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
Quick Heal Technologies Ltd.
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data Protection
UthsoNandy
 
Why Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level PriorityWhy Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level Priority
David Mai, MBA
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
CMR WORLD TECH
 
You will be breached
You will be breachedYou will be breached
You will be breached
Mike Saunders
 
Unintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric ColeUnintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric Cole
David Mai, MBA
 
Cybersecurity a short business guide
Cybersecurity a short business guideCybersecurity a short business guide
Cybersecurity a short business guide
larry1401
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAY
James Ryan, CSyP, EA, PMP
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
banerjeea
 
Information security
Information securityInformation security
Information security
Onkar Sule
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
CSNP
 
Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service
Netpluz Asia Pte Ltd
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
Brian Honan
 
Conflict and Compromise in History
Conflict and Compromise in HistoryConflict and Compromise in History
Conflict and Compromise in History
jonathankettel
 
How to write effectively about encountering conflict
How to write effectively about encountering conflictHow to write effectively about encountering conflict
How to write effectively about encountering conflict
jpinnuck
 

More Related Content

What's hot

Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
IBM Security
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
banerjeea
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
 

What's hot (20)

Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider Threat
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
SME Cyber Insurance
SME Cyber Insurance SME Cyber Insurance
SME Cyber Insurance
 
VAPT Infomagnum
VAPT InfomagnumVAPT Infomagnum
VAPT Infomagnum
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
Network Security of Data Protection
Network Security of Data ProtectionNetwork Security of Data Protection
Network Security of Data Protection
 
Why Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level PriorityWhy Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level Priority
 
Getting ahead of compromise
Getting ahead of compromiseGetting ahead of compromise
Getting ahead of compromise
 
You will be breached
You will be breachedYou will be breached
You will be breached
 
Unintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric ColeUnintentional Insider Threat featuring Dr. Eric Cole
Unintentional Insider Threat featuring Dr. Eric Cole
 
Cybersecurity a short business guide
Cybersecurity a short business guideCybersecurity a short business guide
Cybersecurity a short business guide
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAY
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
Information security
Information securityInformation security
Information security
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
 
Aon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation StrategiesAon Ransomware Response and Mitigation Strategies
Aon Ransomware Response and Mitigation Strategies
 
Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service Netpluz Managed SOC - MSS Service
Netpluz Managed SOC - MSS Service
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 

Viewers also liked

Conflict and Compromise in History
Conflict and Compromise in HistoryConflict and Compromise in History
Conflict and Compromise in History
jonathankettel
 
Phenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave AldridgePhenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave Aldridge
The Higher Education Academy
 

Viewers also liked (6)

Conflict and Compromise in History
Conflict and Compromise in HistoryConflict and Compromise in History
Conflict and Compromise in History
 
How to write effectively about encountering conflict
How to write effectively about encountering conflictHow to write effectively about encountering conflict
How to write effectively about encountering conflict
 
Phenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave AldridgePhenomenology: What is it and where does it fit? - Dave Aldridge
Phenomenology: What is it and where does it fit? - Dave Aldridge
 
Compromise Of 1850
Compromise Of 1850Compromise Of 1850
Compromise Of 1850
 
Conflict management
Conflict managementConflict management
Conflict management
 
Phenomenology
PhenomenologyPhenomenology
Phenomenology
 

Similar to Window of Compromise

cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
Paul Ferrillo
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
sraina2
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
DMIMarketing
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
EY
 

Similar to Window of Compromise (20)

What's behind a cyber attack
What's behind a cyber attackWhat's behind a cyber attack
What's behind a cyber attack
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
 
The challenges of Retail Security
The challenges of Retail SecurityThe challenges of Retail Security
The challenges of Retail Security
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
SMS Security Unleashed: Your Toolkit for Bulletproof Fraud Detection!
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
IT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligenceIT Executive Guide to Security Intelligence
IT Executive Guide to Security Intelligence
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Enhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 datasetEnhanced method for intrusion detection over kdd cup 99 dataset
Enhanced method for intrusion detection over kdd cup 99 dataset
 
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
Denis Hackett M.Sc. - IDC Presentation Sept 2014 Croke Park Sept25 - Denis Ha...
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 

More from SecurityMetrics

The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
SecurityMetrics
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
SecurityMetrics
 

More from SecurityMetrics (20)

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java Script
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
 

Recently uploaded

NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
Khaled Al Awadi
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
Workforce Group
 
Cracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptxCracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptx
Workforce Group
 

Recently uploaded (20)

Unlock Your TikTok Potential: Free TikTok Likes with InstBlast
Unlock Your TikTok Potential: Free TikTok Likes with InstBlastUnlock Your TikTok Potential: Free TikTok Likes with InstBlast
Unlock Your TikTok Potential: Free TikTok Likes with InstBlast
 
Transforming Max Life Insurance with PMaps Job-Fit Assessments- Case Study
Transforming Max Life Insurance with PMaps Job-Fit Assessments- Case StudyTransforming Max Life Insurance with PMaps Job-Fit Assessments- Case Study
Transforming Max Life Insurance with PMaps Job-Fit Assessments- Case Study
 
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
NewBase 24 May 2024 Energy News issue - 1727 by Khaled Al Awadi_compresse...
 
Did Paul Haggis Ever Win an Oscar for Best Filmmaker
Did Paul Haggis Ever Win an Oscar for Best FilmmakerDid Paul Haggis Ever Win an Oscar for Best Filmmaker
Did Paul Haggis Ever Win an Oscar for Best Filmmaker
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deckPitch Deck Teardown: RAW Dating App's $3M Angel deck
Pitch Deck Teardown: RAW Dating App's $3M Angel deck
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
 
TriStar Gold Corporate Presentation May 2024
TriStar Gold Corporate Presentation May 2024TriStar Gold Corporate Presentation May 2024
TriStar Gold Corporate Presentation May 2024
 
LinkedIn Masterclass Techweek 2024 v4.1.pptx
LinkedIn Masterclass Techweek 2024 v4.1.pptxLinkedIn Masterclass Techweek 2024 v4.1.pptx
LinkedIn Masterclass Techweek 2024 v4.1.pptx
 
The Inspiring Personality To Watch In 2024.pdf
The Inspiring Personality To Watch In 2024.pdfThe Inspiring Personality To Watch In 2024.pdf
The Inspiring Personality To Watch In 2024.pdf
 
Special Purpose Vehicle (Purpose, Formation & examples)
Special Purpose Vehicle (Purpose, Formation & examples)Special Purpose Vehicle (Purpose, Formation & examples)
Special Purpose Vehicle (Purpose, Formation & examples)
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
 
HR and Employment law update: May 2024.
HR and Employment law update: May 2024.HR and Employment law update: May 2024.
HR and Employment law update: May 2024.
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
 
India’s Recommended Women Surgeons to Watch in 2024.pdf
India’s Recommended Women Surgeons to Watch in 2024.pdfIndia’s Recommended Women Surgeons to Watch in 2024.pdf
India’s Recommended Women Surgeons to Watch in 2024.pdf
 
Cracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptxCracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptx
 
Luxury Artificial Plants Dubai | Plants in KSA, UAE | Shajara
Luxury Artificial Plants Dubai | Plants in KSA, UAE | ShajaraLuxury Artificial Plants Dubai | Plants in KSA, UAE | Shajara
Luxury Artificial Plants Dubai | Plants in KSA, UAE | Shajara
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
 
Understanding UAE Labour Law: Key Points for Employers and Employees
Understanding UAE Labour Law: Key Points for Employers and EmployeesUnderstanding UAE Labour Law: Key Points for Employers and Employees
Understanding UAE Labour Law: Key Points for Employers and Employees
 

Window of Compromise

  • 1. WINDOW OF COMPROMISE White Paper Limit damage caused to your cardholder data environment © 2015 SecurityMetrics
  • 2. Window of Compromise - 1 CYBER ATTACK PROCESS The cyber attack process is simple. First, the business has a vulnerability, a flaw or weakness that can be exploited. Second, the attacker exploits the vulnerability and accesses the system. Third, the attacker sets up a way to capture cardholder data. Finally, the attacker exfiltrates the data for illegal use. Decreasing the window of compromise time decreases the amount of cardholder data captured and exfiltrated, hope- fully avoiding compromise all together. In recent years data breaches have been highly publicized, especially with so many big brands involved. However, data breaches were by no means limited to the well-publicized large industries. In fact, the Ponemon Institute reported that 43% of all US companies experienced a data breach of some sort in the past year. Based on 2014 data collected by SecurityMet- rics Forensic Investigators, the average breached merchant was vulnerable for 618 days. That’s a lot of time for attackers to find vulnerabilities and exploit them to their benefit. Nearly every business in America is going to experience cyber attacks from a variety of sources. Many merchants are vulnerable (meaning there is a system, environment, software, or website weakness that can be exploited by at- tackers) from the day their environment was set up. In other cases, a merchant becomes vulnerable because they fail to apply a security patch or update, or they make modifications to their systems without also properly updating related security protocols. On average, it took 470 days from a time the merchant had a vulnerability in their environment, to the time an attacker was able to compromise the system (the beginning of the window of compromise). Attackers were then able to capture cardholder data for an average of 176 days. That is plenty of time for an attacker to damage your brand. WINDOW OF COMPROMISE LIMIT DAMAGE CAUSED TO YOUR CARDHOLDER DATA ENVIRONMENT When we refer to the window of compromise, it starts from the date an intruder accesses a business network and ends when the breach is contained by some act of security remediation on part of the merchant.
  • 3. Window of Compromise - 2 HACKER TRENDS: CARD DATA AGGREGATION The seemingly high number of days that card data was compromised in 2014 (average 176 days) may be attributed to an aggregation method often employed by card data thieves. The aggregation method prevents card brands from flagging Common Points of Purchase (CPP, a method used by card brands and banks to identify potential mali- cious account activity) too early, which would expose the data breach much sooner, thus bringing a quicker end to the card data loss and greatly limiting the use of stolen credit card accounts. Attackers have been known to aggregate card data from scraping or other tools without using or sell- ing the data for four to six months (after six months, some payment card data begins expiring).
  • 4. Window of Compromise - 3 DECREASE YOUR WINDOW OF COMPROMISE When an environment isn’t actively monitored, breaches are more likely to go undetected for longer periods of time. As such, an ounce of protection really is worth more than a pound of cure. The sooner a breach is detected, the less damage an attacker can do to a business. The goal of each business should be to create and practice the neces- sary procedures to protect against and warn of abnormal behavior in an environment. LOGGING/AUDIT TRAILS AND SUSPICIOUS ACTIVITY From a forensic point of view, logs and audit trails are crucial to proving how, or if an organization was compro- mised. Keeping track of critical actions (e.g., access to files, login attempts, etc.) can help identify key elements of an attack. Logs can track actions to an individual user and can help determine suspicious activity. Assigning unique user identification also helps create an atmosphere of account- ability and can help deter internal system abuse. Once suspicious activity has been defined within an envi- ronment, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be configured to give notifi- cation of suspicious activity that might indicate an attack. Change detection programs, like file integrity monitoring (FIM) are especially useful for ecommerce environments because they track the original state of a file and report any changes, such as when an attacker hides malware within an otherwise legitimate file or application. WINDOW OF COMPROMISE DATA 0 200 400 600 800 1000 Averagenumberofdays Vulnerable Cardholder data was captured Data was exfiltrated 2013 2014
  • 5. Window of Compromise - 4 Sadly, in a few instances, SecurityMetrics Forensic Inves- tigators have discovered that the investigated merchant previously knew of the vulnerabilities that led to a breach. However, the merchant did not give sufficient priority to enhancing their IT security by spending the necessary time and money to correct it as soon as the weakness was identified. In the end, the merchant paid for the cost of a mandated forensic investigation, fines from their bank, fees from credit card issuers and card brands, as well as paying to bring their IT security up to par. Their failure to correct the weak link in their system when they first learned of it cost them vastly more than if they had made a proactive correction. SECURITY TESTING The two major types of vulnerability testing that should be performed to reduce the window of compromise are penetration testing and vulnerability scans. In the case of custom, in-house applications, code testing and independent internal penetration testing can expose many of the weaknesses commonly found in application code (especially the home-grown varieties) and is the best first line of defense in identifying vulnerabilities before the application is put into use. Having code and function tested by objective third parties helps find vul- nerabilities that otherwise might have been missed. Vulnerability scans are automated, affordable, high-level tests that identify certain weaknesses in network struc- tures. Robust vulnerability scans can identify more than 50,000 unique external weaknesses. In addition to locating and reporting vulnerabilities, typical vulnerability scans also encourage a recurring and reliable process for repair- ing discovered problems. After a scan completes, the need to repair located vulnerabilities goes without saying. DocumentsDocuments
  • 6. Window of Compromise - 5 SECURITY POLICY AND EMPLOYEE TRAINING One pitfall, of even the most protected environment, involves the introduction of malicious content by human error. Activities as simple as employee email access or unauthorized Internet browsing can allow paths to and from untrusted networks. Merchants often inadvertently introduce malware into their systems through email attachments, downloads, or USB drives by simply opening them; unaware of the threat they just allowed into their system. Creating, instructing on, and enforcing a sound security policy is the best way to secure an environment from employee error that could negate the effectiveness of security measures that might already be in place. RISK-ASSESSMENT AND MANAGEMENT: VULNERABILITY VS. EXPLOITABILITY Creating a vulnerability management plan is central to decreasing the window of compromise. This process will help identify, classify, remediate, and lessen future instances of vulnerabilities. However, just because a system is vulnerable does not mean it is exploitable, or even likely to be exploited. Some vulnerabilities may require such a large number of pre- conditions that the chance of a successful attack occur- ring is virtually none. Identifying (per the guidelines of PCI DSS Requirement 6) the differing levels of exploitability should help an organization prioritize the actions they will take in enhancing their IT security based on each vulnera- bility’s perceived threat and risk level. “No matter the advances in security technology and re- gardless of increased government cyber security initia- tives and regulations, attackers are not going to abandon their pursuit for unprotected payment card data.” –David Ellis, SecurityMetrics Director of Forensic Investigations
  • 7. Window of Compromise - 6 TAKEAWAYS EARLY DETECTION AND CONTINUAL PROTECTION Carefully tracking and managing an environment will help with early detection of a breach and has the potential to decrease the window of compromise and thereby mitigate damage caused to your environment. To decrease your window of compromise, make sure to: • Perform security testing on environments to identify vulnerabilities. • Develop well-crafted IT security policies to ensure all employees are aware of their responsibilities with respect to the security policy. • Practice a process to address security vulnerabilities by order of importance. • Take the time to maintain detailed logs that can be tracked back to individual users to help identify suspi- cious activity. • Once you’ve collected logs, regularly review them and configure IDS/IPS and FIM to help keep watch over your environment. Remember, if you are actively meeting the Payment Card Industry Data Security Standard requirements you will already be implementing these important security measures.
  • 8. Window of Compromise - 7 ABOUT SECURITYMETRICS SecurityMetrics has tested over one million payment systems for data security and compliance mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff—we’ve got compliance covered. For questions about your PCI DSS compliance situation, please contact SecurityMetrics: CONSULTING@SECURITYMETRICS.COM OR 801.705.5656