How the Target Data Breach Occurred
DISCLAIMER:
This presentation reflects the opinions and
recommendations of the authors only and does not in
any way represent the views or endorsements of any
other parties.
HP NonStop is a trademark of Hewlett-Packard
Development Company, L.P. All other trademarks are the
property of their respective owners.
copyright (2014) comForte 21 1
To be able to look at this presentation offline and without
the speaker's audio, slide notes have been added to some
slides and are shown here, on the right.
copyright (2014) comForte 21 2
copyright (2014) comForte 21 3
In the first part of the presentation, we look at how
exactly the attack against Target was carried out,
following each of its multiple steps.
copyright (2014) comForte 21 4
The URL shown is a rather detailed write-up of the
breach – including how the stolen credit card numbers
are monetized in the “carder underground”. Highly
recommended reading.
The diagram “how the hackers broke in” is also from the
article – we will now look at the steps in more detail.
copyright (2014) comForte 21 5
This is the POS acquiring infrastructure at TARGET,
showing only the core systems required for the
processing of POS transactions.
The system on the right is an HP NonStop system; see
http://www.hp.com/go/nonstop for more information
about the computing platform. We use the term
“NonStop system” in the diagram for brevity.
If these were the only systems, the breach at TARGET
could not have happened in the same way.
copyright (2014) comForte 21 6
This diagram shows more systems which are part of the
larger TARGET infrastructure: two internal servers are
used to process the “back-office” data collected at the
point-of-sale systems. Also, an HVAC system (heating,
ventilation, air conditioning) is remotely controlled by an
external consultant.
copyright (2014) comForte 21 7
In the first step of the attack, the “bad guys” took over a
web site that an employee of the HVAC company was
accessing. By doing so, they were able to obtain his
username and password for that (unrelated) web site.
Unfortunately, the employee used the same password to
access the TARGET network for remote HVAC
maintenance – and thus the attackers were inside the
TARGET network.
copyright (2014) comForte 21 8
They then were able to ‘take over’ an internal server
present at every TARGET store with direct connectivity to
the POS systems, which run Microsoft Windows.
copyright (2014) comForte 21 9
In the next step, they used the internal server to install
specifically crafted malware onto the Windows POS
system.
copyright (2014) comForte 21 10
At this point in time, the malware installed on the POS
system was collecting the full data for each and every
POS transaction. They used a well-known technique
called “memory scraping” to access the data sent from
the POS device “through” the Windows POS system to
the NonStop system processing the POS data.
The final step now is to get the data out of the
internal TARGET network. The attackers needed to be
careful not to raise an alarm by opening new connections
(an outgoing FTP connection to an unknown host on the
Internet would almost certainly have raised alarms
immediately).
This final step is called “exfiltration”.
copyright (2014) comForte 21 11
For exfiltration, the attackers were able to take over
another internal server which was already shown on an
earlier slide. That server was not in the “critical network
zone” and hence not monitored for outgoing data as
closely as each TARGET store itself.
copyright (2014) comForte 21 12
In the final step, the attackers sent the data from the
POS Windows systems to the internal server on the right,
where they collected it for a while.
They then sent the data to a few servers on the Internet
and from there downloaded it to their own systems.
copyright (2014) comForte 21 13
Let’s take a moment to think about the attack: it clearly
shows a lot of planning, patience and sophistication. It is
a sad fact that many cyber criminals are rather excellent
at their “job” and would probably be able to earn a living
as a skilled administrator or developer.
Unfortunately, cyber crime continues to be the actual
choice of many talented “black hat hackers”.
For more background on this type of attack, which is
also called an “Advanced Persistent Threat”, please see the
following presentation on SlideShare:
http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks
copyright (2013) comForte 21 14
As companies improve their defenses, attacks are
requiring more and more steps to succeed. This is why
“defense in depth” is such an important concept – the
defender only needs to prevent a single step of the attack
to thwart it. Here are a few measures, each of which could
have prevented the specific attack carried out
successfully against TARGET:
• Preventing distribution and installation of the malware
  onto the POS systems:
  • Better segmentation of the in-store network
  • Actually looking at the incident logs of the
    advanced attack tool (FireEye; see the Businessweek
    article for details)
  • Setting FireEye to “block” rather than “alert”
• Using end-to-end encryption between the POS reading
  device and the acquiring system.
• Detecting and blocking the outbound traffic in which
  the confidential data was transferred to servers outside
  of Target's store network.
(It should be noted that these measures are by no
means a comprehensive security architecture; they are
the few pieces of a whole defense-in-depth strategy that
would have made the difference.)
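The last measure on the list, detecting and blocking outbound traffic from the store network, can be written down as an egress policy check over flow records. The following is an added example, not code from the presentation or from comForte: zones, addresses, allowlists, thresholds and the flow records are all constructed assumptions, and the two findings it raises correspond to the two hops described above (a POS host sending data to a back-office server, and that server uploading a large volume to an unknown external host).

```python
"""Egress checks for a segmented store network.

Constructed example: the zones, addresses, allowlists and thresholds
below are assumptions for illustration, not Target's real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone definitions (assumed addressing).
STORE_POS_NET = ip_network("10.10.0.0/16")      # POS registers running Windows
BACKOFFICE_NET = ip_network("10.20.0.0/16")     # internal servers outside the critical zone
INTERNAL_NETS = [ip_network("10.0.0.0/8"),      # RFC 1918 space counts as internal;
                 ip_network("172.16.0.0/12"),   # anything else is "the Internet"
                 ip_network("192.168.0.0/16")]

# Policy (assumed): a POS host may only talk to the acquiring system, and a
# back-office server may only reach external hosts that are explicitly approved.
POS_ALLOWED_DST = {ip_address("172.16.5.10")}      # NonStop acquiring system
EXTERNAL_ALLOWLIST = {ip_address("203.0.113.9")}   # e.g. a vendor update server
# A single outbound transfer above this size is reported even to an approved host.
LARGE_TRANSFER_BYTES = 10_000_000


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector would export it (src -> dst)."""
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr) -> bool:
    """True if the address lies in one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one flow (empty list if none)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    findings: list[str] = []
    if src in STORE_POS_NET:
        # Hop 1 of the exfiltration path: a register talking to anything
        # but the acquiring system (e.g. staging data on a back-office box).
        if dst not in POS_ALLOWED_DST:
            findings.append("pos-egress-outside-acquirer")
    elif src in BACKOFFICE_NET and not is_internal(dst):
        # Hop 2: the staging server pushing data out to the Internet.
        if dst not in EXTERNAL_ALLOWLIST:
            findings.append("backoffice-to-unknown-external")
        if flow.bytes_out >= LARGE_TRANSFER_BYTES:
            findings.append("backoffice-large-outbound-transfer")
    return findings


def analyze(flows) -> list[tuple[str, str, str]]:
    """Run check_flow over a batch and return (src, dst, finding) triples."""
    return [(f.src, f.dst, tag) for f in flows for tag in check_flow(f)]


def external_bytes_by_source(flows) -> dict[str, int]:
    """Total bytes each internal host sent to non-internal destinations.

    Data staged for a while and then pushed out in bulk shows up here as
    one host with an outsized total, even when single flows look harmless.
    """
    totals: dict[str, int] = {}
    for f in flows:
        if is_internal(ip_address(f.src)) and not is_internal(ip_address(f.dst)):
            totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    return totals


# Constructed flow records (TEST-NET addresses stand in for Internet hosts).
SAMPLE_FLOWS = [
    # Normal: a register sends an authorization to the acquiring system.
    Flow("2013-12-02T10:00:01Z", "10.10.3.21", "172.16.5.10", 443, 2_048),
    # Suspicious: the same register copies data to a back-office server.
    Flow("2013-12-02T10:05:13Z", "10.10.3.21", "10.20.1.50", 445, 5_800_000),
    # Normal: the back-office server fetches updates from an approved vendor host.
    Flow("2013-12-02T10:07:00Z", "10.20.1.50", "203.0.113.9", 443, 120_000),
    # Suspicious: the back-office server uploads a large volume to an unknown host.
    Flow("2013-12-02T10:30:44Z", "10.20.1.50", "198.51.100.77", 21, 48_000_000),
]

if __name__ == "__main__":
    for src, dst, finding in analyze(SAMPLE_FLOWS):
        print(f"{finding:36s} {src} -> {dst}")
    print(external_bytes_by_source(SAMPLE_FLOWS))
```

In a real deployment the same rules would run against NetFlow or firewall logs with the zone table and allowlists maintained by the network owner; the point of the example is that the first hop is already a policy violation in a properly segmented store network.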
copyright (2014) comForte 21 15
The author of this presentation has followed the
computer security industry and its trends for over ten years.
The techniques used in the attack against TARGET
are over a decade old (!) – so from a technological
standpoint nothing has really changed.
What _has_ changed is that the attackers are stepping
up their game while the defenders are not.
In the next few slides, we will look at the state of
computer security on a specific computing platform,
namely the HP NonStop platform.
copyright (2014) comForte 21 16
This is one of the key messages of this presentation – so
please pardon the bluntness of this slide…
There are hundreds of customers running the ACI
BASE24 product world-wide, processing about 50 % of
the world-wide POS and ATM transactions (!). Many of
these systems were installed decades ago and quietly
hum along in the data center, never losing a
transaction or going down. The fact that the systems
never go down is a key benefit of using the BASE24
software on the HP NonStop platform in the first place.
However, the world has changed and, to the best of our
knowledge, many BASE24 installations are not protected
as well as they should be.
We do know for a fact that BASE24 does _not_ support
encryption of data at rest; therefore most BASE24
installations world-wide will _not_ be compliant with PCI
3.4.
The good news is that this can be addressed relatively
easily: compared to the cost of running a BASE24
system, the cost of massively improving the security
posture is rather low.
copyright (2014) comForte 21 17
This is the prior statement generalized to HP NonStop
systems as a whole, again drawing on our experience as
a vendor in the HP NonStop marketplace.
It should be pointed out that this is _not_ a weakness of
the platform at all; it rather is a weakness of either the
application or the way the platform is secured.
Any computing platform can be secured poorly or well,
and the HP NonStop platform is no different in that. In
fact, the HP NonStop platform has several unique
strengths when it comes to securing it.
copyright (2014) comForte 21 18
To be honest, this is somewhat of a mystery to the
author – after spending 10+ years focusing on IT security.
Really.
So why are BASE24 or similar applications on HP
NonStop *NEVER* PROTECTED PROPERLY? Here are
some suggestions:
- There is typically a large “organizational disconnect”
  between the CSO, CIO, CFO and CEO
  - The attackers, on the other hand, are very well
    connected and organized
- Who owns security anyway? That is a difficult
  question in every organization: is it the platform
  owner? The application owner? The CSO? The CIO?
  The CEO?
- Penny-pinching of IT costs
  - For banks, IT is typically 6 % of the global
    budget
  - IT is often seen as a cost factor (rather than as an
    asset) where savings can be applied whenever the
    economy is bad
  - It should be noted that the BASE24 application is
    *very* profitable – but cost is saved anyway
copyright 2014 comForte 21 19
About 20 years ago, users would connect to “big iron”
(mainframe-type computers) using dedicated
terminals which had no other functionality than to
access the system.
Today, PCs are used to connect to HP NonStop systems
and administer them. The big problem with this is that
many core security principles are based on so-called
“user authentication” – making sure the NonStop knows
which user name is currently connecting.
Historically, there have been many means of using this
information for “authorization” – namely deciding who
can do what (and who can NOT do what).
This has worked well over the years – but most attacks,
including the one on TARGET, show that attackers are able
to “0wn” (hacker lingo for “own”) any PC or midrange
server in the organization. An “0wned” PC is effectively
remote-controlled by the bad guys – and with that, user
authentication is broken and should not be relied on as
strongly as it has been so far.
This knowledge is widely spread in the security
community – but unfortunately it is not that widely
spread in the non-security realm.
copyright 2014 comForte 21 20
As explained on the prior slide, you should not rely on
the assumption that no one will ever be able to log on as
SUPER.SUPER.
In fact, it is a good “thought experiment”
(http://en.wikipedia.org/wiki/Thought_experiment) to
assume that the attacker has penetrated your network
and is able to log on to your NonStop system as
SUPER.SUPER.
Only if your defenses are able to thwart, or at least
detect, an attack even under this somewhat bold
assumption should you consider them to live up to
best practices.
Well-known security standards such as PCI-DSS do take
this into account; in fact, this is most probably the
reason why encryption of data at rest is enforced.
copyright 2014 comForte 21 21
In this final section, we give some general
recommendations on how to properly secure an HP
NonStop system. We focus on the PCI-DSS standard.
copyright (2014) comForte 21 22
In comForte's experience, the HP NonStop platform is
not always well understood by the auditors.
As mentioned earlier, the platform has unique strengths
– but also some unusual weaknesses (which are due
mostly to historical reasons).
copyright (2014) comForte 21 23
A PCI project landing on the desk of the HP NonStop
platform owner can look like a daunting task and/or an
unpleasant surprise.
Rest assured that other platforms struggle just as much –
as in most projects, PCI will be about:
• Properly allocating budget (most large companies
  these days have a “PCI office”) and human resources
• Expectation management (mostly towards the
  auditor)
• Long-term planning – the auditors are coming at least
  yearly, so plan for the long haul
It is unlikely that you will get from 0 % compliance to
100 % compliance in a single year – we will talk about
the suggested order of things a bit later.
copyright (2013) comForte 21 24
Another key principle on the journey to properly protect
your systems…
While there is most likely software to be procured and
installed, the software very often needs to be actively
monitored and configured going forward.
copyright (2014) comForte 21 25
The PCI 2.0 standard has about 230 “line items”
(individual bullet points to comply with) and the 3.0
version will have more than 300.
The PCI council has published an Excel sheet attaching
priorities to the individual items – this was used as input
for the recommended order of tasks that follows.
Another factor taken into account was how hard or easy
a measure is to implement.
copyright (2014) comForte 21 26
This is a suggested order of tasks which takes the
following into account:
• Ease of implementation
• Priority as per the PCI prioritized approach
• Budgetary constraints
copyright (2013) comForte 21 27
Note: it is recommended to actually start with Phase 1
rather than trying to combine Phase 1 and Phase 2 into a
“big bang” scenario. Your PCI auditor wants to see
progress early.
copyright 2014 comForte 21 28
The two presentations on SlideShare shown on the left
can be accessed via the following URLs:
http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks
http://www.slideshare.net/thomasburg/the-verizon-20122013-data-breach-investigations-report-lessons-learned-for-running-base24-securely
(This is the last slide in this presentation)
copyright (2014) comForte 21 29

More Related Content

Similar to How the Target Data Breach Occurred

The attack against target - how was it done and how has it changed the securi...
The attack against target - how was it done and how has it changed the securi...The attack against target - how was it done and how has it changed the securi...
The attack against target - how was it done and how has it changed the securi...Thomas Burg
 
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...Thomas Burg
 
From Russia with Love - modern tools used in Cyber Attacks
From Russia with Love - modern tools used in Cyber AttacksFrom Russia with Love - modern tools used in Cyber Attacks
From Russia with Love - modern tools used in Cyber AttacksThomas Burg
 
2014 11 data at rest protection for base24 - lessons learned in production
2014 11 data at rest protection for base24 - lessons learned in production2014 11 data at rest protection for base24 - lessons learned in production
2014 11 data at rest protection for base24 - lessons learned in productionThomas Burg
 
BASE24 classic - modernization options
BASE24 classic - modernization optionsBASE24 classic - modernization options
BASE24 classic - modernization optionsThomas Burg
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsIRJET Journal
 
Combating Software Piracy Using Code Encryption Technique
Combating Software Piracy Using Code Encryption TechniqueCombating Software Piracy Using Code Encryption Technique
Combating Software Piracy Using Code Encryption Techniquetheijes
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Ce hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsCe hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsMehrdad Jingoism
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introductionswang2010
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachIBM Security
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014David Berkelmans
 
Demystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsDemystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsSymantec
 
Survival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications todaySurvival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications todayThomas Burg
 
Supply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoTSupply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoTSource Code Control Limited
 

Similar to How the Target Data Breach Occurred (20)

The attack against target - how was it done and how has it changed the securi...
The attack against target - how was it done and how has it changed the securi...The attack against target - how was it done and how has it changed the securi...
The attack against target - how was it done and how has it changed the securi...
 
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...
The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned fo...
 
From Russia with Love - modern tools used in Cyber Attacks
From Russia with Love - modern tools used in Cyber AttacksFrom Russia with Love - modern tools used in Cyber Attacks
From Russia with Love - modern tools used in Cyber Attacks
 
2014 11 data at rest protection for base24 - lessons learned in production
2014 11 data at rest protection for base24 - lessons learned in production2014 11 data at rest protection for base24 - lessons learned in production
2014 11 data at rest protection for base24 - lessons learned in production
 
BASE24 classic - modernization options
BASE24 classic - modernization optionsBASE24 classic - modernization options
BASE24 classic - modernization options
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 
linkedin brainies
linkedin brainieslinkedin brainies
linkedin brainies
 
Combating Software Piracy Using Code Encryption Technique
Combating Software Piracy Using Code Encryption TechniqueCombating Software Piracy Using Code Encryption Technique
Combating Software Piracy Using Code Encryption Technique
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
ProjectReport_Finalversion
ProjectReport_FinalversionProjectReport_Finalversion
ProjectReport_Finalversion
 
Ce hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypotsCe hv8 module 17 evading ids, firewalls, and honeypots
Ce hv8 module 17 evading ids, firewalls, and honeypots
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introduction
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail Breach
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)
 
Check point presentation june 2014
Check point presentation june 2014Check point presentation june 2014
Check point presentation june 2014
 
Secure client
Secure clientSecure client
Secure client
 
Demystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsDemystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales Systems
 
Survival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications todaySurvival of the Fittest: Modernize your NonStop applications today
Survival of the Fittest: Modernize your NonStop applications today
 
Supply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoTSupply Chain Security and Compliance for Embedded Devices & IoT
Supply Chain Security and Compliance for Embedded Devices & IoT
 

More from Thomas Burg

HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop Thomas Burg
 
Comparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RACComparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RACThomas Burg
 
HP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-inHP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-inThomas Burg
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?Thomas Burg
 
comForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStopcomForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStopThomas Burg
 
2014 02 comForte SecurTape product
2014 02 comForte SecurTape product2014 02 comForte SecurTape product
2014 02 comForte SecurTape productThomas Burg
 

More from Thomas Burg (6)

HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop HPE NonStop GTUG Berlin - 'Yuma' Workshop
HPE NonStop GTUG Berlin - 'Yuma' Workshop
 
Comparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RACComparing the TCO of HP NonStop with Oracle RAC
Comparing the TCO of HP NonStop with Oracle RAC
 
HP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-inHP NonStop applications: Modernization from the Ground-up and the User-in
HP NonStop applications: Modernization from the Ground-up and the User-in
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
comForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStopcomForte CSL: a messaging middleware framework for HP NonStop
comForte CSL: a messaging middleware framework for HP NonStop
 
2014 02 comForte SecurTape product
2014 02 comForte SecurTape product2014 02 comForte SecurTape product
2014 02 comForte SecurTape product
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024

How the Target Data Breach Occurred

  • 1. DISCLAIMER: This presentation reflects the opinions and recommendations of the authors only and does not in any way represent the views or endorsements of any other parties. HP NonStop is a trademark of Hewlett-Packard Development Company, L.P. All other trademarks are the property of their respective owners. copyright (2014) comForte 21 1
  • 2. To be able to look at this presentation offline and without the speaker's audio, slide notes have been added to some slides and are shown here, on the right.
  • 4. In the first part of the presentation, we look at how exactly the attack against Target was carried out, following each of the multiple steps.
  • 5. The URL shown is a rather detailed write-up of the breach, including how the stolen credit card numbers are monetized in the “carder underground”. Highly recommended reading. The diagram “how the hackers broke in” is also from the article; we will now look at the steps in more detail.
  • 6. This is the POS acquiring infrastructure at TARGET, showing only the core systems required for the processing of POS transactions. The system on the right is an HP NonStop system; see http://www.hp.com/go/nonstop for more information about the computing platform. We use the term “NonStop system” in the diagram for brevity. If these were the only systems, the breach at TARGET could not have happened in the same way.
  • 7. This diagram shows more systems which are part of the larger TARGET infrastructure: two internal servers are used to process the “backoffice” data collected at the point-of-sale systems. Also, an HVAC system (Heating, Ventilation, Air Conditioning) is remote-controlled by an external consultant.
  • 8. In the first step of the attack, the “bad guys” took over a web site an employee of the HVAC company was accessing. By doing so, they were able to obtain his username and password for that (unrelated) web site. Unfortunately, the employee used the same password to access the TARGET network for remote HVAC maintenance, and thus the attackers were inside the TARGET network.
  • 9. They were then able to ‘take over’ an internal server present at every TARGET store which had direct connectivity to the POS systems (which run Microsoft Windows).
  • 10. In the next step, they used the internal server to install specifically crafted malware onto the Windows POS systems.
  • 11. At this point in time, the malware installed on the POS system was collecting the full data for each and every POS transaction. It used a well-known technique called “memory scraping” to read the card data as it passed from the POS reading device through the Windows POS system on its way to the NonStop system processing the POS data. The final step was to get the data out of the internal TARGET network. This step is called “exfiltration”, and the attackers needed to be careful not to raise an alarm by using new connections (an outgoing FTP connection to an unknown host on the Internet would almost certainly have raised alarms immediately).
  • 12. For exfiltration, the attackers were able to take over another internal server which was already shown on an earlier slide. That server was not in the “critical network zone” and hence its outgoing data was not monitored as closely as that of each TARGET store itself.
  • 13. In the final step, the attackers sent the data from the Windows POS systems to the internal server on the right, where they collected it for a while. They then sent the data to a few servers on the Internet and downloaded it from there to their own systems.
  • 14. Let’s take a moment to think about the attack: it clearly shows a lot of planning, patience and sophistication. It is a sad fact that many cyber criminals are rather excellent at their “job” and would probably be able to earn a living as a skilled administrator or developer. Unfortunately, cyber crime continues to be the choice of many talented “black hat hackers”. For more background on this type of attack, also called “Advanced Persistent Threats”, please see the following presentation on SlideShare: http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks
  • 15. As companies improve their defenses, attacks require more and more steps to succeed. This is why “defense in depth” is such an important concept: the defender only needs to prevent a single step of the attack to thwart it. Here are a few measures, each of which could have prevented the specific attack carried out successfully against TARGET:
    • Preventing distribution and installation of the malware onto the POS systems:
      • Better segmentation of the in-store network
      • Actually looking at the incident logs of the advanced attack detection tool (FireEye; see the Businessweek article for details)
      • Setting FireEye to “block” rather than “alert”
    • Using end-to-end encryption between the POS reading device and the acquiring system.
    • Detecting and blocking the outbound traffic in which the confidential data was transferred to servers outside of Target's store network.
    (It should be noted that these measures are by no means a comprehensive security architecture; they are the few pieces of a whole defense-in-depth strategy that would have made the difference.)
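As an added example (not part of the original presentation), the following Python code shows what slide 11's “memory scraping” and slide 15's outbound-traffic detection have in common: a scanner for magnetic-stripe Track 2 data. The same pattern match that POS malware runs over process memory can be run by a defender over a memory dump or over captured egress traffic, and a Luhn check keeps unrelated digit runs from triggering it. The byte buffer, the card numbers (standard Luhn-valid test PANs, not real cards) and the `should_block_egress` policy are constructed for this example.

```python
import re
from typing import Dict, List

# Track 2 (ISO/IEC 7813) as it sits in memory or on the wire:
#   ';' PAN '=' YYMM service-code discretionary-data '?'
# This pattern is what both POS memory scrapers and egress/DLP filters key on.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check over a digit string; real PANs pass, random runs mostly fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; never log or forward the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf: bytes) -> List[Dict[str, object]]:
    """Find Luhn-valid Track 2 records in a byte buffer (memory dump, pcap payload)."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # drops most false positives from unrelated digit runs
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })
    return hits


def should_block_egress(payload: bytes) -> bool:
    """Egress policy assumed for this example: content check only. A real filter
    would combine it with a whitelist of the acquirer's hosts."""
    return len(scan_for_track2(payload)) > 0


# Constructed sample: a slice of POS process memory (or of a staged exfil file) with
# two Luhn-valid test PANs and one invalid decoy mixed into unrelated bytes.
SAMPLE_MEMORY = (
    b"POSAPP.EXE\x00\x00store=0123\x00"
    b";4111111111111111=25121011000012345678?\x00\x00"
    b"log: tx ok\x00"
    b";4111111111111112=2512101?\x00"            # fails Luhn, must be ignored
    b"order=00017;5555555555554444=26061019999?"
    b"\x00\x00trailer"
)

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_MEMORY):
        print(hit)
    print("block egress:", should_block_egress(SAMPLE_MEMORY))
```

Run over a memory dump of the POS process this reports where track data sits in cleartext, which is exactly the window end-to-end encryption between the reading device and the acquirer closes; run over outbound store traffic it is the content side of the "detect and block" measure on slide 15.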
  • 17. The author of this presentation has followed the computer security industry and trends for over ten years. The attack techniques used in the attack against TARGET are over a decade old (!), so from a technological standpoint nothing has really changed. What _has_ changed is that the attackers are stepping up their game while the defenders do not. In the next few slides, we will look at the state of computer security on a specific computing platform, namely the HP NonStop platform.
  • 18. This is one of the key messages of this presentation, so please pardon the non-subtlety of this slide… There are hundreds of customers running the ACI BASE24 product world-wide, processing about 50 % of the world-wide POS and ATM transactions (!). Many of these systems were installed decades ago and quietly hum along in the data center, never losing a transaction or going down. The fact that the systems never go down is a key benefit of using the BASE24 software on the HP NonStop platform in the first place. However, the world has changed and, to the best of our knowledge, many BASE24 installations are not protected as well as they should be. We do know for a fact that BASE24 does _not_ support encryption of data at rest; therefore most BASE24 installations world-wide will _not_ be compliant with PCI DSS requirement 3.4 (render stored PAN unreadable). The good news is that this can be addressed relatively easily: compared to the cost of running a BASE24 system, the cost of massively improving the security posture is rather low.
  • 19. This is the prior statement generalized to HP NonStop systems in general, again drawing on our experience as a vendor in the HP NonStop marketplace. It should be pointed out that this is _not_ a weakness of the platform at all; it is rather a weakness of either the application or the way the platform is secured. Any computing platform can be secured poorly or well, and the HP NonStop platform is no different in that. In fact, the HP NonStop platform has several unique strengths when it comes to securing it.
  • 20. To be honest, this is somewhat of a mystery to the author, after spending 10+ years focusing on IT security. Really. So why are BASE24 or similar applications on HP NonStop *NEVER* PROTECTED PROPERLY? Here are some suggestions:
    - There is typically a large “organizational disconnect” between the CSO, CIO, CFO and CEO
    - The attackers, on the other hand, are very well connected and organized
    - Who owns security anyway? That is a difficult question in every organization: is it the platform owner? The application owner? The CSO? The CIO? The CEO?
    - Penny pinching of IT costs
      - For banks, IT is typically 6 % of the global budget
      - IT is often seen as a cost factor (rather than as an asset) where savings can be applied whenever the economy is bad
      - It should be noted that the BASE24 application is *very* profitable, but cost is saved anyway
  • 21. About 20 years ago, users would connect to “big iron” (mainframe-type computers) using dedicated terminals which had no other functionality than to access the system. Today, PCs are used to connect to HP NonStop systems and administer them. The big problem with this is that many core security principles are based on so-called “user authentication”: making sure the NonStop knows which user is currently connecting. Historically, there have been many means of using this information for “authorization”, namely deciding who can do what (and who can NOT do what). This has worked well over the years, but most attacks, including the one on TARGET, show that attackers are able to “0wn” (hacker lingo for “own”) any PC or midrange server in the organization. An “0wned” PC is effectively remote-controlled by the bad guys, and with that user authentication is broken and should no longer be relied on as strongly as it has been. This knowledge is widespread in the security community, but unfortunately it is not that widespread outside it.
  • 22. As explained on the prior slide, you should not trust that no one will ever be able to log on as SUPER.SUPER. In fact, it is a good “thought experiment” (http://en.wikipedia.org/wiki/Thought_experiment) to assume that the attacker has penetrated your network and is able to log on to your NonStop system as SUPER.SUPER. Only if your defenses are able to thwart, or at least detect, an attack even under this somewhat bold assumption should you consider your defenses to live up to best practices. Well-known security standards such as PCI DSS do take this into account; in fact, this is most probably the reason why encryption of data at rest is enforced.
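As an added example (not from the presentation and not BASE24 or comForte code), the following stdlib-only Python shows one way to meet the data-at-rest requirement that slide 18 says BASE24 lacks (PCI DSS 3.4, render stored PAN unreadable) and that slide 22 motivates with the SUPER.SUPER thought experiment: the transaction log is written with the PAN truncated to BIN plus last four digits and replaced by a keyed HMAC token, so an attacker who can read every file on the host still does not obtain a usable card number, while an authorized caller who holds the key can still find all transactions for a card. The record layout, the `INDEX_KEY` (which in a real deployment would live in an HSM or key server off the host, never in a file the superuser can read) and the sample transactions are assumptions of this example. One caveat a practitioner would raise: an unkeyed hash of the PAN stored next to BIN and last four is brute-forceable, since only the middle six digits of a 16-digit PAN are unknown, which is why the token must be keyed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

# Assumption for this example: the HMAC key is generated in memory here. In a real
# deployment it would be held in an HSM or a key server off the NonStop host, so
# that a SUPER.SUPER logon with full file access still cannot read it.
INDEX_KEY = secrets.token_bytes(32)


def pan_token(pan: str, key: bytes = INDEX_KEY) -> str:
    """Keyed one-way token over the full PAN. Unkeyed SHA-256 would be
    brute-forceable once BIN and last four are stored beside it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def render_unreadable(txn: Dict[str, str]) -> Dict[str, str]:
    """Copy of the transaction record with the PAN removed: keep the BIN (first 6)
    and last 4 digits for receipts and research, add the keyed token for lookups.
    The full PAN never reaches the record that is written to disk."""
    pan = txn["pan"]
    rec = {k: v for k, v in txn.items() if k != "pan"}
    rec["pan_bin"] = pan[:6]
    rec["pan_last4"] = pan[-4:]
    rec["pan_token"] = pan_token(pan)
    return rec


def write_txn_log(txns: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], str]:
    """Return the in-memory records and the serialized form that would hit disk."""
    records = [render_unreadable(t) for t in txns]
    return records, json.dumps(records)


def attacker_can_read_pan(on_disk: str, pan: str) -> bool:
    """The SUPER.SUPER thought experiment: with full read access to the stored
    file, does the attacker obtain the full PAN?"""
    return pan in on_disk


def lookup_by_pan(records: List[Dict[str, str]], pan: str) -> List[Dict[str, str]]:
    """Authorized lookup (the caller holds the key) without any PAN being stored."""
    wanted = pan_token(pan)
    return [r for r in records if hmac.compare_digest(r["pan_token"], wanted)]


# Constructed sample transactions using standard Luhn-valid test card numbers.
SAMPLE_TXNS = [
    {"stan": "000123", "amount": "42.17", "expiry": "2512", "pan": "4111111111111111"},
    {"stan": "000124", "amount": "9.99", "expiry": "2606", "pan": "5555555555554444"},
    {"stan": "000125", "amount": "130.00", "expiry": "2512", "pan": "4111111111111111"},
]

if __name__ == "__main__":
    recs, on_disk = write_txn_log(SAMPLE_TXNS)
    print(on_disk)
    print("attacker sees PAN:", attacker_can_read_pan(on_disk, "4111111111111111"))
    print("authorized lookup hits:", len(lookup_by_pan(recs, "4111111111111111")))
```

The design choice worth noting is where the key lives: truncation alone loses the ability to correlate transactions for the same card, and a full PAN on disk fails the thought experiment outright, whereas a keyed token stored beside the truncated PAN keeps research and chargeback lookups working while a file read by SUPER.SUPER yields nothing that can be replayed.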
  • 23. In this final section, we give some general recommendations on how to properly secure an HP NonStop system. We focus on the PCI DSS standard.
  • 24. In comForte's experience, the HP NonStop platform is not always well understood by the auditors. As mentioned earlier, the platform has unique strengths, but also some unusual weaknesses (mostly for historical reasons).
  • 25. A PCI project landing on the desk of the HP NonStop platform owner can look like a daunting task and/or an unpleasant surprise. Rest assured that other platforms struggle just as much; like most projects, PCI will be about:
    • Properly allocating budget (most large companies these days have a “PCI office”) and human resources
    • Expectation management (mostly towards the auditor)
    • Long-term planning: the auditors are coming at least yearly, so plan for the long haul
    It is unlikely that you will get from 0 % compliance to 100 % compliance in a single year; we will talk about the suggested order of things a bit later.
  • 26. Another key principle on the journey to properly protect your systems: while there is most likely software to be procured and installed, that software very often needs to be actively configured and monitored going forward.
  • 27. The PCI DSS 2.0 standard has about 230 “line items” (individual bullet points to comply with) and version 3.0 will have more than 300. The PCI council has published an Excel sheet attaching priorities to the individual items (the “Prioritized Approach”); this was used for the upcoming recommendation on the order of certain tasks. Another factor was how hard or easy a measure is to implement.
  • 28. This is a suggested order of doing things, which takes the following into account:
    • Ease of implementation
    • Priority as per the PCI Prioritized Approach
    • Budgetary constraints
  • 29. Note: it is recommended to actually start with Phase 1 rather than trying to combine Phase 1 and Phase 2 into a “big bang” scenario. Your PCI auditor wants to see progress early.
  • 30. The two presentations on SlideShare shown on the left can be accessed via the following URLs: http://www.slideshare.net/thomasburg/from-russia-with-love-modern-tools-used-in-cyber-attacks and http://www.slideshare.net/thomasburg/the-verizon-20122013-data-breach-investigations-report-lessons-learned-for-running-base24-securely (This is the last slide in this presentation.)