The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
KEY TOPICS INCLUDE:
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques
Verizon 2014 data breach investigation report and the target breach
1. Verizon 2014 Data Breach Investigation Report and The Target Breach
Proactive Approaches to Data Security
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com
2. Ulf Mattsson, Protegrity CTO
Member of PCI Security Standards Council:
• Tokenization Task Force
• Encryption Task Force
• Point to Point Encryption Task Force
• Risk Assessment SIG
• eCommerce SIG
• Cloud SIG
• Virtualization SIG
• Pre-Authorization SIG
• Scoping SIG
3. Topics
• The Target Data Breach
• Data Security & Threat Landscape
• Think Like A Hacker - Proactive Data Security
• New Data Security Technologies & Approaches
5. How The Breach at Target Went Down
First Attack: Fazio Mechanical Services
• A 3rd party refrigeration design & maintenance contractor for Target
• Email malware-injecting phishing attack
• Credentials were stolen
Second Attack: Target POS Machines
• Used stolen credentials from Fazio Mechanical Services to access POS machines
• Installation of malware to collect customer payment data
Aftermath: Malware Data Export
• >40 million customer financial records & CCN
• >70 million customer personal information records
• The subsequent file dump containing customer data is reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or provides the data required for identity theft
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
6. Memory Scraping Malware – Target Breach
[Diagram: Payment Card Terminal; Point Of Sale Application with Memory Scraping Malware; Authorization, Settlement …; Web Server with Memory Scraping Malware; data sent on to Russia]
7. Target Says It Ignored Early Signs of Data Breach
Security software picked up on suspicious activity after a cyberattack was launched, but it decided not to take immediate action
Received security alerts on Nov. 30 that indicated malicious software had appeared in its network
Source: SEC (Securities and Exchange Commission)
8. Target Data Breach Fallout
Target Corp. annual report: Massive security breach has hurt its image and business, while spawning dozens of legal actions, and it can't estimate how big the financial tab will end up being.
The FTC is probing the massive hack of credit card information. Target could face federal charges for failing to protect its customers' data.
“When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at.”
- Jon Leibowitz, former FTC chairman
Source: Bloomberg Businessweek
11. Who is the Next Target?
• Services
• Retailers
• Healthcare
• Government
12. It’s not like other businesses are using some special network security practices that Target doesn’t know about.
They just haven’t been hit yet.
No number of walls, traps, bars, or alarms will keep out the determined thief.
Source: www.govtech.com/security
13. New Environments
Big Data and Cloud platforms are presenting new use cases that are incompatible with old security approaches. This makes them vulnerable and ideal targets.
Cloud & Big Data Vulnerabilities Include:
• Hackers & APT
• Rogue Privileged Users
• Unvetted Applications or Ad Hoc Processes
14. DATA SECURITY & THREAT LANDSCAPE
How have the methods of attack shifted?
15. The Bad Guys are Winning
“It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve got to solve that.”
- 2014 Verizon Data Breach Investigations Report
Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
16. External Threats are Exploding
Source: The 2014 Verizon Data Breach Investigations Report
17. More, Better Attack Tools
Source: The 2014 Verizon Data Breach Investigations Report
19. We Are Losing Ground
“…Even though security is improving, things are getting worse faster, so we're losing ground even as we improve.”
- Security expert Bruce Schneier
Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
20. Organizations Are Not Protecting Against Cyberattacks
“Cyber attack fallout could cost the global economy $3 trillion by 2020.”
- McKinsey & Company report, Risk & Responsibility in a Hyperconnected World: Implications for Enterprises
Source: McKinsey report on enterprise IT security implications released in January 2014.
21. Organizations Are Also Bad At Detecting Breaches
Source: Verizon 2013 Data Breach Investigations Report & 451 Research
24. The Dramatic Rise of RAM Scraping Malware
RAM scraping was #17 in 2012 among all types of incidents and rose to a very concerning #4 spot in 2013.
Incidents surged from just 27 in 2012 to 223 in 2013.
A 10x increase in only ONE YEAR.
Source: Verizon’s 2014 Data Breach Investigations Report
25. FBI Memory-Scraping Malware Warning
In the past year, there were at least 20 malware cyber attacks on retail targets similar to the Target incident.
“POS malware crime will continue to grow over the near term.”
Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”
Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach
26. The Dramatic Rise of RAM Scraping Malware
Export data became the #1 malware threat in 2013, doubling in occurrence from 2012.
Malware represented 60% (12/20) of the top threat actors in the 2014 Verizon DBIR.
Source: Verizon’s 2014 Data Breach Investigations Report
My conclusion:
Malware will continue to proliferate until we secure the sensitive data flow.
30. Target Breach Lesson: Compliance Isn't Enough
Target was certified as meeting the standard for the Payment Card Industry in September 2013
Compliance is minimal protection that everyone has to have in place.
• It can protect from liability.
• But obviously, it does not actually protect from data loss.
If you're driving a car, you have to wear your seatbelt. That doesn't make you a safe driver.
Source: TechNewsWorld
34. The New Fine Grained Data Security
[Chart: Risk (Low to High) against Access Privilege Level (Low to High)]
Old: Minimal access levels – Least Privilege to avoid high risks
New: Much greater flexibility and lower risk in data accessibility
35. What if a Credit Card Number in the Hands of a Criminal was Useless?
36. De-identification through Tokenization
Field          | Real Data                          | Tokenized / Pseudonymized
Name           | Joe Smith                          | csu wusoj
Address        | 100 Main Street, Pleasantville, CA | 476 srta coetse, cysieondusbak, CA
Date of Birth  | 12/25/1966                         | 01/02/1966
Telephone      | 760-278-3389                       | 760-389-2289
E-Mail Address | joe.smith@surferdude.org           | eoe.nwuer@beusorpdqo.org
SSN            | 076-39-2778                        | 076-28-3390
CC Number      | 3678 2289 3907 3378                | 3846 2290 3371 3378
Business URL   | www.surferdude.com                 | www.sheyinctao.com
Fingerprint    |                                    | Encrypted
Photo          |                                    | Encrypted
X-Ray          |                                    | Encrypted
Healthcare / Financial Services use cases:
• Healthcare: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.
• Financial Services: consumer products and activities
Protection methods can be equally applied to the actual data, but not needed with de-identification
37. Fine Grained Data Security Methods
Tokenization and Encryption are Different
              | Encryption               | Tokenization
Used Approach | Cipher System            | Code System
              | Cryptographic algorithms | Cryptographic keys
              | Cryptographic keys       | Code books
              |                          | Index tokens
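As an added illustration (not Protegrity's product code and not from the slides), a small format-preserving code-book tokenizer for the CC Number row of the table on slide 36: the first 6 and last 4 digits are kept, and the middle 6 go through a code book that is a key-derived permutation, so no vault of token-to-value mappings needs to be stored, which is the point of the "Code System" column on slide 37. SAMPLE_KEY, the seeding scheme and the function names are constructed for this example.

```python
import hashlib
import hmac
import random

# Constructed sample key (not a real secret); a deployment would fetch it from a key manager.
SAMPLE_KEY = b"example-codebook-key-do-not-use"

# Keep the first 6 (BIN) and last 4 digits of a 16-digit PAN; tokenize the 6 in the middle.
MIDDLE_START, MIDDLE_END = 6, 12
BOOK_SIZE = 10 ** (MIDDLE_END - MIDDLE_START)   # 1,000,000 possible middle values

def build_codebook(key: bytes):
    """Derive a code book (a permutation of 0..999999) from the key alone.
    The key seeds the shuffle, so the same key always rebuilds the same book and no
    per-record mapping is stored: the 'vaultless' property. The seeding is illustrative,
    not a production key-derivation scheme."""
    seed = int.from_bytes(hmac.new(key, b"pan-codebook-v1", hashlib.sha256).digest(), "big")
    forward = list(range(BOOK_SIZE))
    random.Random(seed).shuffle(forward)
    inverse = [0] * BOOK_SIZE
    for value, token in enumerate(forward):
        inverse[token] = value
    return forward, inverse

def _split(pan: str):
    digits = pan.replace(" ", "")
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit PAN")
    return digits[:MIDDLE_START], int(digits[MIDDLE_START:MIDDLE_END]), digits[MIDDLE_END:]

def tokenize_pan(pan: str, forward) -> str:
    """Replace the middle 6 digits through the code book; the output keeps the PAN format."""
    head, middle, tail = _split(pan)
    return head + f"{forward[middle]:06d}" + tail

def detokenize_pan(token: str, inverse) -> str:
    """Recover the original PAN; only a holder of the key (hence the book) can do this."""
    head, middle, tail = _split(token)
    return head + f"{inverse[middle]:06d}" + tail

if __name__ == "__main__":
    fwd, inv = build_codebook(SAMPLE_KEY)
    # The slide's sample card number; the token is not guaranteed to pass a Luhn check.
    tok = tokenize_pan("3678 2289 3907 3378", fwd)
    print(tok, detokenize_pan(tok, inv))
```

The same input always yields the same token under one key, so tokenized values can still be joined and analyzed, while a stolen token reveals only the BIN and last four.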
39. Security of Fine Grained Protection Methods
[Chart: Security Level (Low to High) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Basic Data Tokenization]
40. Speed of Fine Grained Protection Methods
[Chart: Transactions per second*, log scale from 100 to 10 000 000, for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Vault-based Data Tokenization]
*: Speed will depend on the configuration
41. Tokenization Research
Tokenization Gets Traction
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Tokenization users had 50% fewer security-related incidents than tokenization non-users
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
42. How Should I Secure Different Data?
[Chart: Use Case (Simple – PCI: Card Holder Data; PII: Personally Identifiable Information; Complex – PHI: Protected Health Information) against Type of Data (Structured, Un-structured); methods shown: Tokenization of Fields, Encryption of Files]
43. Protecting Enterprise Data Flow
Protecting Data Flows – Reducing Attack Surface
[Diagram: data sources (Social Media, Blogs, Smart Phones, Meters, Sensors, Web Logs, Trading Systems, GPS Signals, Stream) feeding Acquisition, Big Data (Hadoop), Analytics & Visualization and the Enterprise Data Warehouse; a CCN/SSN 123456 123456 1234 is shown tokenized as 123456 999999 1234]
44. CISOs say SIEM Not Good for Security Analytics
You must assume your perimeter systems will be breached.
How do you know when your systems have been compromised?
You have to baseline and understand what ‘normal' looks like and look for deviations from normal.
McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that.
Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets
Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
45. Use Big Data to Analyze Abnormal Usage Pattern
[Diagram: Payment Card Terminal; Point Of Sale Application with Memory Scraping Malware; Authorization, Settlement …; Web Server with Memory Scraping Malware; traffic to Moscow, Russia; FireEye alert: Malware?]
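Slide 44's prescription (baseline what normal looks like, then look for deviations in network flow data) and slide 45's picture of a POS host suddenly talking to Moscow, as an added example that is not from the slides: a per-host baseline over constructed flow records that flags a never-seen destination and an outbound volume spike. The host names, the 10.0.5.20 gateway, 203.0.113.7 and the byte counts are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source host, destination IP, destination country, bytes out).
# Five quiet days in which the POS hosts talk only to the internal payment gateway 10.0.5.20.
BASELINE_FLOWS = (
    [(d, "pos-01", "10.0.5.20", "US", b) for d, b in zip(range(1, 6), [80000, 82000, 78000, 81000, 79000])]
    + [(d, "pos-02", "10.0.5.20", "US", b) for d, b in zip(range(1, 6), [60000, 61000, 59000, 60000, 60000])]
)
# Day 6, also constructed: pos-01 starts a bulk upload to an external host it has never talked to.
NEW_FLOWS = [
    (6, "pos-01", "10.0.5.20", "US", 80000),
    (6, "pos-01", "203.0.113.7", "RU", 52_000_000),
    (6, "pos-02", "10.0.5.20", "US", 61000),
]

def build_baseline(flows):
    """Per host: the set of destinations seen, and mean/stdev of daily bytes out."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, dst, _country, nbytes in flows:
        dests[host].add(dst)
        daily[host][day] += nbytes
    stats = {}
    for host, per_day in daily.items():
        vals = list(per_day.values())
        stats[host] = (mean(vals), pstdev(vals))
    return dests, stats

def find_anomalies(flows, dests, stats, k=3.0):
    """Return (host, day, kind, detail) for unknown hosts, new destinations and volume spikes."""
    findings = []
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, country, nbytes in flows:
        if host not in stats:
            findings.append((host, day, "no-baseline", f"unknown host talking to {dst}"))
        elif dst not in dests[host]:
            findings.append((host, day, "new-destination", f"{dst} ({country}) never seen before"))
        totals[host][day] += nbytes
    for host, per_day in totals.items():
        if host not in stats:
            continue
        mu, sigma = stats[host]
        for day, total in sorted(per_day.items()):
            if total > mu + k * sigma:   # k standard deviations above the host's own mean
                findings.append((host, day, "volume", f"{total} B out vs baseline mean {mu:.0f} B"))
    return findings
```

On the constructed data only pos-01 on day 6 is reported, once for the new destination and once for the volume spike; pos-02's slightly higher day stays inside its own baseline.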
46. Trend - Open Security Analytics Frameworks
Enterprise Big Data Lake
Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
47. Conclusions
Threats are increasing and attackers are getting more advanced
• Sticking your head in the sand will not make it go away
• Malware is everywhere – secure and monitor the data flow
Compliance does not equal security
• Everyone must be compliant, but it’s just a starting point
• Assume you’re under attack – proactive security must be a priority
Take advantage of the tools available today
• Tokenization provides flexibility to capture, store and use data securely
• Big Data event analysis & context can catch threats early on
48. Thank you!
Questions?
Please contact us for more information
www.protegrity.com
Ulf.Mattsson@protegrity.com
To Request A Copy of the Presentation
Email: info@protegrity.com