2015 Check Point Software Technologies Ltd. [Protected] Non-confidential content
RETAIL SECURITY
Hartford Tech Summit
Nuno Sousa | Check Point Security Engineer
Eric OMalley | Check Point Strategic Account Manager
Dan Greco | Iovations Account Manager
Slide 2
Home Depot - Neiman Marcus - Michaels -
Sally Beauty - P.F. Chang's - Goodwill - Jimmy John's - UPS - Dairy
Queen - Kmart - Staples - BeBe - Yellow Cab - Checker Cab - Shop 'n
Save - Shoppers Food - Albertsons - Acme - Flagship Car Wash - Cub
Foods - Farm Fresh - Supervalu - Hornbacher's - Jewel-Osco - Shaw's
- Star Market - Taxi Affiliation Services - Dispatch Taxi -
Micrologic Associates - Signature Systems Inc. - Roman Delight -
Antonellis Pizza - Italian Touch - Lost Pizza Co. - Pizza King -
Joe's Pizza and Pasta - Lott - Springdale Pizza - Skin Flints -
Grecco's Pizza - Blue Moon Bakery - SaraBella Pizzeria &
Desserts - Mister Jim's Submarines - Paisano's Pizza - Pizza King -
Angelina's Pizzeria & Restaurant - Giuseppe's Pizza - Piero's
Italian Restaurant - Bagel Boys - Donatis Pizza - Glenside Pizza -
DeNiros Pizza & Subs - Luigis Pizzarama - Warrington Pizza -
Wings to Go - The Pizza Shop II - Spatola's - Casa D'Amico - Wings
to Go - Friends Bar & Grill - Paisano's Kingstowne - Joanie's -
Hambinos Pizza Co - Joe's Pizza - Middle River Pizzeria - Tony's NY
Pizza - Uncle Paul's Pizza - The Corner Café - Paisano's Pizza -
Pizza Classica - Costello's Italian Ristorante - Uncle Charlie's
Pizza - Joes Pizza & Pasta - Romanellis - Rosatis - Paisano's
Pizza - Uncle Oogie's - Tonelli's - Community Pizza - Fat Boys
Pizza Pizza Tugos - Santucci's - Pizzeria Scotty - Casa D' Mama -
Johnnys Pizza Di Fiores Pizzeria and Italian Restaurant - Uncle
Joe's Pizza - Santucci's - All Town Pizza - Dominick's - Wild West
Pizzeria - Abate Apizza - Rosati's - Abate Restaurant - Austin's
Bar & Grill - Mister P Pizza & Pasta - La Fogata - Mario's
Pizza - Lee's Hoagie House of Horsham - VJ's Diner & Rest -
Apollo Pizza - Epheseus Pizza - Garden City Pizza - Valentino's
Pizza - The Pizza Place and More - Positano's - Bella Pizza -
Rosatis Pizza Pub - Don Franco's - Brother Bruno's - Deniro's -
Dolce Carini - Dominick's Pizza & Carryout - Doreen's Pizzeria
II - Garlicknot - Joes Pizza & Pasta - Oreland Pizza - Papa
Nick's - Royal Pizza - SaraBella - Trattoria Peppino - American
United Taxi - Blue Diamond Taxi - Express Systems - Scrubbs - Matt
and Jeff's Car - Checkerd Flag Hand Carwash - Desert Express -
Atlas Car Wash - Splash Carwash - Mariner Car Wash - Express Car
Wash Legends - Paradise Bay - Classic Auto Spa - Dons Car Wash -
Shield System Carwash - Auto Spa - Key Road Car Wash - Blue Wave
Car Wash - Spotless Auto Laundrine - Personal Touch Car Wash -
Broadway Minute - American Car Wash - Magic Suds Car Wash -
Dynamite Auto Wash - The Car Wash - Quick Quack - Waterworks -
Mister Car Wash - Wiggy Wash - Supersonic Carwash
Slide 3
Cards stolen per breach continues to rise
Slide 4
Credit Cards Compromised
- Mar 30 2013: Schnucks: 2.4M
- Dec 18 2013: Target: 40M
- January: Neiman Marcus: 1.1M; Michaels: 3M
- March: Taxi POS; Sally Beauty: 282K
- June: Carwash POS; P.F. Changs: 7M
- July: Jimmy Johns; Goodwill: 868K
- August: UPS; Dairy Queen; Supervalu
- September: Signature Systems; Home Depot: 56M
- October: Kmart; Staples: 1.6M
- December: BeBe
Poor security of a POS provider affects hundreds of small businesses.
Slide 5
Global PoS Malware Infections
Slide 6
Card Fraud goes International
[Map labels: Chip and Pin, Magnet Strip]
- Stolen card numbers from the US are used globally
- Stolen card numbers from Europe are used in the US with magnet strips
- Used for online fraud globally
Slide 7
DHS Warns 1000+ US businesses hit by POS malware
Slide 8
Cost of Card Replacement $1.3 Billion
Slide 9
Cost of identity theft in US $24.7 Billion in 2012
Slide 10
Average victim cost $2,294
Slide 11
Going rates for stolen POS data
Hacker Products and Services: Price in 2013 / Price in 2014
- Visa and Master Card (US): $4
- American Express (US): $7 / $6
- Discover Card (US): $8 / $6
- Visa and Master Card (UK, CA, AU): $7-8 / $8
- American Express (UK, CA, AU): $12-13 / $15 (UK, AU), $12 (CA)
- Discover Card (AU, CA): $12 / $15 (AU), $10 (CA)
- Visa and Master Card (EU, Asia): $15 / $18-20
- Credit Card with Track I, II Data (US): $12
- Credit Card with Track I, II Data (EU): $19-20
Dell SecureWorks - Underground Economy
Slide 13
Carding As A Service
Slide 14
Black Friday Specials on Black Market
Slide 15
No Free Ride
Judge rules lawsuits against retailers are allowed. Banks can proceed to recoup their costs.
Slide 16
HOW DID WE GET HERE?
Slide 17
Slide 18
Chip and Pin are no silver bullet either!
Having plain-text chip/track data in POS memory will be more of the
same problem. While slightly more involved, vulnerabilities are
constantly being found, such as the Pre-Play attack and MitM PIN
verification.
Slide 19
Major Risks for PoS Terminals
- Similar configuration challenges as for PCs
- Old OSs and difficulties patching vulnerabilities
- On-device security software often not implemented
- Inadequate segmentation from corporate network
- Moving to Chip and PIN won't stop malware
Slide 20
Attack Vectors
- Multiple breaches performed by multiple attackers
- Used customized tools that were tailored to specific environments
- Enterprise desktop management systems used to push attack tools
- Tens of thousands of security events ignored
Slide 21
A Look At the Attack Method
- Installed malware on PoS devices
- Spread horizontally until achieved footprint on PoS network
- Moved from third-party network to retail store
- Reconnaissance found a third-party network connection
Slide 23
Exfiltration
- Card data hidden in local .dll file
- Malware copied .dll files to network share daily
- Known credentials used to access servers
- Card data moved to external FTP server
Slide 24
Follow the money
- Individual credential theft using keyloggers
- Wide scale credential theft using malware
- Attacks on bank's databases
- Attacks on the databases of card processors
Slide 25
WHAT CAN WE DO ABOUT IT?
Slide 26
Four Steps to Improve PoS Security
1 Enforce network segmentation
2 Restrict device access, limit application use and secure data
3 Leverage Threat Prevention
4 Integrate security and event management
Slide 27
A View Towards Segmentation
[Diagram labels: POS TERMINALS, CARD SWIPING DEVICES, (DATABASE SERVER), PAYMENT PROCESSING CENTER]
- Highest-end security throughput
- Back-end system protected
- PoS systems isolated from rest of network
Slide 28
Use VPNs to Secure Communications
- All PoS traffic is isolated from other inter-segment interactions
Slide 29
Implement Application Controls With Device Identity Restrictions
- Point of Sale systems can communicate only with specific protocols
- Logging enabled for forensic purposes
- Device identity enforced in the policy
Slide 30
Data Security
- Define and enforce the flow of Credit Card and other critical data to the expected destination
- Any deviation will be prevented
- Generate automated alerts and automated isolation from the network.
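An added example, not from the original slides and not Check Point product code: a minimal sketch of the data-flow rule on this slide, which recognises magnetic-stripe Track 1/Track 2 data in a payload and blocks any flow other than the expected one. The PoS subnet, processor address, function names and sample payloads are assumptions made up for the illustration.

```python
import ipaddress
import re

# Hypothetical policy values (not from the slides): the PoS segment and the
# single destination that is expected to receive card data.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PAYMENT_PROCESSOR = ipaddress.ip_address("192.0.2.10")

# ISO/IEC 7813 layouts: Track 1 "%B<PAN>^<NAME>^<YYMM>...", Track 2 ";<PAN>=<YYMM>..."
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(rb";(\d{12,19})=\d{4}")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum; filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit to int
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track_data(payload: bytes) -> list[str]:
    """Return which track layouts appear in the payload with a Luhn-valid PAN."""
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        if any(luhn_ok(m.group(1)) for m in rx.finditer(payload)):
            hits.append(kind)
    return hits

def evaluate_flow(src: str, dst: str, payload: bytes) -> dict:
    """Card data may only travel PoS segment -> processor; anything else is
    blocked, alerted on, and the source is marked for isolation."""
    hits = find_track_data(payload)
    expected = (ipaddress.ip_address(src) in POS_SEGMENT
                and ipaddress.ip_address(dst) == PAYMENT_PROCESSOR)
    if hits and not expected:
        return {"action": "block", "alert": True, "isolate": src, "found": hits}
    return {"action": "allow", "alert": False, "isolate": None, "found": hits}

# Constructed samples; 4111111111111111 is a widely used test number, not a real card.
SAMPLE_T2 = b"junk;4111111111111111=25121010000000000000?junk"
SAMPLE_T1 = b"%B4111111111111111^DOE/JOHN^25121010000000000?"
```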
Slide 31
Threat Prevention is a Must
- PCI includes requirements for anti-malware controls primarily for desktops
- Recommends but does NOT require additional malware protections
- Need to implement Threat Prevention across the network and not just malware monitoring
Slide 32
Use integrated event management to follow and break the kill chain
Slide 33
First View: All Events
- Important events prioritized on a timeline
Slide 34
Same Platform Enables Incident Management
- Prevented DLP incident triggers event log
- With source and destination details
- Event type and identifier of exfiltration attempt
Slide 35
Aggregation of Multi-Vector Attack Details
- Bot incident also identified
- Correlates to the same IP address
- Enables attribution and identification of method
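An added example, not from the original slides and not the product's own logic: the correlation described on the last three slides, grouping events by source IP so that a DLP incident and a bot incident from the same host surface as one prioritized incident with a timeline. The key=value log layout, field names and addresses are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a made-up key=value layout (not a real product log format).
SAMPLE_LOG = """\
2015-01-12T02:10:05 type=bot src=10.20.0.15 dst=203.0.113.7 sev=high detail=c2-beacon
2015-01-12T02:14:40 type=dlp src=10.20.0.15 dst=203.0.113.7 sev=critical detail=track2-blocked
2015-01-12T09:30:00 type=dlp src=10.20.0.31 dst=198.51.100.4 sev=medium detail=pan-in-email
2015-01-13T11:00:00 type=bot src=10.20.0.31 dst=198.51.100.9 sev=high detail=c2-beacon
"""
SEV_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def correlate(log_text, window=timedelta(hours=1)):
    """Report sources that show two or more event types within the time window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            by_src[event["src"]].append(event)
    incidents = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            vectors = sorted({e["type"] for e in cluster})
            if len(vectors) > 1:
                incidents.append({
                    "src": src,
                    "vectors": vectors,
                    "severity": max((e["sev"] for e in cluster), key=SEV_RANK.get),
                    "timeline": [(e["ts"].isoformat(), e["type"], e["detail"])
                                 for e in cluster],
                })
                break  # one incident per source is enough for triage
    # Most severe incidents first, as on a prioritized event view.
    return sorted(incidents, key=lambda inc: -SEV_RANK[inc["severity"]])
```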