
www.eidebailly.com

Calvin Weeks EnCE, CEDS, CRISC, CISSP, CISM

Computer Forensics Manager

Data Breaches, Credit Card Fraud, Front Page News …Are You Next?


Home Depot Breach

• CBS News
  • 2,200 stores compromised
  • Up to 60 million customers
  • Only 10% to 15% will see fraud activity
  • As much as $3 billion in bogus purchases

• Krebs on Security
  • Variant of the code from the Target attack
  • Compromised CC #’s were first sold on a Ukraine website


Lawsuits / Lawyers and Settlements

• Retailers not prepared for hack attacks

• Companies breached include UPS, Goodwill, P.F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus

• Solak et al v. The Home Depot, Inc., Case No. 1:2014-cv-02856, filed September 4, 2014 at The Eleventh Circuit, Georgia Northern District Court


How did the Breach occur?

• All compromises were a direct result of human failure at all levels

• Not one compromise has been attributed to hardware, operating system or application failures


Complaints with Loss Statistics

Complaints with Financial Loss (FBI Internet Crime Report)

Year  Complaints with loss
2011  115,903
2012  114,908
2013  106,079


Total Loss Statistics

Total Financial Loss (FBI Internet Crime Report)

Year  Total loss (millions)
2011  $485
2012  $525
2013  $574


Why is Data Security Important?

The DATA has VALUE

• Many organizations feel they have nothing worth stealing or they are too small and invisible.

• Your data has value to an attacker.

• 40M records X $2/record = $80M attacker profit.


All Data Has Value

Recent Breaches
• Goodwill (Sept. 2014 – 330 stores in 20 states)
• Home Depot (Sept. 2014 – 56,000,000 cards)
• P.F. Chang (pre-June 2014 – 33 locations)
• Sally Beauty Supply (March 2014 – 25,000 records)
• Target (2013 – 70,000,000 customers’ data)
• Sony (2011 – 100,000,000 customers’ data)
• Heartland Payment Systems (2009 – 130,000,000 accounts)
• TJX (2007 – 90,000,000 accounts)
• Card Systems (2005 – 40,000,000 accounts)


Data Value


Frameworks

• PCI
  • Build and Maintain a Secure Network
    • Firewall
    • No vendor-supplied defaults (passwords/parameters)
  • Protect CHD
    • Stored (at rest)
    • Encrypted transmission across open, public networks
  • Maintain Vulnerability Management Program
    • Protect against malware, update AV
    • Develop/maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to CHD by need-to-know
    • Identify/authenticate access to system components
    • Restrict physical access
  • Regularly Monitor and Test Networks
    • Track/monitor all access to network resources and CHD
    • Regularly test security systems and processes
  • Maintain Information Security Policy
    • Address information security for all personnel


Other Frameworks - NIST Critical Infrastructure Cybersecurity

Table 1: Function and Category Unique Identifiers

Function Unique Identifier  Function
    Category Unique Identifier  Category

ID  Identify
    ID.AM  Asset Management
    ID.BE  Business Environment
    ID.GV  Governance
    ID.RA  Risk Assessment
    ID.RM  Risk Management Strategy

PR  Protect
    PR.AC  Access Control
    PR.AT  Awareness and Training
    PR.DS  Data Security
    PR.IP  Information Protection Processes and Procedures
    PR.MA  Maintenance
    PR.PT  Protective Technology

DE  Detect
    DE.AE  Anomalies and Events
    DE.CM  Security Continuous Monitoring
    DE.DP  Detection Processes

RS  Respond
    RS.RP  Response Planning
    RS.CO  Communications
    RS.AN  Analysis
    RS.MI  Mitigation
    RS.IM  Improvements

RC  Recover
    RC.RP  Recovery Planning
    RC.IM  Improvements
    RC.CO  Communications


Preventative

Detective

Corrective


How about Compliance?

• Being compliant does not mean you're secure, and being secure does not mean you're compliant

• The Truth About Home Depot's Security Breach: Hacking Was Easy - By Jason Abbruzzese Sep 10, 2014


Established Standards

• Security standards began in the 50’s with the launch of the Russian Sputnik satellite

• In October 1967 a computer security task force was created

• The results of the task force were published in 1970 in what was named the Rand 609 report

• The Rand R-609-1 report was reissued in October 1979

• The standards established are still the same today even as technology advances regularly


Further Established Standards

• Manufacturer established standards for specific products

• After 2001 the National Institute of Standards and Technology (NIST) expanded special publications for technology standards

• NIST established Information Systems Management and Operational Standards for executives


Basic Security Concept

Cyber Security Operations
• Prevent
• Monitor/Detect
• Respond


Prevent

• Establish budgets

• Follow best practices
  • National Institute of Standards and Technology (NIST)

• Obtain advanced training

• Employ appropriate expertise

• Strategize to prevent every ATTEMPT


Monitor & Detect

• Establish centralized logging

• Collect logs from all systems, networks, applications and all reported issues

• Correlate and aggregate all logs

• Set up rules and signature databases for alarms and alerts

• Collection should have no filters

• Establish robust search, filtering and reporting capability

• Strategize to detect every ATTEMPT
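The monitoring practice on this slide (collect from every source without filtering, aggregate, correlate, alert on rules), as an added worked example that is not part of the original presentation: a small Python script that normalizes constructed sample lines from three sources (an sshd log, a web-application login log and a firewall log, all made up here with documentation-range IP addresses) into one time-ordered event stream and runs two correlation rules over it. The line formats, field names, event names and the failure threshold are assumptions chosen for illustration. It also shows why collecting from all systems and correlating matters: counted per source, no single system reaches the failure threshold, but the combined count does.

```python
"""Added example: centralized log collection, correlation and alerting.

Constructed sample lines from three sources are normalized into one event
schema, merged into a single time-ordered stream, and two correlation rules
are evaluated over the combined stream.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (made-up hosts and users, documentation-range IPs).
AUTH_LOG = [
    "2014-09-10T14:00:05 host1 sshd: Failed password for admin from 203.0.113.7",
    "2014-09-10T14:00:09 host1 sshd: Failed password for admin from 203.0.113.7",
    "2014-09-10T14:00:14 host1 sshd: Failed password for root from 203.0.113.7",
    "2014-09-10T14:01:00 host1 sshd: Failed password for jdoe from 198.51.100.20",
    "2014-09-10T14:01:20 host1 sshd: Accepted password for jdoe from 198.51.100.20",
]
WEB_LOG = [
    "2014-09-10T14:02:01 webapp login user=admin ip=203.0.113.7 result=fail",
    "2014-09-10T14:02:06 webapp login user=admin ip=203.0.113.7 result=fail",
    "2014-09-10T14:02:11 webapp login user=admin ip=203.0.113.7 result=fail",
    "2014-09-10T14:02:30 webapp login user=admin ip=203.0.113.7 result=ok",
]
FW_LOG = [
    "2014-09-10T13:58:40 fw action=DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2014-09-10T14:00:00 fw action=ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
]

# Assumed (illustrative) line formats for each source.
AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r"^(\S+) webapp login user=(\S+) ip=(\S+) result=(ok|fail)$")
FW_RE = re.compile(r"^(\S+) fw action=(ALLOW|DENY) src=(\S+) dst=\S+ dport=\d+$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def _parse(lines, regex, to_event):
    """Apply one source's format and map each match to the common schema."""
    return [to_event(m) for m in map(regex.match, lines) if m]


def normalize(auth_lines, web_lines, fw_lines):
    """Aggregate all sources into one schema (ts, source, ip, user, event),
    keeping every event (no filtering at collection), sorted by time."""
    events = _parse(auth_lines, AUTH_RE, lambda m: {
        "ts": _ts(m[1]), "source": "sshd", "ip": m[4], "user": m[3],
        "event": "login_ok" if m[2] == "Accepted" else "login_fail"})
    events += _parse(web_lines, WEB_RE, lambda m: {
        "ts": _ts(m[1]), "source": "webapp", "ip": m[3], "user": m[2],
        "event": "login_ok" if m[4] == "ok" else "login_fail"})
    events += _parse(fw_lines, FW_RE, lambda m: {
        "ts": _ts(m[1]), "source": "fw", "ip": m[3], "user": None,
        "event": "fw_deny" if m[2] == "DENY" else "fw_allow"})
    events.sort(key=lambda e: e["ts"])  # one time-ordered stream across sources
    return events


def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one IP accumulates >= threshold login failures across ALL
    sources within `window` and then logs in successfully on any system."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    alerts = []
    for e in events:
        if e["event"] == "login_fail":
            failures[e["ip"]].append(e["ts"])
        elif e["event"] == "login_ok":
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "ip": e["ip"],
                               "user": e["user"], "failures": len(recent), "ts": e["ts"]})
    return alerts


def rule_denied_then_login_ok(events):
    """Alert when an IP the firewall denied earlier later authenticates."""
    denied, alerts = set(), []
    for e in events:
        if e["event"] == "fw_deny":
            denied.add(e["ip"])
        elif e["event"] == "login_ok" and e["ip"] in denied:
            alerts.append({"rule": "denied_then_login_ok", "ip": e["ip"],
                           "user": e["user"], "ts": e["ts"]})
    return alerts


def per_source_failures(events):
    """Failure counts per (ip, source): what a per-system view would see."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "login_fail":
            counts[(e["ip"], e["source"])] += 1
    return dict(counts)


def run_detection(auth_lines=AUTH_LOG, web_lines=WEB_LOG, fw_lines=FW_LOG, threshold=5):
    events = normalize(auth_lines, web_lines, fw_lines)
    return rule_bruteforce_then_success(events, threshold) + rule_denied_then_login_ok(events)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

With the sample data, `per_source_failures` shows at most three failures from 203.0.113.7 on any one system, below the threshold of five, while the correlated stream counts six and raises the alert; the firewall rule fires on the same address because an earlier deny and a later successful login are visible together only once both sources are collected centrally.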


Respond

• Establish a response capability

• Include members from executive, IT, HR, security, legal, public relations and others as appropriate

• Review reports from monitoring activities

• Meet regularly to make informed decisions

• Strategize to respond to every ISSUE

• Making an informed decision to do nothing is acceptable


IT/Security Operational Model


Security & Risk Assessments

• Vulnerability Assessments and Penetration Testing are technical options, but do not go far enough

• Knowing that you are vulnerable and that your systems and networks can be compromised does not answer the business question of what the priority is

• A properly performed security & risk assessment will help you set priorities that match business goals and objectives


The Experts

• IT Professionals will help keep your systems and networks up and running

• Security Professionals will help keep your systems and networks protected

• Computer Forensics Professionals will help respond and investigate issues involving technology for HR, Legal and executive purposes


IT Professional vs. Forensic Examiner

• IT Professional training does not include handling of evidence
  • Primary focus is keeping systems up and running
  • Can be a witness on system, network and internet operations
  • Not trained or prepared to testify as an expert

• Forensic Examiner understands the rules of evidence
  • Primary focus is collecting, preserving and examining relevant data
  • Can provide assistance with technical legal strategies
  • Trained and prepared to testify as an expert


Examples

IT Professional vs. Forensic Examiner
• A police officer’s daily work involves knowing, understanding and applying laws, but that does not make them an attorney.
• A bookkeeper knows the accounting of their books and how to apply accounting practices every day, but this does not make them a CPA.
• An IT Professional knows how to set up, operate and maintain computer and network systems, but this does not make them qualified to investigate and testify, nor should they.


Computer Forensics vs E-Discovery

e-Discovery is Electronic Discovery
• Production of known responsive info for litigation
• Indexed database searching and filtering
• Provides data statistics
• Also refers to Federal Rules of Civil Procedure, Process or Service

Computer Forensics
• Investigation and recovery of relevant info
• Provides the details in context
• Provides transactional details
• Scientifically supports or disputes statements made by parties
• Identifies and demonstrates facts about the activities found on a computer or electronic device


Example: Business Sale (Made-up)

• A business owner discussed the sale of his business over public internet e-mail. An offer to sell was made in the amount of $1,000,000. After several months without a deal, the purchaser sued and as evidence produced a “PRINTED” copy of a reply e-mail from the seller asking to sell the business in the amount of $100,000.


Example: Employee Non-Compete

Our client had purchased a business and agreed to employ the previous owner as a sales executive. After a year the CEO suspected that the sales executive was funneling clients and work to a competing business, but had no proof. The difficulty was that, as the sales executive, it was her job to contact clients, and nothing in her company e-mails showed any suspicious activity.


Example: Classified Restrictions

• Our client was in civil litigation over the misappropriation of more than $1.5 million in federal funds by the CEO and the CEO's spouse, who was the CFO of a public/private research program. Attorneys needed all of the e-mails and files collected so they could be reviewed for financial activities and communications.


Classified Experience

• Designed, engineered and implemented systems, networks and applications in a Top Secret Classified DoD facility

• Applying the concepts and standards introduced in this presentation achieved 100% security compliance

• Responsible for 35 systems

• Part of a team of 8 engineers

• Project consisted of 35 professionals in one facility and another 15 in another location


My Classified Experience

• In two years, two attempts were made to compromise Top Secret Systems.

• If it were not for the established monitoring to detect activity, the attacks would have been successful.

• Not because security was not applied, but because of unknown vulnerabilities of the OS.

• These attempts shut down all operations of more than 135 people for more than three weeks.

• DoD has the money to sustain this kind of operation, but businesses cannot afford this level of response to compromises, much less to attacks that were only unsuccessful attempts.


Lesson Learned

• Once you consider the extreme of operating like a DoD classified facility, other discussions can take place.

• If you can quantify your IT and security operations, then a declarative value can be placed on attempts and compromises.

• Insurance companies can now have a third party assess the security compliance and capabilities of an organization to begin serious cyber loss coverage.


Conclusion

Cyberthreats and cyberattacks have increased dramatically over the past several years. They have exposed sensitive personal and business information, disrupted the critical operations of institutions, and imposed high costs on the economy and business operations. That is why it is imperative that companies stay informed about the continuously changing forms of cyberthreats and develop appropriate, cost-effective controls to safeguard their businesses.


This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general informational purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.

Questions?


Calvin Weeks [email protected]

405.858.5591

Data Breaches, Credit Card Fraud, Front Page News …Are You Next?
