
PCI SSC 3.0 and Cybersecurity Threats

Presented by Bob Blakley, Associate Director, Metro DC
March, 2015

November 8, 2012

© 2010 Protiviti Inc. An Equal Opportunity Employer.

CONFIDENTIAL: This document is for your company's internal use only

and may not be copied nor distributed to another third party.

Speaker

Presenter: Bob Blakley, Associate Director, Metro DC

Topic: Managing IT Security Risk

Objective: Provide:
• Overview of key changes in PCI DSS 3.0
• Cybersecurity Threats

Relevant Experience:
• Associate Director in Security & Privacy Practice
• 18 years of IT Security experience, including 10 years of consulting, and 8 years of security threat management
• PCI Qualified Security Assessor


Change in PCI DSS 3.0

• Effective January 1, 2015

• Defining CDE - Network Segmentation

• E-Commerce Outsourcing


Network Segmentation

Scoping:

• Scoping has been clarified to indicate that system components must include “any component or device located within or connected to the cardholder data environment (CDE).”

• PCI DSS security requirements apply to all system components included in or connected to the CDE.

• A new requirement that if segmentation is used, “penetration testing procedures must test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from the in-scope systems.”

Implications:

• The new focus on connected systems likely expands the number of systems considered in-scope for many organizations, thereby increasing the complexity and cost of compliance.

• Example: In an Active Directory environment, a compromise of any domain member could impact security of the CDE, and now all domain members could be considered in-scope.
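The scoping rule above (anything connected to the CDE is in scope, and segmentation must be shown to isolate out-of-scope systems) can be treated as a reachability question over the flows the firewall permits. The script below is an added example written for this deck; it is not Protiviti code, and every host name, the two rule sets and the "claimed out of scope" list are constructed sample data. It computes the in-scope set as the transitive closure of permitted flows from the CDE, which reproduces the Active Directory case in the bullet above: a domain controller shared between POS terminals and corporate workstations pulls every domain member into scope, and a dedicated domain controller inside the CDE removes them again.

```python
"""PCI DSS scoping as a reachability check over permitted network flows.

Added example for this deck (not Protiviti code). Every host name, rule and
'claimed out of scope' list below is constructed sample data.
"""
from collections import defaultdict, deque

# Constructed inventory: the hosts that store, process or transmit card data.
CDE_HOSTS = {"pos-01", "pos-02", "cardvault-db"}

# Constructed firewall policy as permitted flows (src_host, dst_host, dst_port).
# Anything not listed is dropped by the implicit deny.
FLAT_RULES = [
    ("pos-01", "cardvault-db", 5432),
    ("pos-02", "cardvault-db", 5432),
    ("pos-01", "dc-01", 88),          # POS terminals are members of the corporate AD domain
    ("pos-02", "dc-01", 88),
    ("hr-laptop", "dc-01", 445),      # so are ordinary corporate workstations
    ("marketing-ws", "dc-01", 445),
    ("guest-ap", "proxy-01", 3128),   # guest Wi-Fi never touches the CDE
]

# Same environment after segmentation: the POS estate authenticates to a
# dedicated domain controller inside the CDE, so no corporate host is connected.
SEGMENTED_RULES = [
    ("pos-01", "cardvault-db", 5432),
    ("pos-02", "cardvault-db", 5432),
    ("pos-01", "cde-dc-01", 88),
    ("pos-02", "cde-dc-01", 88),
    ("hr-laptop", "dc-01", 445),
    ("marketing-ws", "dc-01", 445),
    ("guest-ap", "proxy-01", 3128),
]


def adjacency(rules):
    """Undirected graph: a permitted flow in either direction means the two
    hosts are 'connected' in the sense used by the 3.0 scoping language."""
    graph = defaultdict(set)
    for src, dst, _port in rules:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def compute_scope(rules, cde_hosts):
    """Breadth-first closure from the CDE. Returns {host: parent}; the keys are
    the in-scope hosts and the parent chain shows why each one was pulled in."""
    graph = adjacency(rules)
    parent = {h: None for h in cde_hosts}
    queue = deque(sorted(cde_hosts))       # sorted for deterministic paths
    while queue:
        host = queue.popleft()
        for peer in sorted(graph[host]):
            if peer not in parent:
                parent[peer] = host
                queue.append(peer)
    return parent


def path_to_cde(parent, host):
    """Walk the parent chain back to a CDE host, e.g. ['hr-laptop', 'dc-01', 'pos-01']."""
    path = [host]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path


def segmentation_violations(rules, cde_hosts, claimed_out_of_scope):
    """Hosts the organisation treats as out of scope that the policy actually
    connects to the CDE, each with the connecting path. An empty result means
    the segmentation isolates them as claimed."""
    parent = compute_scope(rules, cde_hosts)
    return {h: path_to_cde(parent, h)
            for h in sorted(claimed_out_of_scope) if h in parent}


if __name__ == "__main__":
    claimed = {"hr-laptop", "marketing-ws", "guest-ap"}
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"[{name}] in scope: {sorted(compute_scope(rules, CDE_HOSTS))}")
        for host, path in segmentation_violations(rules, CDE_HOSTS, claimed).items():
            print(f"[{name}] {host} claimed out of scope but reaches the CDE via {' -> '.join(path)}")
```

Under the flat policy the check reports hr-laptop and marketing-ws as in scope through dc-01; under the segmented policy it reports nothing. In practice the rule list would be exported from the firewall rather than typed in, and a policy review like this complements, rather than replaces, the penetration test of the segmentation controls that version 3.0 requires.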


Why is Network Segmentation Important?

1. Flat networks significantly increase the potential exposure of a single data breach without adequate protection of the network

• A credit card data breach can occur at any site/unit/store that accepts credit cards.

• A flat network leaves all machines vulnerable to the ‘weakest link’ -- Once connected to the network at any store/unit, an outsider can reach machines at corporate or any other store/unit

2. Network Segmentation can both reduce the scope and cost of PCI Compliance

• Adequate Network Segmentation reduces the number of systems, applications and users that are in scope

• Network Segmentation can reduce the impact of PCI Compliance on other IT users (Marketing, Legal, HR, R&D)


E-Commerce Outsourcing

• Alternatively, a Company could decide to outsource the credit card processing and storage to PCI compliant vendors that provide solutions from the initial “swipe” through settlement and chargeback. Some companies may find this approach more cost-effective than segmenting their network, and it would also reduce the scope.

• However, Version 3.0 eliminates the “loophole” for on-line merchants that outsourced online payment processing.

• Version 3.0 now states “System components include systems that may impact the security of the CDE (for example web redirection servers).”

• Implication: many e-commerce merchants’ infrastructure is typically connected to back-end billing, accounting, content and other systems which will now be in-scope if connected to outsourced web servers.


Data Breach Demographics

Industry Segments

• Reports vary greatly on ranking of impacted industry segments

• Financial Services

• Public Sector

• Retail

• Hospitality

• Utilities

Geography

• Victims affected in 95 countries

Developing Areas of Note:

• Cloud security

• SCADA systems are increasingly targeted

• Medical device security under the microscope

Bottom Line: It’s All About the Data!

1,500+ Data Breaches in 2014

1 Billion Records Compromised in 2014 Alone!


Underground Hacking Economy

Credentials                                   Price
Visa and Master Card (US)                     $4
American Express (US)                         $7
Discover Card with (US)                       $8
Credit Card with Track 1 and 2 Data (US)      $12
US Fullz                                      $25
DOB (US)                                      $11
Bank Acct. with $70,000-$150,000              $300 and less
Doxing                                        $25-$100

Hacker Services                               Price
Infected Computers (1,000)                    $4
Infected Computers (5,000)                    $7
Infected Computers (10,000)                   $8
Infected Computers (15,000)                   $12
Remote Access Trojan (RAT)                    $50-$250
Sweet Orange Exploit Kit Leasing Fees         $450 a week / $1800 a month
Hacking Website; stealing data                $100-$300
DDoS Attacks                                  Per hour $3-$5; Per day $90-$100; Per week $400-$600

Source: http://www.secureworks.com/resources/blog/the-underground-hacking-economy-is-alive-and-well/

A Zero Day Exploit targeting Apple’s iOS sold for $250k in 2012


Opportunistic vs. Targeted Attacks

Opportunistic Attacks

• Targets of opportunity based on a known vulnerability or set of characteristics

• Organization wasn’t specifically targeted

Targeted Attacks

• Organization is specifically targeted because of who they are, what they do, something they did, or the data they have

• Persistent attacks – Attackers keep coming back


Profiling Threat Actors

ORGANIZED CRIME
• Victim industry: Finance, Retail, Food
• Region of operation: Eastern Europe, North America
• Common actions: Tampering (Physical), Brute force (Hacking), Spyware (Malware), Capture stored data (Malware), Adminware (Malware), RAM Scraper (Malware), Backdoor (Malware)
• Targeted assets: ATM, POS controller, POS terminal, Database, Desktop
• Desired data: Payment cards, Credentials, Bank account info

STATE-AFFILIATED
• Victim industry: Manufacturing, Professional, Transportation
• Region of operation: East Asia (China)
• Common actions: Phishing (Social), Command/Control (C2) (Malware, Hacking), Export data (Malware), Password dumper (Malware), Downloader (Malware), Stolen creds (Hacking)
• Targeted assets: Laptop/desktop, File server, Mail server, Directory server
• Desired data: Credentials, Internal organization data, Trade secrets, System info

ACTIVISTS
• Victim industry: Information, Public, Other Services
• Region of operation: Western Europe, North America
• Common actions: SQLi (Hacking), Stolen creds (Hacking), Brute force (Hacking), RFI (Hacking), Backdoor (Malware)
• Targeted assets: Web application, Database, Mail server
• Desired data: Personal info, Credentials, Internal organization data

Source: 2013 Data Breach Investigation Report by Verizon


Breach Kill Chain – Anatomy of a Breach

Stages of the breach kill chain (the attacker aims to persist undetected throughout):

1. Initial Attack Vector
2. Establish Foothold
3. Identify Interesting Data
4. Distribute Ongoing Collection Malware
5. Exfiltrate Data

The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense-in-depth strategy. As the “cyber kill chain” model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration that may persist undetected for an indefinite period.


What is the corporate risk?

Monetary:

$5.85 million per breach average

$201 per record


What is the corporate risk?

Monetary:

$5.85 million per breach average

$194 per record

The risks are more than just immediate monetary impact:

Litigation

Reputation Loss

Loss of System Availability

Lost Productivity

Loss of Intellectual Property

Regulatory Fines


Mitigation Trends

After a data breach, organizations are relying on a combination of people-centric and technology-centric steps. One technique not depicted here is breach insurance, which we are seeing become more popular.

Source: Ponemon 2014 Annual Study: Cost of a Data Breach


Information security

With security breaches being an everyday event, regulators remain very focused on:

• Vendor Management
  – What roles do third parties play in supporting the company’s technology needs?

• Emerging Technologies
  • Cloud
  • Mobile

• Data governance and data leakage prevention (DLP)

• Application security
  – Are Security Development Lifecycle protocols embedded in the application development process?
  – Are periodic pen tests performed to identify vulnerabilities?
  – Database Security
  – Social Engineering

• Incident Response
  – Are there well-defined and communicated processes in place to respond to security breaches?


Information security – vendor management

Vendors are a common source of data loss and incidents; as such, companies are increasingly faced with more due diligence in managing profiles, completing risk assessments, streamlining management, and reporting key metrics:

• Increased data exposure
• Increased regulatory exposure
• Limited visibility
• Limited resiliency
• Limited responsibility


Information Security – emerging risks

As mobile devices gain popularity and are used throughout businesses, new risks emerge:

• Business data stored on personal mobile devices
• Lost mobile devices
• Insecure Apps
• Malware
• Misconfiguration

Many companies are not prepared to handle mobile device loss and may lack policies and response procedures to be prepared.


Information Security – emerging risks

Companies are processing and storing data in the “cloud” and this creates new challenges:

• Forensic Reviews
• eDiscovery
• Incident Response
• Vendor Contracting
• Asset Inventory
• License Compliance


Database Security

Where are your valuables?

• Is it your data, systems, or network?

• Current focus is towards protecting information through network configuration, systems administration, and application security

• How about the data in the database and the systems that manage it?

Security in Layers:

• Secure database

• Secure applications

• Secure operating system (relative to database system)

• Secure web server (relative to database system)

• Secure network environment (relative to database system)

Database security is often a neglected area because it is typically not well understood by DBAs and auditors.


Social Engineering

Can you tell them apart?

[Figure: Customer’s Outlook Web login page beside the Phishing Site]


Phishing as Security Awareness Tool


Attack Discovery

229: Median Number of Days from Compromise to Discovery

~67%: Victims Notified by a 3rd Party

Internal Discovery Methods: User, Financial Audit, Network IDS, Log Review, Fraud Detection, Host IDS, Incident Response, IT Audit

External Discovery Methods: Law Enforcement, Service Provider, Business Partner, Customer, Actor

Source: Mandiant 2014 M-Trends Report


Responding to an Incident

Incident Containment and Damage Assessment

• Determine nature and extent of incident through network and system log analysis.

• Identify potential assets involved

• Determine severity

• If attack is still active, take appropriate measures to contain the intruder.

Collect and Analyze Digital Evidence

• Utilize forensic analysis tools to gather digital evidence from workstations, laptops, servers, mobile devices, network devices, etc.

• Maintain proper chain-of-custody for future court proceedings.

Recover from the Incident and Resume Normal Operations

• Identify the means of attack and address any exploited security vulnerabilities.

• Conduct system restoration to resume normal operations.

• Analyze the incident and provide insight as to how to prevent similar incidents in the future.

Corporate Incident Response and Computer Forensic Capabilities

• Evaluate corporate incident response capabilities, tools and procedures and identify opportunities for improvement.

• Augment corporate incident response team.

• Develop corporate incident response plan, train personnel and assist in the acquisition of proper tools.
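The first containment steps above (determine the nature and extent of the incident from log analysis, identify the assets involved, determine severity) in code. This is an added example written for this deck, not Protiviti tooling; the SSH-style log lines, host names and addresses are constructed, and the thresholds (five failures inside a two-minute window) are assumptions that a real team would tune to its own environment. It groups authentication events by source and target, ranks each pair, and produces the asset list a handler would carry into containment.

```python
"""Scoping an incident from authentication logs.

Added example for this deck (not Protiviti code). The log lines, host names
and addresses below are constructed; the format mimics OpenSSH syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a brute force that succeeds on a POS terminal, a
# burst that fails against the card vault, a user typo on dc-01, and one
# unrelated cron line that the parser must ignore.
SAMPLE_LOG = """\
2015-03-02T09:14:01 pos-01 sshd: Failed password for admin from 10.9.8.7 port 51001
2015-03-02T09:14:02 pos-01 sshd: Failed password for admin from 10.9.8.7 port 51002
2015-03-02T09:14:03 pos-01 sshd: Failed password for admin from 10.9.8.7 port 51003
2015-03-02T09:14:04 pos-01 sshd: Failed password for admin from 10.9.8.7 port 51004
2015-03-02T09:14:05 pos-01 sshd: Failed password for admin from 10.9.8.7 port 51005
2015-03-02T09:14:06 pos-01 sshd: Failed password for admin from 10.9.8.7 port 51006
2015-03-02T09:14:10 pos-01 sshd: Accepted password for admin from 10.9.8.7 port 51007
2015-03-02T09:20:00 cardvault-db sshd: Failed password for root from 10.9.8.7 port 52001
2015-03-02T09:20:01 cardvault-db sshd: Failed password for root from 10.9.8.7 port 52002
2015-03-02T09:20:02 cardvault-db sshd: Failed password for root from 10.9.8.7 port 52003
2015-03-02T09:20:03 cardvault-db sshd: Failed password for root from 10.9.8.7 port 52004
2015-03-02T09:20:04 cardvault-db sshd: Failed password for root from 10.9.8.7 port 52005
2015-03-02T09:31:12 dc-01 sshd: Failed password for jsmith from 192.0.2.10 port 40001
2015-03-02T09:31:20 dc-01 sshd: Accepted password for jsmith from 192.0.2.10 port 40002
2015-03-02T09:32:00 dc-01 cron[412]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_log(text):
    """Turn matching lines into event dicts; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "host": m["host"], "user": m["user"], "src": m["src"],
                "ok": m["result"] == "Accepted",
            })
    return events


def triage(events, threshold=5, window=timedelta(minutes=2)):
    """Group by (source, target). A burst of >= threshold failures is 'medium';
    a success landing within `window` of such a burst is 'high', because the
    brute force most likely succeeded and the asset should be treated as
    compromised until shown otherwise."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["host"])].append(e)

    findings = []
    for (src, host), evs in by_pair.items():
        failures = [e["ts"] for e in evs if not e["ok"]]
        if len(failures) < threshold:
            continue                      # a couple of typos is not an incident
        severity = "medium"
        for e in evs:
            if e["ok"]:
                recent = [t for t in failures if e["ts"] - window <= t <= e["ts"]]
                if len(recent) >= threshold:
                    severity = "high"
        findings.append({
            "host": host, "src": src, "severity": severity,
            "failures": len(failures), "users": sorted({e["user"] for e in evs}),
        })
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["host"]))


def affected_assets(findings):
    """The asset list an incident handler would carry into containment."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = triage(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['severity']:6} {f['host']:14} from {f['src']:10} "
              f"{f['failures']} failures, users={f['users']}")
    print("assets involved:", affected_assets(results))
```

On the sample data this yields pos-01 as "high" (six failures followed by an accepted login from the same source) and cardvault-db as "medium" (a burst with no success), while the single failed login on dc-01 is left alone. Keeping the raw events rather than only the summary matters for the chain-of-custody point in the next section: the findings are derived from preserved log lines that can be re-examined later.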


Resources

Web Sites:

Protiviti www.protiviti.com

National Institute of Standards and Technology (NIST) http://csrc.nist.gov/

SANS http://www.sans.org/resources/

CERT Coordination Center http://www.cert.org/other_sources/

Privacy Rights Clearinghouse www.privacyrights.org

In Defense of Data www.indefenseofdata.com

Incident Response Resources

United States Computer Emergency Readiness Team http://www.us-cert.gov

NIST Computer Security Resource Center http://csrc.nist.gov

SANS Institute http://www.sans.org

Computer Emergency Response Team (CERT) http://www.cert.org


Summary

• Corporate assets continue to be targeted for malicious intent

• The expansion of IT assets (devices and data) makes protection of assets more challenging

• Most companies still are susceptible to the most common threats

• Take action -- Implement an IT Risk Management Plan and follow it!


Thank You


Bob Blakley

Associate Director

Tysons Corner, VA

+1 703-300-0199

[email protected]

© 2012 Protiviti Inc. This document may not be copied