Retail Security and Compliance – Where On Earth is it Headed? An overview of the retail sector’s IT threats and how to be more effective in preventing them.

Agenda

• Introduction
• Retail in the news
• Why is cyber security important?
• Where are the threats?
• What can you do?
• Additional resources
• Questions?

About Coalfire

Coalfire is a founding member of the PCI Security Standards Council’s (SSC) program for Qualified Security Assessors (QSAs) and has been a QSA under Visa’s CISP initiative since 2003.

We are also an Approved Scanning Vendor (ASV) and Payment Application Qualified Security Assessor (PA-QSA).

We have completed more than 4,000 PCI projects for merchants, service providers and payment application developers, and we are recognized as one of the top five assessors based on the number of Reports on Compliance completed for service providers and Reports on Validation completed for payment application developers.

About Jeff Messer

Senior IT Security Consultant

• 15+ years of information technology and business experience.
• Extensive experience in delivering security assessments, compliance auditing, general IT and application controls assessments and system development reviews.
• Industries
  o Retail, higher education, healthcare, transportation, banking, finance, entertainment and leading-edge technologies.
• Hands-on experience in developing and implementing IT security strategy, directing and managing an IT department, and knowledgeable in various areas including:
  o Network & Systems Security
  o Risk Management
  o Vulnerability Assessments
  o Authentication & Access Control
  o System Monitoring
  o Regulatory Compliance
  o Systems Integration Planning
  o Penetration Testing
• Certifications
  o CISSP - Certified Information Systems Security Professional
  o CISA - Certified Information Systems Auditor
  o QSA - Qualified Security Assessor

Retail in the news

• US FBI Warns Retailers of Further Cyber Attacks Similar to Target Data Breach
• Target - 40 million payment card records and 70 million customers' records
• Neiman Marcus - 1.1 million cards
• Michaels (2nd breach)
• Sally Beauty - 282,000 cards
• Sears?
• According to the FBI there were 20 infections with BlackPOS. So far, Target and Neiman Marcus are the only two to go public.

Why is cyber security important?

• Increasing reliance on technology
• Attacks are increasing faster than the ability to stop them
• Lots of money can be made from stealing the data
• Public image can be tarnished quickly
• Corporate espionage
• Federal agencies moving to the cloud

Where are the threats?

• POS software
• Mobile POS
• Remote Desktop/Terminal Services
• Wireless access
• Access rights
• Outsourced managed services
• Unencrypted data over the network
• SQL injections
• Weak controls

POS software

• Have you patched your POS devices lately?
• When was the last time you upgraded?
• Do you perform any vulnerability scans?
• Have you turned on logging?
• PA-DSS and P2PE certification options

(Image: magnetic card reader POS)

Mobile POS

• Using an iPad or mobile POS device over wireless?
• How is the device secured?
• Is the data cached locally?

(Image: iPad running POS)

Remote Desktop/Terminal Services

• Do you have a device plugged into the internet?
• If they use cellular or 3G/4G, where is the firewall?

(Images: Digi International and Lantronix devices: wireless radio, network access server, WiFi and web access for Ethernet devices, Ethernet switches)

Wireless routers

• How is your network set up?
• Have you performed a wireless assessment?
• Rogue access points?

(Image: wireless access point/router)

Access rights

• Generic and shared accounts?
• Default accounts? Default passwords?
• User = Password?
• Segregation of duties?
• Logging of ‘root’ or ‘admin’ accounts?
• User account reviews?

(Image: user and access rights administration)

Outsourced managed services

• What have you outsourced?
• Have you checked your contract?
• Are you monitoring their work?

(Image: third party administering firewall rules)

Unencrypted data over the network

• Have you properly segmented your network?
• It’s a private/corporate network, that’s safe, right?
• Where does responsibility begin/end for sending data?
• We only send unencrypted data across trusted networks.

(Image: “Sniffing the wire”)

SQL injections

• Have you “escaped” or blacklisted any commands?
• Have you limited the database permissions of the web app?
• Have you restricted the type of commands, or applied “parameterized statements”?

Sample SQL injection line:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
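The slide's sample line, run both ways so the "parameterized statements" check can be seen to work. This is an added example, not code from the slides or from Coalfire; the users and userinfo tables, their rows and the two inputs are constructed here, and SQLite stands in for the web app's database.

```python
import sqlite3

# Constructed sample schema and rows (not from the slides): the two tables the
# slide's sample injection line refers to, users and userinfo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, card_last4 TEXT);
        INSERT INTO users VALUES ('alice', '1234'), ('bob', '5678');
        CREATE TABLE userinfo (name TEXT, email TEXT);
        INSERT INTO userinfo VALUES ('alice', 'alice@example.com'),
                                    ('bob', 'bob@example.com');
    """)
    return conn

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def lookup_vulnerable(conn, name):
    # The request value is pasted into the SQL text, so quotes and semicolons
    # in it are parsed as SQL.  SQLite's execute() refuses stacked statements,
    # so this models a driver that allows them by running each ';'-separated
    # statement in turn (a naive split, enough for the sample inputs below).
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    return rows  # rows of whichever statement ran last

def lookup_parameterized(conn, name):
    # The value is bound as a parameter and never becomes SQL text, so the
    # driver treats it as one opaque string whatever characters it contains.
    return conn.execute(
        "SELECT name, card_last4 FROM users WHERE name = ?", (name,)
    ).fetchall()

# Inputs built from the slide's sample line: a tautology that matches every
# row, and a stacked query that drops the users table.
TAUTOLOGY = "a' OR 't' = 't"
STACKED = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))    # every customer row leaks
    db = make_db()
    print(lookup_parameterized(db, STACKED))   # [] and users still exists
    print(table_exists(db, "users"))
```

The parameterized lookup returns no rows for either input and leaves the users table in place, which is the behaviour to confirm in your own web app's data-access code.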

Weak controls

• When was the last time you performed a risk assessment?
• Do you have an external, independent auditor?
• Are you experiencing high turnover?
• Do you perform background checks?
• We rely on a third party and they do it…

What can you do?

• Firewall management
• Segment your POS network
• Training
• PCI compliance
• Point-to-point encryption (P2PE)
• Deploy a Security Information and Event Management (SIEM) system to monitor network events
• Use two-factor authentication when accessing payment processing networks
• Monitor alerts from Visa, MasterCard, and Amex
• Ensure you are using certified hardware and software
• Whitelist programs

Enhance your existing cyber security

• Social engineering
• Penetration testing
• Application penetration testing
• Wireless assessment
• IT risk assessment
• POS forensic testing
• Vulnerability scanning
• IT audits

Top 5 trends that we see ahead

1. Cyber attacks are going to continue to increase in frequency, complexity and scale.
2. Mobile is no longer the exception.
3. The move to cloud computing will show demonstrable cost savings … but will add new risks.
4. Data breaches will continue to drive new security standards and spending.
5. Information risk management is no longer an “IT problem”, it’s a board problem.

Additional resources

• Whitepapers, webinars, blog: www.coalfire.com/resources
• What to do if you are compromised? http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
• Respond to a breach? http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf
• Identity Theft Resource Center - www.idtheftcenter.org
  o 2014 ITRC Breach Report: www.idtheftcenter.org/images/breach/ITRC_Breach_Report_2014.pdf
  o 2014 ITRC Breach Stats Report: www.idtheftcenter.org/images/breach/ITRC_Breach_Stats_Report_2014.pdf
• Incident Response - Best Practices
  o Data Breach Response & Preparation - http://www.idtheftcenter.org/id-theft/incident-response-best-practices.html
• Interactive Breach/Hacks Diagram
  o www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

For additional information, contact…

Jeff Messer
Senior IT Security Consultant

Coalfire
16420 Bake Parkway, Suite 100
Irvine, CA 92618

Office: (949) 271-7014 x7089 Cell: (949) [email protected]

www.coalfire.com