Presented at InnoTech Dallas on May 17, 2012. All rights reserved.
How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
Brian Blankenship, Operations Information Security Officer, Heartland Payment Systems
Dump truck racing = InfoSec Career
Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective
Heartland – A Full Service Payments Processor
• Card Processing
  – Credit/debit/prepaid cards
  – Process over 10 million transactions a day
  – Process over 3.9 billion transactions annually
• Payroll Processing (PlusOne Payroll)
• Check Management (Check 21, ExpressFunds, StopLoss)
• Online Payment Processing
• MicroPayments – Vending, Laundry, Campus Solutions
• Gift Cards and Loyalty Processing
• Heartland Gives Back
Heartland – Our People
• HQ: Princeton, NJ
• IT: Plano, TX
  – 300 employees
• Servicing: Louisville, KY
  – 800 employees
• Heartland Cares Foundation
Heartland - 15 Years Ago ... and Today
                1997 (1st Trans 6/15/97)    Today
Clients         2,350                       255,000
Employees       25                          3000+
Ranking         #62 in US                   #5 processor in U.S.
Portfolio       $0.4 billion                $68 billion
Heartland - Financials
Year    Net Revenue    Net Income    EPS
2004        137,796         8,855    0.26
2005        186,486        19,093    0.50
2006        245,652        28,544    0.71
2007        294,771        35,870    0.90
2008        383,708        41,840    1.08
(Net Revenue and Net Income in thousands of dollars; EPS in dollars)
Heartland – EPS in 2009…
Heartland CEO’s granddaughter
Heartland – The Recovery
• 2009
  – Total Revenues $1,652 m (up 6.93%*)
  – Net Income -52 m (down 224%)
  – EPS -1.38 (down 223%)
• 2010
  – Total Revenues $1,864 m (up 12.8%)
  – Net Income 35 m (up 167%)
  – EPS 0.88 (up 163%)
• 2011
  – Total Revenues $1,996 m (up 7.1%)
  – Net Income 44 m (up 25.7%)
  – EPS 1.09 (up 23.9%)
*All percentages year-over-year
The Threat
It’s all about the money ….
What Happened? – The Penetration
Very Late 2007 – SQL Injection via a customer facing web page in our corporate (non-payments) environment. Bad guys were in our corporate network.
Early 2008 – Hired largest approved QSA to perform penetration testing of corporate environment
Spring 2008 – CEO learned of Sniffer Attack on Hannaford’s, Created a Dedicated Chief Security Officer Position and filled that position
April 30, 2008 – Passed 6th Consecutive “Annual Review” by Largest QSA
Very Late 2007 – Mid-May 2008 – Unknown period but it is possible that bad guys were studying the corporate network
Mid-May 2008 – Penetration of our Payments Network
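The corporate-side entry point on this timeline was a SQL injection in a customer-facing web page. As an added illustration (not Heartland's code or schema), the block below contrasts the defect pattern, a query assembled from user input, with the parameterized form that the code-analysis and web-application testing named later in the deck are meant to enforce; the merchant table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer-facing lookup page's
# backing table. Nothing here is Heartland's schema; the names are made up.
SAMPLE_MERCHANTS = [
    (1, "Corner Deli", "ACTIVE"),
    (2, "Main St Garage", "ACTIVE"),
    (3, "Lakeside Laundry", "SUSPENDED"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a hypothetical merchants table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defect pattern: user input spliced into the SQL text. A quote in
    `name` closes the string literal and the remainder is parsed as SQL."""
    sql = f"SELECT id, name, status FROM merchants WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the statement text is fixed and the driver binds `name` as a
    value, so quotes or keywords in it cannot alter the query structure."""
    sql = "SELECT id, name, status FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The textbook tautology input, used only to show the behavioural difference.
TAUTOLOGY = "x' OR '1'='1"


def demo() -> tuple:
    """Return (rows from the vulnerable lookup, rows from the parameterized
    lookup) for the same hostile input."""
    conn = make_db()
    try:
        return (lookup_vulnerable(conn, TAUTOLOGY),
                lookup_parameterized(conn, TAUTOLOGY))
    finally:
        conn.close()


if __name__ == "__main__":
    bad, good = demo()
    print(f"string-built query returned {len(bad)} rows")    # every merchant
    print(f"parameterized query returned {len(good)} rows")  # no such merchant
```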
What Happened? – The Investigation and The Announcement
Late October 2008 – Informed by a card brand that several issuers suspected a potential breach of one or more processors. We received sample fraud transactions to help us determine if there was a problem in our payments network. Many of these transactions never touched our payments network.
No evidence could be found of an intrusion despite vigorous efforts by HPS employees and then two forensics companies to find a problem.
January 9, 2009 – We were told by QIRA that “no problems were found” and that a final report reflecting that opinion would be forthcoming.
January 12, 2009 – January 20, 2009 – Learned of breach, notified card brands, notified law enforcement and made public announcement.
Why I came to Heartland…
• The way the breach was handled
• High degree of transparency
• Knew that security would be #1 priority
• Heartland was changing the perception of breaches, and how they should be handled
PANIC
DENIAL
ANGER
BARGAINING
DEPRESSION
ACCEPTANCE
FIX THE PROBLEM
Vectors of Trust
• After any major incident, there are multiple vectors of trust that have to be rebuilt
  – Trust from your customers
  – Trust from your investors
  – Trust from your own employees
  – Trust from your competitors
• Heartland has worked hard to rebuild these
The Real Response
1/20/09 - Call to arms of all Heartland employees to visit clients and talk to partners
HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22
HPY 4Q08 Earnings Call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement
3/14/09 – Delisted from Visa list of approved vendors
4/30/09 – Certified PCI compliant by VeriSign and reinstated on Visa list of approved vendors
5/11/12 – HPY Closed at $30.41
Industry Security Advancements
• Chip & PIN (EMV) – Helps authenticate the card
• Tokenization – Reduces risk of storing card data
• Both help, but don’t address data in transit
Heartland Approach to E3
• End to End Encryption
• Continuous protection of the confidentiality and integrity of transmitted information by encrypting at the origin and decrypting at the destination.
E3 Security Model
E3 Device Strategy
• Build devices that use Tamper Resistant Security Modules to encrypt payment data at the point of swipe or data entry.
• Collaborate with existing device vendors and encryption solution providers.
E3 Data Strategy
• Protect cardholder and merchant data wherever it resides on Heartland’s systems.
• Directly influence industry security standards and practices to strengthen data protection.
Merchant Bill of Rights, Sales Professional Bill of Rights, Durbin
http://www.spbor.com/
http://www.merchantbillofrights.org/
http://getyourdurbindollars.com/
Key Risk Mitigations
Data Loss Prevention
Network and Application Penetration Testing
Platform Security
Static and Dynamic Code Analysis
The New Paradigm
• During investigation of Heartland breach
  – Found other processors knew of the breach indicators
  – Several had seen or known about them
  – No one shared that information
• Started the PPISC (Payment Processors Information Sharing Council) in 2009
  – Charter – bring processors to the table to discuss threat indicators and tactics
  – Avoid any discussion on business related topics to avoid anti-trust issues
  – Everyone brings to the table topics that they are seeing through their various intel sources (internal and external)
Intelligence Sharing – PPISC
Malware signatures currently being shared with input of Secret Service and other agencies
Participation in threat exercises (CAPP – Cyber Attack Against Payment Processes)
Changes in Breach Perceptions
• For Heartland, the impact was immediate and very high
• People have come to understand that any company can be breached
• Acceptance becoming the norm
Targeted Attacks
Is your company a target…?
SpyEye: targets financial institutions
Adversary Attributes
• Advanced
  – Well funded adversary
  – Advanced technical capabilities
  – Ability to identify zero-day exploits
  – Weaponize exploits
  – Trained professionals
  – Backing of nation state or organized crime
• Persistent
  – Sustained presence with target organization
  – Remains undetected
  – Takes the time needed to reach objective and exfiltrate information
• Threat
  – Covert theft or alteration of sensitive information
  – Political or military advantage
  – Strategic or tactical advantage
  – Economic advantage or financial gain
Can a system be completely secure?
“The only secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”
Gene Spafford – Purdue University
Getting in can be easy…
The malware code was obfuscated:
• Encoded: Zero AV detection
• Decoded: detected by 8 of 43 AV engines
Blackhole Exploitation Kit
Social Engineering:
• Manipulating people into performing actions or divulging confidential information
• Pretexting: creating an invented story to engage a target in a way that makes them more likely to divulge the desired information.
• Usually involves: sympathy, intimidation, flattery, or fear
• Most companies are vulnerable to SE
Example SE scenario…
What would you do if…
• You receive a call from your Helpdesk
• Caller ID shows the correct number
• The caller says there is suspicious activity coming from your computer and they need you to run a scan by visiting the following URL:
  – http://onlinesecurityscanner.com
• After the scan runs, you are informed that your system checked out fine. Sorry for the inconvenience.
For more info on Social Engineering: http://social-engineer.org
Are attacks on the rise?
• Increased media coverage over the last year
  – Much like “shark attack” coverage
• New motivations
  – Political
  – Limelight / Ego
  – Embarrassment
  – Retaliation
Are attacks on the rise…???
The number of incidents reported has been increasing
• 2010 – 800 new compromise incidents
• 2004-09 - just over 900
source: 2011 Verizon DBIR
Records Compromised
• The total number of records compromised annually has declined
  – 2011 – 4 million
  – 2010 – 144 million
  – 2009 – 361 million
source: 2011 Verizon DBIR
Who is behind data breaches?
• 92% - stemmed from external agents (+22%)
• 17% - implicated insiders (-31%)
• <1% - resulted from business partners (-10%)
source: 2011 Verizon DBIR
How do breaches occur?
• 50% utilized some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% resulted from privilege misuse (-31%)
• 11% employed social tactics (-17%)
source: 2011 Verizon DBIR
How do breaches occur?
83% of victims were targets of opportunity
92% of attacks were not highly difficult (+7%)
76% of all data was compromised from servers (-22%)
86% were discovered by a third party (+25%)
96% of breaches were avoidable through simple or intermediate controls
89% of victims subject to PCI-DSS had not achieved compliance (+10%)
source: 2011 Verizon DBIR
Where should mitigations be focused?
• Eliminate unnecessary data
• Ensure essential controls are met
• Check the above again
• Assess remote access services
• Test and review web applications
• Audit user accounts and monitor privileged activity
• Monitor and mine event logs
• Examine ATMs and other payment card input devices for tampering
source: 2011 Verizon DBIR
Ever work with a security guy like this?
Information Security Balance
Purpose is to secure assets without adversely affecting business functions.
Ultimate Security  vs.  Needs of a Business
Information Security Balance – CIA Triad
• Confidentiality
• Integrity
• Availability
Security Systems
• Firewalls
• IPS
• FIM
• Software Agents
• Malware Appliances
• Static/Dynamic Code Analyzers
• Vulnerability Scanners
• WAF
• DLP
• SIEM
• Anti-Virus
Security Systems
• Purchasing a “checklist” of security devices is not enough!
• You need skilled personnel to manage these devices.
• Most of these technologies require a large amount of time to manage effectively.
Summary
• Businesses can recover from a major breach
  – HPS has recovered and is growing
  – PCI Security Standards Council Board of Advisors
  – FS-ISAC Board of Directors
• Every company is a target, make yours a hard one
  – Assume you have been compromised
  – Focus on detection, data elimination
• Get involved
  – Information Sharing (FS-ISAC, PPISC, Infragard)
  – Local security chapters: ISSA, ISACA, OWASP
Thank you!