Here is the Foregenix presentation delivered by Andrew Henwood at PCI London on the 25th January 2012.
08/02/2012
1
Andrew Henwood
The diary of a forensic investigator: Secrets Revealed
Dear Diary – who do ADCs affect?
• Smallest merchant
• Largest merchants with multitudes of sites
• Issuers and Acquirers
IR Plan should be similar, irrespective of entity size!
ADC Trends & Targets
Cybercriminals are using:
• Same old vulnerabilities (SQL, backdoor trojans, malware etc.)
• Increasingly sophisticated attack methods
• Targeted attacks
• More automated tools
• Quicker developing trends
• Repeat attacks to maximise harvest
• Increasingly powerful systems and techniques
• Decrease in time between compromise and fraud spend
…But the target remains the same. Cardholder Data.
Dear Diary - How are ADCs typically identified?
• Cardholders report fraud on their card => their card is compromised
• Issuers and/or Schemes trace back legitimate spend
• If multiple compromises, this trace identifies Common Points of Purchase (CPP)
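The CPP trace described above, as an added example that is not part of the presentation: given the cards an issuer has confirmed as compromised and every card's legitimate spend, rank merchants by how over-represented they are among the compromised cards relative to the rest of the portfolio. All card ids, merchant names and the coverage threshold are constructed.

```python
from collections import defaultdict

# Constructed sample: (card_id, merchant) pairs of legitimate spend.
TRANSACTIONS = [
    ("c1", "CoffeeCo"), ("c1", "HotelX"), ("c1", "Grocer"),
    ("c2", "HotelX"), ("c2", "FuelStop"),
    ("c3", "HotelX"), ("c3", "Grocer"), ("c3", "CoffeeCo"),
    ("c4", "Grocer"), ("c4", "FuelStop"),
    ("c5", "Grocer"), ("c5", "CoffeeCo"),
    ("c6", "Grocer"), ("c6", "HotelX"),
]
# Cards the issuer has confirmed as compromised via reported fraud (constructed).
COMPROMISED = {"c1", "c2", "c3"}


def merchants_by_card(transactions):
    """Map each card to the set of merchants it legitimately spent at."""
    seen = defaultdict(set)
    for card, merchant in transactions:
        seen[card].add(merchant)
    return seen


def common_points_of_purchase(transactions, compromised, min_coverage=0.75):
    """Rank merchants over-represented among the compromised cards.

    Returns [(merchant, coverage, lift)] sorted by lift, then coverage.
    coverage: fraction of compromised cards that spent at the merchant.
    lift: coverage divided by the same fraction for non-compromised cards,
          so a merchant every card uses scores low even at full coverage.
    """
    by_card = merchants_by_card(transactions)
    bad = [c for c in by_card if c in compromised]
    good = [c for c in by_card if c not in compromised]
    if not bad:
        return []  # nothing to trace without confirmed compromised cards
    results = []
    for merchant in {m for ms in by_card.values() for m in ms}:
        coverage = sum(merchant in by_card[c] for c in bad) / len(bad)
        if coverage < min_coverage:
            continue  # too few compromised cards saw this merchant
        base = sum(merchant in by_card[c] for c in good) / len(good) if good else 0.0
        lift = coverage / base if base else float("inf")
        results.append((merchant, coverage, lift))
    results.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return results
```

With the sample data only HotelX is seen by every compromised card and by few others, so it surfaces as the CPP; the grocer everyone uses does not, despite two of the three compromised cards shopping there.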
Compromise Timeline (diagram)
How not to respond
Compromise Penalties!
Fines (amounts as shown in the presentation):

| Type    | Initial Fine | Lack of removing SAD (90 days) | Monthly PCI DSS Violation (4 months) | Monthly PCI DSS Violation (5 months) | Monthly PCI DSS Violation (>=6 months) |
|---------|--------------|--------------------------------|--------------------------------------|--------------------------------------|----------------------------------------|
| L1      | 50,000       | 30,000                         | 50,000                               | 75,000                               | 75,000                                 |
| L2      | 25,000       | 15,000                         | 25,000                               | 50,000                               | 50,000                                 |
| L3&4    | 10,000       | 5,000                          | 10,000                               | 15,000                               | 15,000                                 |
| Members | 50,000       | 30,000                         | 50,000                               | 75,000                               | 75,000                                 |
| PSPs    | 25,000       | 15,000                         | 50,000                               | 30,000                               | 30,000                                 |
| Others  | 10,000       | 5,000                          | 10,000                               | 25,000                               | 25,000                                 |
Card Scheme / Acquirer vs. Entity Priorities
In most cases, these priorities are NOT aligned!
• Card Schemes & Acquirers: Containment, Limit Exposure, Identify “At Risk” card data, Fines
• Entities: Containment, root cause identification, remediation, get on with business
For potentially compromised entities, ensure the PFI selected / engaged has your priorities at heart
Facilitating a Forensic Investigation
1. Invoke IR plan
2. Engage a PFI (ASAP!)
3. Document and collate all current and ongoing events, all people involved, and all discoveries into a timeline for evidentiary use
4. Do not access or alter any aspect of the suspect system(s)
5. If you suspect the attack is currently ongoing, remove the system's connectivity to the network, i.e. pull the network cable / down the adapter
Do not power the system down!
Re-emphasise: Do not access or alter any aspect of the suspect system(s) …or at least minimise access!
PCI Forensics vs. Traditional Forensics
1. PCI Forensics does not equal traditional forensics
2. Majority of attacks are coordinated, focused, highly sophisticated and custom to the environment
 – Custom malware (targeted memory scraping)
 – Payment application manipulation (source code modifications and manipulation of limits / controls)
 – Custom rootkits and built-in defence mechanisms
 – Hacker SDLC
 – Anti-forensics
Real-World Forensic Statistics: Affected Industry (example)

| Category          | Trustwave (2011) | Verizon (2011) | 7Safe (2010) |
|-------------------|------------------|----------------|--------------|
| Hospitality       | 10%              | 40%            | 5%           |
| Financial Services| 6%               | 22%            | 7%           |
| Retail            | 18%              | 25%            | 69%          |
| Food and Beverage | 57%              | ?              | ?            |
| Government        | 6%               | 4%             | 2%           |
| Education         | 1%               | ?              | ?            |
| Other             | ?                | ?              | ?            |
* References to reports in conclusion of presentation
Statistics & Trends
Individual company statistics are “interesting” but impossible to correlate except broadly!
• Utilise public combined sources: www.datalossdb.org and http://www.privacyrights.org/ar/ChronDataBreaches.htm
• Hospitality / Food & Beverage / Retail compromised the most
• Majority of ADC are from external sources
• Majority of breaches are focused and well organised criminal businesses
• Majority of victims had evidence of the breach in their log files, thus should have been aware!
• Majority of attacks were trivial
• Only a fraction reported in CEMEA
GoldenDump.com (2011)
Incident Overview
• Subject: Multi-national Issuer / Acquirer
• Incident Date: 2010
• Investigation Date: Late 2010
• Initial Vulnerability: SQL Injection
• Exploited Weaknesses:
 – Poor network segregation
 – Lack of log review
 – Let down by security partners
• Exposure:
 – 2.4 million PAN
 – 780,000 Track 2
 – > 90,000 in cash
The Environment (2010) – network diagram showing: Internet Banking Servers, Online Payment Servers, Application Servers, Backend Systems (DB01, DB02, DB03, DB04, DEVDB, AS400) and Branch Offices.
So… what went wrong? (Underlying Causes)
• Phase 1: Initial Compromise – SQL Injection
 – The site had been tested by multiple external parties and had “passed” three penetration tests (code had NOT changed since 2005!).
 – Logs were collected (plenty of them – 4.5 billion events) but never reviewed.
 – Network architecture was “temporary” but never resolved.
 – Poor password policies.
• Phase 2: Reconnaissance & Exploration
 – Poor network architecture design decisions.
 – Poor password policy.
 – Lack of log review.
• Phase 3: Account Data Extraction (PAN)
 – Inappropriate data retention policies.
 – Lack of awareness regarding Account Data storage (where is it?)
 – Poor system management.
• Phase 4: Account Data Extraction (Track 2)
 – Inappropriate data retention policies (again).
 – Poor network segmentation.
• Phase 5: Internet Banking Manipulation
 – Application made “blind” use of data within a database.
 – Application unable to detect “tampering”.
 – Failed transfers were not reviewed or followed up.
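Phase 5 turns on the application trusting whatever it reads back from the database, with no way to detect tampering. As an added example (not code from the presentation or from the investigated entity), a keyed MAC stored beside each record lets the application reject a row that was altered directly in the database before it acts on it; the key, field names and transfer records are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample key: in a real deployment it lives with the application
# tier (secret store / HSM), never in the database whose rows it protects.
APP_KEY = b"constructed-sample-key-not-for-production"
PROTECTED_FIELDS = ("transfer_id", "source_account",
                    "destination_account", "amount", "currency")


def _canonical(record):
    """Stable serialisation of the protected fields so equal content hashes equally."""
    payload = {k: record[k] for k in PROTECTED_FIELDS}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _mac(record, key):
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def seal(record, key=APP_KEY):
    """Return a copy of record carrying a 'mac' column to be stored beside it."""
    sealed = dict(record)
    sealed["mac"] = _mac(record, key)
    return sealed


def verify(record, key=APP_KEY):
    """True only if every protected field is unchanged since seal()."""
    return hmac.compare_digest(_mac(record, key), str(record.get("mac", "")))


def process_transfer(record, key=APP_KEY):
    """Gate each row read back from the database on its integrity check."""
    if not verify(record, key):
        return "REJECTED: integrity check failed; log it and escalate to IR"
    return f"OK: {record['transfer_id']} {record['amount']} {record['currency']}"


def demo():
    """Constructed scenario: one genuine row, one altered directly in the DB."""
    original = seal({"transfer_id": "T1001", "source_account": "ACC-SRC",
                     "destination_account": "ACC-DST", "amount": "250.00",
                     "currency": "GBP"})
    tampered = dict(original)
    tampered["destination_account"] = "ACC-OTHER"  # MAC not recomputed
    return process_transfer(original), process_transfer(tampered)
```

Every rejection is also a detection event: the failed check is exactly the signal that, per the slide, went unreviewed when failed transfers were not followed up.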
How could things have been done? (Means of Reducing Exposure)
• Fundamentally – an awareness of Account Data
 – Review & revise data retention policies.
 – Know where the stuff is. (Get rid of it)
• Regular & thorough testing of external attack surfaces.
 – Reputable companies (not always the big players).
 – Speak with your peers (word of mouth is invaluable).
• Log retention is great! Log review is better! Both are needed.
• Review & revise network architecture designs.
• Review & revise system build policies (including password policies).
None of this is new and should sound familiar
PCI Prioritised Approach.....! Also supported by the VISA Technology Innovation Program!
Means of Reducing Exposure (mapped to PCI Prioritised Approach milestones)
• Fundamentally – an awareness of Account Data
 – Review & revise data retention policies.
 – Know where the stuff is. (Get rid of it)
• Regular & thorough testing of external attack surfaces.
 – Reputable companies (not always the big players).
 – Speak with your peers (word of mouth is invaluable).
• Log retention is great! Log review is better! Both are needed.
• Review & revise network architecture designs.
• Review & revise system build policies (including password policies).
Milestones referenced on the slide: Milestone #1; Milestone #2 / #6; Milestone #4 / #6; Milestone #1 / #2; Milestone #2 / #3 / #4
Summary
• Identify, remove / protect your sensitive data
• Segment / scope the network
• Regularly: Test & Review
• Maintain full logs, but pointless if no review
• Define, build and test an incident response plan
• Build a partnership with a security business to independently review
Stay Safe & Risk Aware
www.foregenix.com