System Theoretic Approach To Cybersecurity
|
|
- Juliana Bryan
- 8 years ago
- Views:
Transcription
1 System Theoretic Approach To Cybersecurity Dr. Qi Van Eikema Hommes Lecturer and Research Affiliate Hamid Salim Stuart Madnick Professor IC3.mit.edu 1
2 Research Motivations Cyber to Physical Risks with Major Consequences Source: Hitachi
3 Presentation Outline Research Motivations Approaches System Theoretic Accident Model and Processes (STAMP) Causal Analysis based on STAMP (CAST) System Theoretic Process Analysis (STPA) Case Study CAST Applied to the TJX Case Future Research Directions 3
4 System Theoretic Accident Process and Modeling (STAMP) Controller Model of controlled Process Control Actions Feedback Controlled Process 4
5 A Generic Control Structure 5
6 The Approaches The System Theoretic Model: STAMP Looking forward: System Theoretic Process Analysis (STPA) Looking backwards: Causal Analysis using System Theory (CAST) 6
7 STPA Process Safety or Security Problem to Prevent Hazard Inadequate Control Actions Causes Design and Management Requirements and Controls 7
8 CAST Process 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximate events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 8
9 Presentation Outline Research Motivations Approach System Theoretic Accident Model and Processes (STAMP) Causal Analysis based on STAMP (CAST) Case Study CAST Applied to the TJX Case Future Research Directions 9
10 TJX (TJ Maxx & Marshalls) Case Study TJX is a US-based major off-price retailer. Revenues > $25 billion (FY2014) Victim of largest (by number of cards) cyber-attack in history, when announced in Cost to TJX > $170 million, per SEC filings. Cyber-attack launched from a store on Miami, FL in 2005 by exploiting Wi-Fi vulnerability. Hackers ultimately reached corporate payment servers and stole current transaction data. Cyber-attack lasted for over 1.5 years Sources: Federal/State Court records (primary), TJX SEC Filings, Others (NYT, WSJ, Globe, FTC, Academic papers, Journal articles). 10
11 CAST Step 1: Identify System and Hazards System TJX payment card processing and management system Hazards at system level System allows for unauthorized access to customer information 1 2 System and hazard definition System level safety/security requirements 3 Draw control structure 4 Proximal events 5 6 Analyze the physical system Moving up the levels of the control structure Coordination and communication Dynamics and change over time Generate recommendations. 11
12 CAST Step 2: Define System Security Requirements Protect customer information from unauthorized access. Provide adequate training to staff for managing security technology infrastructure. Minimize losses from unauthorized access to payment system. 1 2 System and hazard definition System level safety/security requirements 3 Draw control structure 4 Proximal events Analyze the physical system Moving up the levels of the control structure Coordination and communication Dynamics and change over time Generate recommendations. 12
13 CAST Step 3: Hierarchical Control Structure 13
14 Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 14
15 Breaching Marshalls Store 1. AP- Open authentication vs Shared Key authentication. 2. WEP publically known weak algorithm compromised. 3. Sniffers used to monitor data packets. 4. Hackers steal store employee account information and gain access to TJX corporate servers. 15
16 Hackers Establish VPN Connectivity 1. Hackers use Marshalls AP to install VPN connection. 2. VPN is between TJX corporate server and hacker controlled servers in Latvia. 3. Code installed on TJX corporate payment processing server. 16
17 Flow for Sales of Stolen Payment Card Information. Via Bank in Latvia 17
18 Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 18
19 CAST Step 5: Analyzing the Physical Process (TJX Retail Store) 19
20 CAST Step 5: Analyzing the Physical Process (TJX Retail Store) Safety Requirements and Constraints Emergency and Safety Equipment Failures and Inadequate of the Above Equipment Physical Contextual Factors 20
21 CAST Step 5: Analyzing the Physical Process (TJX Retail Store) Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment Wi Fi network Access Point (AP) authentication Wi Fi encryption algorithm 21
22 CAST Step 5: Analyzing the Physical Process (TJX Retail Store) Failures and Inadequacy Retail store Wi Fi AP misconfigured Inadequate encryption technology WEP decrypting key were freely available on the internet. Inadequate monitoring of data activities on the Wi Fi. Physical Contextual Factors Early adopter of Wi Fi Learning curve and training 22
23 Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 23
24 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Safety Requirements and Constraints Emergency and Safety Equipment Failures and Inadequate of the Above Equipment Physical Contextual Factors 24
25 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment Payment card data is encrypted during transmission and storage Conform to Payment Card Industry Data Security Standard (PCI DSS) 25
26 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Failures and Inadequacy Payment data briefly stored and then transmitted unencrypted to the bank. Not compliant with PCI DSS. Fifth Third Bancorp had limited influence on TJX Physical Contextual Factors PCI DSS is not legally required by States (except for NV) and Federal Government. Fifth Third Bancorp has no regulatory role 26
27 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure 27
28 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure State Legislature PCI DSS is a law in the State of Nevada, but not in Massachusetts where TJX is headquartered. TJX creates jobs and generate revenue in Massachusetts. Legislature may be reluctant to impose constraints. 28
29 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure 29
30 Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Federal Regulatory agency: Most Cyber Security standards are voluntary and are written broadly. At the time of the attack, no regulation existed for the overall retail industry. 30
31 Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 31
32 Step 7: Coordination and Communication Lack of coordination for PCI DSS Compliance 32
33 Step 7: Coordination and Communication Aware of PCI DSS compliance issue. 33
34 Step 7: Coordination and Communication Cyber Security spending was not the highest priority. Aware of PCI DSS compliance issue. 34
35 Step 7: Coordination and Communication Missing support 35
36 Step 7: Coordination and Communication Missing support Uninformed 36
37 Step 7: Coordination and Communication No single person responsible for cyber security 37
38 Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 38
39 CAST Step 8: Dynamics and Migration to a High Risk State Initially cyber security risk was low because vulnerabilities were unknown to everyone experts, businesses, and hackers. Flaws in managerial decision making process. Information availability: recent experiences strongly influence the decision (i.e., no break ins so far.) 39
40 CAST Step 8: Dynamics and Migration to a High Risk State (Cont.) My understanding is that we can be PCI compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07 s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible. TJX CIO, Nov Above is a message from CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low. There were only two opposing views, a majority of his staff agreed. This confirmation trap led to postponing upgrades. 40
41 Comparison of Results from FTC and CTC Investigations and STAMP/CAST Analysis No. Recommendation CPC FTC STAMP/CAST 1 Create an executive level role for managing cyber security risks. No * Yes 2 PCI-DSS integration with TJX processes. No No Yes 3 Develop a safety culture. No No Yes 4 Understand limitations of PCI-DSS and standards in general. No No Yes 5 Review system architecture. No No Yes 6 Upgrade encryption technology. Yes No Yes 7 Implement vigorous monitoring of systems. Yes No Yes 8 Implement information security program. No Yes Yes CPC = Canadian Privacy Commission FTC = Federal Trade Commission * = Indicates recommendations that are close to STAMP/CAST based analysis but also has differences. 41
42 Research Contributions 1. Highlighted need for system thinking and systems engineering approach to cyber security. 2. Tested STAMP/CAST as a new approach for managing cyber security risks. 3. Discovered new insights when applying STAMP/CAST to the TJX case. 4. Recommendations provide a basis for preventing similar events in the future. 42
43 Application to Cyber Physical System (Stuxnet Example) 43
44 Application to Cyber Physical System (Stuxnet Example) Unauthenticated command is allowed from any source. 44
45 Application to Cyber Physical System (Stuxnet Example) Tempered feedback sensor data 45
46 Application to Cyber Physical System (Stuxnet Example) Tempered Algorithm 46
47 Future Research Directions Continue applying CAST for Cyber Security attack analysis and generate comprehensive list of recommendations that include: Improvements to mitigate technology vulnerabilities Ways to address systemic issues related to management, decision making, culture, policy and regulation. Apply the System Theoretic Process Analysis (STPA) approach to identify system vulnerability prior to an attack. Identify leading indicators The US Air Force had a successful example and is implementing STPA as a cyber security measure. Compatible with NIST standard on cyber security 47
48 Next Steps (IC)3 is starting a project to ensure the cyber security of complex power systems. Other project ideas? 48
49 Questions? Qi Van Eikema Hommes 49
50 Backups 50
51 Research Motivations Increased cyber intrusions and attacks Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. We rely on this vast array of networks to communicate and travel, power our homes, run our economy, and provide government services. Yet cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy. U.S. Department of Homeland Security Study Cybersecurity as a complex sociotechnical system problem. We want to prevent, not react to cyber attacks. 51
52 System Theoretic Accident Causality Model STAMP: System Theoretic Accident Modeling Process Professor Nancy Leveson: Engineering a Safer World, MIT Press System Theory: Hierarchy and emergence Communication and control STAMP models: the effects of complex system interactions The role of human actions and decisions as a part of the whole system 52
53 CAST Step 4: Proximate Event Chain 1. In 2005 TJX decided not to upgrade to a stronger encryption algorithm and continued using deprecated WEP encryption. 2. In 2005, hackers use war driving method to discover a misconfigured Access Point (AP) at a Marshalls store in Miami, FL. 3. Hackers join the store network and start monitoring data traffic. 4. In 2005, they exploited inherent encryption algorithm weaknesses at the store, and decrypted the key to steal employee account and password. 5. Using stolen account information, hackers accessed corporate payment card processing servers in Framingham, MA. 6. In late 2005 hackers downloaded customer payment card data from TJX corporate transaction processing servers in Framingham, MA using Marshalls store connection in Florida. 7. In 2006 hackers discover vulnerability, that TJX was processing and transmitting payment card transactions without encryption. 53
54 CAST Step 4: Proximate Event Chain (Cont.) 8. In 2006 hackers installed a script on TJX corporate servers to capture unencrypted payment card data. 9. In 2006 hackers used TJX corporate servers as staging area and create files containing customer payment card data and started downloading files using Marshalls store network. 10. In late 2006 hackers installed a dedicated VPN connection between TJX server in Framingham, MA and a server in Latvia. 11. In 2006 hackers started moving files directly from TJX server to the Latvian server. 12. In December 2006, TJX was alerted by a credit card company of possible data breach of TJX systems, initiating an investigation. 13. In January 2007, TJX announced publically that it was a victim of a cyberattack. 54
55 CAST Step 5: Analyzing the Physical Process (TJX Retail Store) (Cont.) Safety Requirements and Constraints: Prevent unauthorized access to customer information. Emergency and Safety Equipment (Controls): Wi Fi network Access Point (AP) authentication Wi Fi encryption algorithm Use of account id/password Failures and Inadequate Controls: Retail store Wi Fi AP misconfigured and allowed unauthenticated access. Inadequate monitoring of data activities on the retail store Wi Fi. Inadequate encryption technology WEP decrypting key were freely available on the internet. TJX collecting customer information that was not required Physical Contextual Factors: TJX was an early adopter of first generation Wi Fi technology at its over 1200 retail stores in 2000 Requiring a significant learning curve, training, and a new knowledge base in a short span of time. 55
56 CAST Step 8: Dynamics and Migration to a High Risk State (Cont.) My understanding is that we can be PCI compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07 s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible. TJX CIO, Nov Above is a message from CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low. There were only two opposing views, a majority of his staff agreed. This confirmation trap led to postponing upgrades. 56
57 CAST Step 9: Recommendations 1. According to PCI Security Standards Council, compliance is a business issue requiring management attention and need to integrate PCI-DSS requirements within appropriate components on development and operations parts of the control structure. a. Doing so would not ensure full protection against a cyber-attack, but it will help manage the risk more effectively. b. Ensure that TJX is shielded from liability, because TJX was fined $880,000* by VISA for non-compliance plus another $41 million 2. Understand objectives of standards and align them with cyber security and business needs, but PCI-DSS not fully adequate. a. Data must be encrypted when sent over a public network, but not when transmitted within TJX, over intranet or behind a firewall. b. PCI-DSS did not mandate using stronger encryption WPA until 2006, even though WPA was available in
58 CAST Step 9: Recommendations (Cont.) 3. Building a safety culture at TJX Specific steps can include: a. Safety critical entities can include encryption technology, hardware components (AP, servers, etc.), data retention/disposal/archival policies, a list of Key Threat Indicators (KTI)* to include in monitoring metric, and prevailing cyber security trends. b. Implement a plan to manage these entities with periodic reviews to update the list of safety critical entities. c. A dedicated executive role with cyber security responsibilities, will allow for a consistent view of TJX security technology across the organization. * KTI can be network traffic beyond an established threshold at TJX stores, number of network connections at odd hours of the day, etc. 58
Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks
Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks Hamid Salim Stuart Madnick Working Paper CISL# 2014-12 September 2014 Composite Information Systems Laboratory
More informationIT Compliance Volume II
The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents
More informationWHITE PAPER. Preventing Wireless Data Breaches in Retail
WHITE PAPER Preventing Wireless Data Breaches in Retail Preventing Wireless Data Breaches in Retail The introduction of wireless technologies in retail has created a new avenue for data breaches, circumventing
More informationPCI Solution for Retail: Addressing Compliance and Security Best Practices
PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment
More informationAPPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST
APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data
More informationThe Business Case for Security Information Management
The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationClosing Wireless Loopholes for PCI Compliance and Security
Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop
More informationWHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks
WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.
More informationFive PCI Security Deficiencies of Restaurants
Whitepaper The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus- Senior Security Architect, Vendor Safe 2011 7324 Southwest Freeway, Suite 1700, Houston, TX 77074
More informationTop Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009
Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationPCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards
PCI Security Compliance in KANA Solutions How KANA Applications Helps Companies Comply with PCI Security Standards Table of Contents PCI Security Compliance in KANA Solutions...1 The Importance of Protecting
More informationMaintaining Strong Security and PCI DSS Compliance in a Distributed Retail Environment
PCI DSS Maintaining Strong Security and PCI DSS Compliance in a Distributed Retail Environment White Paper Published: February 2013 Executive Summary Today s retail environment has become increasingly
More informationOverview. Summary of Key Findings. Tech Note PCI Wireless Guideline
Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the
More informationFranchise Data Compromise Trends and Cardholder. December, 2010
Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee
More informationHow To Understand And Understand Cyber Security
Special Sessions on Cybersecurity Research for Critical Infrastructure Thursday, February 12, 2015 In Oceans 12 Session 1, 8:30 10:00, Oceans 12 Michael Siegel Principal Research Scientist, and Associate
More informationPCI Wireless Compliance with AirTight WIPS
A White Paper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Introduction Although [use
More informationCyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks
Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks Hamid Salim Working Paper CISL# 2014-07 May 2014 Composite Information Systems Laboratory (CISL) Sloan School
More informationPCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
More information8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year
Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions
More informationFive PCI Security Deficiencies of Restaurants
WHITE PAPER Five PCI Security Deficiencies of Restaurants Five PCI Security Deficiencies of Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus - Chief
More informationIs the PCI Data Security Standard Enough?
Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationApplication Delivery in PCI DSS Compliant Environments
Application Delivery in PCI DSS Compliant Environments By Jason S. Dover, Director of Technical Product Marketing Introduction Protecting web applications is of critical importance for all organizations,
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:
More informationSecurity Awareness. Wireless Network Security
Security Awareness Wireless Network Security Attacks on Wireless Networks Three-step process Discovering the wireless network Connecting to the network Launching assaults Security Awareness, 3 rd Edition
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the
More informationWireless Network Security. Pat Wilbur Wireless Networks March 30, 2007
Wireless Network Security Pat Wilbur Wireless Networks March 30, 2007 Types of Attacks Intrusion gain unauthorized access to a network in order to use the network or Internet connection Types of Attacks
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationFive PCI Security Deficiencies of Retail Merchants and Restaurants
Whitepaper January 2010 Five PCI Security Deficiencies of Retail Merchants and Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations by Brad Cyprus, SSCP - Senior Security Architect,
More informationWHITE PAPER. Protecting Credit Card Data: How to Achieve PCI Compliance
WHITE PAPER Protecting Credit Card Data: How to Achieve PCI Compliance These days, anyone who owns a credit card is familiar with the problem of identity theft, in which technology-savvy thieves extract
More informationTJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts
Litigation Privacy & Data Protection Global Sourcing July 1, 2009 TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts by Tara
More informationUnderstanding Layered Security and Defense in Depth
Understanding Layered Security and Defense in Depth Introduction Cybercriminals are becoming far more sophisticated as technology evolves. Well-publicized security breaches of major corporations are capturing
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationPCI Compliance in Multi-Site Retail Environments
TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationwhitepaper 4 Best Practices for Building PCI DSS Compliant Networks
4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationData breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC
Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationEstablishing a Data-Centric Approach to Encryption
Establishing a Data-Centric Approach to Encryption Marcia Kaufman, COO and Principal Analyst Sponsored by Voltage Security Voltage Security: Many data breaches occur at companies that already have a data
More informationMaking Your Network Safe
Making Your Network Safe Key Differentiator NetVanta Security Audit Investing in Secure Networking Solutions is Key to Prevention It is critical that your communications network provides the security necessary
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationSecurityMetrics Vision whitepaper
SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationHow To Secure Your Store Data With Fortinet
Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationIIABSC 2015 - Spring Conference
IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationWireless Network Standard and Guidelines
Wireless Network Standard and Guidelines Purpose The standard and guidelines listed in this document will ensure the uniformity of wireless network access points and provide guidance for monitoring, maintaining
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE IAD Best Practices for Securing Wireless Devices and Networks in National Security Systems IAG U/OO/814639-15 13 October
More informationSee page 16. Thomas A. Vallas
Compliance TODAY July 2014 a publication of the health care compliance association www.hcca-info.org What s the key to successfully merging two large hospital systems? an interview with Michael R. Holper
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationIntro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits
HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationSECURING YOUR SMALL BUSINESS. Principles of information security and risk management
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationProtecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)
Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting
More informationEncryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013
Encryption and Tokenization: Protecting Customer Data Your Payments Universally Amplified Tia D. Ilori Sue Zloth September 18, 2013 Agenda Global Threat Landscape Real Cost of a Data Breach Evolution of
More informationTOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series
TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationInformation Security and Risk Management
Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management
More informationUnderstanding WiFi Security Vulnerabilities and Solutions. Dr. Hemant Chaskar Director of Technology AirTight Networks
Understanding WiFi Security Vulnerabilities and Solutions Dr. Hemant Chaskar Director of Technology AirTight Networks WiFi Proliferation Global WiFi Radio Chipset Sales 387 307 Millions 120 200 2005 2006
More informationCyber Risk to Help Shape Industry Trends in 2014
Cyber Risk to Help Shape Industry Trends in 2014 Rigzone Staff 12/18/2013 URL: http://www.rigzone.com/news/oil_gas/a/130621/cyber_risk_to_help_shape_industry_trends_i n_2014 The oil and gas industry s
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationAUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES
AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES INTRODUCTION Cybersecurity has become an increasing concern in the medical device
More informationSymposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda
2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR
More informationNavigate Your Way to PCI DSS Compliance
Whitepaper Navigate Your Way to PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) is a series of IT security standards that credit card companies must employ to protect cardholder
More informationOverview of Banking Application Security and PCI DSS Compliance for Banking Applications
Overview of Banking Application Security and PCI DSS Compliance for Banking Applications Thought Paper www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process
More informationSMALL BUSINESS PRESENTATION
STOP.THINK.CONNECT NATIONAL CYBERSECURITY AWARENESS CAMPAIGN SMALL BUSINESS PRESENTATION ABOUT STOP.THINK.CONNECT. In 2009, President Obama issued the Cyberspace Policy Review, which tasked the Department
More informationPCI Overview. PCI-DSS: Payment Card Industry Data Security Standard
PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That
More informationCybersecurity Risks, Regulation, Remorse, and Ruin
Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationData Loss Prevention Program
Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional
More informationElectronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security
Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile
More informationFor more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.
Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility
More informationThe Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:
Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction
More informationPCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv
PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv Security Challenges Desirability of Data 80% of all data breaches is payment card data (Verizon RISK team assessment)
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationEnterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003
Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003 Executive Summary The threat to network security from improperly secured WLANs is a real and present danger for today s enterprises.
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationMeeting Today s Data Security Requirements with Cisco Next-Generation Encryption
White Paper Meeting Today s Data Security Requirements with Cisco Next-Generation Encryption Today s Encryption Environments The number of cyber attacks targeting US organizational data has doubled over
More informationINFORMATION SECURITY FOR YOUR AGENCY
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationHOW SECURE IS YOUR PAYMENT CARD DATA?
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
More informationDon t Let Wireless Detour Your PCI Compliance
Understanding the PCI DSS Wireless Requirements A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2012 AirTight Networks, Inc.
More informationSecure communications via IdentaDefense
Secure communications via IdentaDefense How vulnerable is sensitive data? Communication is the least secure area of digital information. The many benefits of sending information electronically in a digital
More informationSecurity. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities
One Connection - A World of Opportunities Security Tiffany Trent-Abram VP, Global Product Management November 6 th, 2015 2015 TNS Inc. All Rights Reserved. Bringing Global Credibility and History TNS Specializes
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationPayment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,
More informationTarget Security Breach
Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More information