Payment Security Update

Transcription

1 Payment Security Update Rick Dakin, CEO & Cofounder October 2, 2014

2 Agenda Coalfire Introduction Changing Environment Threats Technology Compliance Mobile Security Recent Data Breaches Risk Management Strategies

3 About Coalfire Leading independent provider of IT Governance, Risk and Compliance (IT GRC) solutions IT Governance Risk and Compliance Focused expertise in Healthcare (HIPAA), Retail (PCI), Banking (GLBA), Utilities (NERC) and Cloud (FedRAMP) Full suite of IT GRC solutions: compliance audit, risk and vulnerability assessment, application security, penetration testing and forensic analysis Served over [1,500] clients to date, including Oracle, Epic, IBM, Ford, Nordstrom, EchoStar, Microsoft, Intuit, Overstock, Savvis Over [200] employees and contractors across [8] offices: UK, Denver, Seattle, New York, Atlanta, Los Angeles, San Francisco and Dallas 3

4 Changing Environment New attack surfaces New attack vectors More active Nation States 4

5 Payments Yesterday and Today

6 What s a consumer mobile device?

7 Sensitive data goes mobile Payment data Corporate Corporate apps VPN credentials Banking data Healthcare ephi Home automation Automotive Social Dropboxes We can t wait to manage sensitive data on mobile.

8 What are Mobile Payments? Consumer electronic device this is generally assumed to be a widely available device that runs one of the mobile operating systems currently available. Form factor, and the term mobile, is becoming increasingly irrelevant, but will include devices not capable of meeting traditional PCI DSS requirements around host or server based security. ios, Android, Windows Mobile Devices can serve many functions including payment capture, payment presentment, client access for ecommerce transactions, store use, etc. Purpose built payment device these devices fall into one of the categories described in the PCI PTS standard Traditional card swipe and PIN capture devices SCR Secure card readers can be attached using USB, serial, audio jack, dedicated device ports, etc.

9 More Mobile Payments Wallets, e wallets, digital wallets These are applications and/or services that facilitate the access to, storage and presentment of consumer payment details Wallet applications can be enabled using various techniques and technologies (QR codes, NFC, Web transfer, etc) It is generally (and wrongly) assumed that wallets store payment details securely using consumer electronic device protections or other means (secure element or secure cloud storage) Mobile POS or mpos an increasingly difficult use case to define, but generally refers to the use of a non traditional POS application/system/tool to facilitate the consumer checkout process in a face to face situation

10 Mobile Payment Options Wallets Google Wallet PayPal MasterCard PayPass Payment Applications Square Paypal Here Verifone Mobile Pay Apple Pay

11 Can this possibly be safe?

12 Threats and attacks are increasing Mobile s proliferation and access to sensitive data make it an enticing target Loss / Theft Phishing Malware Spy ads Repackaging QR attacks Wi Fi Botnet Smartphones are 90% more likely to be lost than laptops Phishing is many times more successful on mobile devices Android Market had over 400,000 downloads of malicious apps identified in 2011 Legitimate sounding applications from the Dark Side Multi media whiz bang idea, can be used for evil Man in the middle attacks, just like using a laptop An emerging threat to organizational infrastructure

13 Vulnerabilities of the mobile platform today Security awareness and usage Confusion over security ownership Small size increases loss and theft Authentication and access control not designed for multi user or secure application management Mobile security standards are immature and not consistently deployed even when available o o o o No firewalls No system hardening or patching No Monitoring or alerting No antivirus

14 Payment security trends on mobile devices Deploy encrypting sled devices provide fastest way to reduce risk for merchant acceptance on consumer mobile stay on current POS platform (Verifone, Ingenico, etc) Integrate a 3 rd party payment gateway that handles all encryption on the POS and decrypts authorization request in the cloud (Square, Shift 4, Verishield, etc) Close you eyes and hope for the best. Deploy a dongle. While the most popular route today, it does not offer any risk mitigation and no ability to achieve PCI compliance.

15 Merchant acceptance strategies not clear cut The risks highlighted previously are compounded when mobile is now an aggregating point of sensitive data. Are customers demanding the replacement of their credit card with a mobile device? Should a merchant consider cloud based wallets, carrier payment solutions or mobile based store loyalty/gift programs?

16 Compliance Strategies Not clear cut PCI DSS Special Interest Groups Mobile Task Force Working Groups Mobile Guidance Category 1 PTS approved device Category 2 Single-Use device Category 3 Multi-Use device Guidance Published Mobile Payment Acceptance Security Guidelines for Developers (Sept 2012) Use secure and dedicated payment sleds Prefer PTS approved device accept PIN transactions Mobile Payment Acceptance Security Guidelines for Merchants (Feb 2013) You own all the risk for non validated payment devices

17 Compliance Strategies part 2 Visa Ready The program provides innovators a path for the certification of devices, software and solutions used to initiate or accept Visa payments as well as guidance and best practices to access the power of the Visa network. Acquirers Ultimately, it is up to the acquirer to determine what mobile acceptance platforms are acceptable Third party evaluation may be acceptable in the interim

18 Merchant PCI Compliance Concerns Using an un validated mobile POS solution? PCI DSS ROC Scope: No assurance that Track Data isn t captured and stored insecurely Wireless is in scope at merchant retail environments Centralized logging and monitoring is virtually impossible PCI DSS SAQ Risk: Up to the responsible merchant to accurately determine scope and applicability

19 Mobile security action items Mobile is here deal with the risk o o o o o o Awareness New policies and security controls Training Risk Assessment before integration of 3rd parties or deployment of new technologies Require encryption and tokenization Enhance physical security Enhance testing and oversight while new technologies are being deployed o Validated applications and service providers make it mandatory even without PCI requirement Make users aware that their wallets have no firewalls, security controls or fraud protection NOT YOUR JOB TO PROTECT THEM

20 NFC mobile payments just around the corner? Legacy paradigm of plastic cards represented by a mobile device expands the security challenges for PCI. The mobile wallet contains the valuable assets now who is the owner? Billions of mobile devices will now contain toxic cardholder data so much for limiting the footprint. Mobile security management solutions take on an even greater importance

21 Now Apple Pay is here with a new security strategy 2. User identified 1. Request Mobile card 4.. Token installed in wallet 3. Card and associated token issued Card Issuer Token exchange 5. Token presented to merchant 6. Authorization request with token Vault Mobile Wallet Merchant NFC Card Processor or Acquiring Bank Transaction receipt 7. Transaction authorized

22 And What is up with all those data breaches? 22

23 A wake up call the cyber threat is increasing 23

24 Current Cyber Attack Data 24

25 Heartbleed Bug opens new vulnerabilities User / Admin Credentials Captured Web sites are no longer secure Perimeter devices (firewalls and routers) are vulnerable A single credential can be escalated to compromise entire access control mechanisms Criminals don t have to take some of the data they can take it all! 25

26 Kill Chain Analysis Report

27 Missed Opportunities 27

28 Lessons Learned 28

29 New VISA Guidance to Retailers Risk Management Security VISA Strategy Compliance Enhance network security Control administrative accounts Harden POS platforms Secure web accessible applications Mitigate 3 rd Party Risk Deploy more secure applications EM Encryption Tokenization 29

30 Beyond compliance focus on security 30 Defense in Depth Secure Applications Physical and logical access controls in place (focus on admin users) Sufficient network segmentation FIM or White List solution SIEM solution & Monitoring (become agile) New Security Technology EMV, Tokenization or Encryption Static to Active Security Continuous Monitoring Integrated Incident Response Change Management

31 CEO IT Security Scorecard 1. Are we already compromised but simply do not know it yet? 2. How would I know if we had a serious alert and when it would be escalated? 3. If we have a serious vulnerability, how would the senior executive team know if it has been remediated to an acceptable level of risk? 31

32 Rick Management Strategies 32

33 Increasing Maturity for Cyber Risk Management Maturity of Service Risk Management Advisory, Governance Analysis CCM, Risk Assessment Continuous Diagnostics AppSec, Forensic, APT, Sand Box Technical Testing Vulnerability Scans, Pen Testing Compliance Validation (ITGC) PCI, HIPAA, SSAE16, FISMA, FedRAMP Enterprise IT Risk Management Baseline Compliance Management 33 Depth of Service

34 Market Maturity 2014 Cyber Risk Management Threat Management Industry Cyber Maturity Rating 2014 Security Testing 1. Initiated early efforts with an informal organization. 2. Piloted functional expertise and some early repeatability. Getting the job done. 3. Deployed Baseline operations achieved and deployment teams in place. 34 Governance Compliance Security Operations 4. Institutionalized The entire organization operates with consistency and quality. 5. Optimized This visionary and collaborative state allows for all to contribute to include partners and clients. 1. Governance early efforts focused on policies and compliance reporting. 2. Compliance The early winner for resources. Organizations did not want to be negligent and made baseline compliance investments. 3. Security Operations While compliance achieved baseline results, operations remain sporadic and largely ineffective against current threats. 4. Security Testing Basic vulnerability testing and light pen testing has become commonplace. However, effective infrastructure, application security and 3 rd party integration is largely unserved. 5. Threat Management The hackers and adversarial nation states are winning. While tools are becoming available, the skills and resources to counter more sophisticated threats remains weak.

35 Market Maturity Cyber Risk Management Definitions Compliance 1. IT General Controls Matrix and Metrics 2. IT GC testing and operational response 3. Internal Compliance Validation 4. External Compliance Validation 5. Beyond Compliance Testing and Reporting Technical Testing 1. Vulnerability Scanning 2. Vulnerability Management includes remediation tracking 3. Penetration Testing 4. Application Testing and Validation 5. Red Team Testing and integrated control validation through forensic testing Security Operations 1. Network and system security 2. Logging, monitoring and response 3. Application security and 3 rd party controls 4. Integrated forensic analysis and incident response 5. Continuous diagnostics and enterprise dashboard reporting Threat Management 1. Threat advisory processing 2. Malware protection 3. Application White Listing 4. APT Detection and Response 5. Threat Intelligence Management and integration into industry threat groups Governance 1. Policies and enforcement 2. Security plans (Disaster Recovery, Incident Response, 3 rd Party Management) 3. Compliance Reporting 4. Risk Analysis and Advisory 5. Risk Management and appropriate Cyber Insurance 35

36 Market Maturity 2016 Opportunity for Growth Threat Management Industry Cyber Maturity Rating 2016 Security Testing Governance Compliance Security Operations While the need for enhanced compliance management will grow, it will not grow at the rate or complexity of the other cyber risk management components. The following opportunities will dominate. Sec Ops - Become more nimble at security operations. Convert static security perimeters and fragile systems to dynamic event monitoring and response. Security Testing Expand routine vulnerability scans to include continuous application level testing. Extend pen tests to full red team exercises. Threat Management An emerging area that will determine winners and losers is threat management. New tools for detecting APT and other threats will enable better responses and proactive planning for security operations. Governance - Governance will move upstairs. Executives and boards are just now starting to interact with IT leadership to manage cyber risk. They need better dashboards, testing and analysis. 36

37 Questions Rick Dakin Coalfire CEO