Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Similar documents
Creating, Developing and Instituting an Effective Incident Response Plan. Webinar. 15 April 2015

Data Security Basics for Small Merchants

Third Party Risk Management Basics. Webinar. 26 February 2015

Effectively Managing Data Breaches

Managing Network Segmentation in Payment Environments

Payment Card Data and Protected Health Information Security Practices

MITIGATING LARGE MERCHANT DATA BREACHES

2015 Visa Payment Security Symposium Webinar

Implement Effective Penetration Testing

Securing The Data. Payment System Forum Bank Negara Malaysia. 27 th November Murugesh Krishnan Head of Risk, South & Southeast Asia

Strengthening Processor Security Webinar 10:00 AM 11:00 AM PT

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Identifying and Mitigating Threats to E-commerce Payment Processing

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

PCI Requirements Coverage Summary Table

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI Requirements Coverage Summary Table

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

What You Need to Know About PCI SSC Guiding open standards for global payment card security

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

New PCI Standards Enhance Security of Cardholder Data

Global Partner Management Notice

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013

Template for PFI Final Incident Report for Remote Investigations

Becoming PCI Compliant

Franchise Data Compromise Trends and Cardholder. December, 2010

Payment Processing Threats Impacting Grocery Store Merchants. April 2013

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

INFORMATION TECHNOLOGY FLASH REPORT

Webinar - Skimming and Fraud Protection for Petroleum Merchants. November 14 th 2013

NACS/PCATS WeCare Data Security Program Overview

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.0.

Payment Card Industry (PCI) Data Security Standard PFI Final Incident Report. Template for PFI Final Incident Report. Version 1.1.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

LESS IS MORE PCI DSS SCOPING DEMYSTIFIED

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Payment Card Industry Data Security Standards

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI Compliance 3.1. About Us

PCI Security Standards Council

Security & Compliance, Sikich LLP

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

PCI DSS 3.0 and You Are You Ready?

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Project Title slide Project: PCI. Are You At Risk?

Transitioning from PCI DSS 2.0 to 3.1

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

PCI Compliance The Road Ahead. October 2012 Hari Shah & Parthiv Sheth

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

SecurityMetrics Introduction to PCI Compliance

North Carolina Office of the State Controller Technology Meeting

PCI Security Standards Council

Thoughts on PCI DSS 3.0. September, 2014

PCI DSS Requirements - Security Controls and Processes

V ISA SECURITY ALERT 13 November 2015

SECURING YOUR REMOTE DESKTOP CONNECTION

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Continuous compliance through good governance

CONTENTS. PCI DSS Compliance Guide

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Josiah Wilkinson Internal Security Assessor. Nationwide

So you want to take Credit Cards!

Achieving PCI-Compliance through Cyberoam

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1

Introduction to PCI DSS

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI Compliance. Top 10 Questions & Answers

PCI Compliance Top 10 Questions and Answers

March

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

How To Protect Your Data From Being Stolen

Security Management. Keeping the IT Security Administrator Busy

74% 96 Action Items. Compliance

Net Report s PCI DSS Version 1.1 Compliance Suite

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

The PCI Security Standards Council. Bob Russo June 2011

Transcription:

Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Disclaimer The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or nontimeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free. To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages. 2 Breach Findings for Large Merchants 28 January 2015

Agenda Introduction Payment Card Compromises Analyzing Large Merchant Breaches Breach Findings & Vulnerabilities Security Controls for Large Merchants Questions and Answers 3 Breach Findings for Large Merchants 28 January 2015

Payment Card Compromises Glen Jones 4 Breach Findings for Large Merchants 28 January 2015

Visa Inc. CAMS Compromise Events Entity Type by Month Brick & Mortar Ecommerce Processor / Agent Source: Compromised Account Management System (CAMS) Original IC and PA Alerts 5 Breach Findings for Large Merchants 28 January 2015 5

Visa Inc. CAMS Compromise Events Top Market Segment* (MCC) Restaurants and retailers are leading market segments in 2014 Insecure remote access and poor credential management continue to be attack vectors RESTAURANTS OTHER RETAIL QSR'S B2B SUPERMARKETS LODGING 2011 2012 2013 2014 * Market Segment based on Acceptance Solutions MCC Market Segment category Source: Compromised Account Management System (CAMS) Original IC and PA Alerts 6 Breach Findings for Large Merchants 28 January 2015 6

Analyzing Large Breaches Lester Chan 7 Breach Findings for Large Merchants 28 January 2015

What we looked for Large breaches over the past 2 years Common themes, sources Attack patterns, characteristics Malware used Determine vulnerabilities Large versus small breaches Lessons learned Conclusion: Intruders are exploiting basic vulnerabilities 8 Breach Findings for Large Merchants 28 January 2015

Breach Findings & Vulnerabilities 9 Breach Findings for Large Merchants 28 January 2015

Profile of Large U.S. Merchant Breaches Aggregate findings over the past 2 years 9 8 6 5 2 Privileged accounts compromised Sysadmin accounts exploited Weak AppSec testing Inadequate monitoring Malware infected POS systems Weak segmentation between CDE and core Completed PCI DSS validation before incident Weak audit function 10 Breach Findings for Large Merchants 28 January 2015

Establish Security Controls for Remote Access Point of entry for attackers Harvest credentials using malware Social engineering to acquire Many remote servers not hardened Auditing not configured properly Lack of multi-factor authentication Lack of account management REMOTE ACCESS Enable multi-factor authentication Only enable when needed Business need only restrict by IP Regularly audit 3 rd party vendor remote access Malware on laptop harvested Remote access servers support end of life 11 Breach Findings for Large Merchants 28 January 2015

Ensure Merchant Core Network is Properly Segmented from Cardholder Data Environment (CDE) Some had flat networks Weak using ACLs, VLANs Allows attacker to pivot and traverse Network reconnaissance Lack of auditing and monitoring Lack of IPS/IDS on systems NETWORK SEGMENTATION ACLs and VLANs not sufficient Physical firewalls Separate CDE domain Some allowed Windows shares Patch servers access all Review alerts 12 Breach Findings for Large Merchants 28 January 2015

Review Elevated Account Privileges, Reviews, and Justifications Attackers use multiple accounts Install malware on POS systems Login with one, switch to elevated Owns the network, systems Allows attackers to execute commands Hides audit trails, actions, logs ELEVATED PRIVILEGES Ensure business justification Regularly review access No shared accounts Vendor account had Admin privileges Shared accounts used No account reviews 13 Breach Findings for Large Merchants 28 January 2015

Review Audit Controls To Capture Relevant Data with Actionable Information Misconfigured logs Not capturing correct or enough Threshold for alerts Requires tuning (noise) Assists investigators Ensure integrity on logs WEAK AUDITING Requires human interaction Use of automated tools Ensure capture of relevant info Some did not capture enough data Attacker deleted or modified logs Did not act on alerts 14 Breach Findings for Large Merchants 28 January 2015

Review Internet Ingress/Egress for Controls, Insecure Protocols and Alerts L Lack of monitoring Large data transfers Outside work hours Suspicious network activity Insecure protocols Infiltration of malware Exfiltration of cardholder data INTERNET INGRESS/EGRESS Employ the use of IDS/IPS Assess protocols Threshold for alerts, actionable info No Internet egress from CDE Insecure egress protocol Disguised as legitimate data Alerts but didn t take action 15 Breach Findings for Large Merchants 28 January 2015

Security Controls for Large Merchants 16 Breach Findings for Large Merchants 28 January 2015

Protecting Cardholder Data Ensure proper segmentation between core network and CDE using strong security controls External network Core network Cardholder data environment Ensure strong controls between Internet facing systems and core network Cardholder data 17 Breach Findings for Large Merchants 28 January 2015

Highlighted Changes to PCI DSS version 3.0 V 2.0 V 3.0 Changes to PCI DSS 3.0 related to breach findings 1.1.2 1.1.2, 1.1.3 Understand all data flows in your environment especially cardholder data ingress/egress and provide an updated network diagram 2.1 2.1 Clarifies requirement to change all default passwords and remove all unnecessary default accounts 2.2.2 2.2.2, 2.2.3 Enable only necessary services and ensure secure protocols are properly configured 5.3 New requirement to ensure active anti-malware cannot be disabled or altered without authorization 7.1.1 7.1.2 Restrict privilege IDs to those necessary to carry out job functions 8.5.6 8.1.5 Remote vendor access disabled when not in use 8.3 8.3 Two-factor authentication for remote access applies to users, admins, and vendors 8.5.1 Requires unique user authentication credentials for all remote access 10.1 10.1 Requires audit trails to be associated with a user not just a process 11.2.1 11.2.1 Quarterly vulnerability scans with high vulnerabilities are addressed by qualified staff, and re-scanned until remediated 11.3.4 New requirement for pentesting the CDE if segmented from the core network to ensure controls are in place 18 Breach Findings for Large Merchants 28 January 2015

Maturing Information Security Validate to Version 3.0 After January 1, 2015, all merchants must validate to PCI DSS version 3.0. Version 3.0 continues to evolve the PCI DSS standard controls to address current threats and vulnerabilities. Implement P2PE, EMV Chip, and Tokenization EMV Chip - Creates a unique cryptogram for each transaction Tokenization - Token replaces account number with unique digital token P2PE -Encrypt from the point of sale to the point where the third-party payment processor or acquirer decrypts the data for processing Proactive Security Controls Use two-factor authentication especially for remote access File integrity monitoring to protect against malware Application whitelisting to allow only those allowed applications Improve segmentation between CDE and core network Web application firewalls (WAF) 19 Breach Findings for Large Merchants 28 January 2015

Additional Security Controls SIEM Security intelligence and correlation Alerts and notification Tuning Vulnerability Management Frequency of scans Zero day vulnerabilities Remediation and tracking Antivirus Keep signatures updated Ensure settings cannot be altered Patch Management Keep all software, hardware, appliances up to date End of life systems Vulnerability window 20 Breach Findings for Large Merchants 28 January 2015

Key Takeaways Large merchant breaches continue to occur Continue focus on security basics, ongoing maturity and going beyond PCI Review security controls for remote access Review elevated account privileges, reviews, and justifications Ensure proper network segmentation Review auditing and logging to capture relevant data Review Internet ingress/egress for controls, insecure protocols, alerts Fully understand all cardholder data flows Changes in 2015 due to EMV liability shift Consider secure technologies to de-value data, reduce scope and fortify payment processing environments 21 Breach Findings for Large Merchants 28 January 2015

Upcoming Events and Resources Upcoming Webinars Training tab on www.visa.com/cisp Cyberlocker Merchant Overview & Enhanced Due Diligence 24 February 2015, 7 pm PST (Asia Pacific / Central Europe, Middle East, Africa audience) Cyberlocker Merchant Overview & Enhanced Due Diligence 25 February 2015, 10 am PST (North America, Latin America audience) Visa Third Party Risk Management Basics 26 February 2015, 10 am PST Visa Data Security Website www.visa.com/cisp Alerts, Bulletins Best Practices, White Papers Webinars PCI Security Standards Council Website www.pcissc.org Data Security Standards PCI DSS, PA-DSS, PTS Programs ASV, ISA, PA-QSA, PFI, PTS, QSA, QIR, PCIP, and P2PE Fact Sheets ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more 22 Breach Findings for Large Merchants 28 January 2015

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information