CYBER ATTACKS CASHING IN ON RETAILERS: A WEBINAR ON CYBERSECURITY
May 21, 2015
WELCOME
Jim Ambrosini, CISSP, CFE, CISA, CRISC, CRMA, is a Managing Director with CohnReznick Advisory Group who leads its cybersecurity and IT risk solutions. His team specializes in analyzing technology infrastructure, evaluating processes and applications, developing strategic plans, and deploying secure solutions. Jim has nearly 20 years of diversified experience in IT systems, technology risk management and information security.
CPE INFORMATION
Learning Objectives:
1. Understand the evolving cyber risk landscape and its implications for retailers
2. Learn how to get the basics right when building a cyber program
3. Dispel common myths of cybersecurity and see how cyber has become an enterprise-wide issue
Questions may be asked by webinar participants through the chat feature. In order to receive CPE credit for this session, participants must answer 75% of the polling questions; these questions do not need to be answered correctly. Please email learn@cohnreznick.com with any questions.
AGENDA
- Cyber Trends and Landscape
- Cyber Threats to Retail
- Hacker Tactics and Approaches
- Top 5 Cyber Myths
- Protecting Your Organization
CYBER TRENDS AND LANDSCAPE
CHANGING SECURITY THREATS
Timeline chart: sophistication of attack (vertical axis) against source of attack, 1970s through 1980s, 1990s, 2000s and the present. Attack sources, in the order shown from the 1970s to the present:
- System tampering
- Malicious employee
- Lone hacker exploiting system weaknesses
- Internet viruses and malware
- Government-sponsored cyber-warfare, cyber-terrorism and organized crime
RECENT CYBERATTACKS BY YEAR (chart; no values recoverable from the slide text)
2015 BY THE NUMBERS
Source: 2015 Verizon Data Breach Report
TIME TO CONTAIN MALICIOUS ACTIVITY
Detection to containment is 94 days.
Source: 2014 Trustwave Global Security Report
TODAY'S REALITIES
- 1 in 5 of all organizations have experienced a cyber attack
- 3 months is the time an advanced threat goes unnoticed on a victim's network
- 2.5 billion records exposed as a result of data breaches in the last 5 years
- 62% increase in breaches in 2013
- From January 2012 to June 2014, 75% of reported data breaches occurred at small and mid-sized organizations
- Up to 98% of Fortune 500 companies have been breached
Sources: Forbes, Business Insider, ISACA Global Security Analysis & 2014 Verizon Data Breach Report
SECURITY NOT A KEY CONCERN
"I don't think we're a real target for hackers."
WHAT'S ALLOWING SECURITY ISSUES TO PERSIST
- Generally weak security standards: until recently, security was often an afterthought
- Focus on perimeter security: relatively little monitoring, detection and prevention at endpoints
- Ignoring where sensitive data actually resides
- Security awareness: people are the weakest link of all
PERCEPTION OF RISKS OF CYBER ATTACKS
Bar chart: highest enterprise risk of a cyber attack (horizontal axis 0% to 30%); categories shown:
- Reputation damage
- Tangible financial loss
- Contractual breach
- Loss of employee / company information
- Loss of intellectual property
- Loss of availability
Source: 2014 global survey of 1,220 individuals
YOU AIN'T SEEN NOTHING YET: BREACHES IN 2020
The average cost of a breach will increase to:
A single lost or stolen data record costs, on average:
Source: Juniper Research, The Future of Cybercrime & Security: Financial and Corporate Threats and Mitigation
EVOLVING RETAIL CYBER THREATS
HIGH PROFILE RETAIL BREACHES
August 2014: Payment data system was breached. Malware installed on the cash register systems across 2,200 stores siphoned credit card details of up to 56 million customers. Could be the largest breach ever recorded, affecting all 2,200 stores. Profits were down $50M over the last quarter, and the breach will cost them $62M.
November 2014: Hackers gained access to the Sony network. A wide-ranging hack of potentially every piece of data held by the company, including unreleased films and scripts, employee social security numbers, salaries and health check results, as well as sensitive internal business documents relating to lay-offs, restructures and executive salaries. The estimated breach cost to Sony is $100M.
February 2014: Hackers who raided the credit-card payment system of Neiman Marcus set off alerts on the company's security systems about 60,000 times as they slunk through the network. The hackers moved unnoticed for more than eight months, sometimes tripping hundreds of alerts daily, because their card-stealing software was deleted automatically each day from the payment registers. 1.1 million customers were affected, and the breach cost the retailer $4.1 million in legal fees, investigations, customer communications and credit monitoring subscriptions.
December 2013: Hackers installed software on the credit card machines that customers use to swipe the magnetic strips on their cards when paying for merchandise at Target stores. As a result, 40 million credit cards and 70 million records of personally identifiable information were stolen. The current estimate of the breach cost to Target is $148M.
"Cyber attacks are growing every day in strength and velocity across the globe. It is going to be a continual and likely never-ending battle to stay ahead of it." (CEO of a major financial firm)
RETAIL CYBER ATTACKS: CURRENT STATE
RETAIL SECURITY PERFORMANCE
Source: 2014 BitSight Retail Study (300-company security survey)
HACKING TACTICS AND METHODS
TACTIC #1: SOCIAL ENGINEERING
"Hi, this is Joe from your Help Desk department. Please give me your PC ID and password so I can evaluate the issue in your system."
There's no patch for human nature.
SIMPLE HACKS TO PERSONAL ACCOUNTS
1. Called Amazon and added a fake credit card number to someone's account
2. Called back and claimed to be locked out; used the card number they had just added to verify the account. Amazon issued a verbal temporary password. Hackers logged in to get the last 4 digits of the real card number
3. Called Apple claiming to have forgotten the Apple iCloud password. Apple asked for the last 4 digits of the card number as a security check
4. Locked out the user
5. Used the accounts for shopping and online vandalism
Total time span = 45 minutes
HOW WE HACKED A COMPANY WITH NO TECHNICAL SKILLS
TACTIC #2: SMASH & GRAB
Goal: compromise as many systems as possible.
Chart: number of hosts compromised (vertical axis) against time, with markers for the detection threshold and the point at which a signature becomes available.
HACKING TARGET WITH MALWARE
WHAT HAPPENS WITH STOLEN CREDIT CARDS?
Flow: Hacker -> Carder website -> Carder -> Gift cards / prepaid -> Buys goods -> Goods delivered to mule and shipped -> Carder resells goods
WHAT IS YOUR HACKED DATA WORTH?
Chart: lowest, average and highest price (USD) for categories of stolen data, including:
- CVV 3-digit
- Bank a/c details
- PayPal/eBay account
- Full package of identifying info (name, DOB, etc.)
- Credit card (old)
- Credit card (fresh)
- Health credentials (used to buy drugs or make fake insurance claims)
Price points shown on the chart, as extracted: $2, 5, 10, 27, 3, 5, 10, 20, 32, 45 (which value belongs to which category is not recoverable from the slide text).
Source: informationisbeautiful.net
TACTIC #3: UNDER THE RADAR
Goal: compromise fewer, high-value targets and avoid detection.
Chart: number of hosts compromised (vertical axis) against time, staying below the detection threshold.
HOME DEPOT: A DIFFERENT TYPE OF HACK
- Exposed a decade-old Windows XP vulnerability (Windows XP was used at most POS systems)
- Malware allowed for an exploit known as RAM scraping
- Attack siphoned off credit card data and emails for 5 months (April to September 2014)
- 56 million cards leaked
Why didn't Home Depot upgrade POS? Upgrading 2,200 stores is expensive and would have taken months.
TACTIC #4: ADVANCED PERSISTENT THREAT
An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity.
APT is the new black.
HACKING RSA: HOW THE WORLD'S TOP SECURITY COMPANY WAS BREACHED
Part 1: Homework
Part 2: Targeted Phishing Scam
- Email titled "Recruitment Plan 2011"
- Classified as spam and ended up in the Junk folder
- At least one user found it interesting enough to retrieve it
HACKING RSA: HOW THE WORLD'S TOP SECURITY COMPANY WAS BREACHED (CONTINUED)
Part 3: Breaking In
- Excel spreadsheet with an embedded Flash object
- Exploited an Adobe Flash vulnerability (CVE-2011-0609) to gain kernel access and install the Poison Ivy Remote Access Tool (RAT)
- Poison Ivy was set in reverse-connect mode (the PC reaches out to an external machine over port 80 rather than the other way around); outbound traffic over dedicated ports is harder to control
Part 4: Privilege Escalation
- Data is acquired from target servers and exfiltrated
- Hackers used the stolen RSA information to hack Lockheed Martin
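The reverse-connect detail is the defender's opening: a RAT that phones home over port 80 looks like ordinary web traffic, but it checks in on a timer, and a human browsing does not. The block below is an added example, not code from the webinar or from RSA's own investigation; it flags outbound flows whose inter-connection intervals are nearly constant. The log format (timestamp, source, destination, port, action) and the log lines themselves are constructed for the example, and the thresholds (at least five events, coefficient of variation at most 0.1) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound firewall/proxy log (not real data).
# Fields: timestamp src_ip dst_ip dst_port action
# 10.1.2.15 checks in every ~5 minutes; 10.1.2.22 is a person browsing.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.2.15 198.51.100.7 80 ALLOW
2011-03-01T09:05:00 10.1.2.15 198.51.100.7 80 ALLOW
2011-03-01T09:10:01 10.1.2.15 198.51.100.7 80 ALLOW
2011-03-01T09:15:00 10.1.2.15 198.51.100.7 80 ALLOW
2011-03-01T09:20:00 10.1.2.15 198.51.100.7 80 ALLOW
2011-03-01T09:25:01 10.1.2.15 198.51.100.7 80 ALLOW
2011-03-01T09:01:13 10.1.2.22 203.0.113.9 80 ALLOW
2011-03-01T09:01:45 10.1.2.22 203.0.113.9 80 ALLOW
2011-03-01T09:09:02 10.1.2.22 203.0.113.9 80 ALLOW
2011-03-01T09:31:50 10.1.2.22 203.0.113.9 80 ALLOW
2011-03-01T09:32:04 10.1.2.22 203.0.113.9 443 ALLOW
2011-03-01T10:14:00 10.1.2.22 203.0.113.9 80 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, port) for each well-formed ALLOW line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than crash
        ts, src, dst, port, action = m.groups()
        if action != "ALLOW":
            continue                      # blocked attempts never reached the server
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(src, dst, port): mean_interval_seconds} for periodic flows.

    A flow is flagged when it has at least min_events connections and the
    spread of its inter-connection gaps (standard deviation / mean, the
    coefficient of variation) is at most max_cv. Human traffic is bursty and
    scores high; a timer-driven check-in scores close to zero.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {dst}:{port} every ~{interval}s")
```

Against the constructed log only the 10.1.2.15 flow is reported (every ~300 s); the browsing host hits the same external address six times but its gaps range from seconds to over 40 minutes. In production the same logic runs over a day of proxy or firewall exports, and a hit is a lead to pivot on (process on the endpoint, destination reputation), not a verdict on its own.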
TOP 5 CYBERSECURITY MYTHS
CYBER MYTH #1: CYBERSECURITY RISK IS OWNED BY THE IT DEPARTMENT
Cyber is a board-level / C-level issue.
Questions boards should be asking:
- What digital assets do we maintain?
- What are our main cyber-related risks? (Third parties, hackers / espionage, inside threats, etc.)
- What have we done to assess our cyber risks and vulnerabilities?
- What mechanisms are in place to protect against, detect, respond to and recover from cyber incidents?
- Are these methods in line with our risk tolerance?
CYBER MYTH #2: CYBERSECURITY IS A TECHNICAL ISSUE
Cybersecurity requires governance.
Governance diagram with three layers linked by MONITOR and DIRECT arrows:
- Drivers of security: business environment, threats, compliance requirements
- Cybersecurity processes & controls
- Security protocols, infrastructure, computer settings
CYBER MYTH #3: "I NEED A PEN TEST"
Cybersecurity hierarchy (focus on fundamentals first):
01 Fundamental: anti-malware / anti-virus, network firewalls, patch management, access controls
02 Important: anti-spam, email security, remote access / VPN, encryption, vulnerability management, recovery
03 Enhancing: log management, intrusion protection, monitoring solutions, pen test, wireless, storage security, DLP
04 Holistic: security information & event management, risk assessments, identity management
CYBER MYTH #4: CYBER THEFT IS ONLY ABOUT CREDIT CARDS
Other data is considered high-value: 33% increase in theft of non-payment-card data from 2013 [1]
Source 1: 2014 Trustwave Global Security Report
CYBER MYTH #5: THERE IS NO ROI ON SECURITY
- Security is an enabler
- Security is an expectation for your customers and employees
- Security needs to be scaled to the cyber threats affecting your business
- If you decrease the number and extent of security incidents, you will save money
PROTECTING YOUR DATA
WHAT WE HAVE SEEN: TOP WAYS HACKERS OBTAIN DATA
- Sensitive data on the company intranet / Internet
- Admin rights on servers
- Open folders
- Weak credentials
- Insecure password storage
- Unpatched / legacy firewalls and operating systems
HOW TO AVOID BEING THE NEXT TARGET (PUN INTENDED)
- Know your information assets
- Don't boil the ocean with security controls; do the basics and do them well:
  - Patch management
  - Good authentication
  - Perimeter security
  - Malware and anti-virus
  - Security awareness and training!!!
- Don't forget these blocking & tackling IT controls:
  - Backups
  - Periodic vulnerability / security assessments
  - Monitoring
- A response plan is critical
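"Insecure password storage" on the previous slide and "good authentication" here are the same basic done badly and done well. The block below is an added example, not code from the webinar or from CohnReznick, showing the two side by side: an unsalted fast hash, where every user with the same password gets the same record and precomputed tables crack it in seconds, next to a per-user salt plus a slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library) with a constant-time comparison. The record format, the iteration count and the sample password are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os


# Insecure storage, as found in breached systems: unsalted, fast hash.
# Identical passwords give identical hashes and lookup tables crack them.
def weak_store(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened storage: per-user random salt, slow key derivation,
# and a self-describing record so the cost can be raised later.
ITERATIONS = 310_000   # assumption: tune so one hash takes ~100 ms on your hardware


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a record 'pbkdf2_sha256$<iterations>$<salt>$<digest>' to store."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False                   # malformed record never verifies
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "Winter2015!"                 # constructed sample password
    print("md5 records equal:", weak_store(pw) == weak_store(pw))        # True
    a, b = hash_password(pw), hash_password(pw)
    print("salted records equal:", a == b)                                # False
    print("correct password verifies:", verify_password(pw, a))           # True
    print("wrong password verifies:", verify_password("winter2015!", a))  # False
```

Two users who pick the same password get unrelated records, so a dump of the table gives an attacker no shortcut between accounts, and the iteration count turns a billion-guesses-per-second exercise into one that costs the attacker real time per guess. The record carries its own parameters, so the cost can be raised for new passwords without breaking verification of old ones.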
CLOSING THOUGHT
"Generals spend too much time preparing for the last war rather than the next one." Georges Clemenceau, French statesman who led the nation in WWI
Don't fight last year's cyber war.
VISUAL OF HACKS OVER A TWO-HOUR PERIOD
Source: map.norsecorp.com
THANK YOU
Jim Ambrosini, CFE, CRMA, CRISC, CISSP, CISA
Managing Director and Service Leader, Infrastructure Management and Technology Risk
CohnReznick Advisory Group
Tel: 973-618-6251
jim.ambrosini@cohnreznick.com
www.cohnreznick.com
REAL-TIME CYBER ATTACKS
Source: http://map.ipviking.com/