A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014





Coalfire Background
Leading Information Security Consulting Firm
Offices: Atlanta, Dallas, Denver, New York, San Diego, San Francisco, Seattle, Washington DC, London
Customers Served: 10,000+
Engagements: 3PAO, FISMA, DIACAP, ICD 503, GLBA, SSAE 16, PCI, HIPAA, HITRUST, more
Sample Clients

Agenda
A Wake-Up Call
What Went Wrong?
Enough is Enough
Cyber Risk is Nothing New
Compliance Does Not Equal Security
Trusted Assessments and Independence
Beyond Compliance
A Justified Response
Questions

A Wake-Up Call: The Cyber Threat is Increasing
Recent cyber attacks
» Target, Michaels, Sally Beauty, and Neiman Marcus
» Sophisticated malware
» Security programs were compliant; however, not effective
Law enforcement warnings
» Threats increasing on Point of Sale (POS) platforms
» Malware increasingly available at a price that makes cybercrime affordable
» Recent attacks are part of a larger scheme to defraud POS systems

A Wake-Up Call: The Cyber Threat is Increasing
Coalfire Daily Media Report, 3/21/14: "Companies Turn to Cyber Insurance as Hacker Threats Mount"
Outlet: Fox Business
Snippet: Investors cringe when a company they own, such as Target or Las Vegas Sands, suffers a cyber breach that results in the loss of customer or employee data.
Coalfire Daily Media Report, 3/25/14: "U.S. Notified 3,000 Companies in 2013 About Cyberattacks"
Outlet: The Washington Post
Snippet: Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives...

A Wake-Up Call: The Cyber Threat is Increasing
Coalfire Daily Media Report, 5/13/14: "Cybersecurity in the Private Sector: Playing Catch-Up"
Outlet: The Hill
Snippet: U.S. private sector may lead the world in many regards, but when it comes to insulating itself from cyber attacks, its performance has been weak.
Coalfire Daily Media Report, 5/13/14: "Cyber Experts Warn Iranian Hackers Becoming More Aggressive"
Outlet: Reuters
Snippet: Iranian hackers have become increasingly aggressive and sophisticated, moving from disrupting and defacing U.S. websites to...

What Went Wrong? Security operations excellence matters
Computer anti-virus protection was not working or was ineffective
Egress filtering was not set to limit exfiltration of stolen data
Lack of two-factor authentication for administrative access
No file integrity monitoring or application whitelisting to prevent malware installation
Ineffective security monitoring and alerting

Enough is Enough: Time for fresh ideas and decisive action
Comprehensive risk management
» Expanded Risk Assessment: Personally Identifiable Information (PII), Intellectual Property, Operational Data
» Justified Response: Understand inherent risk; Mitigate risk to a justified level
(Diagram labels: Risk Management, Security, Compliance)

Cyber Risk is Nothing New
Past data breaches are now an everyday occurrence
What about SEC guidance?
Focus has escalated; consumers demand action
More regulations
Another difficult decision

SEC's Cybersecurity Guidance
The SEC Cybersecurity Guidance (October 2011) identifies six areas where cybersecurity disclosures may be necessary:
1. Risk Factors
2. Management's Discussion and Analysis of Financial Condition and Results of Operation (see next slide)
3. Description of Business
4. Legal Proceedings
5. Financial Statement Disclosures
6. Disclosure Controls and Procedures

SEC Management Discussion & Analysis
Business Description
» Inherent risk: material impact on clients, partners and industry
» Competitive position
» Viability of current or future products
Legal Proceedings
» Identification of ongoing or potential litigation with material impact
» Description of impact or relief being requested
Financial Statement Disclosure
» Remediation, investigation and recovery costs
» Security program enhancements
» Litigation costs and fines
» Reputation damage or impairment of future earnings
Disclosure Controls and Procedures
» Impact on future reporting for the registrant

Compliance Does Not Equal Security
The focus on card security and Payment Card Industry (PCI) compliance
There is NO guaranteed protection
Ensure you use Two-Factor Authentication:
» Assigning unique user IDs and one of the following:
  Something you know, such as a password or passphrase
  Something you have, such as a token device or smart card
  Something you are, such as a biometric
Compliance is an outcome of an effective security program

Compliance is Just a Baseline
A good start; however, much more is needed
Reactive used as a defense mechanism
Another factor is applicable Federal and State consumer data privacy laws
Investigations always find the merchant not compliant with the PCI Data Security Standards
(Diagram labels: Training, Quality, Security Arch. Design, IDS, Firewall, Hosting, Security Policy, Certified Anti-Money Laundering Specialist (CAMS), Code Review, Penetration Testing, NIDS/HIDS)

Multiple Control Models and Controls
(Diagram labels: SSAE 16 SOC 1/2, ISO-27001/2, Privacy Laws, Texas Medical Privacy Act of 2012, IT Security Controls, Training, Quality, Security Policy, Security Arch. Design, Code Review, NIDS/HIDS, IDS, Hosting, Penetration Testing, Firewall)

Where did the Firewall Go? Cloud Environment

Orgs Tend to Over-Estimate Their Compliance

Trusted Assessments Require Independence
Over 50% of all PCI compliance assessments are conducted by companies with direct conflicts
Transparency of control effectiveness is not always provided
Trust is required to spur a justified response

Beyond Compliance
Defense in Depth
» Physical and logical access controls
» Sufficient network segmentation
» File Integrity Monitoring (FIM) solution
» Security Event and Incident Management (SEIM) solution
» Encryption and/or tokenization
Risk Management
» Identify all critical assets
» Prioritize criticality
» Select controls
» Establish effective oversight and governance

Technology: There are No Silver Bullets
Technology is great; however, beware
» Europay/MasterCard/Visa (EMV) Chip & PIN: costly and not enough
» Point-to-Point Encryption (P2PE) can be used as a risk reduction process
» The cloud provides a path to outsource functions; however, not the risk

A New Generation of Risk Management is Justified
Short-term actions: Am I already hacked?
» Conduct a forensic analysis
» Take a second look at the top 5 critical controls in payment systems:
  Payment Application Data Security Standard validation and implementation
  Network segmentation
  Secure configuration management
  Physical security
  Logging, monitoring and alerting
Long-term actions: How do I stay off the front page of the Wall Street Journal?
» Make IT GRC a top priority
» Explore risk-reducing technologies at the point of interaction

Summary: The Data Security Risk is Significant and Therefore Requires Appropriate Controls
The threat of data compromise is global in scope (Web)
Many parties are involved in maintaining data security
The impact of data compromise is widespread: financially, legally, and in goodwill exposures
Data security is a primary risk concern for companies, service providers, vendors, consumers, and regulators
Data security has evolved from an operational problem and financial threat to a significant reputation risk
The Time For Action is Now: Customers Want Data Protection; Shareholders Want a Healthy Organization

Questions
Ricky Link
Toll Free: 877-224-8077 x8011
Dallas Office: 972-763-8011
Ricky.Link@coalfire.com