Retail Security and Compliance: Where On Earth is it Headed? An overview of the retail sector's IT threats and how to be more effective in preventing them.
Agenda
- Introduction
- Retail in the news
- Why is cyber security important?
- Where are the threats?
- What can you do?
- Additional resources
- Questions?
About Coalfire
Coalfire is a founding member of the PCI Security Standards Council's (SSC) program for Qualified Security Assessors (QSAs) and has been a QSA under Visa's CISP initiative since 2003. We are also an Approved Scanning Vendor (ASV) and Payment Application Qualified Security Assessor (PA-QSA). We have completed more than 4,000 PCI projects for merchants, service providers and payment application developers, and we are recognized as one of the top five assessors based on the number of Reports on Compliance completed for service providers and Reports on Validation completed for payment application developers.
Our clients include (slide of client logos)
About Jeff Messer, Senior IT Security Consultant
- 15+ years of information technology and business experience.
- Extensive experience in delivering security assessments, compliance auditing, general IT and application controls assessments and system development reviews.
- Industries: retail, higher education, healthcare, transportation, banking, finance, entertainment and leading edge technologies.
- Hands-on experience in developing and implementing IT security strategy, directing and managing an IT department, and knowledgeable in various areas including: network and systems security, risk management, vulnerability assessments, authentication and access control, system monitoring, regulatory compliance, systems integration planning, penetration testing.
- Certifications: CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), QSA (Qualified Security Assessor).
Retail in the news
- US FBI warns retailers of further cyber attacks similar to the Target data breach.
- Target: 40 million payment card records and 70 million customers' records.
- Neiman Marcus: 1.1 million cards.
- Michaels (2nd breach).
- Sally Beauty: 282,000 cards.
- Sears?
According to the FBI there were 20 infections with BlackPOS. So far, Target and Neiman Marcus are the only two to go public.
Why is cyber security important?
- Increasing reliance on technology
- Attacks are increasing faster than the ability to stop them
- Lots of money can be made from stealing the data
- Public image can be tarnished quickly
- Corporate espionage
- Federal agencies moving to the cloud
Where are the threats?
- POS software
- Mobile POS
- Remote Desktop/Terminal Services
- Wireless access
- Access rights
- Outsourcing managed services
- Unencrypted data over the network
- SQL injections
- Weak controls
POS software
- Have you patched your POS devices lately?
- When was the last time you upgraded?
- Do you perform any vulnerability scans?
- Have you turned on logging?
- PA-DSS and P2PE certification options
(Image: magnetic card reader POS)
Mobile POS
- Using an iPad or mobile POS device over wireless?
- How is the device secured?
- Is the data cached locally?
(Image: iPad running POS)
Remote Desktop/Terminal Services
- Do you have a device plugged into the internet?
- If they use cellular or 3G/4G, where is the firewall?
(Images: Digi International wireless radio; Lantronix network access server, WiFi and web access for Ethernet devices; Ethernet switches)
Wireless routers
- How is your network set up?
- Have you performed a wireless assessment?
- Rogue access points?
(Image: wireless access point/router)
Access rights
- Generic and shared accounts?
- Default accounts?
- Default passwords?
- User = Password?
- Segregation of duties?
- Logging of root or admin accounts?
- User account reviews?
(Image: user and access rights administration)
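The questions on this slide are the checklist of a user account review. The following script is an added example (not from the original deck, and not a Coalfire tool) that runs those checks over a constructed set of account records: it flags vendor-default names, generic shared logins, accounts whose password equals the username (tested against the stored salted hash, the way an auditor would test a login rather than by reading plaintext passwords), stale accounts, and privileged accounts whose actions are not logged. The default and generic name lists and the 90-day staleness threshold are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Assumption: names treated as vendor/OS defaults or as generic shared logins.
# Constructed lists for the demo, not a standard.
DEFAULT_NAMES = {"admin", "administrator", "guest", "root", "sa"}
GENERIC_NAMES = {"cashier", "register", "store", "manager"}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only this hash is kept in the account record."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name, password, last_login_days_ago, privileged=False, audited=True):
    """Constructed account record (sample data, not a real user directory)."""
    salt = os.urandom(16)
    return {
        "name": name,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "last_login": date.today() - timedelta(days=last_login_days_ago),
        "privileged": privileged,  # root/admin-level rights
        "audited": audited,        # are this account's actions being logged?
    }


# Constructed sample user list for the review.
ACCOUNTS = [
    make_account("admin", "admin", 3, privileged=True, audited=False),
    make_account("jsmith", "correct-horse-battery", 2),
    make_account("cashier", "register1", 1),
    make_account("tmorgan", "n0tUsedAnym0re", 200),
]


def review_accounts(accounts, stale_after_days=90, today=None):
    """Return {name: [issue, ...]} for every account that fails a review check."""
    today = today or date.today()
    findings = {}
    for acct in accounts:
        issues = []
        lname = acct["name"].lower()
        if lname in DEFAULT_NAMES:
            issues.append("default-account")
        if lname in GENERIC_NAMES:
            issues.append("generic-shared-account")
        # "User = Password?": try the username as the password against the stored hash.
        candidate = hash_password(acct["name"], acct["salt"])
        if hmac.compare_digest(candidate, acct["pw_hash"]):
            issues.append("password-equals-username")
        if (today - acct["last_login"]).days > stale_after_days:
            issues.append("stale-account")
        if acct["privileged"] and not acct["audited"]:
            issues.append("privileged-without-logging")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_accounts(ACCOUNTS).items():
        print(f"{name}: {', '.join(issues)}")
```

Run against a real directory export, the same checks would be fed from the identity system's user list and last-logon data; the point of the script is that each slide question maps to a concrete, repeatable test rather than a one-off manual look.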
Outsourced managed services
- What have you outsourced?
- Have you checked your contract?
- Are you monitoring their work?
(Image: third party administering firewall rules)
Unencrypted data over the network
- Have you properly segmented your network?
- "It's a private/corporate network, that's safe, right?"
- Where does responsibility begin/end for sending data?
- "We only send unencrypted data across trusted networks."
(Image: sniffing the wire)
SQL injections
- Have you escaped or blacklisted any commands?
- Have you limited the database permissions of the web app?
- Have you restricted the type of commands, or applied parameterized statements?
Sample SQL injection lines:
SELECT * FROM users WHERE name = 'a';drop TABLE users;
SELECT * FROM userinfo WHERE 't' = 't';
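The slide's third question (parameterized statements) is the fix that actually holds; escaping and blacklisting are fragile. The example below is added here and is not code from the original deck: it builds a constructed in-memory SQLite table, then runs the same lookup two ways, once by concatenating caller input into the SQL text and once with a bound placeholder, and shows how an input shaped like the slide's `'t' = 't'` tautology returns every row through the first path and nothing through the second. Table contents and the tautology string are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the original deck): a tiny "users" table.
SAMPLE_USERS = [("alice", "cashier"), ("bob", "manager"), ("carol", "cashier")]

# Input shaped like the deck's WHERE 't' = 't' pattern; constructed for the demo.
TAUTOLOGY = "x' OR 't' = 't"


def make_db():
    """Build an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    """Placeholder binding: the value is sent separately from the statement,
    so quotes and OR clauses inside it are only characters in a name."""
    cur = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input   :", lookup_vulnerable(db, "alice"))
    print("vulnerable, tautology input:", lookup_vulnerable(db, TAUTOLOGY))
    print("parameterized, tautology   :", lookup_parameterized(db, TAUTOLOGY))
```

Two notes for practitioners: Python's `sqlite3.Cursor.execute()` refuses to run more than one statement per call, so the deck's stacked `;drop TABLE users;` payload would be rejected by this particular driver; that is a driver property, not a defense, and other database drivers happily execute stacked statements. Second, the slide's question about limiting the web app's database permissions is the complementary control: even a parameterized application should connect with an account that cannot DROP tables.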
Weak controls
- When was the last time you performed a risk assessment?
- Do you have an external, independent auditor?
- Are you experiencing high turnover?
- Do you perform background checks?
- "We rely on a third party and they do it."
What can you do?
- Firewall management
- Segment your POS network
- Training
- PCI compliance
- Point-to-point encryption (P2PE)
- Deploy a Security Information and Event Management (SIEM) system to monitor network events
- Use two-factor authentication when accessing payment processing networks
- Monitor alerts from Visa, MasterCard and Amex
- Ensure you are using certified hardware and software
- Whitelist programs
Enhance your existing cyber security
- Social engineering
- Penetration testing
- Application penetration testing
- Wireless assessment
- IT risk assessment
- POS forensic testing
- Vulnerability scanning
- IT audits
Top 5 trends that we see ahead
1. Cyber attacks are going to continue to increase in frequency, complexity and scale.
2. Mobile is no longer the exception.
3. The move to cloud computing will show demonstrable cost savings but will add new risks.
4. Data breaches will continue to drive new security standards and spending.
5. Information risk management is no longer an IT problem; it's a board problem.
Additional resources
- Whitepapers, webinars, blog: www.coalfire.com/resources
- What to do if you are compromised? http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
- Respond to a breach? http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf
- Identity Theft Resource Center: www.idtheftcenter.org
- 2014 ITRC Breach Report: www.idtheftcenter.org/images/breach/itrc_breach_report_2014.pdf
- 2014 ITRC Breach Stats Report: www.idtheftcenter.org/images/breach/itrc_breach_stats_report_2014.pdf
- Incident Response, Best Practices, Data Breach Response and Preparation: http://www.idtheftcenter.org/idtheft/incident-response-best-practices.html
- Interactive breaches/hacks diagram: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
For additional information, contact:
Jeff Messer, Senior IT Security Consultant
Coalfire, 16420 Bake Parkway, Suite 100, Irvine, CA 92618
Office: (949) 271-7014 x7089
Cell: (949) 355-9096
jeff.messer@coalfire.com
www.coalfire.com