PCI SSC 3.0 and Cybersecurity Threats
Presented by Bob Blakley, Associate Director, Metro DC
March, 2015
November 8, 2012
© 2010 Protiviti Inc. An Equal Opportunity Employer.
CONFIDENTIAL: This document is for your company's internal use only
and may not be copied nor distributed to another third party.
Speaker
Presenter: Bob Blakley, Associate Director, Metro DC
Topic: Managing IT Security Risk
Objective: Provide:
• Overview of key changes in PCI DSS 3.0
• Cybersecurity Threats
Relevant Experience:
• Associate Director in Security & Privacy Practice
• 18 years of IT Security experience, including 10 years of consulting, and 8 years of security threat management
• PCI Qualified Security Assessor
Change in PCI DSS 3.0
• Effective January 1, 2015
• Defining CDE - Network Segmentation
• E-Commerce Outsourcing
Network Segmentation
Scoping:
• Scoping has been clarified to indicate that system components must include “any component or device located within or connected to the cardholder data environment (CDE).”
• PCI DSS security requirements apply to all system components included in or connected to the CDE.
• A new requirement that if segmentation is used, “penetration testing procedures must test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from the in-scope systems.”
Implications:
• The new focus on connected systems likely expands the number of systems considered in-scope for many organizations, thereby increasing the complexity and cost of compliance.
• Example: in an Active Directory environment, a compromise of any domain member could impact the security of the CDE, so all domain members could now be considered in-scope.
Why is Network Segmentation Important?
1. Flat networks significantly increase the potential exposure of a single data breach without adequate protection of the network
• A credit card data breach can occur at any site/unit/store that accepts credit cards.
• A flat network leaves all machines vulnerable to the ‘weakest link’ -- Once connected to the network at any store/unit, an outsider can reach machines at corporate or any other store/unit
2. Network Segmentation can both reduce the scope and cost of PCI Compliance
• Adequate Network Segmentation reduces the number of systems, applications and users that are in scope
• Network Segmentation can reduce the impact of PCI Compliance on other IT users (Marketing, Legal, HR, R&D)
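As an added example (not part of the presentation), the following Python models the scoping rule and the flat-versus-segmented comparison above: it computes the in-scope set as the CDE plus everything connected to it, and checks constructed firewall log lines for permitted connections between the CDE and hosts outside the documented scope, the kind of gap a segmentation test must surface. Host names, zones and the log format are assumptions made up for this example.

```python
# Added example, not from the deck: host names, zones and log format are constructed.
ASSETS = {  # asset inventory: host -> zone
    "pos-01": "store", "pos-02": "store", "pay-gw": "cde", "pay-db": "cde",
    "dc-01": "corporate", "hr-fs": "corporate", "mkt-web": "corporate",
}
CDE = {host for host, zone in ASSETS.items() if zone == "cde"}

def flat_network_flows(hosts):
    """A flat network: every host can reach every other host."""
    return {(a, b) for a in hosts for b in hosts if a != b}

# Segmented design: store terminals and the domain controller may reach the
# payment gateway; only the gateway may reach the payment database.
SEGMENTED_FLOWS = {
    ("pos-01", "pay-gw"), ("pos-02", "pay-gw"), ("dc-01", "pay-gw"),
    ("pay-gw", "pay-db"),
}

def in_scope(cde, flows):
    """PCI DSS 3.0 scoping: the CDE plus every system with a permitted
    connection to or from a CDE system ("connected to the CDE")."""
    scope = set(cde)
    for src, dst in flows:
        if src in cde or dst in cde:
            scope.update((src, dst))
    return scope

def segmentation_violations(cde, documented_scope, fw_log_lines):
    """Segmentation test: an ALLOWed connection between the CDE and a host
    outside the documented scope means the segmentation is not effective
    (and the scope is wrong). Returns (src, dst, dport) per such flow."""
    violations = []
    for line in fw_log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") != "ALLOW":
            continue
        src, dst = fields["src"], fields["dst"]
        if src in cde or dst in cde:
            other = dst if src in cde else src
            if other not in documented_scope:
                violations.append((src, dst, fields["dport"]))
    return violations

# Constructed firewall log; the last line is a segmentation failure
# (an HR file server reaching the payment database over SMB).
FW_LOG = [
    "action=ALLOW src=pos-01 dst=pay-gw dport=443",
    "action=ALLOW src=dc-01 dst=pay-gw dport=88",
    "action=DENY src=mkt-web dst=pay-db dport=1433",
    "action=ALLOW src=hr-fs dst=pay-db dport=445",
]

if __name__ == "__main__":
    print("flat scope:", len(in_scope(CDE, flat_network_flows(ASSETS))), "of", len(ASSETS))
    print("violations:", segmentation_violations(CDE, in_scope(CDE, SEGMENTED_FLOWS), FW_LOG))
```

On the flat network all seven hosts are in scope; the segmented design brings only the two CDE hosts, the two terminals and the domain controller into scope, and the log check flags the HR file server's connection to the payment database.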
E-Commerce Outsourcing
• Alternatively, a company could decide to outsource credit card processing and storage to PCI compliant vendors that provide solutions from the initial “swipe” through settlement and chargeback. Some companies may find this approach more cost-effective than segmenting their network, and it would also reduce the scope.
• However, Version 3.0 eliminates the “loophole” for on-line merchants that outsourced online payment processing.
• Version 3.0 now states “System components include systems that may impact the security of the CDE (for example, web redirection servers).”
• Implication: many e-commerce merchants’ infrastructure is typically connected to back-end billing, accounting, content and other systems, which will now be in-scope if connected to outsourced web servers.
Data Breach Demographics
Industry Segments
• Reports vary greatly on ranking of impacted industry segments
• Financial Services
• Public Sector
• Retail
• Hospitality
• Utilities
Geography
• Victims affected in 95 countries
Developing Areas of Note:
• Cloud security
• SCADA systems are increasingly targeted
• Medical device security under the microscope
Bottom Line: It’s All About the Data!
1,500+ Data Breaches in 2014
1 Billion Records Compromised in 2014 Alone!
Underground Hacking Economy
Credentials                                    Price
Visa and MasterCard (US)                       $4
American Express (US)                          $7
Discover Card (US)                             $8
Credit Card with Track 1 and 2 Data (US)       $12
US Fullz                                       $25
DOB (US)                                       $11
Bank Acct. with $70,000-$150,000               $300 and less
Doxing                                         $25-$100

Hacker Services                                Price
Infected Computers (1,000)                     $4
Infected Computers (5,000)                     $7
Infected Computers (10,000)                    $8
Infected Computers (15,000)                    $12
Remote Access Trojan (RAT)                     $50-$250
Sweet Orange Exploit Kit Leasing Fees          $450 a week / $1800 a month
Hacking Website; stealing data                 $100-$300
DDoS Attacks                                   Per hour $3-$5; Per day $90-$100; Per week $400-$600
Source: http://www.secureworks.com/resources/blog/the-underground-hacking-economy-is-alive-and-well/
A Zero Day Exploit targeting Apple’s iOS sold for $250k in 2012
Opportunistic vs. Targeted Attacks
Opportunistic Attacks
• Targets of opportunity based on a known vulnerability or set of characteristics
• Organization wasn’t specifically targeted
Targeted Attacks
• Organization is specifically targeted because of who they are, what they do, something they did, or the data they have
• Persistent attacks – Attackers keep coming back
Profiling Threat Actors
ORGANIZED CRIME
• Victim industry: Finance, Retail, Food
• Region of operation: Eastern Europe, North America
• Common actions: Tampering (Physical), Brute force (Hacking), Spyware (Malware), Capture stored data (Malware), Adminware (Malware), RAM scraper (Malware)
• Targeted assets: ATM, POS controller, POS terminal, Database, Desktop
• Desired data: Payment cards, Credentials, Bank account info
STATE-AFFILIATED
• Victim industry: Manufacturing, Professional, Transportation
• Region of operation: East Asia (China)
• Common actions: Backdoor (Malware), Phishing (Social), Command/Control (C2) (Malware, Hacking), Export data (Malware), Password dumper (Malware), Downloader (Malware), Stolen creds (Hacking)
• Targeted assets: Laptop/desktop, File server, Mail server, Directory server
• Desired data: Credentials, Internal organization data, Trade secrets, System info
ACTIVISTS
• Victim industry: Information, Public, Other Services
• Region of operation: Western Europe, North America
• Common actions: SQLi (Hacking), Stolen creds (Hacking), Brute force (Hacking), RFI (Hacking), Backdoor (Malware)
• Targeted assets: Web application, Database, Mail server
• Desired data: Personal info, Credentials, Internal organization data
Source: 2013 Data Breach Investigations Report by Verizon
Breach Kill Chain – Anatomy of a Breach
Stages of the breach kill chain:
• Initial Attack Vector
• Establish Foothold
• Identify Interesting Data
• Distribute Ongoing Collection Malware
• Exfiltrate Data
• Persist Undetected (spanning the whole chain)
The attack can be disrupted at any point in the kill chain. Ideally, a company will have controls at each point to create a defense-in-depth strategy. As the “cyber kill chain” model shows, cyber attacks can and do incorporate a broad range of malevolent actions, from spear phishing and espionage to malware and data exfiltration, and may persist undetected for an indefinite period.
What is the corporate risk?
Monetary:
$5.85 million per breach average
$201 per record
What is the corporate risk?
Monetary:
$5.85 million per breach average
$194 per record
The risks are more than just immediate monetary impact:
Litigation
Reputation Loss
Loss of System Availability
Lost Productivity
Loss of Intellectual Property
Regulatory Fines
Mitigation Trends
After a data breach, organizations are relying on a combination of people-centric and technology-centric steps. One technique not depicted here is breach insurance, which we are seeing become more popular.
Source: Ponemon 2014 Annual Study: Cost of a Data Breach
Information security
With security breaches being an everyday event, regulators remain very focused on:
• Vendor Management
  – What roles do third parties play in supporting the company’s technology needs?
• Emerging Technologies
  • Cloud
  • Mobile
• Data governance and data leakage prevention (DLP)
• Application security
  – Are Security Development Lifecycle protocols embedded in the application development process?
  – Are periodic pen tests performed to identify vulnerabilities?
  – Database Security
  – Social Engineering
• Incident Response
  – Are there well-defined and communicated processes in place to respond to security breaches?
Information security – vendor management
Vendors are a common source of data loss and incidents; as such, companies are increasingly faced with more due diligence in managing profiles, completing risk assessments, streamlining management, and reporting key metrics:
• Increased data exposure
• Increased regulatory exposure
• Limited visibility
• Limited resiliency
• Limited responsibility
Information Security – emerging risks
As mobile devices gain popularity and are used throughout businesses, new risks emerge:
• Business data stored on personal mobile devices
• Lost mobile devices
• Insecure Apps
• Malware
• Misconfiguration
Many companies are not prepared to handle mobile device loss and may lack policies and response procedures to be prepared.
Information Security – emerging risks
Companies are processing and storing data in the “cloud” and this creates new challenges:
• Information Security
• Forensic Reviews
• eDiscovery
• Incident Response
• Vendor Contracting
• Asset Inventory
• License Compliance
Database Security
Where are your valuables?
• Is it your data, systems, or network?
• Current focus is towards protecting information through network configuration,
systems administration, application security
• How about the data in the database and the systems that manage it?
Security in Layers:
• Secure database
• Secure applications
• Secure operating system (relative to database system)
• Secure web server (relative to database system)
• Secure network environment (relative to database system)
Database security is often a neglected area because it is typically not well understood by DBAs and auditors.
Social Engineering
Can you tell them apart?
[Side-by-side screenshots: Customer’s Outlook Web login vs. Phishing Site]
Phishing as Security Awareness Tool
Attack Discovery
229 – Median Number of Days from Compromise to Discovery
~67% – Victims Notified by a 3rd Party
Internal Discovery Methods:
• User
• Financial Audit
• Network IDS
• Log Review
• Fraud Detection
• Host IDS
• Incident Response
• IT Audit
External Discovery Methods:
• Law Enforcement
• Service Provider
• Business Partner
• Customer
• Actor
Source: Mandiant 2014 M-Trends Report
Responding to an Incident
Incident Containment and Damage Assessment
• Determine nature and extent of incident through network and system log analysis.
• Identify potential assets involved
• Determine severity
• If attack is still active, take appropriate measures to contain the intruder.
Collect and Analyze Digital Evidence
• Utilize forensic analysis tools to gather digital evidence from workstations, laptops, servers, mobile devices, network devices, etc.
• Maintain proper chain-of-custody for future court proceedings.
Recover from the Incident and Resume Normal Operations
• Identify the means of attack and address any exploited security vulnerabilities.
• Conduct system restoration to resume normal operations.
• Analyze the incident and provide insight as to how to prevent similar incidents in the future.
Corporate Incident Response and Computer Forensic Capabilities
• Evaluate corporate incident response capabilities, tools and procedures and identify opportunities for improvement.
• Augment corporate incident response team.
• Develop corporate incident response plan, train personnel and assist in the acquisition of proper tools.
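To illustrate the chain-of-custody step in the response procedure above, here is an added Python example (not from the presentation): each evidence item is fingerprinted with SHA-256 at acquisition, and every custody event is appended to a hash-chained ledger, so a later reviewer can detect edits to either the evidence or the record of who handled it. The file name, handlers and timestamps are constructed for the example.

```python
# Added example, not from the deck: evidence bytes, file names, handlers and
# timestamps are constructed.
import hashlib
import json
GENESIS = "0" * 64  # prev_hash of the first ledger entry

def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence image, recorded once at acquisition time."""
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(ledger, item, action, handler, timestamp, evidence_sha256):
    """Append a custody event (acquired, transferred, analyzed, ...) whose hash
    covers its own fields and the previous entry's hash, forming a chain."""
    entry = {"item": item, "action": action, "handler": handler,
             "time": timestamp, "evidence_sha256": evidence_sha256,
             "prev_hash": ledger[-1]["entry_hash"] if ledger else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    ledger.append(entry)
    return entry

def verify_ledger(ledger, evidence):
    """Return problems found: a custody record that was altered (chain broken)
    or evidence whose current hash differs from the one recorded at acquisition.
    `evidence` maps item name -> current bytes held in the evidence store."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: chain broken")
        prev = entry["entry_hash"]
        current = evidence.get(entry["item"])
        if current is not None and fingerprint(current) != entry["evidence_sha256"]:
            problems.append(f"entry {i}: evidence {entry['item']} modified")
    return problems

def demo():
    """Acquire an image, hand it to the lab, then show that a retroactive
    edit of the acquisition record is detected."""
    evidence = {"pos-01-memory.img": b"constructed memory image bytes"}
    digest = fingerprint(evidence["pos-01-memory.img"])
    ledger = []
    append_event(ledger, "pos-01-memory.img", "acquired", "J. Analyst",
                 "2015-03-02T09:14Z", digest)
    append_event(ledger, "pos-01-memory.img", "transferred to lab", "K. Examiner",
                 "2015-03-02T13:02Z", digest)
    clean = verify_ledger(ledger, evidence)   # [] when nothing was touched
    ledger[0]["handler"] = "someone else"     # tamper with the custody record
    return clean, verify_ledger(ledger, evidence)

if __name__ == "__main__":
    print(demo())
```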
Resources
Web Sites:
Protiviti www.protiviti.com
National Institute of Standards and Technology (NIST) http://csrc.nist.gov/
SANS http://www.sans.org/resources/
CERT Coordination Center http://www.cert.org/other_sources/
Privacy Rights Clearinghouse www.privacyrights.org
In Defense of Data www.indefenseofdata.com
Incident Response Resources
United States Computer Emergency Readiness Team http://www.us-cert.gov
NIST Computer Security Resource Center http://csrc.nist.gov
SANS Institute http://www.sans.org
Computer Emergency Response Team (CERT) http://www.cert.org
Summary
• Corporate assets continue to be targeted for
malicious intent
• The expansion of IT assets (devices and data)
makes protection of assets more challenging
• Most companies still are susceptible to the most
common threats
• Take action -- Implement an IT Risk Management Plan and follow it!
Thank You
Bob Blakley
Associate Director
Tysons Corner, VA
+1 703-300-0199