2011 Secure Payments Summit

Upload: ibtissem-ch

Post on 07-Apr-2018


TRANSCRIPT

  • 8/6/2019 2011 Secure Payments Summit

    1/113

    2/113

    The Cyber Landscape
    Chris Johnson, Fraud Monitoring & Incident Response
    October 19, 2010

    3/113

    4/113

    Data Breach Trends
    Infiltration
    - Technical skill required is low
    - Insecure passwords/remote access
    - Lack of firewalls or segmentation
    - Input validation
    Food & Beverage, Retail, and Hospitality targeted
    - Common POS integrators, franchises, interconnected businesses
    - Shared/default remote access passwords
    - Shared/default internal passwords
    Franchise breaches
    - Aggregate of small exposures
    - Larger investigation scope

    5/113

    Card-Present Data Breach
    Root Causes
    - 3rd-party managed payment systems with shared/default passwords
    - Remote access with insecure passwords
    - Default or insecure passwords on public-facing computer systems
    - Lack of firewalls or incomplete segmentation from non-payment environments
    - SQL injection / xp_cmdshell

    6/113

    Common POS Integrators/Franchises
    [Diagram: Hacker -> Internet -> POS Integrator -> the merchant POS systems it manages, each reachable with the same shared credentials (Username: POSSY, Password: POSSY)]

    7/113

    Interconnected Franchise
    [Diagram: Hacker -> Internet -> Corporate -> the interconnected franchise POS systems, each reachable with the same shared credentials (Username: POSSY, Password: POSSY)]

    8/113

    Data Breach Trends
    Data Gathering and Proliferation
    - Sophistication and methodology have increased
    - Automation: internal network reconnaissance, malware distribution, card data harvesting
    - Alteration of POS configuration files
    - Encryption of card data
    - Modification of file time stamps
    - Secure deletion of evidence
    Volume of per-incident exposure declining
    - PA-DSS compliant applications don't store track data

    9/113

    Von Neumann and Data Extraction
    [Diagram: the stages of the Von Neumann architecture (Input, CPU, Input/Output, Working Storage, Permanent Storage, Output), each paired with the malware component that harvests data from it]
    - Input (keyboard): keylogger
    - Input/Output (network): network sniffer
    - Output (monitor): screen capture
    - Working storage (DRAM): memory parser
    - Permanent storage (hard disk): file exfiltration

    10/113

    Memory Parsers
    - First seen in 2008
    - Consisted of separate off-the-shelf tools: a memory dumper and a track data parser
    - Early versions had flaws: caused the POS system to run out of disk storage, crashed
    - Evolved into stable malware: self-contained application, encrypted track data, modified timestamps of the encrypted data, recompiled often to avoid antivirus detection and to target additional POS systems
    - Hotel/lodging and food/beverage franchise industry primarily targeted

    11/113

    Card-Not-Present Data Breach
    Characteristics
    - Shopping carts with known vulnerabilities
    - Google Dorks
    - Lack of input validation: SQL injection, Remote File Include, Cross-Site Scripting (XSS), etc.
    - Automated tools for input validation vulnerability detection and exploitation

    12/113

    SQL Injection
    [Screenshot: a login form (Username, Password, Submit) and the database error the page returned: "Error: Could not convert John Doe, 6011-0000-0000-0000 to an integer"]

    or 1=cast((Select cardname, cardnum from order where orderid > 0) AS int) --
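As an added example (not from the summit deck), the login lookup behind a form like the one on the slide, built once by string concatenation and once with bound parameters, plus the request-parameter check a defender might add for the slide's CAST-based error-leaking pattern; the schema and rows are constructed test data, and the table is named `orders` because `order` is a reserved word.

```python
import re
import sqlite3


def build_db():
    """Constructed sample schema for the demo: one user and one order
    row holding an industry test-range card number (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.execute(
        "CREATE TABLE orders (orderid INTEGER, cardname TEXT, cardnum TEXT)")
    conn.execute(
        "INSERT INTO orders VALUES (1, 'John Doe', '6011000000000000')")
    return conn


def login_vulnerable(conn, username, password):
    """No input validation: the user's text is spliced into the SQL, so a
    quote closes the literal and whatever follows becomes query syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password):
    """Bound parameters: the same text stays a string value, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Request-parameter patterns a WAF rule or log review can flag (constructed
# for this example): a string terminator followed by OR, a trailing SQL
# comment marker, and a CAST(... AS INT) used to force a type-conversion
# error that echoes data back, as in the error message on the slide.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+", re.IGNORECASE),
    re.compile(r"--\s*$"),
    re.compile(r"cast\s*\(.*\bas\s+int\b", re.IGNORECASE),
]


def looks_like_sqli(value):
    """True if a submitted parameter matches any of the patterns above."""
    return any(p.search(value) for p in SQLI_PATTERNS)


if __name__ == "__main__":
    db = build_db()
    injected = "' or 1=1 --"   # closes the literal, comments out the rest
    print("concatenated SQL :", login_vulnerable(db, injected, ""))    # ['alice']
    print("parameterised SQL:", login_parameterised(db, injected, ""))  # []
    slide_input = ("or 1=cast((Select cardname, cardnum from order "
                   "where orderid > 0) AS int) --")
    print("flagged:", looks_like_sqli(slide_input), looks_like_sqli("alice"))
```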

    13/113

    14/113

    15/113

    Emerging Attacks and Predictions
    - Merchant credential theft: fraudulent credits to debit accounts
    - Mass SQL injection: large-scale automation of SQL injection
    - Cardholder system infections

    16/113

    Questions?

    17/113

    18/113

    Social Media & Your Compliance

    19/113

    Speaker
    Bill Uptmore, CISSP, CISA, EMC Practice, [email protected]

    20/113

    Social Media & Your Compliance
    - Risk to Compliance
    - What Happens?
    - Challenges
    - Common Issues
    - How to limit exposure

    21/113

    Risk To Compliance
    - Statement of the Federal Trade Commission's Bureau of Competition on Guidelines for Merger Investigations (http://www.ftc.gov)
    - FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications; also see Regulatory Notice 10-06 (2010)
    - FDA Prescription Drug Requirements
    - Legal Hold

    22/113

    What Happens
    - Your Company & Your Reputation
    - Law Suit(s)
    - Fines
    - More regulatory scrutiny
    - Someone May Be Held Accountable

    23/113

    24/113

    Connecting The Dots
    - Employee has good news on a potential acquisition
    - Employee puts the information on a social network site (company is not stated)
    - Three more employees share the acquisition, but no one has stated the company name
    - All employees work for the same company
    - Someone connects the dots. Now what?

    25/113

    Challenges
    - Companies are not prepared to deal with the fast changes in how their employees communicate
    - Consumer Demand
    - Lack Of Training

    26/113

    Common Issues
    - Res Gestae Statement
    - Miscommunication
    - Filter? What Filter?
    - Statement Taken Out of Context
    - People Will Be People
    - Cumulative Impact

    27/113

    How Does It Happen?
    - We have become too open in what we say
    - We have become conditioned to share the moment

    28/113

    Information Discovery
    - Social Media Monitoring
    - Social Networking Site Could be Subpoenaed

    29/113

    How To Limit Exposure
    - Provide Training
    - Security Matters
    - Do Your Diligence

    30/113

    Chris Johnson, Fraud Monitoring & Incident Response
    October 19, 2010

    31/113

    Next Generation Firewalls: Threats Have Evolved, But Has Your Firewall?
    Dmitriy Ayrapetov, Product Line Manager, SonicWALL

    32/113

    Quick Quiz: Real or Fake?
    [Five images; answers: FAKE, REAL, REAL, FAKE, FAKE]

    33/113

    How does malware get on my computer?
    Application Level Attacks
    - Browser drive-by downloads (IE, Firefox, Safari)
    - Application exploits (Adobe Reader, Sun/Oracle JDK, Flash, Office)
    - No or little user intervention required

    34/113

    Application Level? Malware is an economy
    Your infected computer is a resource:
    - Ransomware/Keyloggers: your data
    - Botnets/Spam: your resources & liability
    - Fake AV: your money & time
    Applications are ubiquitous
    Applications are easy to target: think ROI!
    "The average price for renting a botnet is $67 for 24 hours, and $9 for hourly access" (http://www.zdnet.com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528)
    35/113

    But I Already Have A Firewall!
    [Diagram: a stateful firewall that knows traffic only by port: 80 = HTTP, 443 = HTTPS, 21 = FTP, 3389 = RDP. Its report reads "Some Web Traffic, FTP, RDP, HTTPS. Everything's OK!", while the "Web Traffic" lumps together every application riding on ports 80 and 443 (e.g., http://www.ebay.com/)]
    36/113

    Great, What Else? Application Chaos
    - Bad: control; Good: prioritization
    - Applications tunneling through a few ports
    - Many, many applications (logos shown: Oracle, Skype, SAP, Siebel, eBay, BitTorrent, Salesforce)
    - Traditional bandwidth management can't keep up
    - Full application control; SSL traffic inspection; content security
    37/113

    Evolution of Firewalls
    - Stateful Packet Inspection (stateful inspection): addressing of the envelope
    - UTM (Deep Packet Inspection, DPI): contents of the envelope/letter
    - Next Generation Firewall: subject of the letter
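An added example, not from the SonicWALL deck, of the gap the last three slides describe between the port view and application identification: constructed flow records are labelled by destination port and again by their first payload bytes, and a simple application-control policy acts on the second label. The signatures, the `ALLOWED_APPS` allowlist and the flow records are this example's own simplifications.

```python
import re

# The port view a stateful firewall reports on (from the slide).
PORT_TABLE = {80: "HTTP", 443: "HTTPS", 21: "FTP", 3389: "RDP"}

# Applications this example's policy permits once positively identified.
ALLOWED_APPS = {"HTTP", "TLS", "RDP"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(dst_port):
    """Stateful-firewall view: the destination port is the application."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(first_bytes):
    """DPI view: identify the application from the first client bytes.
    Signatures are simplified from the public protocol formats."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "HTTP"
    # TLS record: type 0x16 (handshake), major version 0x03, and the first
    # handshake message type 0x01 (ClientHello) at offset 5.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "TLS"
    # BitTorrent peer-wire handshake: length byte 19 + protocol string.
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    # SSH identification string.
    if first_bytes.startswith(b"SSH-2.0-"):
        return "SSH"
    # RDP: TPKT header (03 00 + length) then X.224 Connection Request (0xE0).
    if (len(first_bytes) >= 6 and first_bytes[:2] == b"\x03\x00"
            and first_bytes[5] == 0xE0):
        return "RDP"
    return "unknown"


def mismatches(flows):
    """Flows where the port label hides a different application."""
    out = []
    for f in flows:
        by_port = classify_by_port(f["dst_port"])
        by_dpi = classify_by_payload(f["payload"])
        consistent = by_port == by_dpi or (by_port == "HTTPS" and by_dpi == "TLS")
        if not consistent:
            out.append((f["dst_port"], by_port, by_dpi))
    return out


def decide(flow):
    """Application-control decision: allow known-good apps, block the rest,
    and log flows that could not be identified for deeper inspection."""
    app = classify_by_payload(flow["payload"])
    if app == "unknown":
        return "log"
    return "allow" if app in ALLOWED_APPS else "block"


# Constructed flow records: destination port plus the first client bytes.
FLOWS = [
    {"dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.ebay.com\r\n"},
    {"dst_port": 80, "payload": b"\x13BitTorrent protocol" + b"\x00" * 8},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"dst_port": 443, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
    {"dst_port": 8080, "payload": b"POST /api HTTP/1.1\r\n"},
    {"dst_port": 3389, "payload": b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08"},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["dst_port"], classify_by_port(f["dst_port"]),
              classify_by_payload(f["payload"]), decide(f))
    print("hidden by the port-only view:", mismatches(FLOWS))
```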

    38/113

    Do you ever wonder...
    - What's really on my network?
    - Where's all my bandwidth going?
    - Where is this traffic coming from?
    - What are the threats?

    39/113

    Visualize??

    40/113

    Visualize??
    Application Traffic
    - Application breakdown
    - User breakdown
    - Country identification
    - Dig deeper with filtering
    - Apply application control

    41/113

    So, Again, What Does an NGFW Do?
    - Identify and control applications and users
    - Block intrusions
    - Block malware and threats
    - Enforce content security
    - All of the above, but for SSL traffic as well
    - Importantly, not hinder performance and LET YOU WORK

    42/113

    Q&A

    43/113

    Chris Johnson, Fraud Monitoring & Incident Response
    October 19, 2010

    44/113

    Where Privacy Meets PCI
    Chris Zoladz, Navigate LLC

    45/113

    Events Making PCI/Privacy a Business Priority
    - Consumer and regulator expectations have never been higher
    - State security breach laws result in privacy lapses being public events
    - The Massachusetts privacy law could be a game changer
    - U.S. federal privacy law is likely

    46/113

    U.S. State Security Breach Laws
    - 46 states including the District of Columbia have a breach law
    - The laws are similar but not the same; differences include:
      - Definition of a breach
      - Inclusions and exceptions
      - Definition of PII
      - Notification requirements
    - Learn more: http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
    47/113

    The Maryland Law
    - Covers both paper and electronic data
    - Name in combination with social security number, driver's license number or credit card number
    - Notification exemption if the data is encrypted
    - State Attorney General must be notified before any notifications to Maryland residents are sent

    48/113

    Notification Content & Requirements
    - Explain what happened, why, and how the person can protect themselves
    - De facto practice is to offer 1 year of free credit monitoring service
    - Sent to all affected individuals, or communicated to major media if individual notification is not practical
    - Certain State Attorneys General (e.g., MA, MD, NC) and Consumer Protection Offices must be notified

    49/113

    Notification Content & Requirements
    - Sending notification letters
    - Credit monitoring service
    - Call center to handle questions
    - Legal fees
    - Lost productivity of employees that are part of the incident response effort
    - Potential FTC settlements
    - Loss of customer, public and regulator trust
    - Recently released Ponemon Institute study disclosed a cost of $216 per record

    50/113

    Massachusetts In Detail
    - Written Information Security Program (WISP)
    - Designated program owners
    - Employee training
    - Policies: possession of PII outside the facility; remote access to PII; disciplinary actions for violations
    - Inventory paper and electronic records as well as systems and media
    - Regularly monitor and annually review security measures
    - Encrypt PII on laptops and portable devices
    - Service provider program
    - Limit the collection, storage and access to PII
    - Risk assessments
    - Incident response
    - Specific computer security requirements
    - Learn more: http://www.mass.gov/?pageID=ocahomepage&L=1&L0=Home&sid=Eoca
    - http://www.oispp.ca.gov/default.asp
    51/113

    The FTC is Also an Enforcer
    - "Privacy is a central element of the FTC's consumer protection mission." (Source: www.ftc.gov/privacy)
    - Focuses on unfair or deceptive trade practices
    - Settlements:
      - Range from tens of thousands to millions of dollars
      - Include agreement by the company to independent oversight of their information security program for up to ... years

    52/113

    EU Data Protection Directive
    - Went into effect in 1998
    - Key requirements: Notice, Choice, Onward transfer, Security, Data integrity, Access, Enforcement
    - (Note: Canada, Australia, Russia and others have similar national laws)

    53/113

    Don't Think If, Think When
    - Incident response planning
    - Learn from others: was their weakness your weakness? http://www.privacyrights.org/ar/ChronDataBreaches.htm
    - You can't plan for every scenario, but you can plan for many of them
    - An effective plan is the difference between a well-managed event and a disaster

    54/113

    Elements of an Incident Response Plan
    - Form a Response Team
    - Incident Discovery and Confirmation
    - Isolate and Remediate
    - Notification
    - Analysis/Explanation
    - Close-out
    - Practice the plan
    - Execute with speed
    - The plan should be reviewed by legal counsel

    55/113

    Are You Prepared?
    A person calls the IT Director on Monday morning, the heaviest online sales day of the week, and:
    - Claims to have penetrated the company's website through a common vulnerability and is recording every keystroke entered on the website
    - Provides the last 10 credit card numbers entered on the website as evidence
    - Is requesting a $50,000 consulting fee to help the company strengthen its website security
    - Provided a bank account and routing number for a wire transfer . . .

    56/113

    Initial Questions
    - What would you do first?
    - What if the caller's information regarding the last 10 transactions is accurate?
    - Has the website really been compromised, or is the caller receiving data from an employee?
    - Would you shut down the website?
    - Would you immediately call law enforcement for this apparent extortion?
    - . . .

    57/113

    Contact Information
    Chris Zoladz
    [email protected]
    The PCI Coach
    www.thepcicoach.com

    58/113

    Chris Johnson, Fraud Monitoring & Incident Response
    October 19, 2010

    59/113

    Payment Application Data Security Standards
    Unraveling the Mystery of PA DSS

    60/113

    What is PA DSS
    - The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC)
    - Is the definitive data standard for software vendors that develop payment applications
    - Prevents payment applications developed for third parties from storing prohibited secure data, including magnetic stripe, CVV2, or PIN
    - Requires that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS)
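An added example (not from the PA-DSS deck) of the check behind the storage prohibition stated here and the "no evidence of storage of magnetic stripe or PIN data" assertion made later in the Compliance Validation talk: scan an application's files for Track 1 and Track 2 records, confirm candidate PANs with the Luhn check, and report only masked values. The log lines and card numbers are constructed test data; `SAMPLE_LOG` and the function names are this example's own.

```python
import re

# Track 2 (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Track 1: '%B' PAN '^' name '^' YYMM service-code discretionary '?'
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan):
    """Mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Report only the first six and last four digits, so the finding
    itself does not become another copy of the prohibited data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines, source):
    """Return one finding per Luhn-valid track record found in `lines`."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for track, rx in (("track2", TRACK2), ("track1", TRACK1)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append({"source": source, "line": lineno,
                                     "track": track, "pan": mask(pan)})
    return findings


def stores_prohibited_data(findings):
    """PA-DSS evidence test: any finding means track data is being stored."""
    return len(findings) > 0


# Constructed sample of what a POS application's debug log must NOT
# contain. The card numbers are industry test numbers, not real accounts.
SAMPLE_LOG = [
    "2010-10-19 09:12:01 swipe ok txn=1001",
    "2010-10-19 09:12:01 debug raw=;4111111111111111=1012101123456789?",
    "2010-10-19 09:12:02 debug raw=%B5500000000000004^DOE/JOHN^10121011234567890?",
    "2010-10-19 09:13:10 auth approved txn=1001 pan=411111******1111",
    "2010-10-19 09:14:00 debug raw=;1234567890123456=1012101?",  # fails Luhn
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG, "pos_debug.log")
    for f in found:
        print(f)
    print("stores prohibited data:", stores_prohibited_data(found))
```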

    61/113

    Why PA DSS
    - Payment applications found to be the source of multiple data compromise events
    - Merchants have limited insight into the security of commercial payment applications
    - Merchants are held liable for losses associated with data compromise events, not the application provider

    62/113

    What is Subject to PA DSS
    - The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties
    - Applies to payment applications provided in modules
      - May only apply to the baseline module, if that module is the only one performing payment functions
      - If other modules also perform payment functions, PA-DSS applies to those modules as well
    - Note: It is considered a best practice for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions

    63/113

    What is NOT Subject to PA DSS
    - Merchants that use in-house developed applications & stand-alone POS hardware terminals
    - Only applies to applications that store, process, or transmit cardholder data
    - Home-grown systems must be included in the overall PCI DSS compliance review (DSS Req. 6.3)
    - Point-to-point encryption and tokenization do not remove an application from scope
    - Terminal may not connect to other systems

    64/113

    PA DSS Mandates
    Phase | Visa Compliance Mandate | Effective Date
    1 | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/08
    2 | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant | 7/1/08
    3 | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications* | 10/1/08
    4 | VNPs and agents must decertify all vulnerable payment applications** | 10/1/09
    5 | Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications | 7/1/10

    65/113

    PA DSS Mandates - Continued
    Effective July 1, 2012, MasterCard will revise the MasterCard SDP Program Standards to require all merchants and Service Providers that use third party-provided payment applications to only use those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable. The applicability of the PCI PA-DSS to third party-provided payment applications is defined in the PCI PA-DSS Program Guide. In addition, MasterCard will establish a new PA-DSS compliance validation requirement for Level 1, Level 2, and Level 3 merchants as well as Level 1 and Level 2 Service Providers.

    66/113

    67/113

    Regulation and Deregulation: How Compliance Gets Made
    Michael Dahn, Director, PCI Compliance

    68/113

    Rules Keep Getting Bigger
    "Hello Dave" (2001: A Space Odyssey)

    69/113

    Know the Rules Before You Can Break Them

    70/113

    Know the Rules Before You Can Break Them
    - Dance: improvisation
    - Music: composition
    - Know which rules are followed, flexible, broken

    71/113

    Why Regulation?
    Trying to get a handle on large problems:
    - Unbound risk
    - Consumer protection

    72/113

    How Compliance Happens

    73/113

    Data Breaches & Black Swans

    74/113

    75/113

    Large Data Breaches (million records)
    [Chart]
    - Evolution of methods: flat files, network sniffing, serial port sniffing, custom malware
    - EU: retail moved to e-commerce

    76/113

    What risk are we trying to prevent?

    77/113

    Next Steps

    78/113

    Vaccinations & Regulatory Compliance
    - The problem is that although most all agree that vaccination is positive for the population, not everyone agrees that it is positive for the individual
    - Individuals say:
      - My environment is already secure
      - I know how to manage risk better than the regulatory bodies
      - My environment is special and unique and does not fit into your Procrustean boxes
    - Are we as secure as we think we are? Do we rely on third parties? Who do we share data with? Who do we give access to our data and systems?

    79/113

    Vaccinations & Regulatory Compliance
    Economics of Immunization and Compliance
    - A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, healthcare, and treatment programs
    - A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure

    80/113

    81/113

    Vaccinations & Regulatory Compliance
    Tipping point of vaccination
    - "An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza [flu]" (Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center)
    - So what makes us happy?

    82/113

    83/113

    84/113

    Understand the Intent
    "Do not focus on the finger or you will miss all that heavenly glory [of Regulatory Compliance]"
    - Bruce Lee, Enter the Dragon

    85/113

    Example: Audit Logging
    - PCI DSS Requirement 10.2 and the implications
    - Intent
    - This is only the beginning

    86/113

    Verizon PCI Compliance Report
    - Are all regulatory requirements equally important?
    - What are organizations good/bad at doing?
    - How does regulatory adherence impact data breaches?
    - How effective is regulatory compliance?

    87/113

    Compliance vs Validation
    In order to understand the report and the conclusions drawn from the data, it is necessary to differentiate between compliance and validation.
    - Validation: a point-in-time event
    - Compliance: a continuous process of adhering to the regulatory standard as set forth in the PCI DSS

    88/113

    Compliance Statistics

    89/113

    What are we bad at doing?

    90/113

    % of Orgs meeting PCI Regs

    91/113

    92/113

    3 Habits of Highly Effective Regulation
    Education, Education, Education!
    - Drives adoption and adherence
    Flexibility of controls
    - 100% compliance is not the goal when system failures occur
    - PCI DSS: compensating controls
    - EU Data Protection Directive: comply or explain
    More data for risk modeling
    - Can we ever manage risk on a moving target? Frequentist vs. Bayesian statistics

    93/113

    What is the Solution?
    "Building more roads to ease traffic is like trying to cure obesity by loosening the belt" (Richard Moe, Head of the US National Trust for Historic Preservation)
    - Simply applying more security does not necessarily mean you achieve better security
    - Rotate days that cars are permitted on the road?

    94/113

    What is the Solution?
    Help prevent data sprawl
    - Security is required where data is maintained. Data, data, anywhere? Data, data, everywhere?
    - Reduce scope through grouping of systems
    - Business process re-engineering: the more complex a system, the harder (and more costly) it is to maintain
    - Options

    95/113

    Examine Use Cases
    - Medical record data vs. payment card data
    - Data retention is sometimes required, but what do you retain? Debt collection agencies, recurring payments
    - Data mining and analysis
    - Cost to secure data vs. business need for the data
    - The cost of securing data can be proportional to the volume of it

    96/113

    Questions: @MikD

    97/113

    98/113

    Chris Johnson, Fraud Monitoring & Incident Response
    October 19, 2010

    99/113

    Compliance Validation Overview
    Dick Bloss, Fifth Third Processing Solutions
    Vice President, Governance, Risk and Compliance

    100/113

    Where Do We Begin?
    - Understand the mission and scope
    - Appoint a program manager
    - Discuss with acquirer
    - Engage your security org. & others
    - Determine a schedule
    - BE OBJECTIVE

    101/113

    The Players
    - PCI Security Standards Council
    - The Networks (The Brands)
    - Your Acquirer
    - Your third-party providers
    - Every employee of your company

    102/113

    103/113

    104/113

    Qualified Security Assessors
    - Willing to partner
    - Consultative
    - Insightful
    - Resourceful
    - Available
    - Communicative

    105/113

    Scope - Less is More
    - Segment your network
    - Retain only the data you need
    - Limit access by non-essential systems to the cardholder data region
    - Talk to acquirer & providers about P2P encryption and tokenization

    106/113

    Validation Tips: AIM and DO
    - Awareness and Attitude
    - Inventory
    - Monitoring
    - Documentation
    - Organization

    107/113

    Monitoring
    - Vulnerability scans: Approved Scanning Vendor; quarterly doesn't mean JUST quarterly
    - Penetration tests
    - Event logs
    - File integrity
    - Providers' compliant status

    108/113

    Assertions of Compliance
    QSA/Merchant confirms that ...
    - ROC was completed according to the PCI DSS Requirements
    - It's all true! (Fair representation in all material aspects)
    - Their payment application stores no sensitive data after authorization
    - That they have read the PCI DSS and maintain 24/365 compliance
    - They found no evidence of storage of magnetic stripe or PIN data

    109/113

    And the Return on This Effort?
    [Diagram contrasting three things: Validation - a point-in-time event; Compliance - you, the other 364 (days); Security - a long ... (text cut off on the slide)]

    110/113

    Leverage Available Resources
    - Acquirer may offer: training, step-by-step SAQ guidance, advice on security best practices
    - PCI Security Standards Council: www.pcisecuritystandards.org/merchants, Annual Community Meetings
    - Brands and their web sites

    111/113

    Challenge Your Providers
    - PTS & PA-DSS compliant products?
    - Providers' compliant status and ownership of responsibility?
    - Is your acquirer responsive and providing direction?
    - Do you have clear instructions on proper configuration of your payment applications?
    - Do you really need that card number?

    112/113

    Questions?

    113/113

    Chris Johnson, Fraud Monitoring & Incident Response
    October 19, 2010