data breaches. are you next? what does the data say?

Data Breaches: Are you next?

What does the data say?

Phil Agcaoili,

VP & Chief Information Security Officer, Elavon

ATPS Worldwide

3rd-4th December 2014

Fear, uncertainty and

doubt (FUD)

…Generally a strategic attempt to

influence perception by

disseminating negative and

dubious or false information…

The term originated to

describe disinformation tactics…

FUD is a manifestation of the

appeal to fear.

Truth

Truth is most often used to

mean being in accord with

fact or reality, or fidelity to

an original or to a standard

or ideal.

FUD and Cyber Security

ATPS Worldwide


Fact: Worst Travel Day of the Year

Fiction: Worst day of the year is the Day Before Thanksgiving

ATPS Worldwide


//Cyber Security

The interconnection and reliance of physical

lifeline functions over the Internet

(cyberspace) that impacts:

• National security,

• Public health and safety, and/or our

• Economic well-being

ATPS Worldwide


Information

Technology

Sector

Transportation

Systems

Sector

Commercial

Facilities

Sector

Financial

Services

Sector

Defense

Industrial Base

Sector

We are All Interconnected

ATPS Worldwide


Heightened Concerns on

Cyber Security

Low Barrier of Entry

High Damage Potential / Lucrative

ATPS Worldwide


Cost of Data$102.60

Average black market price for all of the data on a credit card

$187.44

Cost of taking control of a bank account

$200K

Average cost of cyber attach to SMB

$1M-$46M

Average cost of breach to a large company

$169M

Target breach clean-up costs

$46M

The Home Depot breach clean-up costs

$350M-1T

Global cost of cyber crime

ATPS Worldwide


//Cyber Crime

Global and growing industry

Increasing in size and efficiency

Targets everyone and every company

Leveled playing field for criminal activity

ATPS Worldwide


Cyber Crime Orgs

Professional Hackers

Spammers

Mafia

Military

Terrorists

//APT - Nation States Hacking

and a Cyber Cold War

ATPS Worldwide


What are your risks?

Have you assessed your risks?

ATPS Worldwide


Airlines and Airport Security

Complex ecosystems with advanced IT infrastructures

Real-time exchange of sensitive information

Scan and monitor passenger flow

Complex procedures and rules

Security requirements

Vulnerable to a multitude of attacks and IT-based emerging

threats

ATPS Worldwide


Information

Technology

Sector

Transportation

Systems

Sector

Commercial

Facilities

Sector

Financial

Services

Sector

Defense

Industrial Base

Sector

Data Breaches

ATPS Worldwide


Merchants Under Attack

Credit cards

ATPS Worldwide


What else must be said?

Case Studies: The Facts

Nothing new here

All information presented is based on:

Past incidents

Reported cyber attacks

ATPS Worldwide


2004 Fact: Sasser Worm and British

Airways at Heathrow Airport

British Airways suffered delays

Worm hit Terminal Four at London's Heathrow Airport,

Also affected call centers

Written by a teenager

ATPS Worldwide


2008 Fact: Spanair Flight 5022

Crashed just after take off

Over 150 people died

Only 18 people survived

Accident weakened Spanair's image (reputation risk)

Crash exacerbated company’s financial difficulties

Ceased operations in 2012

Internal report issued by airline revealed:

Malware infected airline's central computer system

May have prevented detection of technical problems with aircraft

Final report determined crew failure as root cause

ATPS Worldwide


2011 Fact: Delhi’s Indira Gandhi

International (IGI) Airport Incident

Passenger processing system failure

Backend server glitch

Common Use passengers Processing System

(CUPPS)

Down for almost 12 hours

Approximately 50 flights delayed

Passengers had to be manually checked in

Central Bureau of Investigation (CBI) of India

Virus attack / malicious code on the system

Used from an unknown remote location

Someone at a remote location operated the

system

ATPS Worldwide


2011 Fact: Computer Virus Hits

U.S. Drone Fleet

Virus infected Predator and Reaper drones

One of the US military’s most important weapons

systems

Virus resisted multiple efforts to remove it

Remote cockpits are not connected to the Internet

Virus believed to have spread through removable drives

ATPS Worldwide


2014 Facts: Infected Belgian

Charleroi Airport Servers

Belgian Charleroi airport network servers infected with

malware

Turned them into botnet zombies

Airport and customer data stolen

ATPS Worldwide


ATPS Worldwide


2014 Fact: Account Backdoors on Airport

Scanners, Default Passwords

Blackhat 2014

Backdoor accounts present in airport scanners

Many machines deployed at airport security checkpoints have embedded accounts with default passwords that can be abused

Attackers may be able to use the accounts as a backdoor to get access to the system

ATPS Worldwide


Via Billy Rios

2014 Fact: More Backdoors

FTP, Telnet, and Web hardcoded backdoors

~6000 on Internet at major airports

Foreign made

ATPS Worldwide


Via Billy Rios

2014 Fact: More Backdoors

Multiple backdoor accounts

ATPS Worldwide


Via Billy Rios

Internet of Things (IoT)

Embedded systems

Devices with an IP stack

May or may not be connected to the Internet

Think smartphones

Drones

ATPS Worldwide


Address Cyber Security Now

Raise visibility to senior leadership and Board of

Directors

Use a Cyber Risk Framework

Invest in Cyber Security

ATPS Worldwide


Risk Management NIST CSF

Your Responsibility

Ensure Basic Cyber Hygiene

It’s Everyone’s Responsibility

Airlines focus:

Defense in-depth and anti-malware programs

Follow the money

Trust, but Verify

Especially with embedded devices

Supply chain

Vendor Management / Third Party Security

Overall security

Hardcoded backdoors

Participate in an Information Sharing & Analysis Center (ISAC)

ATPS Worldwide


ATPS Worldwide


ThanksPhil AgcaoiliVP & Chief Information Security Officer, Elavon

Contributor, NIST Cybersecurity Framework version 1

Co-Founder & Board Member, Southern CISO Security Council

Distinguished Fellow and Fellows Chairman, Ponemon Institute

Founding Member, Cloud Security Alliance (CSA)

Inventor & Co-Author, CSA Cloud Controls Matrix,

GRC Stack, Security, Trust and Assurance Registry (STAR), and

CSA Open Certification Framework (OCF)

@hacksec

https://www.linkedin.com/in/philA

data breaches. are you next? what does the data say?

Internet

elavonatps worldwide3rd

thanksgivingatps worldwide3rd

teenageratps worldwide3rd

data breachesatps worldwide3rd

cost of data

cyber crimeglobal

maverage cost of breach

worst day