8th Global Airline & Travel Payments Summit - ATPS 2014
Data Breaches: Are you next?
What does the data say?
Phil Agcaoili,
VP & Chief Information Security Officer, Elavon
ATPS Worldwide
3rd-4th December 2014
Fear, uncertainty and doubt (FUD)
…Generally a strategic attempt to influence perception by disseminating negative and dubious or false information…
The term originated to describe disinformation tactics…
FUD is a manifestation of the appeal to fear.
Truth
Truth is most often used to mean being in accord with fact or reality, or fidelity to an original or to a standard or ideal.
FUD and Cyber Security
Fact: Worst Travel Day of the Year
Fiction: Worst day of the year is the Day Before Thanksgiving
//Cyber Security
The interconnection and reliance of physical lifeline functions over the Internet (cyberspace) that impacts:
• National security,
• Public health and safety, and/or our
• Economic well-being
Information Technology Sector
Transportation Systems Sector
Commercial Facilities Sector
Financial Services Sector
Defense Industrial Base Sector
We are All Interconnected
Heightened Concerns on
Cyber Security
Low Barrier of Entry
High Damage Potential / Lucrative
Cost of Data
$102.60: Average black market price for all of the data on a credit card
$187.44: Cost of taking control of a bank account
$200K: Average cost of cyber attack to SMB
$1M-$46M: Average cost of breach to a large company
$169M: Target breach clean-up costs
$46M: The Home Depot breach clean-up costs
$350M-1T: Global cost of cyber crime
//Cyber Crime
Global and growing industry
Increasing in size and efficiency
Targets everyone and every company
Leveled playing field for criminal activity
Cyber Crime Orgs
Professional Hackers
Spammers
Mafia
Military
Terrorists
//APT - Nation States Hacking and a Cyber Cold War
What are your risks?
Have you assessed your risks?
Airlines and Airport Security
Complex ecosystems with advanced IT infrastructures
Real-time exchange of sensitive information
Scan and monitor passenger flow
Complex procedures and rules
Security requirements
Vulnerable to a multitude of attacks and IT-based emerging threats
Information Technology Sector
Transportation Systems Sector
Commercial Facilities Sector
Financial Services Sector
Defense Industrial Base Sector
Data Breaches
Merchants Under Attack
Credit cards
What else must be said?
Case Studies: The Facts
Nothing new here
All information presented is based on:
Past incidents
Reported cyber attacks
2004 Fact: Sasser Worm and British Airways at Heathrow Airport
British Airways suffered delays
Worm hit Terminal Four at London's Heathrow Airport
Also affected call centers
Written by a teenager
2008 Fact: Spanair Flight 5022
Crashed just after take off
Over 150 people died
Only 18 people survived
Accident weakened Spanair's image (reputation risk)
Crash exacerbated company’s financial difficulties
Ceased operations in 2012
Internal report issued by airline revealed:
Malware infected airline's central computer system
May have prevented detection of technical problems with aircraft
Final report determined crew failure as root cause
2011 Fact: Delhi’s Indira Gandhi International (IGI) Airport Incident
Passenger processing system failure
Backend server glitch
Common Use Passenger Processing System (CUPPS)
Down for almost 12 hours
Approximately 50 flights delayed
Passengers had to be manually checked in
Central Bureau of Investigation (CBI) of India
Virus attack / malicious code on the system
Used from an unknown remote location
Someone at a remote location operated the system
2011 Fact: Computer Virus Hits U.S. Drone Fleet
Virus infected Predator and Reaper drones
One of the US military’s most important weapons systems
Virus resisted multiple efforts to remove it
Remote cockpits are not connected to the Internet
Virus believed to have spread through removable drives
2014 Facts: Infected Belgian Charleroi Airport Servers
Belgian Charleroi airport network servers infected with malware
Turned them into botnet zombies
Airport and customer data stolen
2014 Fact: Account Backdoors on Airport Scanners, Default Passwords
Blackhat 2014
Backdoor accounts present in airport scanners
Many machines deployed at airport security checkpoints have embedded accounts with default passwords that can be abused
Attackers may be able to use the accounts as a backdoor to get access to the system
Via Billy Rios
2014 Fact: More Backdoors
FTP, Telnet, and Web hardcoded backdoors
~6000 on Internet at major airports
Foreign made
Via Billy Rios
2014 Fact: More Backdoors
Multiple backdoor accounts
Via Billy Rios
Internet of Things (IoT)
Embedded systems
Devices with an IP stack
May or may not be connected to the Internet
Think smartphones
Drones
Address Cyber Security Now
Raise visibility to senior leadership and Board of Directors
Use a Cyber Risk Framework
Invest in Cyber Security
Risk Management NIST CSF
Your Responsibility
Ensure Basic Cyber Hygiene
It’s Everyone’s Responsibility
Airlines focus:
Defense in-depth and anti-malware programs
Follow the money
Trust, but Verify
Especially with embedded devices
Supply chain
Vendor Management / Third Party Security
Overall security
Hardcoded backdoors
Participate in an Information Sharing & Analysis Center (ISAC)
Thanks
Phil Agcaoili
VP & Chief Information Security Officer, Elavon
Contributor, NIST Cybersecurity Framework version 1
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA