verizon 2014 data breach investigation report and the target breach

Verizon 2014 Data Breach Investigation Report and The Target Breach: Proactive Approaches to Data Security. Ulf Mattsson, CTO, Protegrity, [email protected]

Post on 14-Sep-2014


DESCRIPTION

The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it. In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis of what is driving data breaches today, and how we can prevent them in the future.

KEY TOPICS INCLUDE:

• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques

TRANSCRIPT

Page 1: Verizon 2014 data breach investigation report and the target breach

Verizon 2014 Data Breach Investigation Report and The Target Breach

Proactive Approaches to Data Security

Ulf Mattsson, CTO, Protegrity

[email protected]

Page 2: Verizon 2014 data breach investigation report and the target breach

Ulf Mattsson, Protegrity CTO

Member of PCI Security Standards Council:

• Tokenization Task Force
• Encryption Task Force
• Point to Point Encryption Task Force
• Risk Assessment SIG
• eCommerce SIG
• Cloud SIG
• Virtualization SIG
• Pre-Authorization SIG
• Scoping SIG

Page 3: Verizon 2014 data breach investigation report and the target breach

Topics

• The Target Data Breach
• Data Security & Threat Landscape
• Think Like A Hacker - Proactive Data Security
• New Data Security Technologies & Approaches

Page 4: Verizon 2014 data breach investigation report and the target breach

THE TARGET DATA BREACH

What can we learn?

Page 5: Verizon 2014 data breach investigation report and the target breach

How The Breach at Target Went Down

First Attack: Fazio Mechanical Services
• A 3rd party refrigeration design & maintenance contractor for Target
• Email phishing attack that injected malware
• Credentials were stolen

Second Attack: Target POS Machines
• Used the stolen Fazio Mechanical Services credentials to get into Target's network and, from there, reach the POS machines
• Installed malware to collect customer payment data

Aftermath: Malware Data Export
• >40 million customer financial records & credit card numbers (CCN)
• >70 million customer personal information records
• The subsequent file dump containing customer data is reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or for the data required for identity theft

Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/

Page 6: Verizon 2014 data breach investigation report and the target breach

Memory Scraping Malware – Target Breach

Diagram: a payment card terminal feeds the Point Of Sale application, which sends transactions on for authorization and settlement. Memory scraping malware on the POS application captures card data while it sits in memory; the captured data is passed to a web server (also marked with memory scraping malware) and exported to Russia.

Page 7: Verizon 2014 data breach investigation report and the target breach

Target Says It Ignored Early Signs of Data Breach

Security software picked up on suspicious activity after the cyberattack was launched, but the company decided not to take immediate action.

Target received security alerts on Nov. 30 that indicated malicious software had appeared in its network.

Source: SEC (Securities and Exchange Commission)

Page 8: Verizon 2014 data breach investigation report and the target breach

Target Data Breach Fallout

Target Corp. annual report: the massive security breach has hurt its image and business, while spawning dozens of legal actions, and it can't estimate how big the financial tab will end up being.

The FTC is probing the massive hack of credit card information. Target could face federal charges for failing to protect its customers' data.

"When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at."
- Jon Leibowitz, former FTC chairman

Source: Bloomberg Businessweek

Page 9: Verizon 2014 data breach investigation report and the target breach

Target Data Breach Fallout

Target CIO Beth Jacob resigned


Page 10: Verizon 2014 data breach investigation report and the target breach

WHO IS THE NEXT TARGET?

Page 11: Verizon 2014 data breach investigation report and the target breach

Who is the Next Target?

• Retailers
• Services
• Healthcare
• Government

Page 12: Verizon 2014 data breach investigation report and the target breach

It's not like other businesses are using some special network security practices that Target doesn't know about. They just haven't been hit yet.

No number of walls, traps, bars, or alarms will keep out the determined thief.

Source: www.govtech.com/security

Page 13: Verizon 2014 data breach investigation report and the target breach

New Environments

Big Data and Cloud platforms are presenting new use cases that are incompatible with old security approaches. This makes them vulnerable and ideal targets.

Cloud & Big Data Vulnerabilities Include:

• Hackers & APT
• Rogue privileged users
• Unvetted applications or ad hoc processes

Page 14: Verizon 2014 data breach investigation report and the target breach

DATA SECURITY & THREAT LANDSCAPE

How have the methods of attack shifted?

Page 15: Verizon 2014 data breach investigation report and the target breach

The Bad Guys are Winning

"It's clear the bad guys are winning at a faster rate than the good guys are winning, and we've got to solve that."
- 2014 Verizon Data Breach Investigations Report

Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening

Page 16: Verizon 2014 data breach investigation report and the target breach

External Threats are Exploding


Source: The 2014 Verizon Data Breach Investigations Report

Page 17: Verizon 2014 data breach investigation report and the target breach

More, Better Attack Tools


Source: The 2014 Verizon Data Breach Investigations Report

Page 18: Verizon 2014 data breach investigation report and the target breach

Changing Motives

Source: The 2014 Verizon Data Breach Investigations Report

Page 19: Verizon 2014 data breach investigation report and the target breach

We Are Losing Ground

"...Even though security is improving, things are getting worse faster, so we're losing ground even as we improve."
- Security expert Bruce Schneier

Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11

Page 20: Verizon 2014 data breach investigation report and the target breach

Organizations Are Not Protecting Against Cyberattacks

"Cyber attack fallout could cost the global economy $3 trillion by 2020."
- McKinsey & Company report, Risk & Responsibility in a Hyperconnected World: Implications for Enterprises

Source: McKinsey report on enterprise IT security implications released in January 2014.

Page 21: Verizon 2014 data breach investigation report and the target breach

Organizations Are Also Bad At Detecting Breaches

Source: Verizon 2013 Data Breach Investigations Report & 451 Research

Page 22: Verizon 2014 data breach investigation report and the target breach

BEWARE MALWARE

Page 23: Verizon 2014 data breach investigation report and the target breach

New Malware Detections

Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf

Page 24: Verizon 2014 data breach investigation report and the target breach

The Dramatic Rise of RAM Scraping Malware

RAM scraping was #17 among all incident types in 2012 and rose to a very concerning #4 spot in 2013.

Incidents surged from just 27 in 2012 to 223 in 2013: more than an eightfold increase in only ONE YEAR.

Source: Verizon's 2014 Data Breach Investigations Report

Page 25: Verizon 2014 data breach investigation report and the target breach

FBI Memory-Scraping Malware Warning

In the past year, there were at least 20 malware cyber attacks on retail targets similar to the Target incident.

"POS malware crime will continue to grow over the near term."

Report: "Recent Cyber Intrusion Events Directed Toward Retail Firms"

Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach

Page 26: Verizon 2014 data breach investigation report and the target breach

The Dramatic Rise of RAM Scraping Malware

Export data became the #1 malware threat in 2013, doubling in occurrence from 2012.

Malware represented 60% (12/20) of the top 20 threat actions in the 2014 Verizon DBIR.

Source: Verizon's 2014 Data Breach Investigations Report

My conclusion: Malware will continue to proliferate until we secure the sensitive data flow.

Page 27: Verizon 2014 data breach investigation report and the target breach

THINK LIKE A HACKER

How can we shift from reactive to proactive thinking?

Page 28: Verizon 2014 data breach investigation report and the target breach

Thinking Like A Hacker

How do hackers think? Like a business.

• Go where the money is
• Multiple touches to get in
• Easier targets = Higher ROI

Page 29: Verizon 2014 data breach investigation report and the target breach

The Modern Day Bank Robber


Page 30: Verizon 2014 data breach investigation report and the target breach

Target Breach Lesson: Compliance Isn't Enough

Target was certified as meeting the Payment Card Industry standard in September 2013.

Compliance is minimal protection that everyone has to have in place.

• It can protect from liability.
• But obviously, it does not actually protect from data loss.

If you're driving a car, you have to wear your seatbelt. That doesn't make you a safe driver.

Source: TechNewsWorld

Page 31: Verizon 2014 data breach investigation report and the target breach

TURNING THE TIDE

What new technologies and techniques can be used to prevent future attacks?

Page 32: Verizon 2014 data breach investigation report and the target breach

Evolution of Data Security Methods

Coarse Grained Security:
• Access Controls
• Volume Encryption
• File Encryption

Evolution to Fine Grained Security:
• Access Controls
• Field Encryption
• Masking
• Tokenization
• Vaultless Tokenization

Page 33: Verizon 2014 data breach investigation report and the target breach

Fine Grained (Field-Level) Sensitive Data Security allows for a Wider and Deeper Range of Authority Options

Page 34: Verizon 2014 data breach investigation report and the target breach

The New Fine Grained Data Security

Chart: risk (low to high) plotted against access privilege level (low to high).
• Old: minimal access levels, least privilege to avoid high risks.
• New: much greater flexibility and lower risk in data accessibility.

Page 35: Verizon 2014 data breach investigation report and the target breach

What if a Credit Card Number in the Hands of a Criminal was Useless?

Page 36: Verizon 2014 data breach investigation report and the target breach

De-identification through Tokenization

Field             Real Data                                Tokenized / Pseudonymized
Name              Joe Smith                                csu wusoj
Address           100 Main Street, Pleasantville, CA       476 srta coetse, cysieondusbak, CA
Date of Birth     12/25/1966                               01/02/1966
Telephone         760-278-3389                             760-389-2289
E-Mail Address    [email protected]                          [email protected]
SSN               076-39-2778                              076-28-3390
CC Number         3678 2289 3907 3378                      3846 2290 3371 3378
Business URL      www.surferdude.com                       www.sheyinctao.com
Fingerprint                                                Encrypted
Photo                                                      Encrypted
X-Ray                                                      Encrypted

Healthcare: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services: consumer products and activities.

Protection methods can be equally applied to the actual data, but that is not needed with de-identification.

Page 37: Verizon 2014 data breach investigation report and the target breach

Fine Grained Data Security Methods

Tokenization and Encryption are Different

Encryption (cipher system): cryptographic algorithms, cryptographic keys.

Tokenization (code system): code books, index tokens.

Page 38: Verizon 2014 data breach investigation report and the target breach

Different Tokenization Approaches

Approaches compared by property: vault-based tokenization, either with dynamically generated tokens or with pre-generated tokens, and vaultless tokenization.
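As an added example for pages 36 to 38, written for this page and not Protegrity's product code (whose internals the deck does not show): a vault-based tokenizer in Python. The vault is the code book of page 37. Tokens are random values in the same format as the input, the mapping from token back to real value exists only inside the vault, and detokenization is gated by role, which is the "deeper range of authority options" of page 33 in practice. The sample record, field policy and role names are constructed for the example; a vaultless design would replace the stored mapping with pre-generated lookup tables and is not shown here.

```python
"""Vault-based, format-preserving tokenization (added example)."""
import secrets
import string

# Roles that may recover the real value; everyone else only ever sees tokens.
# Role names are constructed for this example.
DETOKENIZE_ROLES = {"settlement", "fraud-investigation"}

# Per-field policy: how many leading/trailing characters survive tokenization.
# The card number keeps BIN and last four (123456 999999 1234 on page 43),
# the telephone keeps its area code, everything else is fully replaced.
FIELD_POLICY = {
    "cc_number": {"keep_leading": 6, "keep_trailing": 4},
    "telephone": {"keep_leading": 3},
    "name": {},
    "ssn": {},
}


def random_like(value: str, keep_leading: int = 0, keep_trailing: int = 0) -> str:
    """Replace digits with random digits and letters with random letters of the
    same case, keeping punctuation and the protected prefix/suffix in place."""
    n = len(value)
    out = []
    for i, ch in enumerate(value):
        if i < keep_leading or i >= n - keep_trailing:
            out.append(ch)
        elif ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(secrets.choice(pool))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Code book: the only place where token -> real value is known."""

    def __init__(self) -> None:
        self._forward = {}   # (field, value) -> token
        self._reverse = {}   # (field, token) -> value

    def tokenize(self, field: str, value: str) -> str:
        policy = FIELD_POLICY[field]
        if (field, value) in self._forward:        # same input, same token
            return self._forward[(field, value)]
        for _ in range(1000):
            token = random_like(value, **policy)
            # Reject a token equal to the input (no protection) or one already
            # issued for another value in this field (ambiguous reversal).
            if token != value and (field, token) not in self._reverse:
                self._forward[(field, value)] = token
                self._reverse[(field, token)] = value
                return token
        raise RuntimeError(f"no free token for field {field!r}")

    def can_detokenize(self, role: str) -> bool:
        return role in DETOKENIZE_ROLES

    def detokenize(self, field: str, token: str, role: str) -> str:
        if not self.can_detokenize(role):
            raise PermissionError(f"role {role!r} may not detokenize {field}")
        return self._reverse[(field, token)]


def deidentify(record: dict, vault: TokenVault) -> dict:
    """Return a copy of record with every policy-covered field tokenized."""
    return {k: vault.tokenize(k, v) if k in FIELD_POLICY else v
            for k, v in record.items()}


# Constructed sample record (made-up person; the card number is a well-known
# test number).
SAMPLE_RECORD = {
    "name": "Joe Smith",
    "telephone": "760-278-3389",
    "ssn": "076-39-2778",
    "cc_number": "4111111111111111",
    "city": "Pleasantville",
}

if __name__ == "__main__":
    vault = TokenVault()
    safe = deidentify(SAMPLE_RECORD, vault)
    print(safe)
    print(vault.detokenize("cc_number", safe["cc_number"], role="settlement"))
```

Two properties matter for the "useless in the hands of a criminal" question on page 35: the token carries no information about the original beyond the digits the policy deliberately keeps, and an attacker who takes the whole downstream database gets only tokens, since the vault is a separate, far smaller system with its own access control. The price is that the vault must be consulted (or replicated) wherever tokens are issued, which is the performance point the speed chart on page 40 makes in favour of vaultless tokenization.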

Page 39: Verizon 2014 data breach investigation report and the target breach

Security of Fine Grained Protection Methods

Chart: security level (low to high) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, and Basic Data Tokenization.

Page 40: Verizon 2014 data breach investigation report and the target breach

Speed of Fine Grained Protection Methods

Chart: transactions per second* (log scale from 100 to 10,000,000) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, and Vault-based Data Tokenization.

*: Speed will depend on the configuration

Page 41: Verizon 2014 data breach investigation report and the target breach

Tokenization Research

Tokenization Gets Traction

Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption

Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data

Tokenization users had 50% fewer security-related incidents than tokenization non-users


Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

Page 42: Verizon 2014 data breach investigation report and the target breach

How Should I Secure Different Data?

Chart: use case (from simple, PCI cardholder data, through PII, personally identifiable information, to complex, PHI, protected health information) against type of data (structured vs. unstructured). Structured data is protected by tokenization of fields; unstructured data by encryption of files.

Page 43: Verizon 2014 data breach investigation report and the target breach

Protecting Enterprise Data Flow – Reducing Attack Surface

Diagram: data sources (CCN/SSN, social media, blogs, smart phones, meters, sensors, web logs, trading systems, GPS signals) feed a stream into Acquisition, then Big Data (Hadoop), the Enterprise Data Warehouse, and Analytics & Visualization. A card number such as 123456 123456 1234 is tokenized at acquisition to 123456 999999 1234, so only the protected form flows through the downstream systems.

Page 44: Verizon 2014 data breach investigation report and the target breach

CISOs say SIEM Not Good for Security Analytics

You must assume your perimeter systems will be breached. How do you know when your systems have been compromised?

You have to baseline and understand what 'normal' looks like and look for deviations from normal. McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring for anomalies can do that.

Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets.

Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner

Page 45: Verizon 2014 data breach investigation report and the target breach

Use Big Data to Analyze Abnormal Usage Patterns

Diagram: the same Target flow as on page 6 (payment card terminal, Point Of Sale application with memory scraping malware, authorization and settlement, web server with memory scraping malware, export to Moscow, Russia), with a FireEye sensor labelled "Malware?" watching the traffic.
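The baseline-and-deviate approach of pages 44 and 45 in working form, as an added example written for this page (not from the deck or any vendor product): per-host outbound byte counts and destination sets are learned from two weeks of network flow records, and a day is then scored against that baseline for volume spikes and for destinations never seen before, with external destinations called out separately. The flow records, host names, addresses and the 10.0.0.0/8 internal range are all constructed for the example.

```python
"""Baseline outbound flows per host and flag deviations (added example)."""
import ipaddress
import statistics
from collections import defaultdict

# Address space considered internal for this example (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (day, source host, destination IP, bytes out).
# Days 1-14 are the learning window; day 15 is the day under review.
BASELINE_DAYS = range(1, 15)
FLOWS = []
for day in BASELINE_DAYS:
    FLOWS.append((day, "pos-0142", "10.0.5.10", 200_000 + 1_000 * (day % 5)))          # authorizations
    FLOWS.append((day, "srv-share-01", "10.0.5.20", 50_000_000 + 250_000 * (day % 3)))  # nightly backup
FLOWS += [
    (15, "pos-0142", "10.0.5.10", 203_000),
    (15, "pos-0142", "10.0.9.44", 9_500_000),          # register pushing a dump to an internal share
    (15, "srv-share-01", "10.0.5.20", 50_250_000),
    (15, "srv-share-01", "203.0.113.7", 180_000_000),  # share server talking to an outside address
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_totals(flows):
    """Per (host, day) outbound bytes and per host destination set."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        totals[(host, day)] += nbytes
        dests[host].add(dst)
    return totals, dests


def build_baseline(flows, days):
    """Per host: (mean daily bytes, population stdev, known destinations)."""
    totals, dests = daily_totals([f for f in flows if f[0] in days])
    baseline = {}
    for host in {h for h, _ in totals}:
        series = [totals.get((host, d), 0) for d in days]   # quiet days count as 0
        baseline[host] = (statistics.mean(series), statistics.pstdev(series), dests[host])
    return baseline


def detect(flows, baseline, day, sigma=3.0):
    """Alerts for one day as (host, kind, detail) tuples."""
    totals, dests = daily_totals([f for f in flows if f[0] == day])
    alerts = []
    for (host, _), total in totals.items():
        if host not in baseline:
            alerts.append((host, "unknown host", total))
            continue
        mean, sd, known = baseline[host]
        # Floor the spread at 5% of the mean so a perfectly regular baseline
        # does not turn every small fluctuation into an alert.
        if total > mean + sigma * max(sd, 0.05 * mean):
            alerts.append((host, "volume", total))
        for dst in sorted(dests[host] - known):
            kind = "new external destination" if is_external(dst) else "new internal destination"
            alerts.append((host, kind, dst))
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, BASELINE_DAYS)
    for alert in detect(FLOWS, base, day=15):
        print(alert)
```

Run against day 15 this yields four alerts: the register's volume spike and its new internal destination, and the share server's volume spike and its new external destination. The two-hop shape (POS to internal server, internal server to the outside) is the pattern drawn on page 6, and neither hop is visible to a signature-based product, which is the point being made on page 44. The 5% floor on the standard deviation is a design choice for this example; a production baseline would also key on time of day and protocol, and would age out old destinations.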

Page 46: Verizon 2014 data breach investigation report and the target breach

Trend - Open Security Analytics Frameworks

Diagram: Enterprise Big Data Lake

Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture

Page 47: Verizon 2014 data breach investigation report and the target breach

Conclusions

Threats are increasing and attackers are getting more advanced
• Sticking your head in the sand will not make it go away
• Malware is everywhere – secure and monitor the data flow

Compliance does not equal security
• Everyone must be compliant, but it's just a starting point
• Assume you're under attack – proactive security must be a priority

Take advantage of the tools available today
• Tokenization provides flexibility to capture, store and use data securely
• Big Data event analysis & context can catch threats early on

Page 48: Verizon 2014 data breach investigation report and the target breach

Thank you!

Questions?

Please contact us for more information

www.protegrity.com

[email protected]

To Request A Copy of the Presentation

Email: [email protected]