Who Is the Next Target? Proactive Approaches to Data Security
Ulf Mattsson, CTO, Protegrity
[email protected]

Posted 15-Jan-2015, 59 slides

DESCRIPTION

The landscape of threats to sensitive data is changing.  New technologies bring with them new vulnerabilities, and organizations like Target are failing to react properly to the shifts around them. What's needed is an approach equal to the persistent, advanced attacks companies face every day.  The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it. 

TRANSCRIPT

Page 1: Who Is the Next Target? Proactive Approaches to Data Security

Ulf Mattsson, CTO, Protegrity
[email protected]

Page 2: Ulf Mattsson & PCI Data Security Standards

Working with the Payment Card Industry Security Standards Council (PCI SSC):

• PCI SSC Tokenization Task Force
• PCI SSC Encryption Task Force
• PCI SSC Point to Point Encryption Task Force
• PCI SSC Risk Assessment SIG
• PCI SSC eCommerce SIG
• PCI SSC Cloud SIG
• PCI SSC Virtualization SIG
• PCI SSC Pre-Authorization SIG
• PCI SSC Scoping SIG
• PCI SSC 2013 – 2014 Tokenization Task Force

Page 3: Topics

• New threats and methods of attack
• New technologies offer new vulnerabilities
• Lessons learned from the Target breach
• The importance of proactive thinking
• New technologies to properly secure data

Page 4: THE CHANGING THREAT LANDSCAPE

How have the methods of attack shifted?

Page 5: Data Loss Worries IT Pros Most

[Chart: Data Loss Worries IT Pros Most]

Source: 2014 Trustwave Security Pressures Report

Page 6: Data Loss Worries IT Pros Most

[Chart: Data Loss Worries IT Pros Most, continued]

Source: 2014 Trustwave Security Pressures Report

Page 7: Security - We Are Losing Ground

“It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve got to solve that.” - 2014 Verizon Data Breach Investigations Report

Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening

Page 8: Security - We Are Losing Ground

“…Even though security is improving, things are getting worse faster, so we're losing ground even as we improve.” - Security expert Bruce Schneier

Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11

Page 9: Security - We Are Losing Ground

“Cyber attack fallout could cost the global economy $3 trillion by 2020.”

Source: McKinsey report on enterprise IT security implications released in January 2014.

Page 10: PRIME TARGETS FOR DATA BREACH

Page 11: CIA and NSA Tell Utilities How To Up Cybersecurity

The Bipartisan Policy Center (BPC) has published a new report titled "Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat."

Source: Smart Grid News

Page 12: Energy Sector a Prime Target for Cyber Attacks

• The U.S. government's Industrial Control Systems Cyber Emergency Response Team responded to more than 200 incidents, 53% aimed at the energy sector.
• So far, there have not been any successful catastrophic attacks on the US energy grid.
• Ongoing debate about the risk of a "cyber Pearl Harbor" attack.

Source: www.csoonline.com/article/748580/energy-sector-a-prime-target-for-cyber-attacks (Oct. 2012 - May 2013)

Page 13: Energy Sector Faces Cyber-attack Threat: Marsh

• The global energy sector has become vulnerable to cyber-attack.
• Increasingly adopting internet-based industrial control systems in an effort to cut costs.
• The industry has yet to experience business interruption or physical damage as a result of a cyber-attack.
• Being "disproportionately" targeted by increasingly sophisticated hacker networks, the broker

Source: 2014 Report, Insurance broker Marsh

Page 14: BEWARE MALWARE


Page 16: New Malware

[Chart: New Malware]

Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf

Page 17: Total Malicious Signed Malware

[Chart: Total Malicious Signed Malware]

Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf

Page 18: Targeted Malware Topped the Threats

[Chart: Targeted Malware Topped the Threats]

62% said that the pressure to protect from data breaches also increased over the past year.

Source: 2014 Trustwave Security Pressures Report

Page 19: US - Targeted Malware Top Threat

[Chart: US - Targeted Malware Top Threat]

Source: 2014 Trustwave Security Pressures Report

Page 20: FBI Memory-Scraping Malware Warning

• FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to the Target incident.
• Believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it.
• Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”

Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach

Page 21: THE CHANGING TECHNOLOGY LANDSCAPE

What effect, if any, does the rise of “Big Data” have on breaches?

Page 22: Has Your Organization Already Invested in Big Data?

[Chart: Has Your Organization Already Invested in Big Data?]

Source: Gartner

Page 23: Holes in Big Data…

[Chart: Holes in Big Data…]

Source: Gartner

Page 24: Many Ways to Hack Big Data

[Diagram of threat actors around the Big Data platform, labels: Hackers & APT; Rogue Privileged Users; Unvetted Applications or Ad Hoc Processes]

Page 25: Many Ways to Hack Big Data

[Diagram of the Hadoop stack with its attack surfaces. Components: MapReduce (Job Scheduling/Execution System); Pig (Data Flow); Hive (SQL); Sqoop; ETL Tools; BI Reporting; RDBMS; Avro (Serialization); ZooKeeper (Coordination); HDFS (Hadoop Distributed File System); HBase (Column DB). Threat labels: Hackers; Unvetted Applications or Ad Hoc Processes; Privileged Users]

Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase

Page 26: Big Data Vulnerabilities and Concerns

• Big Data (Hadoop) was designed for data access, not security.
• Security in a read-only environment introduces new challenges.
• Massive scalability and performance requirements.
• Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear.
• Transparency and data insight are required for ROI on Big Data.

Page 27: TARGET DATA BREACH

What can we learn from the Target breach?

Page 28: Target Breach Optioned as Sony Feature Film

Source: Welivesecurity.com

Page 29: Target Says It Ignored Early Signs of Data Breach

• Target Corp. said in its annual report that a massive security breach has hurt its image and business, while spawning dozens of legal actions, and it noted it can't estimate how big the financial tab will end up being.
• Security software picked up on suspicious activity after a cyberattack was launched, but it decided not to take immediate action.
• Received security alerts on Nov. 30 that indicated malicious software had appeared in its network.

Source: SEC (Securities and Exchange Commission)

Page 30: Target Data Breach, U.S. Secret Service & iSIGHT

Target CIO Beth Jacob resigned

Page 31: Memory Scraping Malware – Target Breach

[Diagram of the attack path, labels in order: Payment Card Terminal; Point Of Sale Application; Memory Scraping Malware; Authorization, Settlement; Web Server; Memory Scraping Malware; Russia]

Page 32: How The Breach at Target Went Down

• Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email.
  • Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information.
  • In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.
• The data theft was caused by the installation of malware on the firm's point of sale machines.
• The subsequent file dump containing customer data is reportedly flooding the black market.
  • Starting point for the manufacture of fake bank cards, or provide data required for identity theft.

Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/

Page 33: Target May Face Federal Suit Over Privacy Fumble

• The FTC is probing the massive hack of credit card information.
• Target could face federal charges for failing to protect its customers' data from hackers.
• "When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," said Jon Leibowitz, a former FTC chairman.
• Sen. Richard Blumenthal, a Connecticut Democrat, urged the FTC to investigate the Target hack soon after it became public in December.

Source: Bloomberg Businessweek

Page 34: Who Is The Next Target?

Page 35:

It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet.

No number of traps, bars, or alarms will keep out the determined thief.

Source: www.govtech.com/security

Page 36: THINKING LIKE A HACKER

How can we shift from reactive to proactive thinking?

Page 37: The Modern Day Bank Robber

[Image slide]

Page 38: Current Breach Discovery Methods

[Chart: Current Breach Discovery Methods]

Source: Verizon 2013 Data Breach Investigations Report & 451 Research

Page 39: CISOs say SIEM Not Good for Security Analytics

• You must assume the systems will be breached.
• Once breached, how do you know you've been compromised?
• You have to baseline and understand what 'goodness' looks like and look for deviations from goodness.
• McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that.
• Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets.

Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner

Page 40: TURNING THE TIDE

What new technologies and techniques can be used to prevent future attacks?

Page 41:

What if a Social Security Number or Credit Card Number in the Hands of a Criminal was Useless?

Page 42: COMPLIANCE VS. SECURITY

Page 43: Target Breach Lesson: PCI Compliance Isn't Enough

• Target was certified as meeting the standard for the payment card industry in September 2013.
• Compliance can protect us from liability, but whether it actually protects us from loss of business and loss of data is not so clear.
• Compliance is a minimal deterrent that everyone has to have in place.
• If you're driving a car, you're expected to have a driver's license. That doesn't make you a safe driver.

Source: TechNewsWorld

Page 44: PCI DSS 3.0

• Protection of cardholder data in memory
• Clarification of key management dual control and split knowledge
• Recommendations on making PCI DSS business-as-usual and best practices
• Security policy and operational procedures added
• Increased password strength
• New requirements for point-of-sale terminal security
• More robust requirements for penetration testing

Page 45: Evolution of Data Security Methods

[Timeline, left to right over time]

Coarse Grained Security:
• Access Controls
• Volume Encryption
• File Encryption

Fine Grained Security:
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization

Page 46: Access Control

[Chart: Risk (Low to High) against Access Privilege Level (Low to High)]

Old and flawed: Minimal access levels so people can only carry out their jobs

Page 47:

Applying the Protection Profile to the Structure of each Sensitive Data Field allows for a Wider Range of Granular Authority Options

Page 48: Examples: De-Identified Sensitive Data

Field            Real Data                               Tokenized / Pseudonymized
Name             Joe Smith                               csu wusoj
Address          100 Main Street, Pleasantville, CA      476 srta coetse, cysieondusbak, CA
Date of Birth    12/25/1966                              01/02/1966
Telephone        760-278-3389                            760-389-2289
E-Mail Address   [email protected]                       [email protected]
SSN              076-39-2778                             076-28-3390
CC Number        3678 2289 3907 3378                     3846 2290 3371 3378
Business URL     www.surferdude.com                      www.sheyinctao.com
Fingerprint                                              Encrypted
Photo                                                    Encrypted
X-Ray                                                    Encrypted

Healthcare: Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc. Financial Services: Consumer Products and activities

Protection methods can be equally applied to the actual data, but not needed with de-identification
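
An added example, not code from the deck or from Protegrity, of the kind of keyed, format-preserving de-identification the table above illustrates: digits map to digits, letters to letters (case kept), separators stay, and an assumed clear prefix or suffix (area code, first three SSN digits, the card's last four) is retained, while the same key and value always produce the same token so records can still be joined. It is one-way pseudonymization built on HMAC, not reversible tokenization; the field rules and the sample record are assumptions.

```python
import hmac
import hashlib
import string

def _keystream(key: bytes, label: str, value: str):
    """Pseudorandom bytes bound to (key, field label, original value)."""
    counter = 0
    while True:
        msg = f"{label}\x00{value}\x00{counter}".encode()
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1

def _draw(ks, n: int) -> int:
    """Unbiased index in range(n): reject bytes that would skew the modulo."""
    limit = 256 - 256 % n
    while True:
        b = next(ks)
        if b < limit:
            return b % n

def pseudonymize(value: str, key: bytes, label: str,
                 keep_prefix: int = 0, keep_suffix: int = 0) -> str:
    """Digits become digits, letters become letters (case kept), separators
    stay; keep_prefix/keep_suffix characters are passed through in the clear."""
    ks = _keystream(key, label, value)
    end = len(value) - keep_suffix
    out = []
    for i, ch in enumerate(value):
        if i < keep_prefix or i >= end:
            out.append(ch)
        elif ch.isdigit():
            out.append(string.digits[_draw(ks, 10)])
        elif ch.isalpha():  # any letter maps into the ASCII alphabet
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(pool[_draw(ks, 26)])
        else:
            out.append(ch)
    return "".join(out)

# Assumed per-field rules: (clear prefix length, clear suffix length).
FIELD_RULES = {
    "telephone": (3, 0),   # keep the area code
    "ssn": (3, 0),         # keep the first three digits, as on the slide
    "cc_number": (0, 4),   # keep the last four digits
}

def deidentify_record(record: dict, key: bytes) -> dict:
    """Pseudonymize every field; fields without a rule are fully replaced."""
    return {f: pseudonymize(v, key, f, *FIELD_RULES.get(f, (0, 0)))
            for f, v in record.items()}

def same_format(a: str, b: str) -> bool:
    """True when both strings carry the same character class at every position."""
    cls = lambda c: "d" if c.isdigit() else "a" if c.isalpha() else c
    return len(a) == len(b) and all(cls(x) == cls(y) for x, y in zip(a, b))

# Constructed sample record using the fictional values shown on slide 48.
SAMPLE = {"name": "Joe Smith", "telephone": "760-278-3389",
          "ssn": "076-39-2778", "cc_number": "3678 2289 3907 3378"}
```

Dates such as the Date of Birth row need a calendar-aware rule (the slide keeps the year and changes month and day), which this character-class substitution does not attempt.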

Page 49: The New Data Protection - Tokenization

[Chart: Risk (Low to High) against Access Privilege Level (Low to High)]

Old: Minimal access levels – Least Privilege to avoid high risks
New: Much greater flexibility and lower risk in data accessibility

Page 50: Tokenization Research - Tokenization Gets Traction

• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption.
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data.
• Tokenization users had 50% fewer security-related incidents than tokenization non-users.

Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/

Page 51: Security of Different Protection Methods

[Bar chart: Security Level (Low to High) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Basic Data Tokenization]

Page 52: Fine Grained Data Security Methods - Tokenization and Encryption are Different

                 Encryption                  Tokenization
Used Approach    Cipher System               Code System
                 Cryptographic algorithms    Code books
                 Cryptographic keys          Index tokens

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 53: Speed of Different Protection Methods

[Bar chart: Transactions per second* on a log scale from 100 to 10 000 000 for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard and Vault-based Data Tokenization]

*: Speed will depend on the configuration

Page 54: Different Tokenization Approaches

[Table: Property by approach, with columns Vault-based (Dynamic, Pre-generated) and Vaultless; the row contents did not survive extraction]

Page 55: How Should I Secure Different Data?

[Matrix: Type of Data (Structured, Un-structured) against Use Case (Simple – PCI, PII; Complex – PHI). Cells: Encryption of Files; Tokenization of Fields; Cardholder Data; Personally Identifiable Information; Protected Health Information]

Page 56: Use Big Data to Analyze Abnormal Usage Pattern

[Diagram of the attack path, labels in order: Payment Card Terminal; Point Of Sale Application; Memory Scraping Malware; Authorization, Settlement; Web Server; Memory Scraping Malware; Moscow, Russia; FireEye; Malware?]
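
Slide 39's point that you must baseline what 'goodness' looks like and alert on deviations, and this slide's idea of analysing abnormal usage patterns, as an added example that is not from the deck or from any vendor named in it: a per-host baseline of destinations and flow sizes is built from constructed flow summaries, and new flows are scored against it. Hostnames, the 203.0.113.7 address (a TEST-NET value) and the 3-sigma threshold are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (src_host, dst, bytes_out); not real telemetry.
BASELINE_FLOWS = [
    ("pos-01", "auth-gw.internal", 1180), ("pos-01", "auth-gw.internal", 1210),
    ("pos-01", "auth-gw.internal", 1195), ("pos-01", "patch.internal", 20500),
    ("pos-02", "auth-gw.internal", 1225), ("pos-02", "auth-gw.internal", 1170),
    ("pos-02", "auth-gw.internal", 1205), ("pos-02", "patch.internal", 19800),
    ("web-01", "cdn.example.net", 8400), ("web-01", "cdn.example.net", 9100),
    ("web-01", "db.internal", 3100),
]
NEW_FLOWS = [
    ("pos-01", "auth-gw.internal", 1190),   # ordinary authorization traffic
    ("pos-01", "web-01", 48_000_000),       # a register pushing bulk data to an internal web server
    ("web-01", "203.0.113.7", 52_000_000),  # that server uploading to an outside address (constructed)
    ("pos-03", "auth-gw.internal", 1200),   # a host the baseline has never seen
]

def build_baseline(flows):
    """Per source host: the destinations it normally talks to and its
    typical bytes-per-flow (mean and population standard deviation)."""
    dests, volumes = defaultdict(set), defaultdict(list)
    for src, dst, nbytes in flows:
        dests[src].add(dst)
        volumes[src].append(nbytes)
    return {src: {"dests": dests[src], "mean": mean(volumes[src]),
                  "std": pstdev(volumes[src])} for src in dests}

def detect_anomalies(baseline, flows, k=3.0):
    """Return (src, dst, reason) for every flow that deviates from 'goodness':
    an unknown host, a destination never seen for that host, or a volume more
    than k standard deviations above the host's usual flow size."""
    alerts = []
    for src, dst, nbytes in flows:
        b = baseline.get(src)
        if b is None:
            alerts.append((src, dst, "unknown-host"))
            continue
        if dst not in b["dests"]:
            alerts.append((src, dst, "new-destination"))
        # Floor the spread at 1 byte so a perfectly flat baseline still alerts.
        if nbytes > b["mean"] + k * max(b["std"], 1.0):
            alerts.append((src, dst, "volume-spike"))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print("ALERT %-7s -> %-18s %s" % alert)
```

The normal authorization flow from pos-01 produces no alert; the two hops of the staged exfiltration and the never-seen host do.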

Page 57: Trend - Open Security Analytics Frameworks

[Diagram: Enterprise Big Data Lake]

Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture

Page 58: Conclusions

Changing threat landscape & challenges to secure data:
• Attackers are looking for not just payment data – a more serious problem.
• IDS systems are lacking context needed to catch data theft.
• SIEM detection is too slow in handling large amounts of events.

What happened at Target?
• Modern customized malware can be very hard to detect.
• They were compliant, but not secure.

How can we prevent what happened to Target and the next attack against our sensitive data?
• Assume that we are under attack - proactive protection of the data itself.
• We need to analyze event information and context to catch modern attackers.
• The Oracle Big Data Appliance can provide the foundation for solving this problem.

Page 59: Thank you!

Questions?

Please contact us for more information
http://www.protegrity.com/news-resources/collateral/
[email protected]