Data Breaches, Credit Card Fraud, Front Page News … Are You Next?
Calvin Weeks, EnCE, CEDS, CRISC, CISSP, CISM
Computer Forensics Manager
www.eidebailly.com
Home Depot Breach
• CBS News
  • 2,200 stores compromised
  • Up to 60 million customers
  • Only 10% to 15% will see fraud activity
  • As much as $3 billion in bogus purchases
• Krebs on Security
  • Variant of the code from the Target attack
  • Compromised credit card numbers were first sold on a Ukrainian website
Lawsuits / Lawyers and Settlements
• Retailers not prepared for hack attacks
• Companies breached include UPS, Goodwill, P.F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus
• Solak et al v. The Home Depot, Inc., Case No. 1:2014-cv-02856, filed September 4, 2014 at The Eleventh Circuit, Georgia Northern District Court
How did the Breach occur?
• All compromises were a direct result of human failure at all levels
• Not one compromise has been attributed to hardware, operating system or application failures
Complaints with Loss Statistics
Complaints with Financial Loss (FBI Internet Crime Report), values shown on the chart:
• 2011: 115,903
• 2012: 114,908
• 2013: 106,079
Total Loss Statistics
Total Financial Loss (FBI Internet Crime Report), values shown on the chart, in millions:
• 2011: $485
• 2012: $525
• 2013: $574
Why is Data Security Important? The DATA has VALUE
• Many organizations feel they have nothing worth stealing or they are too small and invisible.
• Your data has value to an attacker.
• 40M records X $2/record = $80M attacker profit.
All Data Has Value: Recent Breaches
• Goodwill (Sept. 2014 – 330 stores in 20 states)
• Home Depot (Sept. 2014 – 56,000,000 cards)
• P.F. Chang’s (pre-June 2014 – 33 locations)
• Sally Beauty Supply (March 2014 – 25,000 records)
• Target (2013 – 70,000,000 customers’ data)
• Sony (2011 – 100,000,000 customers’ data)
• Heartland Payment Systems (2009 – 130,000,000 accounts)
• TJX (2007 – 90,000,000 accounts)
• Card Systems (2005 – 40,000,000 accounts)
Data Value
Frameworks: PCI Measures
• Build and Maintain a Secure Network
  • Firewall
  • No vendor-supplied defaults (passwords/parameters)
• Protect CHD
  • Stored (at rest)
  • Encrypted transmission across open, public networks
• Maintain Vulnerability Management Program
  • Protect against malware, update AV
  • Develop/maintain secure systems and applications
• Implement Strong Access Control
  • Restrict access to CHD by need-to-know
  • Identify/authenticate access to system components
  • Restrict physical access
• Regularly Monitor and Test Networks
  • Track/monitor all access to network resources and CHD
  • Regularly test security systems and processes
• Maintain Information Security Policy
  • Address information security for all personnel
Other Frameworks - NIST Critical Infrastructure Cybersecurity
Table 1: Function and Category Unique Identifiers

Function Unique Identifier | Function | Category Unique Identifier | Category
ID | Identify | ID.AM | Asset Management
ID | Identify | ID.BE | Business Environment
ID | Identify | ID.GV | Governance
ID | Identify | ID.RA | Risk Assessment
ID | Identify | ID.RM | Risk Management Strategy
PR | Protect  | PR.AC | Access Control
PR | Protect  | PR.AT | Awareness and Training
PR | Protect  | PR.DS | Data Security
PR | Protect  | PR.IP | Information Protection Processes and Procedures
PR | Protect  | PR.MA | Maintenance
PR | Protect  | PR.PT | Protective Technology
DE | Detect   | DE.AE | Anomalies and Events
DE | Detect   | DE.CM | Security Continuous Monitoring
DE | Detect   | DE.DP | Detection Processes
RS | Respond  | RS.RP | Response Planning
RS | Respond  | RS.CO | Communications
RS | Respond  | RS.AN | Analysis
RS | Respond  | RS.MI | Mitigation
RS | Respond  | RS.IM | Improvements
RC | Recover  | RC.RP | Recovery Planning
RC | Recover  | RC.IM | Improvements
RC | Recover  | RC.CO | Communications

Slide annotations beside the table label the Protect function as Preventative, Detect as Detective and Respond as Corrective.
How about Compliance?
• Being compliant does not mean you're secure, and being secure does not mean you're compliant
• The Truth About Home Depot's Security Breach: Hacking Was Easy - By Jason Abbruzzese, Sep 10, 2014
Established Standards
• Security standards began in the 1950s with the launch of the Russian Sputnik satellite
• In October 1967 a computer security task force was created
• The results of the task force were published in 1970 and named the Rand 609 report
• The Rand R-609-1 report was reissued in October 1979
• The standards established then are still the same today, even as technology advances regularly
Further Established Standards
• Manufacturers established standards for specific products
• After 2001 the National Institute of Standards and Technology (NIST) expanded its special publications for technology standards
• NIST established Information Systems Management and Operational Standards for executives
Basic Security Concept: Cyber Security Operations
• Prevent
• Monitor/Detect
• Respond
Prevent
• Establish budgets
• Follow best practices
  • National Institute of Standards and Technology (NIST)
• Obtain advanced training
• Employ appropriate expertise
• Strategize to prevent every ATTEMPT
Monitor & Detect
• Establish centralized logging
• Collect logs from all systems, networks, applications and all reported issues
• Correlate and aggregate all logs
• Set up rules and signature databases for alarms and alerts
• Collection should have no filters
• Establish robust search, filtering and reporting capability
• Strategize to detect every ATTEMPT
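As an added illustration of the centralized-logging and correlation steps above (example code written for this page, not from the presentation or Eide Bailly): a small Python correlator that takes unfiltered lines from several constructed log sources, normalizes them into one event shape, and applies two alarm rules. The source names, the POS subnet, the approved-destination list and the threshold are all assumed values; the log lines are constructed samples, not real data.

```python
import re
from collections import defaultdict

# Constructed sample lines from three log sources (not real data).
RAW_LOGS = [
    "firewall 2014-09-08T02:10:01 action=ALLOW src=10.1.50.12 dst=203.0.113.9 dport=443",
    "firewall 2014-09-08T02:10:05 action=ALLOW src=10.1.50.12 dst=10.1.10.5 dport=443",
    "winauth 2014-09-08T02:11:00 host=POS-12 user=svc_backup event=LOGON_FAILURE",
    "winauth 2014-09-08T02:11:02 host=POS-13 user=svc_backup event=LOGON_FAILURE",
    "winauth 2014-09-08T02:11:04 host=DC01 user=svc_backup event=LOGON_FAILURE",
    "pos 2014-09-08T02:12:00 term=POS-12 status=ok amount=41.20",
    "garbage line that does not parse",
]

APPROVED_DST = {"10.1.10.5"}   # assumed: destinations POS hosts are allowed to reach
POS_SUBNET = "10.1.50."        # assumed: address range of the cardholder-data environment
FAIL_HOSTS_THRESHOLD = 3       # assumed: distinct hosts with logon failures for one account

LINE_RE = re.compile(r"^(?P<source>\w+)\s+(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Parse one raw line into a flat event dict; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"source": m.group("source"), "ts": m.group("ts")}
    event.update(KV_RE.findall(m.group("fields")))   # key=value pairs become fields
    return event

def correlate(lines):
    """Aggregate events from every source, apply the alarm rules, return (alerts, unparsed)."""
    alerts, unparsed = [], 0
    failures = defaultdict(set)  # account -> hosts on which a logon failed
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1        # unparsable lines are counted, never silently dropped
            continue
        # Rule 1: a cardholder-environment host reaching a destination outside the approved set.
        if ev["source"] == "firewall" and ev.get("src", "").startswith(POS_SUBNET) \
                and ev.get("dst") not in APPROVED_DST:
            alerts.append(("unapproved_egress", ev["src"], ev["dst"], ev["ts"]))
        # Rule 2: one account failing logon on several hosts, visible only when logs are correlated.
        if ev.get("event") == "LOGON_FAILURE":
            failures[ev["user"]].add(ev["host"])
            if len(failures[ev["user"]]) == FAIL_HOSTS_THRESHOLD:
                alerts.append(("multi_host_logon_failure", ev["user"], sorted(failures[ev["user"]]), ev["ts"]))
    return alerts, unparsed
```

Neither rule fires on any single source alone: the logon rule needs the authentication logs from three hosts in one place, and the egress rule needs the firewall log joined with knowledge of which addresses belong to the cardholder environment.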
Respond
• Establish a response capability
• Include members from executive, IT, HR, security, legal, public relations and others as appropriate
• Review reports from monitoring activities
• Meet regularly to make informed decisions
• Strategize to respond to every ISSUE
• Making an informed decision to do nothing is acceptable
IT/Security Operational Model
Security & Risk Assessments
• Vulnerability Assessments and Penetration Testing are technical options, but they do not go far enough
• Knowing that you are vulnerable and that your systems and networks can be compromised does not answer the business question of what the priority is
• A properly performed security & risk assessment will help you set priorities that match business goals and objectives
The Experts
• IT Professionals will help keep your systems and networks up and running
• Security Professionals will help keep your systems and networks protected
• Computer Forensics Professionals will help respond to and investigate issues involving technology for HR, Legal and executive purposes
IT Professional vs. Forensic Examiner
• IT Professional
  • Training does not include handling of evidence
  • Primary focus is keeping systems up and running
  • Can be a witness on system, network and internet operations
  • Not trained or prepared to testify as an expert
• Forensic Examiner
  • Understands the rules of evidence
  • Primary focus is collecting, preserving and examining relevant data
  • Can provide assistance with technical legal strategies
  • Trained and prepared to testify as an expert
Examples: IT Professional vs. Forensic Examiner
• A police officer’s daily work involves knowing, understanding and applying laws, but that does not make them an attorney.
• A bookkeeper knows the accounting of their books and how to apply accounting practices every day, but this does not make them a CPA.
• An IT Professional knows how to set up, operate and maintain computer and network systems, but this does not make them qualified to investigate and testify, nor should they.
Computer Forensics vs. E-Discovery
• e-Discovery is Electronic Discovery
  • Production of known responsive information for litigation
  • Indexed database searching and filtering
  • Provides data statistics
  • Also refers to the Federal Rules of Civil Procedure, Process or Service
• Computer Forensics
  • Investigation and recovery of relevant information
  • Provides the details in context
  • Provides transactional details
  • Scientifically supports or disputes statements made by parties
  • Identifies and demonstrates facts about the activities found on a computer or electronic device
Example: Business Sale (made-up)
• A business owner discussed the sale of his business over public internet e-mail. An offer to sell was made in the amount of $1,000,000. After several months without a deal, the purchaser sued and, as evidence, produced a “PRINTED” copy of a reply e-mail from the seller asking to sell the business in the amount of $100,000.