EMV AND SECURITY
ELAVON TRAVEL SYMPOSIUM GENERAL SESSION
February 25th, 2014
Greg Rosenberg CISA, QSA
Trustwave Security Engineer
AGENDA
1. Trustwave Overview
2. Global Security Report
3. Who is executing these breaches?
4. Prevention
5. Question and Answer Session
WHO WE ARE
Company facts and figures
ESTABLISHED 1995
TRUSTED BY OVER 2.5 MILLION BUSINESSES
GROWING: NOW OVER 1,200 EMPLOYEES
GLOBAL: CUSTOMERS IN 96 COUNTRIES
INNOVATING: OVER 50 PATENTS & COUNTING (*+30 patents granted; +20 patents pending)
Selected by more enterprises for compliance – chosen more often than the next 10 service providers combined
Global Threat Database feeds technologies and services with threat intelligence
Industry’s most holistic portfolio of security technologies delivered through TrustKeeper®
EVERY DAY AT TRUSTWAVE...
Log +2B security and compliance events
Analyze +9,000 network based attacks
Scan +1 million endpoints for vulnerabilities
Review +22,000 web application attacks
Classify +10,000 malicious web pages
Analyze +1 million spam and phishing messages
Conduct a new forensic investigation
WHO IS EXECUTING THESE BREACHES?
WHO’S RESPONSIBLE FOR BREACHES?
HOW DID THESE RECENT BREACHES TAKE PLACE?
Card present merchants
INFILTRATION
[bar chart: share of breaches by method of infiltration]
• Email Trojan
• Remote File Inclusion
• Exposed Services
• SQL Injection
• 3rd Party Connections
• Remote Access Application
HOW DID THESE RECENT BREACHES TAKE PLACE?
Card present merchants
DATA HARVESTING
Memory Parser 67%
– Software application that monitors the random access memory (RAM) being used by a certain process
– When the process interacts with data, it parses this data for the specific information it is designed to look for
• Personally identifiable information (PII) or financial information (credit card numbers and bank account/routing codes)
– Predominant way card data is stolen
HOW DID THESE RECENT BREACHES TAKE PLACE?
Card present merchants
EXFILTRATION - Very basic and unencrypted
[pie chart: share of breaches by exfiltration method: Microsoft Windows Network Shares, Native Remote Access Application, Malware Capability, Native FTP Client, SQL Injection, Other; slices transcribed as 28%, 27%, 17%, 12%, 10% and 6%, slice-to-label pairing not preserved]
HOW DID THESE RECENT BREACHES TAKE PLACE?
The new techniques aren’t so new (Global Security Report 2010)
2013 GLOBAL SECURITY REPORT
The breach quadrilateral
2013 GLOBAL SECURITY REPORT
2010 vs. 2013
[table: percentage of breaches per technique, columns 2010 and 2013, rows grouped as below; the 30 cell values survive the transcription only as an unordered run (95%, 15%, 12%, N/A, 2%, 47%, 26%, N/A, 18%, 1%, 67%, 18%, 9%, 59%, 0%, 49%, 0%, 0%, 40%, 10%, 1%, 1%, 17%, 6%, 60%, 1%, 1%, 10%, 21%, 17%) whose row/column assignment is not recoverable]
Method of Entry: Remote Access Application, SQL Injection, Exposed Services, Unknown, Physical Access
Data Harvesting: Memory Sniffer, Key Logger, Network Sniffer, Stored, Code Modification
Exfiltration: Physical Harvesting, Source Code Modification, Native Utilities/Services, Built-In Malware, Basic Utilities
HOW DID THESE BREACHES TAKE PLACE?
Online Clothing Retailer
[slide shows a sample customer record: John Smith, 1122 Elm St, Salem’s Lot ME, 63601234567855, 11/16, 6464]
EXAMPLE: E-COMMERCE DATA BREACH
Online Retailer
1. Improper input validation allows the attacker to send SQL statements to the database.
2. The schema is identified. Even though the data is encrypted, the “decrypt” function is a stored procedure.
3. A complex SQL statement decrypts the data and outputs it to a file in the “images” directory, encoded and renamed.
4. The attackers navigate to the “images” directory and export the harvested data.
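Added example, not from the presentation or from Trustwave: step 1 of the breach above (improper input validation) shown as a customer lookup that pastes request input into the query text, beside the two controls that close the hole, an allowlist check on the input and a parameterized query. The table, its columns and rows are constructed, and `lookup_vulnerable`, `lookup_hardened`, `is_valid_customer_id` and the `C-NNNN` id format are assumptions.

```python
import re
import sqlite3

# Constructed sample table; the card column holds ciphertext, as on the slide.
SAMPLE_ROWS = [
    ("C-1001", "John Smith", "1122 Elm St", "enc:7f3a9c"),
    ("C-1002", "Jane Doe", "9 Oak Ave", "enc:b21e04"),
    ("C-1003", "Ann Lee", "4 Pine Rd", "enc:c0ffee"),
]
CUSTOMER_ID_RE = re.compile(r"C-\d{4}")  # assumed id format for this sample


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT, name TEXT, addr TEXT, pan_enc TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer_id: str) -> list:
    # Defect: request input is pasted into the statement text, so a value
    # containing a quote is executed as SQL rather than compared as data.
    sql = f"SELECT id, name FROM customers WHERE id = '{customer_id}'"
    return conn.execute(sql).fetchall()


def is_valid_customer_id(customer_id: str) -> bool:
    # Layer 1: allowlist validation rejects anything not shaped like an id.
    return CUSTOMER_ID_RE.fullmatch(customer_id) is not None


def lookup_hardened(conn, customer_id: str) -> list:
    # Layer 2: a bound parameter travels separately from the statement, so the
    # value is only ever compared against the id column, never parsed as SQL.
    sql = "SELECT id, name FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def demo() -> dict:
    conn = build_db()
    normal, hostile = "C-1002", "x' OR '1'='1"  # hostile: textbook tautology
    return {
        "normal_vuln": len(lookup_vulnerable(conn, normal)),    # 1
        "normal_safe": len(lookup_hardened(conn, normal)),      # 1
        "hostile_vuln": len(lookup_vulnerable(conn, hostile)),  # 3: whole table
        "hostile_safe": len(lookup_hardened(conn, hostile)),    # 0: no such id
        "hostile_passes_validation": is_valid_customer_id(hostile),  # False
    }
```

Both controls are worth keeping: validation stops the request at the edge, and parameterization makes the query safe even for a value that validation did not anticipate.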
WHAT CAN I DO TO PREVENT THIS FROM HAPPENING TO ME?
1. Are you doing a risk assessment?
2. How are you valuing your sensitive data?
3. How are you keeping abreast of the latest threat vectors?
4. Assume you have already been breached and act accordingly.
5. Who are your Service Providers?
HAVE YOU BEEN BREACHED ALREADY?
TIMELINE: INTRUSION TO CONTAINMENT
AVERAGE: 210 DAYS TO DETECTION
WHO ARE YOUR SERVICE PROVIDERS?
Service Provider: “Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.” – PCI SSC
The problem:
Service Providers are exploited in the majority of breaches.
WHO ARE YOUR SERVICE PROVIDERS?
Why?
• Most Service Providers don’t share liability, or the liability is limited to the value of the contract.
• Most Service Providers may not be educated on the latest in information and network security.
How do we solve this problem?
• Due diligence needs to be revamped and include a security professional.
• Explore higher liability limits and the ability to withstand them.
EMV
HOW DOES EMV HELP ME?
• EMV is primarily an anti-fraud mechanism with some additional security against theft techniques.
• The fraud reduction is focused on chip reading combined with additional authentication (though not necessarily PIN).
• In other words, this closes out some fraud that we see today in a card present environment.
Proper Risk Assessment
EMV
Holistic protection against bad actors
THANK YOU