The Good, The Bad and The Ugly of The Target Data Breach
Ulf Mattsson
CTO, Protegrity
Ulf.Mattsson@protegrity.com
Ulf Mattsson & PCI Data Security Standards
Working with the Payment Card Industry Security Standards Council (PCI SSC):
• PCI SSC Tokenization Task Force - Guidelines
• PCI SSC Encryption Task Force
• PCI SSC Point to Point Encryption Task Force
• PCI SSC Risk Assessment SIG
• PCI SSC eCommerce SIG
• PCI SSC Cloud SIG
• PCI SSC Virtualization SIG
• PCI SSC Pre-Authorization SIG
• PCI SSC Scoping SIG
• PCI SSC 2013 – 2014 Tokenization Task Force – Technical Standard
Topics
• Data security today
• The Target breach
• New environments bring new vulnerabilities
• Thinking like a hacker - proactive data security
• New technologies & approaches to properly secure data
DATA SECURITY TODAY
How have the methods of attack shifted?
Worries of 800 IT Pros
Source: 2014 Trustwave Security Pressures Report
Data Loss Worries IT Pros Most
Source: 2014 Trustwave Security Pressures Report
The Bad Guys are Winning
“It’s clear the bad guys are winning at a faster rate than the good guys are winning, and we’ve got to solve that.”
- 2014 Verizon Data Breach Investigations Report
Source: searchsecurity.techtarget.com/news/2240215422/In-2014-DBIR-preview-Verizon-says-data-breach-response-gap-widening
We Are Losing Ground
“…Even though security is improving, things are getting worse faster, so we're losing ground even as we improve.”
- Security expert Bruce Schneier
Source: http://www.businessinsider.com/bruce-schneier-apple-google-smartphone-security-2012-11
Organizations are Not Protected Against Cyberattacks
“Cyber attack fallout could cost the global economy $3 trillion by 2020.”
- McKinsey & Company report, Risk & Responsibility in a Hyperconnected World: Implications for Enterprises
Source: McKinsey report on enterprise IT security implications released in January 2014.
TARGET DATA BREACH
What can we learn from the Target breach?
Target Data Breach, U.S. Secret Service & iSIGHT
Target CIO Beth Jacob resigned
Memory Scraping Malware – Target Breach
[Diagram: Payment Card Terminal → Point Of Sale Application (Memory Scraping Malware) → Authorization, Settlement … → Web Server (Memory Scraping Malware) → Russia]
How The Breach at Target Went Down
Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email
• Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information
• In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers
The data theft was caused by the installation of malware on the firm's point of sale machines
The subsequent file dump containing customer data is reportedly flooding the black market
• Starting point for the manufacture of fake bank cards, or a source of the data required for identity theft.
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
Target May Face Federal Suit Over Privacy Fumble
The FTC is probing the massive hack of credit card information
Target could face federal charges for failing to protect its customers' data from hackers
"When you see a data breach of this size with clear harm to consumers, it's clearly something that the FTC would be interested in looking at," said Jon Leibowitz, a former FTC chairman
Sen. Richard Blumenthal, a Connecticut Democrat, urged the FTC to investigate the Target hack soon after it became public in December
Source: Bloomberg Businessweek
WHO IS THE NEXT TARGET?
Who Is The Next Target?
It’s not like other businesses are using some special network security practices that Target doesn’t know about. They just haven’t been hit yet.
No number of traps, bars, or alarms will keep out the determined thief.
Source: www.govtech.com/security
Who is the Next Target?
• Services
• Retailers
• Healthcare
• Government
BEWARE MALWARE
FBI Memory-Scraping Malware Warning
The FBI uncovered 20 cyber attacks against retailers in the past year that utilized methods similar to the Target incident
It believes POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it
Report: “Recent Cyber Intrusion Events Directed Toward Retail Firms”
Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach
New Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
Total Malicious Signed Malware
Source: mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf
Targeted Malware Topped the Threats
Source: 2014 Trustwave Security Pressures Report
US - Targeted Malware Top Threat
Source: 2014 Trustwave Security Pressures Report
BIG DATA PROBLEMS
What effect, if any, does the rise of “Big Data” have on breaches?
Has Your Organization Already Invested in Big Data?
Source: Gartner
Holes in Big Data…
Source: Gartner
Many Ways to Hack Big Data
Threat actors: Hackers & APT; Rogue Privileged Users; Unvetted Applications or Ad Hoc Processes
[Diagram: the Hadoop stack – MapReduce (Job Scheduling/Execution System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS; HDFS (Hadoop Distributed File System); HBase (Column DB); Avro (Serialization); Zookeeper (Coordination) – with Hackers, Unvetted Applications or Ad Hoc Processes, and Privileged Users shown as the points of entry]
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
Big Data Vulnerabilities and Concerns
• Big Data (Hadoop) was designed for data access, not security
• Security in a read-only environment introduces new challenges
• Massive scalability and performance requirements
• Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear
• Transparency and data insight are required for ROI on Big Data
THINKING LIKE A HACKER
How can we shift from reactive to proactive thinking?
Thinking Like A Hacker
How do hackers think? Like a business.
• Go where the money is
• Multiple touches to get in
• Easier targets = Higher ROI
The Modern Day Bank Robber
COMPLIANCE VS. SECURITY
Target Breach Lesson: PCI Compliance Isn't Enough
Target was certified as meeting the standard for the payment card industry in September 2013
Compliance can protect us from liability, but whether it actually protects us from loss of business and loss of data is not so clear
Compliance is a minimal deterrent that everyone has to have in place
If you're driving a car, you're expected to have a driver's license. That doesn't make you a safe driver
Source: TechNewsWorld
PCI DSS 3.0
• Protection of cardholder data in memory
• Clarification of key management dual control and split knowledge
• Recommendations on making PCI DSS business-as-usual and best practices
• Security policy and operational procedures added
• Increased password strength
• New requirements for point-of-sale terminal security
• More robust requirements for penetration testing
TURNING THE TIDE
What new technologies and techniques can be used to prevent future attacks?
What if a Social Security number or Credit Card Number in the Hands of a Criminal was Useless?
Evolution of Data Security Methods (over time)
Coarse Grained Security:
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security:
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization
Access Control
Old and flawed: Minimal access levels so people can only carry out their jobs
[Chart: Risk (Low – High) against Access Privilege Level (Low – High)]
Applying the Protection Profile to the Structure of each Sensitive Data Field allows for a Wider Range of Granular Authority Options
The New Data Protection - Tokenization
[Chart: Risk (Low – High) against Access Privilege Level (Low – High)]
Old: Minimal access levels – Least Privilege to avoid high risks
New: Much greater flexibility and lower risk in data accessibility
Examples: De-Identified Sensitive Data
Field           | Real Data                             | Tokenized / Pseudonymized
Name            | Joe Smith                             | csu wusoj
Address         | 100 Main Street, Pleasantville, CA    | 476 srta coetse, cysieondusbak, CA
Date of Birth   | 12/25/1966                            | 01/02/1966
Telephone       | 760-278-3389                          | 760-389-2289
E-Mail Address  | joe.smith@surferdude.org              | eoe.nwuer@beusorpdqo.org
SSN             | 076-39-2778                           | 076-28-3390
CC Number       | 3678 2289 3907 3378                   | 3846 2290 3371 3378
Business URL    | www.surferdude.com                    | www.sheyinctao.com
Fingerprint     |                                       | Encrypted
Photo           |                                       | Encrypted
X-Ray           |                                       | Encrypted
Use cases: Healthcare / Financial Services – Dr. visits, prescriptions, hospital stays and discharges, clinical, billing, etc.; Financial Services – Consumer Products and activities
Protection methods can be equally applied to the actual data, but are not needed with de-identification
How Should I Secure Different Data?
[Chart: Use Case (Simple – PCI to Complex – PHI) against Type of Data (Structured to Un-structured); methods shown: Tokenization of Fields, Encryption of Files; data types: Card Holder Data, Personally Identifiable Information, Protected Health Information]
Tokenization Research
Tokenization Gets Traction
• Aberdeen has seen a steady increase in enterprise use of tokenization for protecting sensitive data over encryption
• Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data
• Tokenization users had 50% fewer security-related incidents than tokenization non-users
Source: http://www.protegrity.com/2012/08/tokenization-gets-traction-from-aberdeen/
Security of Different Protection Methods
[Chart: Security Level (Low – High) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Basic Data Tokenization]
Fine Grained Data Security Methods
Tokenization and Encryption are Different
              | Encryption               | Tokenization
Used Approach | Cipher System            | Code System
Based on      | Cryptographic algorithms | Code books
              | Cryptographic keys       | Index tokens
Source: McGraw-Hill Encyclopedia of Science & Technology
Speed of Different Protection Methods
[Chart: Transactions per second* (log scale from 100 to 10 000 000) for Format Preserving Encryption, Vaultless Data Tokenization, AES CBC Encryption Standard, Vault-based Data Tokenization]
*: Speed will depend on the configuration
Different Tokenization Approaches
[Table: Property | Vault-based – Dynamic | Vault-based – Pre-generated | Vaultless]
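The two tokenization families compared on this slide, and the card-number pattern on the data-flow slide (123456 123456 1234 becoming 123456 999999 1234, with the BIN and last four left in the clear), can be shown side by side in working code. The Python below is an added example, not code from this deck or from Protegrity: a dynamic vault-based tokenizer that draws a random replacement and stores the pair, and a vaultless tokenizer that rebuilds static code books from a secret so nothing is stored per value. The code-book construction (rounds of 3-digit substitution plus a digit rotation), the demo secret and the sample card number are all constructed for illustration and are not any product's algorithm.

```python
import hashlib
import hmac
import random
import secrets


def split_pan(pan: str):
    """Split a 16-digit card number into the parts kept in the clear (6-digit
    BIN and last 4) and the middle 6 digits that get tokenized, as on the
    123456 123456 1234 -> 123456 999999 1234 slide."""
    digits = pan.replace(" ", "")
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit card number")
    return digits[:6], digits[6:12], digits[12:]


class VaultTokenizer:
    """Dynamic vault-based tokenization: the first time a value is seen, a random
    replacement for its middle digits is drawn and the pair is written to a vault
    (a dict here; a hardened database in practice).  Detokenizing is a lookup, so
    every node that must detokenize needs access to the vault."""

    def __init__(self):
        self._to_token = {}   # clear PAN -> token
        self._to_value = {}   # token -> clear PAN

    def tokenize(self, pan: str) -> str:
        bin6, middle, last4 = split_pan(pan)
        clear = bin6 + middle + last4
        if clear not in self._to_token:
            while True:  # draw until the token is unused and differs from the clear value
                token = bin6 + f"{secrets.randbelow(1_000_000):06d}" + last4
                if token != clear and token not in self._to_value:
                    break
            self._to_token[clear] = token
            self._to_value[token] = clear
        return self._to_token[clear]

    def detokenize(self, token: str) -> str:
        return self._to_value["".join(split_pan(token))]  # KeyError if unknown


class VaultlessTokenizer:
    """Vaultless tokenization with static code books derived from a secret.
    Nothing is stored per value, so tokenizing needs no vault and any node that
    holds the secret can detokenize.  Toy construction (an assumption, not a
    vendor's algorithm): ROUNDS rounds of per-position 3-digit code-book
    substitution followed by a one-digit rotation; every step is invertible."""

    ROUNDS = 4

    def __init__(self, secret: bytes):
        self._books = []
        for rnd in range(self.ROUNDS):
            for pos in range(2):
                # Seed each code book from the secret with HMAC so the same secret
                # rebuilds identical tables on every node.
                seed = hmac.new(secret, f"book-{rnd}-{pos}".encode(), hashlib.sha256).digest()
                table = list(range(1000))
                random.Random(seed).shuffle(table)
                inverse = [0] * 1000
                for i, v in enumerate(table):
                    inverse[v] = i
                self._books.append((table, inverse))

    def _substitute(self, middle: str, rnd: int, invert: bool = False) -> str:
        out = ""
        for pos in range(2):
            table, inverse = self._books[rnd * 2 + pos]
            chunk = int(middle[pos * 3:(pos + 1) * 3])
            out += f"{(inverse if invert else table)[chunk]:03d}"
        return out

    def tokenize(self, pan: str) -> str:
        bin6, middle, last4 = split_pan(pan)
        for rnd in range(self.ROUNDS):
            middle = self._substitute(middle, rnd)
            middle = middle[1:] + middle[0]        # rotate left by one digit
        return bin6 + middle + last4

    def detokenize(self, token: str) -> str:
        bin6, middle, last4 = split_pan(token)
        for rnd in reversed(range(self.ROUNDS)):
            middle = middle[-1] + middle[:-1]      # undo the rotation
            middle = self._substitute(middle, rnd, invert=True)
        return bin6 + middle + last4


if __name__ == "__main__":
    sample = "1234 5612 3456 1234"  # constructed, not a real card number
    vault = VaultTokenizer()
    vaultless = VaultlessTokenizer(b"constructed-demo-secret")
    print("vault-based:", vault.tokenize(sample), "->", vault.detokenize(vault.tokenize(sample)))
    print("vaultless:  ", vaultless.tokenize(sample), "->", vaultless.detokenize(vaultless.tokenize(sample)))
```

The point the slide's property comparison hinges on is visible in the two classes: the vault-based tokenizer's output is unpredictable but every detokenizing node must reach the vault, while the vaultless tokenizer stores nothing per value and scales horizontally, with the whole scheme's strength resting on keeping the secret that seeds the code books.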
Protecting Enterprise Data Flow – Reducing Attack Surface
[Diagram: data sources (CCN/SSN, Social Media, Blogs, Smart Phones, Meters, Sensors, Web Logs, Trading Systems, GPS Signals, Stream) → Acquisition → Big Data (Hadoop) → Enterprise Data Warehouse → Analytics & Visualization; a CCN/SSN of 123456 123456 1234 enters as 123456 999999 1234, so only the tokenized form flows downstream]
Current Breach Discovery Methods
Source: Verizon 2013 Data Breach Investigations Report & 451 Research
CISOs say SIEM Not Good for Security Analytics
You must assume the systems will be breached. Once breached, how do you know you've been compromised?
You have to baseline and understand what 'goodness' looks like and look for deviations from goodness
McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that
Monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets
Source: 2014 RSA Conference, moderator Neil MacDonald, vice president at Gartner
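The "baseline goodness, then look for deviations" approach above, and the abnormal-usage analysis on the following slide, reduce to a small piece of logic that runs over flow data. The Python below is an added example, not part of the deck: it learns, per host, the normal daily outbound volume and the set of destinations from a baseline period, then flags a monitored day whose volume is more than three standard deviations above the mean or that talks to a destination never seen before. The flow records are constructed (the hosts, the internal 10.1.1.5 authorization server and the documentation-only address 203.0.113.9 are invented), and the z-score threshold is an assumption a real deployment would tune.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records (timestamp, source host, destination, bytes out),
# one aggregated row per host and day; not from any real network.  Seven days
# of normal traffic from two point-of-sale hosts to an internal authorization
# server form the baseline...
BASELINE_FLOWS = """\
2014-03-01T23:59:00,pos-17,10.1.1.5,21000
2014-03-02T23:59:00,pos-17,10.1.1.5,22500
2014-03-03T23:59:00,pos-17,10.1.1.5,20800
2014-03-04T23:59:00,pos-17,10.1.1.5,23100
2014-03-05T23:59:00,pos-17,10.1.1.5,21900
2014-03-06T23:59:00,pos-17,10.1.1.5,22200
2014-03-07T23:59:00,pos-17,10.1.1.5,21500
2014-03-01T23:59:00,pos-18,10.1.1.5,19800
2014-03-02T23:59:00,pos-18,10.1.1.5,20400
2014-03-03T23:59:00,pos-18,10.1.1.5,21100
2014-03-04T23:59:00,pos-18,10.1.1.5,19500
2014-03-05T23:59:00,pos-18,10.1.1.5,20900
2014-03-06T23:59:00,pos-18,10.1.1.5,20200
2014-03-07T23:59:00,pos-18,10.1.1.5,20600
"""

# ...and one monitored day on which pos-17 pushes a large volume to an address
# it has never talked to before (203.0.113.9 is a documentation-only address).
MONITOR_FLOWS = """\
2014-03-08T23:59:00,pos-17,10.1.1.5,22000
2014-03-08T23:59:00,pos-17,203.0.113.9,950000
2014-03-08T23:59:00,pos-18,10.1.1.5,20300
"""


def parse_flows(text):
    """Parse CSV flow rows into (timestamp, host, destination, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return rows


def daily_totals(rows):
    """Return per-host bytes out per day and the set of destinations per host."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for ts, host, dst, nbytes in rows:
        totals[host][ts.date()] += nbytes
        dests[host].add(dst)
    return totals, dests


def build_baseline(rows):
    """What 'goodness' looks like: mean and spread of daily volume, and the
    destinations each host normally talks to."""
    totals, dests = daily_totals(rows)
    baseline = {}
    for host, per_day in totals.items():
        values = list(per_day.values())
        baseline[host] = {
            "mean": statistics.mean(values),
            "stdev": statistics.pstdev(values),
            "destinations": set(dests[host]),
        }
    return baseline


def find_deviations(baseline, rows, z_threshold=3.0):
    """Flag days whose volume sits z_threshold standard deviations above the
    baseline mean, destinations never seen in the baseline, and hosts with no
    baseline at all.  Returns a list of (host, message) findings."""
    totals, dests = daily_totals(rows)
    findings = []
    for host, per_day in totals.items():
        if host not in baseline:
            findings.append((host, "no baseline for host"))
            continue
        b = baseline[host]
        spread = b["stdev"] or 1.0  # a perfectly flat baseline must not divide by zero
        for day, total in sorted(per_day.items()):
            z = (total - b["mean"]) / spread
            if z > z_threshold:
                findings.append((host, f"{day}: {total} bytes out, z={z:.1f} above baseline"))
        for dst in sorted(dests[host] - b["destinations"]):
            findings.append((host, f"new destination {dst} not seen in baseline"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    for host, message in find_deviations(baseline, parse_flows(MONITOR_FLOWS)):
        print(f"{host}: {message}")
```

Run against its own baseline the detector stays silent; on the monitored day it raises two findings for pos-17 (the volume spike and the unseen destination) and nothing for pos-18. Neither rule needs a malware signature, which is the slide's argument: the host's own history, not a vendor's list, defines normal.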
Use Big Data to Analyze Abnormal Usage Pattern
[Diagram: Payment Card Terminal → Point Of Sale Application (Memory Scraping Malware) → Authorization, Settlement … → Web Server (Memory Scraping Malware) → Moscow, Russia; FireEye alert: Malware?]
Trend - Open Security Analytics Frameworks
Enterprise Big Data Lake
Source: Emc.com/collateral/white-paper/h12878-rsa-pivotal-security-big-data-reference-architecture
Conclusions
Changing threat landscape & challenges to secure data:
• Attackers are looking for not just payment data – a more serious problem.
• IDS systems are lacking the context needed to catch data theft
• SIEM detection is too slow in handling large amounts of events.
What happened at Target?
• Modern customized malware can be very hard to detect
• They were compliant, but not secure
How can we prevent what happened to Target and the next attack against our sensitive data?
• Assume that we are under attack - proactive protection of the data itself
• We need Big Data event information analysis & context to catch modern attackers
• Use security methods that require less cleartext in use, such as tokenization
Thank you!
Questions?
Please contact me for more information
Ulf.Mattsson@protegrity.com
