“What to do when it all goes wrong”
Core objectives of Information Security
Jonathan Care, VeriSign [email protected]
September 25th 2008
Jonathan Care … Who does he think he is?
+ Senior Consulting Manager, VeriSign Enterprise Security Solutions (ESS)
▪ Interests: Forensic Computing, PCI, Online Fraud, Cryptography, Technical Security
▪ Current clients include telco, retail, banking, online marketing, airlines, logistics, etc.
+ 20 years in Information Security
+ Member of
▪ High Tech Crime Investigation Association
▪ International Association for Cryptologic Research
▪ Expert Witness Institute
▪ British Computer Society
+ Former CESG Listed Advisor
+ Certified Fraud Examiner (CFE) and CISSP
+ BS7799 Lead Auditor, ITIL Security Practitioner
Anonymity? Not really.
Information Security
Where are we now?
What has information security been about?
+ For the last twenty years it’s been about
▪ Confidentiality
▪ Integrity
▪ Availability
▪ … all things that make sense to IT!
+ BUT
▪ IT Staff are not equipped to resist advanced attacks
▪ Lawyers (Privacy teams etc.) aren’t either
▪ Auditors look for weakness in process
▪ Web Developers are not Security Experts
Marketable criminal assets on the Internet
+ Networks of compromised computers – botnets
+ Credit card / Debit card numbers
+ Identity theft – server hacking / phishing
+ Hacking attacks – Intellectual property theft / Industrial espionage / kudos
+ SPAM
Real Statistics?
Real reality
+ “Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated” – Metropolitan Police
+ “If I report this, I am worried what else the police will find” – Anonymous IT Director
+ “We don’t handle payments so it doesn’t really matter if our code is secure or not” – Web Development firm providing e-commerce (!)
+ “How soon can we start our web server up again?” – Compromised Web Merchant
Why commit crimes on the Internet?
+ Potentially High Financial Gain
+ Anonymity
+ Rapid, secure, global communications
+ Global impact – 1 billion plus users (1 in 6 of the world’s population)
+ Virtual marketplace – reduced risks of being detected, disrupted or caught
+ Volatile evidential trail – ISP limited retention of data
+ Cross Border investigations protracted for law enforcement
And… “Because that’s where the money is” – Willie Sutton
What’s the solution?
[Diagram: elements of the strategy – Risk Exposure, Vuln Test, Forensics, Intelligence, Incident Response, Compliance, Monitor, Aware, Architecture, HR Plan]
+ Security Strategy that is informed and able to deal with a complex and changing threat landscape
A Taxonomy of Threats
What’s out there?
Top 10 threats in 2008
+ “Trusted” web sites exploit browser vulnerabilities
+ Botnets
+ Cyber Espionage including targeted phishing
+ Mobile phone threats
+ Insider Attacks
+ Advanced Identity Theft
+ Increasingly Malicious Spyware
+ Web Application Security Threats
+ Blended Attacks – VOIP, Phishing, Event tracking (oh my!)
+ Supply chain attacks
Things not to complete in your inbox
An Urgent Email!!
Dear NatWest Bank Member,
This email was sent by the NatWest server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your NatWest login ID, Password and PIN.
This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it.
To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.
http://www.natwest.com:[email protected]/3/?JcPhbzKuJntfU9I
Slide annotations on the link, left to right: UserID, Password, REAL Site!, Identifier – everything before the “@” is treated by the browser as login credentials, and the host after the “@” is the site it actually connects to.
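The slide makes its point by eye; a mail gateway or link scanner can make the same determination mechanically by letting the URL parser tell it where the browser would really connect. The following is an added example and not material from the presentation: the watched-brand list, the sample message and the host 203.0.113.5 (a documentation address) are constructed for illustration.

```python
"""Detect the user:password@host trick used in the phishing link above.

Added example; it is not part of the original presentation. The sample
message text and URLs are constructed (203.0.113.5 is a documentation
address, not a real phishing host).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Brand hostnames a mail gateway would watch for (constructed list).
WATCHED_BRANDS = {"natwest.com", "www.natwest.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyse_url(url: str) -> dict:
    """Report where a browser would really connect for a given URL.

    urlsplit() treats everything before the last '@' in the authority as
    userinfo, so in 'http://www.natwest.com:secret@203.0.113.5/' the bank
    name is a username and the IP address is the actual host.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. an unbalanced '[' in the authority; treat as hostile input
        return {"url": url, "real_host": "", "username": "",
                "flags": ["URL could not be parsed"], "suspicious": True}
    username = parts.username or ""
    real_host = (parts.hostname or "").lower()
    flags = []
    if parts.username is not None:
        flags.append("credentials embedded in URL")
    if username.lower() in WATCHED_BRANDS:
        flags.append("username impersonates watched brand")
    try:
        ipaddress.ip_address(real_host)
        flags.append("host is a bare IP address")
    except ValueError:
        pass
    return {
        "url": url,
        "real_host": real_host,
        "username": username,
        "flags": flags,
        "suspicious": bool(flags),
    }


def scan_message(text: str) -> list:
    """Return the analysis of every suspicious URL found in a message body."""
    results = (analyse_url(u) for u in URL_RE.findall(text))
    return [r for r in results if r["suspicious"]]


# Constructed message modelled on the slide's phishing e-mail.
SAMPLE_MESSAGE = """Dear Member, to verify your e-mail address click the link below:
http://www.natwest.com:secret@203.0.113.5/3/?id=EXAMPLE
Genuine reference page: https://www.natwest.com/help
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(hit["real_host"], hit["flags"])
```

The check deliberately reports the host the parser resolves rather than the string the user sees, which is the only value that matters for where the credentials will be sent.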
Hijacking Internet Browsing
Highly plausible interception…
Why Web Application Risks Occur
+ Developers are not security professionals
▪ Application Development stresses functionality
▪ Lack of awareness of security issues in development
▪ Lack of effective testing tools in QA
▪ Resource constrained development teams
+ Security Professionals are not developers
▪ Lack of awareness of application vulnerabilities in security teams
▪ Lack of effective testing tools
▪ Development cycle missing from security procedures and audits
▪ Security scrutinise the desktop, the network, and the server. The web application is missing.
What is identity theft/identity fraud?
+ Refers to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception.
+ It is estimated that ID theft costs the British economy alone £1.7 billion and that 100,000 people are targeted each year
These are not real, and can be obtained over the internet.
Compliance - PCI
Affordable perfection and avoidable risks
The Standards
PCI PED | PCI PA-DSS | PCI DSS
+ PCI PED addresses device characteristics impacting security of the PIN Entry Device (PED) during financial transactions
+ PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorisation or settlement, where those applications are sold, distributed or licensed to third parties.
+ PCI DSS applies to any entity that stores, processes and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment
[Diagram: where each standard applies]
– Stand-alone PED device: PCI PED applies (PED device only)
– PEDs integrated with payment applications (POS, kiosk): PA-DSS may apply
– Payment applications (e.g. web cart, POS) in the merchant/service provider environment: PA-DSS may apply
– Merchant’s and service provider’s cardholder data environment (systems and networks): PCI DSS applies
Sensitive Information in PCI
Data Element                      | Storage Permitted | Protection Required | PCI DSS Req. 3.4
Cardholder Data
  Primary Account Number (PAN)    | YES               | YES                 | YES
  Cardholder Name                 | YES               | YES                 | NO
  Service Code                    | YES               | YES                 | NO
  Expiration Date                 | YES               | YES                 | NO
Sensitive Authentication Data
  Full Magnetic Stripe            | NO                | N/A                 | N/A
  CVC2/CVV2/CID/CAV2              | NO                | N/A                 | N/A
  PIN/PIN Block                   | NO                | N/A                 | N/A
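The table is a storage policy, and the place to enforce it is the code path that writes a transaction to disk, not an audit afterwards. The following is an added example rather than code from the presentation: it drops the sensitive authentication data rows outright, keeps the permitted elements, and renders the PAN unreadable by truncation plus a keyed hash (one of the Req. 3.4 options). The field names, the key and the sample record are constructed; the PAN is a widely published test number.

```python
"""Apply the slide's storage rules to a transaction record before it is persisted.

Added example, not from the presentation. Field names, the HMAC key and the
sample record are constructed; the PAN is a public test card number.
"""
import hashlib
import hmac

# Storage Permitted column of the slide's table (field names are ours).
STORAGE_PERMITTED = {
    "pan": True,
    "cardholder_name": True,
    "service_code": True,
    "expiration_date": True,
    "full_track": False,     # full magnetic stripe
    "cvv2": False,           # CVC2/CVV2/CID/CAV2
    "pin_block": False,      # PIN / PIN block
}


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, mask the rest."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash so records can be matched without storing the PAN.

    The key must live outside the database (HSM or separate key store): an
    unkeyed hash of a 16-digit number can be brute-forced once the BIN is known.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> tuple:
    """Return (storable_record, dropped_fields).

    Fields the table forbids are dropped, the PAN is replaced by its truncated
    form plus a keyed hash, and unknown fields are rejected so that new
    sensitive data cannot slip into storage unclassified.
    """
    stored, dropped = {}, []
    for field, value in record.items():
        if field not in STORAGE_PERMITTED:
            raise ValueError(f"unclassified field: {field}")
        if not STORAGE_PERMITTED[field]:
            dropped.append(field)
        elif field == "pan":
            stored["pan_truncated"] = truncate_pan(value)
            stored["pan_ref"] = pan_reference(value, key)
        else:
            stored[field] = value
    return stored, dropped


# Constructed authorisation record as it might arrive from a POS or web cart.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A TEST",
    "expiration_date": "12/10",
    "cvv2": "123",
    "pin_block": "0000",
}

if __name__ == "__main__":
    stored, dropped = prepare_for_storage(SAMPLE_RECORD, b"demo-key-not-for-production")
    print(stored, "dropped:", dropped)
```

Rejecting unclassified fields is the part that keeps the policy honest over time: a new integration that starts passing track data under a fresh field name fails loudly instead of being written to the database.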
Why are Companies Failing PCI Assessments?
Percentage of assessments failing | PCI requirement
79% | Requirement 3: Protect stored data.
74% | Requirement 11: Regularly test security systems and processes.
71% | Requirement 8: Assign a unique ID to each person with computer access.
71% | Requirement 10: Track and monitor all access to network resources and cardholder data.
66% | Requirement 1: Install and maintain a firewall configuration to protect data.
62% | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
60% | Requirement 12: Maintain a policy that addresses information security.
59% | Requirement 9: Restrict physical access to cardholder data.
56% | Requirement 6: Develop and maintain secure systems and applications.
45% | Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
Source: VeriSign Whitepaper on Top Reasons for PCI Failure, based on a sample of over 100 assessments. https://www.verisign.com/cgi-bin/go.cgi?a=w63130157259894009
Timeframes for a PCI incident investigation
+ Timeframes (e.g., flexibility on critical events)
▪ Standard event timeframes
– Visa client must identify forensic company within 5 days
– Visa client must ensure contract is signed within 10 days
– Forensic investigator must be onsite within 5 days from signed contract
– Preliminary forensic report to be provided to Visa within 5 days from onsite work
– Final forensic report to be provided to Visa within 10 business days from the completion of the review
▪ Critical event timeframes can be even more immediate!
+ Visa will levy fines to clients in the event of delays
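Because each limit is counted from the previous milestone, the schedule is a chain, and a breach early on pulls every later date forward. The following is an added example, not material from the presentation or from Visa: it turns the five limits above into dated deadlines and lists the ones already missed. Assumptions, labelled in the code: the unqualified “days” are taken as calendar days and the final report’s “10 business days” as Monday to Friday with no holiday calendar; the 5-day and 10-day limits for choosing the forensic company and signing the contract are both counted from the notification date. The dates are constructed.

```python
"""Turn the Visa investigation timeframes into a dated deadline schedule.

Added example, not part of the presentation. Assumptions: the slide's "days"
are calendar days; "business days" means Monday-Friday with no holiday
calendar; identification of the forensic company and contract signature are
both counted from the notification date. All dates below are constructed.
"""
from datetime import date, timedelta


def add_business_days(start: date, days: int) -> date:
    """Advance `days` Monday-to-Friday working days from `start`."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def investigation_deadlines(notified: str, contract_signed: str = None,
                            onsite: str = None, review_complete: str = None) -> dict:
    """Return ISO-dated deadlines; later ones appear once their milestone is known."""
    start = date.fromisoformat(notified)
    deadlines = {
        "identify_forensic_company": start + timedelta(days=5),
        "contract_signed": start + timedelta(days=10),
    }
    if contract_signed:
        deadlines["investigator_onsite"] = date.fromisoformat(contract_signed) + timedelta(days=5)
    if onsite:
        deadlines["preliminary_report"] = date.fromisoformat(onsite) + timedelta(days=5)
    if review_complete:
        deadlines["final_report"] = add_business_days(date.fromisoformat(review_complete), 10)
    return {name: d.isoformat() for name, d in deadlines.items()}


def overdue(deadlines: dict, today: str) -> list:
    """Deadlines already missed as of `today` (each one is a fines risk per the slide)."""
    return sorted(name for name, d in deadlines.items() if d < today)


if __name__ == "__main__":
    # Constructed timeline: incident notified on the day of this talk.
    schedule = investigation_deadlines("2008-09-25", contract_signed="2008-10-03",
                                       onsite="2008-10-06", review_complete="2008-10-10")
    for name, due in schedule.items():
        print(f"{name:28s} {due}")
    print("overdue on 2008-10-09:", overdue(schedule, "2008-10-09"))
```

The practical use is in the incident plan: pre-selecting and pre-contracting a forensic firm collapses the first two deadlines to zero, which is the only way to make the onsite and reporting limits comfortable.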
PCI Forensic Investigation Requirements
+ VISA appointed forensic reports must include:
▪ All external connectivity points and network topology including firewalls, routing schema, VLANs, etc. between compromised systems and surrounding networks
▪ A review of the entire debit and/or credit processing network to identify all compromised or affected systems
+ External Investigators will perform incident validation and assessment:
▪ Establish how compromise occurred
▪ Identify the type of data stored, sniffed, and transferred out of the network (Visa/Plus/Interlink/Pre-Paid accounts)
▪ Recover data deleted by intruder
▪ Number of accounts at risk (stored, sniffed, and transferred)
▪ Determine the timeframe of compromise
▪ Determine transaction dates of compromised cardholder data
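Two of the items above, the number of accounts at risk and the timeframe of compromise, come out of the same pass over the evidence: find candidate card numbers, keep only those that pass the Luhn check so order numbers and timestamps are not counted, de-duplicate, and bound the window with the timestamps around the hits. The following is an added example and not the presentation’s or Visa’s procedure; the evidence lines are constructed (public test card numbers, a documentation address), and a real engagement runs this over disk images, memory and packet captures. The report carries only truncated PANs so that the report itself does not become cardholder data.

```python
"""Scope a card-data compromise from captured evidence: accounts at risk and timeframe.

Added example, not from the presentation. The evidence lines are constructed
(public test card numbers, RFC 5737 address); only truncated PANs appear in
the output.
"""
import re

# 13-19 contiguous digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """First six and last four only, as permitted for a stored/reported PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_compromise(lines: list) -> dict:
    """Count distinct Luhn-valid PANs and bound the compromise window."""
    pans, stamps, hits = set(), [], 0
    for line in lines:
        for candidate in PAN_RE.findall(line):
            if luhn_valid(candidate):
                pans.add(candidate)
                hits += 1
        stamps.extend(TIMESTAMP_RE.findall(line))
    return {
        "accounts_at_risk": len(pans),
        "pan_hits": hits,
        "first_seen": min(stamps) if stamps else None,   # ISO strings sort chronologically
        "last_seen": max(stamps) if stamps else None,
        "pans_truncated": sorted(truncate(p) for p in pans),
    }


# Constructed evidence: a sniffer output file recovered from the compromised host.
EVIDENCE = [
    "2008-09-01 03:14:07 POST /checkout pan=4111111111111111 exp=1210 from 203.0.113.9",
    "2008-09-03 22:41:55 POST /checkout pan=5500000000000004 exp=0611 from 203.0.113.9",
    "2008-09-03 22:42:10 order=1234567890123456 status=ok",
    "2008-09-12 11:05:31 POST /checkout pan=4012888888881881 exp=0309 from 203.0.113.9",
    "2008-09-12 11:06:02 POST /checkout pan=4111111111111111 exp=1210 from 203.0.113.9",
]

if __name__ == "__main__":
    print(scope_compromise(EVIDENCE))
```

The order number on the third line is sixteen digits but fails the Luhn check, and the repeated PAN on the last line is counted as a hit but not as a second account; both distinctions matter when the figure goes to the card schemes.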
Three things to do right now
+ Plan for incidents
▪ What would you do if your website was hacked?
+ Initiate a penetration testing program
▪ Internal vulnerability scans
▪ Web site testing
▪ External attacks
+ Review information management
▪ Data protection
▪ PCI
▪ Third parties
– Data warehouses
– Call Centres
– Processors
Questions + Answers