Who is the Next Target and How is Big Data Related? Ulf Mattsson, CTO, Protegrity (ulf . mattsson [at] protegrity . com)


Page 1: Title slide (Who is the Next Target and How is Big Data Related? Ulf Mattsson, CTO, Protegrity)

Page 2: The Changing Threat Landscape

Page 3: Data loss worries IT pros most

Source: 2014 Trustwave Security Pressures Report

Page 4: Targeted Malware Topped the Threats

62% said that the pressure to protect from data breaches also increased over the past year.

Source: 2014 Trustwave Security Pressures Report

Page 5: US and Canada - Targeted Malware Top Threat

In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure.

Source: 2014 Trustwave Security Pressures Report

Page 6: Chart from the EY 2013 Global Information Security Survey

Source: http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf

Page 7: The Cost of Cyber Crime

Source: Symantec 2013

Page 8: Risk of Cyberattacks is a Real and Growing Threat

Organizations worldwide are not "sufficiently protected" against cyberattacks

Cyberattacks fallout could cost the global economy $3 trillion by 2020

The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization."

Source: McKinsey report on enterprise IT security implications released in January 2014.

Page 9: Energy Sector a Prime Target for Cyber Attacks

74 targeted cyberattacks per day between July 2012 and June 2013, with the energy sector accounting for 16.3% of them, which put it in second place behind government/public sector at 25.4%.

The U.S. government's Department of Homeland Security (DHS) reported last year that its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 200 incidents between Oct. 2012 and May 2013 — with 53% aimed at the energy sector.

There have, so far, not been any successful catastrophic attacks on the grid, and there is ongoing debate about how high the risk is for what both former Defense secretary Leon Panetta and former Homeland Security secretary Janet Napolitano called a "cyber Pearl Harbor" attack.

Source: www.csoonline.com/article/748580/energy-sector-a-prime-target-for-cyber-attacks

Page 10: Breach Discovery Methods

Source: Verizon 2013 Data Breach Investigations Report

Page 11: Security Improving but We Are Losing Ground

Page 12: Identity Theft

Source: www.pcworld.com/article/2088920/target-credit-card-data-was-sent-to-server-in-russia.html

Page 13: Half of Americans Worry about Identity Theft

The Wall Street Journal reported that financial institutions have spent big bucks—more than $200 million alone in the case of the Target episode—to ease our concerns

• The vast majority of that total ($172 million) covers the costs of replacing cards that have been compromised

Half of American adults said they are “extremely concerned” about their personal data when paying for goods at stores with plastic, according to a recent Associated Press-GfK poll

Source: www.cuinsight.com/target-shoppers-shrug-off-massive-credit-card-data-breach.html

Page 14: Identity Theft Exploding with Massive Data Breaches

“Last year, some 13.1 million consumers suffered identity fraud.”

Those numbers don’t include the more than 110 million victims of the holiday breach, which, as it ripples through the population, will send the figures up like a rocket

A stranger takes over someone’s life about once every two seconds

And 1 in 3 of us now already has undesired personal experience with that upsetting fact, according to

• Even worse, that number is certain to grow dramatically this year

“Four years ago, the number of identity-fraud victims was 1 in 9, and last year it was 1 in 3. We think the way it is going, and given the … breach, that number will likely increase.”

Source: Javelin Strategy & Research’s 2014 Identity Fraud Report and nypost.com/2014/02/22/identity-crisis-exploding-with-massive-data-breaches/

Page 15: IRS Warns about Identity Theft

In many cases, an identity thief uses a legitimate taxpayer’s identity to fraudulently file a tax return and claim a refund

The agency’s work on identity theft and refund fraud continues to grow. For the 2014 filing season, the IRS has expanded its efforts to better protect taxpayers and help victims

Taxpayers can call the IRS’ Identity Protection Specialized Unit at 800-908-4490

Source: www.burlingtoncountytimes.com/business/irs-warns-about-scams/article_8d01916b-1af0-5960-8790-7991ef0bc20a.html

Page 16: Target Data Breach

Page 17: iSIGHT partnered with the U.S. Secret Service

iSIGHT Partners has a deeply comprehensive understanding of the entire code family as well as that from several other victims

The USSS has permitted us to share limited details surrounding these types of attacks

Page 18: How The Breach at Target Went Down

Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email

• Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information.

• In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.

The data theft was caused by the installation of malware on the firm's point of sale machines

• Free version of Malwarebytes Anti-Malware was used by Target

The subsequent file dump containing customer data is reportedly flooding the black market

• Could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft.

Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/

Page 19: Memory Scraping

Page 20: FBI warns of Memory-scraping Malware in wake of Target breach

In its warning titled "Recent Cyber Intrusion Events Directed Toward Retail Firms", the FBI said that in the past year it has uncovered around 20 cases of cyberattacks against retailers that utilized similar methods to those uncovered in the Target incident

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI in the report, seen by Reuters

Source: searchsecurity.techtarget.com/news/2240213143/FBI-warns-of-memory-scraping-malware-in-wake-of-Target-breach

Page 21: Researchers: Another ring of Attackers on Retailers

Researchers at RSA's First Watch cybersecurity team:

• Similar to the gang that tapped into the point-of-sales systems at Target, Neiman-Marcus and Michaels

• That gang used a memory parsing program called POSRAM.

• This most recently discovered ring of thieves makes use of a similar piece of malware dubbed ChewBacca

Source: www.usatoday.com/story/cybertruth/2014/02/03/hacking-of-point-of-sales-systems-escalates/5060523/

Page 22: Malware Collected 11GB of Data from Target

The stolen credit card numbers of millions of Target shoppers took an international trip—to Russia

“The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity,” according to a Jan. 14 report from iSight Partners, a Dallas-based information security company.

Security company Seculert found that data stolen in the Target breach was received by a compromised U.S. server, then sent to a Russian server.

Page 23: Memory Scraping Malware – Target Breach

Diagram of the card data flow. The labels that survived extraction are: Payment Card Terminal, Point Of Sale Application, Memory Scraping Malware, Web Server, Authorization/Settlement, and Russia (where the stolen data ended up).

Page 24: Attacks using memory scrapers

Attacks using memory scrapers can target any application that processes credit card numbers

In the past, memory scraping often required the attacker to have a small amount of target environment knowledge to configure the capture tool

• The trend is toward generic discovery tools that could identify the desired information in a list of preconfigured processes or all running processes

Source: http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf

Page 25: Malware

2014 Trustwave Security Pressures Report:

• The rate and sophistication of malware and data breaches continue to accelerate, a trend that is proving seemingly impossible for businesses to counter.

Memory scraping:

• Used at Target: 110 million …

• It’s next to impossible to stop data leakage.

• You can’t beat it completely.

• Detecting or intercepting the malware-dropping attacks aimed at those POS devices may be quite difficult.

• That's because attackers can use antivirus evasion techniques or packing tools to give the malware executable a never-before-seen checksum.

Page 26: Old Security Approaches

Old security is like "boiling the ocean":

• Since you are trying to “patch” all possible data paths and sensitive data stores, and may not even find a trace of the attack:

• Malware

• Data leaks

Page 27: Proactive Data Security

Page 28: The Changing Technology Landscape

Page 29: Is it Impossible to Prevent Data Breaches?

Chip-and-PIN, or EMV, is more secure than the current magnetic stripe technology

Cyber criminals can “easily create cloned cards” from magnetic stripe data

Major credit card companies have placed a deadline on U.S. merchants to adopt EMV technology by October of 2015, or face increased liability of fraud

Source: news.medill.northwestern.edu/chicago/news.aspx?id=228123

Page 30: Use Big Data to Analyze Abnormal Traffic Pattern

Diagram: the same card data flow as on page 23 (Payment Card Terminal, Point Of Sale Application, Memory Scraping Malware, Web Server, Authorization/Settlement, Russia), with Big Data Analytics and a SIEM added to analyze the traffic leaving the POS environment.
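As an added illustration of the analytics idea in this slide (example code, not from the presentation or from Protegrity), the following builds a per-POS-host baseline of destinations and daily outbound volume from constructed flow records, then alerts on the two things a memory-scraper exfiltration changes: a destination the host has never talked to, and a daily byte count far above the host's norm. Host names, IPs and the factor-of-10 threshold are all assumptions.

```python
"""Added example (not from the slides): per-host baselines for POS outbound traffic,
then alerts on flows to never-seen destinations or on abnormal daily volume."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, source_host, destination_ip, bytes_out).
# Days 1-3 are the learning window; on day 4 "pos-07" starts pushing data to a
# host it has never talked to before (a hypothetical internal staging server).
FLOWS = [
    (1, "pos-07", "10.0.5.20", 52_000), (1, "pos-08", "10.0.5.20", 48_000),
    (2, "pos-07", "10.0.5.20", 55_000), (2, "pos-08", "10.0.5.20", 47_000),
    (3, "pos-07", "10.0.5.20", 50_000), (3, "pos-08", "10.0.5.20", 49_000),
    (4, "pos-07", "10.0.5.20", 51_000), (4, "pos-08", "10.0.5.20", 50_000),
    (4, "pos-07", "10.0.9.33", 900_000_000),
]
BASELINE_DAYS = {1, 2, 3}


def build_baseline(flows, baseline_days=BASELINE_DAYS):
    """Per source host: the set of destinations seen and the median daily bytes out."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if day in baseline_days:
            dests[src].add(dst)
            daily[src][day] += nbytes
    return {src: (dests[src], median(daily[src].values())) for src in dests}


def detect(flows, baseline, baseline_days=BASELINE_DAYS, volume_factor=10):
    """Return (day, host, kind, detail) alerts for flows after the baseline window:
    'new-destination' when a host contacts an IP absent from its baseline, and
    'volume' (once per host and day) when its daily bytes out exceed
    volume_factor times its baseline median."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    volume_alerted = set()
    for day, src, dst, nbytes in flows:
        if day in baseline_days or src not in baseline:
            continue  # hosts without a baseline need their own handling
        known_dests, median_bytes = baseline[src]
        if dst not in known_dests:
            alerts.append((day, src, "new-destination", dst))
        daily[src][day] += nbytes
        if daily[src][day] > volume_factor * median_bytes and (src, day) not in volume_alerted:
            volume_alerted.add((src, day))
            alerts.append((day, src, "volume", daily[src][day]))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, build_baseline(FLOWS)):
        print(alert)
```

Both alerts fire for pos-07 on day 4 while pos-08, whose traffic is unchanged, stays silent.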

Page 31: Reactionary vs Proactive Data Security

• Don’t just fix yesterday's problems

• Compliance vs Security

• Think like a hacker

• Malware & Memory Scraping

• Protect the Data Flow with Tokenization

• Use Big Data to Analyze Data Traffic

Page 32: Big Data

Page 33: What is Big Data?

Hadoop:

• Designed to handle the emerging “4 V’s”

• Massively Parallel Processing (MPP)

• Elastic scale

• Usually Read-Only

• Allows for data insights on massive, heterogeneous data sets

• Includes an ecosystem of components (diagram): application layers such as Hive, Pig, MapReduce and others, sitting on storage layers (HDFS over physical storage)

Page 34: Has Your Organization Already Invested in Big Data?

Source: Gartner

Page 35: Vulnerabilities in Big Data

Page 36: Holes in Big Data…

Source: Gartner

Page 37: Many Ways to Hack Big Data

Diagram of the Hadoop stack and the actors that can reach it. Components: HDFS (Hadoop Distributed File System), MapReduce (Job Scheduling/Execution System), HBase (Column DB), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, Avro (Serialization), ZooKeeper (Coordination). Actors: Hackers, Privileged Users, Unvetted Applications or Ad Hoc Processes.

Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase

Page 38: The Insider Threat

Page 39: Sensitive Data Insight & Usability

Big Data and Cloud environments are designed for access and deep insight into vast data pools

Data can be monetized not only by marketing analytics, but through sale or use by a third party

The more accessible and usable the data is, the greater this ROI benefit can be

Security concerns and regulations are often viewed as opponents to data insight

Page 40: Big Data Vulnerabilities and Concerns

Big Data (Hadoop) was designed for data access, not security

Security in a read-only environment introduces new challenges

Massive scalability and performance requirements

Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear

Transparency and data insight are required for ROI on Big Data

Page 41: Threats to Big Data

Page 42: Attacks on Big Data – Honey Pot

The honey pot idea is a 10+-year-old trick based on fake data (in a pot) and redirection of requests:

• Great for monitoring what attackers are doing.

• A modern approach should be based on tokenization with fake data “everywhere” instead of in “a pot”.

Page 43: Attacks on Big Data – Perimeter & Encryption

The old perimeter security and encryption:

• The discussion should be how to “balance between security and insight”.

Page 44: Attacks on Big Data – Access Control

The challenge of maintaining a “classic” access control model:

• The “new approach” should be based on building the protection into the data (tokenization)

• Not be based only on preventing access to data

Page 45: Attacks on Big Data – Data Inference

The “data inference” (re-identification) problem:

• New problem

• Not a Big Data problem

A “balance between security and insight” is the right approach

The de-tokenization policy should evaluate the combination of data fields that are accessed over time.
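The last point, a de-tokenization policy that looks at which fields a requester has already had de-tokenized rather than judging each request on its own, written out as an added example (not Protegrity's product logic): a requester may de-tokenize any single field, but a request that would complete a re-identifying combination inside the time window is refused. The field names, the two quasi-identifier sets and the 24-hour window are assumptions.

```python
"""Added example (not from the slides): a de-tokenization policy that looks at the
combination of fields a requester has had de-tokenized over a time window, and
refuses a request that would complete a re-identifying combination."""
from collections import defaultdict, deque

# Constructed policy: field combinations that together re-identify a person.
# Any single field may be de-tokenized; completing a whole set within the
# window is refused. Field names are hypothetical.
QUASI_IDENTIFIER_SETS = (
    frozenset({"zip", "birth_date", "gender"}),
    frozenset({"last_name", "birth_date"}),
)
WINDOW_SECONDS = 24 * 3600


class DetokenizationPolicy:
    def __init__(self, qid_sets=QUASI_IDENTIFIER_SETS, window=WINDOW_SECONDS):
        self.qid_sets = qid_sets
        self.window = window
        # requester -> deque of (timestamp, field) for granted requests,
        # appended in timestamp order so the oldest entry is always at the left
        self.history = defaultdict(deque)

    def _recent_fields(self, requester, now):
        """Drop grants older than the window and return the fields still inside it."""
        grants = self.history[requester]
        while grants and now - grants[0][0] > self.window:
            grants.popleft()
        return {field for _, field in grants}

    def request(self, requester, field, now):
        """Decide one de-tokenization request. Returns (allowed, reason).
        Only granted requests are recorded, so a refusal does not widen history."""
        would_hold = self._recent_fields(requester, now) | {field}
        for qid in self.qid_sets:
            if qid <= would_hold:
                return False, "would complete re-identifying set " + ",".join(sorted(qid))
        self.history[requester].append((now, field))
        return True, "ok"


if __name__ == "__main__":
    policy = DetokenizationPolicy()
    for t, f in [(0, "zip"), (100, "birth_date"), (200, "gender"), (90_000, "gender")]:
        print(t, f, policy.request("analyst-1", f, t))
```

Requests must be fed in timestamp order per requester; a real deployment would also scope the history to the records touched, not only to the requester.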

Page 46: Attacks on Big Data – Analytical Tools

The “lack of analytical tools” argument:

• Can it prevent an attacker from finding sensitive data?

Attackers are simply looking for sensitive records

• Not interested in advanced analytical results.

The attacker will find points in the data flow where sensitive data is easier to find

Page 47: Evolution of Data Security

Page 48: Evolution of Data Security Methods

Coarse Grained Security:

• Access Controls

• Volume Encryption

• File Encryption

Fine Grained Security:

• Access Controls

• Field Encryption (AES & )

• Masking

• Tokenization

• Vaultless Tokenization

(The methods are arranged along a Time axis, coarse grained first.)

Page 49: Evaluating Current Use

Chart: Use of Enabling Technologies. Technologies listed: Access controls, Database activity monitoring, Database encryption, Backup / Archive encryption, Data masking, Application-level encryption, Tokenization. Two series of seven percentages were extracted (1%, 18%, 30%, 21%, 28%, 7%, 22% and 91%, 47%, 35%, 39%, 28%, 29%, 23%), apparently one pair per technology in the order listed; the series labels did not survive extraction.

Page 50: Access Control

Old and flawed: Minimal access levels so people can only carry out their jobs

Chart: Access Privilege Level (Low to High) against Risk (Low to High).

Page 51: Applying the protection profile to the content of data fields allows for a wider range of authority options

Page 52: How the New Approach is Different

Chart: Access Privilege Level (Low to High) against Risk (Low to High).

Old: Minimal access levels – Least Privilege to avoid high risks

New: Much greater flexibility and lower risk in data accessibility

Page 53: Reduction of Pain with New Protection Techniques

Timeline chart (1970, 2000, 2005, 2010; vertical axis Pain & TCO, High to Low) showing what each technique produces for the input value 3872 3789 1620 3675:

Strong Encryption Output (AES, 3DES): !@#$%a^.,mhu7///&*B()_+!@

Format Preserving Encryption (DTP, FPE): 8278 2789 2990 2789 (chart annotation: Format Preserving)

Vault-based Tokenization: 8278 2789 2990 2789 (chart annotation: Greatly reduced Key Management)

Vaultless Tokenization: 8278 2789 2990 2789 (chart annotation: No Vault)

Page 54: Fine Grained Data Security Methods: Vault-based vs. Vaultless Tokenization

Footprint. Vault-based: Large, Expanding. Vaultless: Small, Static.

High Availability, Disaster Recovery. Vault-based: Complex, expensive replication required. Vaultless: No replication required.

Distribution. Vault-based: Practically impossible to distribute geographically. Vaultless: Easy to deploy at different geographically distributed locations.

Reliability. Vault-based: Prone to collisions. Vaultless: No collisions.

Performance, Latency, and Scalability. Vault-based: Will adversely impact performance & scalability. Vaultless: Little or no latency. Fastest industry tokenization.
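To make the Footprint and Reliability rows above, and the page 53 outputs, concrete, here is an added example (not Protegrity's implementation, and the vaultless scheme is a deliberately simple illustration, not a production design): a vault-based tokenizer that must store and replicate every PAN/token pair and retry on token collisions, next to a static-table scheme whose storage stays fixed no matter how many PANs pass through and which cannot collide because the mapping is a bijection per digit length. The sample PAN is the slide's input value with spaces removed; table sizes and the chained-permutation construction are my assumptions.

```python
"""Added example (not Protegrity's code): vault-based tokenization beside a toy
vaultless (static-table) scheme, to compare footprint and collision behaviour."""
import random

PAN = "3872378916203675"  # sample input value from the slide, spaces removed


class VaultTokenizer:
    """Code-book tokenization: a random token per PAN, mapping kept in a vault."""
    def __init__(self, rng):
        self.rng = rng
        self.token_for = {}  # PAN -> token
        self.pan_for = {}    # token -> PAN (the vault that has to be replicated)

    def tokenize(self, pan):
        if pan in self.token_for:
            return self.token_for[pan]
        while True:
            token = "".join(str(self.rng.randrange(10)) for _ in range(len(pan)))
            if token not in self.pan_for:   # collision with an existing token: retry
                break
        self.token_for[pan] = token
        self.pan_for[token] = pan
        return token

    def detokenize(self, token):
        return self.pan_for[token]

    def footprint(self):
        """Stored entries; grows with every distinct PAN ever tokenized."""
        return len(self.pan_for)


class VaultlessTokenizer:
    """Toy static-table scheme (illustration only): one secret digit permutation per
    position, chained so each output digit also depends on the previous output digit.
    The map is a bijection on digit strings of the configured length, so two PANs can
    never share a token, and nothing is stored per PAN."""
    def __init__(self, rng, length=16):
        self.tables = [rng.sample(range(10), 10) for _ in range(length)]
        self.inverse = [{v: i for i, v in enumerate(t)} for t in self.tables]

    def tokenize(self, pan):
        out, prev = [], 0
        for table, ch in zip(self.tables, pan):
            prev = table[(int(ch) + prev) % 10]
            out.append(str(prev))
        return "".join(out)

    def detokenize(self, token):
        out, prev = [], 0
        for inv, ch in zip(self.inverse, token):
            out.append(str((inv[int(ch)] - prev) % 10))
            prev = int(ch)
        return "".join(out)

    def footprint(self):
        """Table entries; constant regardless of how many PANs are processed."""
        return sum(len(t) for t in self.tables)


if __name__ == "__main__":
    vault, vaultless = VaultTokenizer(random.Random(1)), VaultlessTokenizer(random.Random(7))
    for i in range(1000):
        vault.tokenize(f"{i:016d}"), vaultless.tokenize(f"{i:016d}")
    print(vault.tokenize(PAN), vaultless.tokenize(PAN))
    print("vault entries:", vault.footprint(), "static table entries:", vaultless.footprint())
```

After a thousand PANs the vault holds a thousand entries while the static tables are still 160 digits.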

Page 55: Fine Grained Data Security Methods: Tokenization and Encryption are Different

Encryption uses a cipher system: cryptographic algorithms and cryptographic keys.

Tokenization uses a code system: code books and index tokens.

Source: McGraw-Hill Encyclopedia of Science & Technology

Page 56: The Future of Tokenization

• PCI DSS 3.0: Split knowledge and dual control

• PCI SSC Tokenization Task Force: Tokenization and use of HSM

• Card Brands – Visa, MC, AMEX …: Tokens with control vectors

• ANSI X9: Tokenization and use of HSM

Page 57: Security of Different Protection Methods

Chart comparing the Security Level (Low to High) of four methods: Basic Data Tokenization, AES CBC Encryption Standard, Vaultless Data Tokenization and Format Preserving Encryption (the ranking on the chart did not survive extraction).

Page 58: Speed of Different Protection Methods

Chart of Transactions per second* (axis ticks from 100 to 10 000 000 in powers of ten) for four methods: Vault-based Data Tokenization, AES CBC Encryption Standard, Vaultless Data Tokenization and Format Preserving Encryption (the bar heights did not survive extraction).

*: Speed will depend on the configuration

Page 59: How Should I Secure Different Data?

Chart: Type of Data (Structured / Un-structured) against Use Case (Simple / Complex). Data classes shown: PCI (Cardholder Data), PHI (Protected Health Information), PII (Personally Identifiable Information). Methods placed on the chart: Tokenization of Fields, Encryption of Files.

Page 60: Protegrity Summary

Proven enterprise data security software and innovation leader:

• Sole focus on the protection of data

• Patented Technology, Continuing to Drive Innovation

Cross-industry applicability:

• Retail, Hospitality, Travel and Transportation

• Financial Services, Insurance, Banking

• Healthcare

• Telecommunications, Media and Entertainment

• Manufacturing and Government