A Wireless World: Combatting Security Breaches Through Parallel Networking - Lindsay Notwell, ...
DESCRIPTION
Interop Academy - June 17th, 11:30-12:00
Parallel networking addresses the evolving security concerns of major retailers and distributed enterprises. Using UK-based HART Systems and Barnes and Noble as examples, Mr. Notwell will speak to today's modern retail store environment, the challenges it faces, and the value of introducing parallel networking to achieve secure and optimal business performance.
TRANSCRIPT
ADDRESSING THE BREACH Offloading Non-Essential and Vendor Applications to Application-Specific, Parallel Networks Using 4G LTE
June 17, 2014
Lindsay Notwell VP, Operator & International Business CradlePoint
Contact: [email protected]
M200 Circa 2006
OUR COMPANY The trusted global leader in enterprise-grade 4G-LTE networking solutions for distributed enterprise
2 CradlePoint Proprietary and Confidential • © 2014 CradlePoint, Inc. • All Rights Reserved. Information subject to change without notice.
INDUSTRY AWARDS
2014 Top 20 Retail IT Solutions
OPERATOR PARTNERS
DIFFERENTIATION
Focus: Enterprise-grade cloud-managed 3G/4G/LTE solutions
Advantages: Performance, Protocols, Efficiency, Security, WiFi, Flexibility
OUR CUSTOMERS Distributed Enterprises with Hundreds and Thousands of Locations
Restaurants, Retail Stores, Digital Signage, Transportation, Branch Offices, Kiosks, C-Stores
Key Challenges: No Local IT Support, PCI Compliance, WiFi & Mobility, Cloud-based Apps, Business Continuity
Verticals: Retail, Branch Office, Kiosks, Signage, etc., Transportation
OUR RECORD OF SUCCESS Over 1,000,000 deployments with leading distributed enterprises
TYPICAL BRANCH OFFICE
[Diagram: a single store network. The equipment room (server), back office (employee tablet) and customer area (customer smartphone) connect to the Internet / private network over a primary WAN, typically T1, DSL or cable.]
WITH 3G/4G RESILIENCY
[Diagram: the same branch office, with a 4G-LTE failover connection added as a backup WAN connection alongside the primary WAN (typically T1, DSL or cable).]
THE MONOLITHIC NETWORK
[Diagram: the same branch office with primary WAN and 4G-LTE failover. Server, employee tablet, customer smartphone and the rest of the equipment room, back office and customer area all sit on the one store network.]
THE ATTACK AT TARGET (Based on Currently-Available Information)
Penetration
– Launched email phishing campaign
– Successfully tricked many users into opening the email
– Attackers researched victims and determined suppliers to Target
– Obtained a vendor's credentials, used to access Target's network
Execution
– Used "pivoting" technique to attack systems on other networks
– Infected POS terminals using a customized memory scraping tool
– Established an "unauthorized server" inside the Target network
– Exfiltrated credit card data through the compromised servers
THE RESULT AND IMPACT (Based on Currently-Available Information)
The Exposure
– Up to 110 million customers could have been affected
– 40 million debit and credit cards stolen
– Up to 70 million individuals had personal information stolen
The Cost
– The breach will cost Target $500 million to $1.1 billion USD, some analysts estimate.
– Analysts have cut Target profit estimates for the fiscal years ending Jan '14 and Jan '15 by about 12.2% and 9.5%, respectively, Thomson Reuters StarMine data showed.
– Target's CIO resigned, CEO forced out
THE RESULT AND IMPACT: The Industry Experts' Analysis (Based on Currently-Available Information)
– Target passed its PCI Compliance audit in September
– The company has since moved to isolate its different platforms and networks to make it harder for a hacker to move between them, a Target executive said.
– So-called segmentation issues, where computer systems that shouldn't be connected for security reasons are in fact linked, are a problem at a number of retailers, a person familiar with retail breaches said.
– There shouldn't have been a route between a network for an outside contractor and the one for payment data, people familiar with large corporate networks said.
SOCIAL ENGINEERING ATTACKS: Phishing, Spear Phishing, Whaling
– Legitimate-looking emails
– Relevant, somewhat inside information
– Think of grifters, con men, etc.
– Click on the link or attachment
PHISHING EXAMPLE
SEGMENTATION ISSUES?
AND THEN…
PARALLEL NETWORKING
[Diagram: the same branch office (equipment room with server, back office with employee tablet, customer area with customer smartphone), but each application runs on its own separate 4G-LTE network instead of sharing the store network. The store itself keeps its primary WAN (typically T1, DSL or cable) with a 4G-LTE failover connection as a backup WAN connection.]
Separate 4G-LTE networks per application:
– Point-of-Sale (POS) Device Network: separate 4G network for security-sensitive devices
– Employee Network: separate 4G network for secure enterprise access
– Customer WiFi Network: separate 4G network for non-secure customer access
– VoIP Phone Network: separate 4G network
– Kiosks: separate 4G network for 3rd party
– Digital Signage: separate 4G network for 3rd party
– Store-in-a-Store: separate 4G network for 3rd party
– HVAC System (Heating, Ventilation & Air Conditioning): separate 4G network for 3rd-party service provider
– Security System: separate 4G network for 3rd-party service provider
– Energy Mgmt System: separate 4G network for 3rd-party service provider
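The experts' point earlier in the deck (there should be no route between a contractor's network and the payment network) and the parallel networking design above can be checked mechanically rather than by eye. The Python script below is an added example written for this page, not CradlePoint's code or content from the deck: it models the monolithic store network and the parallel design as constructed graphs of allowed flows between segments (every segment name, such as `vendor_hvac`, `store_lan` or `lte_wan_pos`, is an assumed label) and searches for any route from an untrusted third-party segment to the POS or payment segments.

```python
"""Segmentation check: can a third-party segment reach the POS or payment segment?

Constructed example (not from the CradlePoint deck).  Two store topologies are
modelled as directed graphs of allowed flows between network segments, and a
breadth-first search answers the question the experts raised: is there any
route from an outside contractor's network to the payment network?
"""
from collections import deque

# Constructed topology 1: the monolithic network.  Vendor systems, customer
# WiFi and POS devices all sit on one store LAN, which reaches the corporate WAN.
MONOLITHIC = {
    "vendor_hvac": {"store_lan"},
    "vendor_signage": {"store_lan"},
    "customer_wifi": {"store_lan"},
    "store_lan": {"pos", "corporate_wan", "vendor_hvac",
                  "vendor_signage", "customer_wifi"},
    "pos": {"store_lan"},
    "corporate_wan": {"store_lan", "payment_processor"},
    "payment_processor": set(),
}

# Constructed topology 2: parallel networking.  Each non-essential or vendor
# application gets its own 4G-LTE WAN straight to the Internet; only the POS
# segment has a path to the payment processor, and no segment links into another.
PARALLEL = {
    "vendor_hvac": {"lte_wan_hvac"},
    "lte_wan_hvac": {"internet"},
    "vendor_signage": {"lte_wan_signage"},
    "lte_wan_signage": {"internet"},
    "customer_wifi": {"lte_wan_guest"},
    "lte_wan_guest": {"internet"},
    "pos": {"lte_wan_pos"},
    "lte_wan_pos": {"payment_processor"},
    "internet": set(),
    "payment_processor": set(),
}

# Which segments an attacker who compromises a vendor would start from, and
# which segments must never be reachable from them (assumed labels).
UNTRUSTED = ["vendor_hvac", "vendor_signage", "customer_wifi"]
SENSITIVE = ["pos", "payment_processor"]


def find_route(graph, src, dst):
    """Return the shortest list of segments from src to dst, or None if no route exists."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:        # walk parent links back to src
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def segmentation_violations(graph, untrusted, sensitive):
    """Return (src, dst, route) triples for every untrusted segment that reaches a sensitive one."""
    found = []
    for src in untrusted:
        for dst in sensitive:
            route = find_route(graph, src, dst)
            if route is not None:
                found.append((src, dst, route))
    return found


if __name__ == "__main__":
    for name, graph in (("monolithic", MONOLITHIC), ("parallel", PARALLEL)):
        violations = segmentation_violations(graph, UNTRUSTED, SENSITIVE)
        print(f"{name}: {len(violations)} segmentation violation(s)")
        for _, _, route in violations:
            print("   " + " -> ".join(route))
```

Run as-is, the monolithic topology reports routes such as `vendor_hvac -> store_lan -> pos`, which is exactly the contractor-to-payment path the experts said should not exist, while the parallel topology reports none because each application's 4G-LTE WAN is a dead end into the Internet. In a real deployment the graph would be generated from firewall rules and VLAN assignments rather than typed in by hand, and the check would run whenever those change.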
See us at Interop Stand IW343 FREE WHITE PAPER
ADDRESSING THE BREACH Offloading Non-Essential and Vendor Applications to Application-Specific, Parallel Networks Using 4G LTE
QUESTIONS? Contact: [email protected]
Lindsay Notwell VP, Operator & International Business CradlePoint