securing your point of sale systems: stopping malware and data theft

Post on 11-May-2015

416 Views

Category:

Technology

1 Downloads

Preview:

Click to see full reader

DESCRIPTION

Point of Sale (POS) systems have long been the target of financially-motivated crime. And in 2013 the magnitude of cybercrime against POS systems skyrocketed, with 97% of breaches in the retail sector and 47% in the healthcare sector aimed against POS systems. With sensitive financial and personal records getting exposed by the millions, the FBI recently warned that POS systems are under sustained and continued attack. During this webcast, we will take you into the three critical entry points to POS system attacks. We’ll discuss how the attacks look, the timelines for these breaches, and what proactive security measures you can take to help your organization minimize the risk to your POS systems. •3 Critical Entry Points to POS System Attacks •Impacts to an Organization •Top 3 Security Measures to Minimize Risk

TRANSCRIPT

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Securing Your Point of Sale Systems

Stopping Malware and Data Theft

February 20, 2014

Chris Merritt | Solution MarketingSource: http://www.wired.com/threatlevel/2014/01/target-hack/

Today’s Agenda

Setting the Stage

Three Attack Vectors

Impacts on Organizations

Top Security Measures to Minimize Risk

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Setting the Stage

• Focus on POS Systems, but …» Need to consider other fixed function

assets which abound, such as ATMs, kiosks, self-checkout, etc.

» Need to consider the entire chain, including “back office” assets such as servers, workstations, etc.

•Focus on Retail Sector, but …» Need to consider other sectors where POS

systems and other fixed function assets are heavily used, such as the Healthcare and Financial sectors

3

Three Attack Vectors

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Threat Environment

5

Source: Store Systems Security | Preparing for the Paradigm Shift– by IHL Group (Aug-2013)

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Threat Environment

6

Source: Store Systems Security | Preparing for the Paradigm Shift– by IHL Group (Aug-2013)

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Targeted Assets

7

Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Targeted Assets

8

Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Targeted Assets

9

Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Targeted Assets

10

Source: 2013 Data Breach Investigations Report – by Verizon (Apr-2013)

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Breach Timeline

11

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Security Alerts

12

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Security Alerts

13

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Security Alerts

14

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Three Attack Vectors

15

Physical Attack» Examples: Tampering, Beacons

» Impacts Front Line Assets

Network Attack» Examples: Hacking, Malware

» Impacts Front Line and Back Office Assets

Supply Chain Attack» Examples: Hacking, Malware

» Impacts Back Office Assets

Impacts on Organizations

US Breach Data (2005 – 2013)

17PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

1717

X-axis = Year Y-axis = Breach Count Bubble size = Breach Size

Breaches by Organization Type (2005 – 2013)

18PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

1818

Records by Organization Type (2005 – 2013)

19PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

1919

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Data Breach Costs

20

Security Measures

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Defense-in-Depth

22

• Multiple layers of Security Controls» Redundancy in case

Failure or Exploitation

» Covers People, Process and Technical Controls

» Seeks to delay attack

• Endpoint security threats too complex» Need multiple technologies

/ processes

• Successful risk mitigation » Starts with solid Vulnerability

Management

» Add other Layered Defenses, beyond traditional Blacklist approach

» Consider both Network and Physical Vectors

© Creative Commons / Fidelia Nimmons

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Practical Defense-in-Depth

23

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Practical Defense-in-Depth

24

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Practical Defense-in-Depth

25

Whitelisting

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Breach Timeline (IS)

26

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Breach Timeline (Ideal)

27

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Additional Information

28

Free Security Scanner Tools» Application Scanner – discover all the apps

being used in your network» Device Scanner – discover all the devices

being used in your network

https://www.lumension.com/resources/premium-security-tools.aspx

Reports» Targeted Threat Protection for POS Systems

https://www.lumension.com/Media_Files/Documents/Marketing---Sales/Datasheets/Lumension-Endpoint-Security---Point-of-Sale.aspx

» Tolly Reports on Application Control vs. Antivirus Performance at http://www.tolly.com/Server: ~/DocDetail.aspx?DocNumber=213121 Client: ~/DocDetail.aspx?DocNumber=213126

Free Trial (virtual or download)http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Global Headquarters8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

info@lumension.com

top related