tripwire retail cyberthreat summit

Post on 25-Jul-2015


Category: Technology


Retail Cyberthreat Summit


Security Alerts Around the Industry

• DHS site posted United States Computer Emergency Response Team (US-CERT) Alert
• Payment Card Industry Bulletin (August 27, 2014)
• US Secret Service Advisory (August 22, 2014)

A Global Leader in Secure Remote Access

www.netop.com | info.us@netop.com | (866) 725-7833

ABOUT NETOP

The world’s leading companies choose Netop

• 24% World Top 100 Retailers
• 60% Financial Times Top 100
• 42% World Top 50 Banks
• 50% Fortune 100
• End-users: 9M
• Customers: 12K
• Connections / day: 100M


Identifying and Securing Threat Vectors

Threats

USERS

Human error is a leading source of opportunity for cybercrime.

DISCOVERABILITY

If a device is discoverable, a device is vulnerable.

REMOTE ACCESS

Remote access points are the target of choice for cybercriminals.

88%

Remote Access

Secure

1. Segment your network

2. Encrypt your data

3. Manage your users

4. Document all activity

Thank you!

www.netop.com | info.us@netop.com | (866) 725-7833

Point-of-Fail: Retail Network Intrusion & POS Malware

Ken Westin, Sr. Security Analyst

kwestin@tripwire.com | Twitter: @kwestin

Hacking RDP For Fun & Profit

1,200 systems with open RDP ports in 10 seconds.

Brute Force RDP

[Diagram: attack path. Labels: Attacker; Recon & Enumeration; Initial Attack Vector (Remote Desktop, Exploit, Business Partner, Phishing); Network Infiltration & Scanning; Active Directory; Network Applications; Patch Server; Critical Assets; Data Exfiltration; Drop Site]

Initial Attack Vector

• Remote Desktop
• Exploit
• Business Partner
• Phishing

20 Critical Security Controls (NSA Rank)

• CSC1 Inventory H/W Assets, Criticality, and Location: Very High
• CSC2 Inventory S/W Assets, Criticality, and Location: Very High
• CSC3 Secure Configuration of Servers and Hardware: Very High
• CSC4 Vulnerability Assessment and Remediation: Very High

[Diagram: the attack path above, annotated with three numbered control points]

1
• Hardening Configurations
• Assess Perimeter for Vulnerabilities

2
• Identify, Prioritize, Remediate Vulnerabilities

3
• Continuously monitor for file changes
• Indicators of Compromise (IoCs)

Point of Sale Attack Vectors

Many Versions of POS Malware

• Dexter/Stardust
• BlackPOS/Kaptoxa
• RawPOS
• Backoff
• LusyPOS

Similar Functionality, Different Authors

POS Weak Points

[Diagram: POS SYSTEM. Labels: POS Application; Disk; RAM; Network]

Data In Transit: Network Sniffing

RAM Scraping

[Slide graphic: example card numbers as they appear in RAM]

Threat Intelligence Provider

Detecting POS Malware

Behavior & File Change Detection

Thank You

Ken Westin, Sr. Security Analyst

kwestin@tripwire.com | Twitter: @kwestin

Security Professionals

Hackers

We WILL Fail

200 Days

Home Depot Hit By Same Malware as Target (Krebs on Security, September 14, 2014)

2%

5%

10%

25%

Card Losses

Reputation

Bankruptcy

SAFE, FAST, SENSITIVE

SAFE

PCI DSS Level 1

FAST

Data

7M Transactions / Day

4x growth -> 2x speed

Coverage Map

http://goo.gl_3uDFKP

Transactions/Day

Performance

| Chain | Public | Rippleshot | Advantage |
|---|---|---|---|
| Spec's Wine & Spirits | Mar 20, 2014 | Mar 29, 2013 | 11.7 months |
| Aaron Brothers | Apr 17, 2014 | Aug 6, 2013 | 8.4 months |
| Neiman Marcus | Jan 23, 2014 | Oct 11, 2013 | 3.4 months |
| Target | Dec 18, 2013 | Nov 29, 2013 | 19 days |
| Michael’s | Jan 25, 2014 | Dec 10, 2013 | 1.5 months |
| California DMV | Mar 22, 2014 | Jan 22, 2014 | 1.9 months |
| Home Depot | Sep 2, 2014 | Mar 8, 2014 | 5.9 months |
| Dairy Queen | Aug 27, 2014 | Mar 8, 2014 | 5.7 months |
| The UPS Store | Aug 20, 2014 | Mar 8, 2014 | 5.4 months |
| Goodwill Industries | Jul 14, 2014 | Mar 8, 2014 | 4.2 months |
| Splash Car Wash | Jun 26, 2014 | Mar 8, 2014 | 3.6 months |
| Sally Beauty Supply | Mar 14, 2014 | Mar 8, 2014 | 6 days |
| PF Chang’s | Jun 11, 2014 | Mar 25, 2014 | 2.6 months |
| Supervalu | Aug 15, 2014 | Apr 6, 2014 | 4.3 months |
| Beef 'O' Brady's | Sep 10, 2014 | Apr 6, 2014 | 5.2 months |

4.3 Months

SENSITIVE

Use Case: Home Depot

• Start of Breach: April 1st
• Public Announcement: September 2nd
• Total Cards: 56M; with Rippleshot: 5.6M
• Rippleshot Detection: April 15th
• Total Fraud Spend: $2B and climbing; with Rippleshot: $200M

RETAIL CYBERTHREAT SUMMIT

How retailers can mitigate fraud associated with stolen credit cards

SCOTT WADDELL, IOVATION

Chief Technology Officer

(503) 943-6768

scott.waddell@iovation.com

www.iovation.com

@svwaddell

© COPYRIGHT • IOVATION

BATTLING ID THEFT AND CREDIT CARD FRAUD

• Identity Verification solutions: Analysis of identity elements such as name, address, phone and more
• Authentication solutions: Out-of-band, KBA solutions, RBA
• Device-based solutions: Device identification, device reputation, fraud sharing independent of PII

RECOGNIZING EVERY DEVICE

From smartphones to gaming consoles, if a device can access the Internet, iovation will recognize it.

• COMPUTERS
• TABLETS
• SMART TVS
• MOBILE

DEVICE INTELLIGENCE PROCESS

Is this device making a fraudulent transaction?

1. IDENTIFICATION: Has anyone seen this device?

2. ASSOCIATIONS: Is the device guilty by its association?

3. ANOMALIES: Have any device anomalies been found?

4. REPUTATION: Has anyone had a bad experience?

Device-based solutions can be mixed and matched throughout your website based on what matters to your business.

PROTECTION AT CUSTOMER TOUCH POINTS


RETAILER: FRAUD SCREENING PROCESS

[Diagram labels: ReputationManager 360; Transactions and Outcomes; Real-Time Scoring; Deny / Review / Allow]

DEVICES: UNIQUELY IDENTIFIED AND ASSOCIATED

ACTIVITY: CREDIT PROCESSOR RETAILERS

DEVICE INTELLIGENCE: SHARED ACROSS INDUSTRIES

DEVICE INTELLIGENCE NETWORK

• Total Reputation Checks: 15 Billion
• Known Devices: 2 Billion
• Verified Frauds: 20 Million
• Reputation Checks per Day: 12 Million
• Incidents Stopped per Day: 200,000
• Active Fraud Analysts: 3000

SPOTTING FRAUDSTER EVASION

FRAUDSTER TECHNIQUES

• Using a Proxy
• Disabling JavaScript
• Blocking Device Identification
• Manipulating Device Attributes

IOVATION COUNTERMEASURES

• Proxy Detection
• Real IP Proxy Piercing
• Tor Detection
• Time Zone Mismatch
• Geolocation Velocity & Mismatch
• Insufficient / Malformed Device Data
• Multi-Domain Recognition
• Device and IP Risk Profiling

TIME ZONE, LANGUAGE, IP PROFILES, GEOLOCATION, CLOAKING

POWERFUL RULES ENGINE: MAKE IT WORK FOR YOU

EVIDENCE

Identifies risky devices already associated with fraud in iovation’s fraud records.

GEOLOCATION

Gets the user's actual location with Real IP; reveals unauthorized country, TOR and more.

VELOCITY

Set thresholds for too many transactions or multiple devices accessing an account.

WATCH LIST

Create your own custom-built positive or negative lists based on your specific fraud.

RISK PROFILE

Indicates when a device has characteristics similar to other groups of risky devices.

AGE-BASED

Shows the amount of history that you have with a paired account and device.

ANOMALY

Reveals when the device has risky characteristics or is trying to evade detection.

COMPOUND

Combine multiple rules to expand the use case and pinpoint specific fraud behavior.

TYPICAL CASE: LOSS AT 4 BUSINESSES

SHARING INTELLIGENCE ACROSS INDUSTRIES

Communities: Financial, Gaming, Gambling, Retail

32% Sharing, 68% Local

VALUE OF SHARING

Sharing automatically gives you access to fraud evidence placed by other iovation clients.

04/14/2023

Contact Information

Jeremy Henley, Director of Breach Services

760-304-4761

Jeremy.henley@idexpertscorp.com

What is a Data Breach*?

Data Breach is a “Legal” Construct

• All breaches start as incidents, but not all incidents end up as breaches
• "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII
• "Breach" = acquisition, access, use, or disclosure of PHI/PII [that poses a significant risk of financial, reputational, or other harm]*

* The definition of “data breach” varies across specific legislation and rules. In US states, many include a “harm threshold”

Before the Breach occurs

• Complete a Privacy & Security Assessment
• Develop or review Incident Response Plan
• Test your plan
• Repeat

When a Data Breach Occurs

Be Prepared - Have a Team and a Plan

• Organizations must rely on a trusted partner(s)
• Help you determine if your incident is a breach
• Develop a proportionate and compliant breach response
• Provide the proper level of concern and care to the affected individuals (customers)

Breach Response

You will need a repeatable methodology for data breach response to reduce risks and reach a positive outcome

• Discovery
• Analysis
• Formulate
• Respond


Q&A
