Tripwire Retail Cyberthreat Summit
Security Alerts Around the Industry
• DHS site posted United States Computer Emergency Response Team (US-CERT) Alert
• Payment Card Industry Bulletin (August 27, 2014)
• US Secret Service Advisory (August 22, 2014)
A Global Leader in Secure Remote Access
(866) 725-7833
ABOUT NETOP
The world’s leading companies choose Netop
• 24% World Top 100 Retailers
• 60% Financial Times Top 100
• 42% World Top 50 Banks
• 50% Fortune 100
• End-users: 9M
• Customers: 12K
• Connections / day: 100M
Retail Cyberthreat Summit
Identifying and Securing Threat Vectors
Threats
USERS
Human error is a leading source of opportunity for cybercrime.
DISCOVERABILITY
If a device is discoverable, a device is vulnerable.
REMOTE ACCESS
Remote access points are the target of choice for cybercriminals.
88%
Remote Access
Secure
1. Segment your network
2. Encrypt your data
3. Manage your users
4. Document all activity
Point-of-Fail: Retail Network Intrusion & POS Malware
Ken Westin, Sr. Security Analyst
@kwestin
Hacking RDP For Fun & Profit
1,200 systems with open RDP ports in 10 seconds.
Brute Force RDP
[Diagram: attack chain with labels Attacker; Initial Attack Vector (Remote Desktop Exploit; Business Partner; Phishing); Recon & Enumeration; Network Infiltration & Scanning; Active Directory; Network Applications; Patch Server; Critical Assets; Data Exfiltration; Drop Site]
[Diagram: Initial Attack Vector: Remote Desktop Exploit; Business Partner; Phishing]
20 Critical Security Controls (NSA Rank)
• CSC1: Inventory H/W Assets, Criticality, and Location (Very High)
• CSC2: Inventory S/W Assets, Criticality, and Location (Very High)
• CSC3: Secure Configuration of Servers and Hardware (Very High)
• CSC4: Vulnerability Assessment and Remediation (Very High)
1. Hardening Configurations; Assess Perimeter for Vulnerabilities
2. Identify, Prioritize, Remediate Vulnerabilities
3. Continuously monitor for file changes; Indicators of Compromise (IoCs)
Point of Sale Attack Vectors
Many Versions of POS Malware
• Dexter/Stardust
• BlackPOS/Kaptoxa
• RawPOS
• Backoff
• LusyPOS
Similar Functionality, Different Authors
POS Weak Points
POS SYSTEM
POS Application
Disk
RAM
Network
Data In Transit: Network Sniffing
RAM Scraping
[Figure: example card numbers illustrating RAM scraping]
Threat Intelligence Provider
Detecting POS Malware
Behavior & File Change Detection
Security Professionals
Hackers
We WILL Fail
200 Days
Home Depot Hit By Same Malware as Target (Krebs on Security, September 14, 2014)
[Figure: chart with values 2%, 5%, 10%, 25% and labels Card Losses, Reputation, Bankruptcy]
SAFE FAST SENSITIVE
SAFE
PCI DSS Level 1
FAST
Data
• 7M Transactions / Day
• 4x growth -> 2x speed
Coverage Map
http://goo.gl_3uDFKP
Transactions/Day
Performance
Chain | Public | Rippleshot | Advantage
Spec's Wine & Spirits | Mar 20, 2014 | Mar 29, 2013 | 11.7 months
Aaron Brothers | Apr 17, 2014 | Aug 6, 2013 | 8.4 months
Neiman Marcus | Jan 23, 2014 | Oct 11, 2013 | 3.4 months
Target | Dec 18, 2013 | Nov 29, 2013 | 19 days
Michael’s | Jan 25, 2014 | Dec 10, 2013 | 1.5 months
California DMV | Mar 22, 2014 | Jan 22, 2014 | 1.9 months
Home Depot | Sep 2, 2014 | Mar 8, 2014 | 5.9 months
Dairy Queen | Aug 27, 2014 | Mar 8, 2014 | 5.7 months
The UPS Store | Aug 20, 2014 | Mar 8, 2014 | 5.4 months
Goodwill Industries | Jul 14, 2014 | Mar 8, 2014 | 4.2 months
Splash Car Wash | Jun 26, 2014 | Mar 8, 2014 | 3.6 months
Sally Beauty Supply | Mar 14, 2014 | Mar 8, 2014 | 6 days
PF Chang’s | Jun 11, 2014 | Mar 25, 2014 | 2.6 months
Supervalue | Aug 15, 2014 | Apr 6, 2014 | 4.3 months
Beef 'O' Brady's | Sep 10, 2014 | Apr 6, 2014 | 5.2 months
4.3 Months
SENSITIVE
Use Case: Home Depot
• Start of Breach: April 1st
• Public Announcement: September 2nd
• Total Cards: 56M; with Rippleshot: 5.6M
• Rippleshot Detection: April 15th
• Total Fraud Spend: $2B and climbing; with Rippleshot: $200M
RETAIL CYBERTHREAT SUMMIT
How retailers can mitigate fraud associated with stolen credit cards
© COPYRIGHT • IOVATION
SCOTT WADDELL, Chief Technology Officer, IOVATION
(503) 943-6768
www.iovation.com
@svwaddell
BATTLING ID THEFT AND CREDIT CARD FRAUD
• Identity Verification solutions: Analysis of identity elements such as name, address, phone and more
• Authentication solutions: Out-of-band, KBA solutions, RBA
• Device-based solutions: Device identification, device reputation, fraud sharing independent of PII
RECOGNIZING EVERY DEVICE
From smartphones to gaming consoles, if a device can access the Internet, iovation will recognize it.
COMPUTERS TABLETS
SMART TVS
MOBILE
DEVICE INTELLIGENCE PROCESS
Is this device making a fraudulent transaction?
1. IDENTIFICATION: Has anyone seen this device?
2. ASSOCIATIONS: Is the device guilty by its association?
3. ANOMALIES: Have any device anomalies been found?
4. REPUTATION: Has anyone had a bad experience?
PROTECTION AT CUSTOMER TOUCH POINTS
Device-based solutions can be mixed and matched throughout your website based on what matters to your business.
RETAILER: FRAUD SCREENING PROCESS
[Diagram: ReputationManager 360; Transactions and Outcomes; Real-Time Scoring; Deny / Review / Allow]
DEVICES: UNIQUELY IDENTIFIED AND ASSOCIATED
ACTIVITY: CREDIT PROCESSOR RETAILERS
DEVICE INTELLIGENCE: SHARED ACROSS INDUSTRIES
DEVICE INTELLIGENCE NETWORK
• Total Reputation Checks: 15 Billion
• Known Devices: 2 Billion
• Verified Frauds: 20 Million
• Reputation Checks per Day: 12 Million
• Incidents Stopped per Day: 200,000
• Active Fraud Analysts: 3000
SPOTTING FRAUDSTER EVASION
FRAUDSTER TECHNIQUES
• Using a Proxy
• Disabling JavaScript
• Blocking Device Identification
• Manipulating Device Attributes
IOVATION COUNTERMEASURES
• Proxy Detection
• Real IP Proxy Piercing
• Tor Detection
• Time Zone Mismatch
• Geolocation Velocity & Mismatch
• Insufficient / Malformed Device Data
• Multi-Domain Recognition
• Device and IP Risk Profiling
TIME ZONE • LANGUAGE • IP PROFILES • GEOLOCATION • CLOAKING
POWERFUL RULES ENGINE: MAKE IT WORK FOR YOU
• EVIDENCE: Identifies risky devices already associated with fraud in iovation’s fraud records.
• GEOLOCATION: Gets the user's actual location with Real IP; reveals unauthorized country, TOR and more.
• VELOCITY: Set thresholds for too many transactions or multiple devices accessing an account.
• WATCH LIST: Create your own custom-built positive or negative lists based on your specific fraud.
• RISK PROFILE: Indicates when a device has characteristics similar to other groups of risky devices.
• AGE-BASED: Shows the amount of history that you have with a paired account and device.
• ANOMALY: Reveals when the device has risky characteristics or is trying to evade detection.
• COMPOUND: Combine multiple rules to expand use case and pinpoint specific fraud behavior.
TYPICAL CASE: LOSS AT 4 BUSINESSES
SHARING INTELLIGENCE ACROSS INDUSTRIES
Communities: Financial, Gaming, Gambling, Retail
32% Sharing, 68% Local
VALUE OF SHARING
Sharing automatically gives you access to fraud evidence placed by other iovation clients.
04/14/2023
Contact Information
Jeremy Henley, Director of Breach Services
760-304-4761
What is a Data Breach*?
Data Breach is a “Legal” Construct
• All breaches start as incidents, but not all incidents end up as breaches
• "Incident" = attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI/PII
• "Breach" = acquisition, access, use, or disclosure of PHI/PII [that poses a significant risk of financial, reputational, or other harm]*
* The definition of “data breach” varies across specific legislation and rules. In US states, many include a “harm threshold”.
Before the Breach occurs
• Complete a Privacy & Security Assessment
• Develop or review Incident Response Plan
• Test your plan
• Repeat
When a Data Breach Occurs
Be Prepared - Have a Team and a Plan
• Organizations must rely on a trusted partner(s)
• Help you determine if your incident is a breach
• Develop a proportionate and compliant breach response
• Provide the proper level of concern and care to the affected individuals (customers)
Breach Response
You will need a repeatable methodology for data breach response to reduce risks and reach a positive outcome
• Discovery
• Analysis
• Formulate
• Respond
Retail Cyberthreat Summit
Q&A