mastercard contactless and mastercard digital enablement ... · prevention and scope limitation...

Herding Cats: Issues with Distributed Retail Network Security Thursday, February 25, 2016



Agenda

• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A


Housekeeping: This webinar is being recorded. The webinar presentation will be made available to all attendees after completing a short 6-question survey. The recording will be available on the Conexxus website under Resources in about 2 weeks. Once the survey is completed, a link will be provided to the presentation handout. Conexxus uses the survey results to develop the content for our webinar series.



Presenters • Kara Gunderson ([email protected])

POS Manager Citgo Petroleum Corporation

• Ann Zecca ([email protected]) • Hubert Williams ([email protected])

Vice President of Technology and Development Maverik, Inc.



Outcomes Recognize that multi-store networks are more difficult to secure than single stores.

See how the threat evolution has forced retailers to change how we secure our distributed retail networks.

Look at some tools and methods for defending your multi-store retail company.

Understand the big picture strategy necessary to prevent, detect and limit the scope of threats


Agenda Understand the Distributed Retail Network Security landscape

Why is it different from single site retailers?

Distributed Retail Network Security Strategy

Overview of Layered Security

Layered Security Tools

What, exactly, is Threat Intelligence?

Some bits of Common Sense

Q & A


Distributed Retail Network Security Landscape

Single Site Security….Ahhh! The Good Life

• Perimeter is centralized at the store and endpoints are easily managed
• Data and assets are static on the network with little or no segmentation
• PCI-DSS audits consist of a self-assessment
• Hook up the computers and go!!


Distributed Retail Network Security Landscape

The Multi-Site Threat Landscape

• Probably a Level 1 – 2 merchant for PCI
• Segments? Every store has its own segments and its own perimeter
• Hackers are developing malware specifically for your POS systems
• Data and assets are mobile and dynamic, and IoT is everywhere. BTW….80% of IoT efforts are NOT driven by IT (Gartner)
• Let’s face it, we are herding cats


Distributed Retail Network Security Landscape

It Is a Bit Complex


Distributed Retail Network Security Strategy When developing a security strategy to secure your company, think about it in terms of:

• Prevention: None shall pass!

• Scope Limitation: Limit what they can get if they do get in

• Detection: If they get in, spot them quick (oh…and kick them out)


Distributed Retail Network Security Landscape

Security Strategy Basics

Layered Security
• Know your network and attack vectors
• Ensure you are up to date with patching and anti-virus
• Firewalls and IPS between network segments

Threat Intelligence
• Collect and interrogate logs from systems
• Employ a Security Information and Event Management (SIEM) system
• Create or contract a monitoring entity for the SIEM
• Investigate
• ACT!


Layered Security: The Holy Grail

REALITY CHECK: There is nothing holy about it. Layered security is a commitment and requires investment both in terms of dollars and labor.


Layered Security: A Quick Inventory

BIG IDEA: Secure from perimeters to endpoint, paralleling what Lockheed Martin calls the “Cyber Kill Chain”

• External IPS, next-gen firewalls, application firewalls, vulnerability scanning, and penetration testing
• Deploy IPS/IDS, web proxies, SPAM filters, sandbox/sandnet techniques
• Anti-virus, personal firewalls, host-based IPS, patching, software updates
• Use a SIEM to develop Threat Intelligence

Layered Security: “Defense in Depth” is recommended by the NSA

“There are two types of business: those who have been attacked and those who have yet to find out” (Neil Seeman, CEO)


Let’s Look at Some Tools and Methods That Might Help


Layered Security: Next Generation Firewalls

A key to prevention and scope limitation (segmentation): a Next-Generation Firewall (NGFW) is an integrated network platform that combines a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques.

• Legacy firewalls focus on source, destination and ports
• Legacy firewalls do not identify and stop malicious payloads
• The evasive nature of today’s attacks requires a greater level of protection

What kind of firewalls are you using??

You REALLY Need to Take a Look!!


Layered Security: Intrusion Detection and Intrusion Prevention Systems

What are IDS and IPS?

Intrusion Detection Systems (IDS) sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security posture of the network.

Intrusion Prevention Systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity.


Layered Security: File Integrity Monitoring

What is File Integrity Monitoring? File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application software files by comparing the current file state against a known-good baseline. Used for Detection.
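The baseline-and-compare idea behind FIM, as an added example that is not part of the original deck: a baseline records a SHA-256 digest per file, and a later check reports the three kinds of drift a FIM tool alerts on (modified, added, deleted). The POS file names and the temporary directory are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record the known-good state: relative path -> digest for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current file state with the baseline.
    Reports modified, added and deleted files; all three empty means no drift."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario (hypothetical paths): baseline a POS install, then
    change it the way drift or tampering would, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"original POS binary")
        (root / "config.ini").write_text("port=8443\n")
        baseline = build_baseline(root)
        (root / "bin" / "pos.exe").write_bytes(b"original POS binary, now altered")
        (root / "bin" / "helper.dll").write_bytes(b"file that was not in the baseline")
        (root / "config.ini").unlink()
        return check_integrity(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A real deployment stores the baseline off the monitored host (otherwise whoever alters the files can also alter the baseline) and forwards the report to the SIEM discussed later in the deck.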


Layered Security: Data Loss Prevention Software

What is DLP Software?

• Data Loss Prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network.
• DLP software products help a network administrator control what data end users can transfer.


Layered Security: SIEM Tools

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security to detect problems.

This is important, folks. It is a shame to spend time and resources putting in systems that create logs to meet compliance requirements and then not use those logs to your full benefit. If you don’t pay attention to what they are telling you, why have them? SIEM tools are a great way to clear the data fog and get visibility into what you need to know. The more stores you have, the greater your need for a tool or service like this. (BTW, there are options to outsource.)


Threat Intelligence


What is Threat Intelligence?

Malware Exchanges & Sources:
• Malware Exchange (major NetSec vendors)
• VirusTotal.com
• VirusShare.com
• IDS/IPS Event Feedback Loop
• Universities
• ISPs and Carriers
• IDS/IPS Customer base
• IDS/IPS Rulesets
• Other Misc Sources
• DNS/Domain Lists and Analytics
• IP Reputation Lists and Analytics

Here is what is happening. Lots of companies and organizations collect intel on security threats worldwide.

They share the information, and companies that make security products like IPS, IDS and firewalls use this information to interrogate your data for problems. These problems will show up in their logs.

A SIEM product can be used to collect the logs and alert you to possible attacks.


Threat Intelligence and Layered Security

~85% BLOCKED MALWARE

“Actionable” Threat Intelligence
• SIEM consolidates data from multiple devices
• Might include intelligence from external sources
• Used for analysis and incident response

“Active” Threat Intelligence
• IP and/or domain reputation lists
• Pushed out to security devices regularly
• Collaboration of the InfoSec community
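How "active" intelligence (a reputation list) turns into an "actionable" SIEM alert, as an added example that is not part of the original deck and covers both the log-interrogation description on the previous slide and this one: firewall logs from several stores are correlated against a reputation feed, one alert per store and listed address. The feed entries, store IDs and log lines are constructed (documentation address ranges, not real indicators), and the key=value log format is an assumption.

```python
import ipaddress

# Constructed "active" threat-intelligence feed (documentation ranges, not real indicators):
# reputation entries as CIDR blocks with the label the feed would carry.
REPUTATION_FEED = {
    "203.0.113.0/24": "known command-and-control range",
    "198.51.100.7/32": "internet scanner",
}

# Constructed firewall log lines from three stores, in a simple key=value format.
LOG_LINES = """\
ts=2016-02-25T10:00:01 store=S01 src=192.168.10.15 dst=203.0.113.44 dport=443 action=allow
ts=2016-02-25T10:00:05 store=S01 src=192.168.10.15 dst=203.0.113.44 dport=443 action=allow
ts=2016-02-25T10:00:09 store=S02 src=198.51.100.7 dst=192.168.20.5 dport=3389 action=deny
ts=2016-02-25T10:01:12 store=S01 src=192.168.10.22 dst=192.0.2.10 dport=80 action=allow
ts=2016-02-25T10:02:30 store=S03 src=192.168.30.8 dst=203.0.113.9 dport=8080 action=allow
"""

def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def lookup(ip: str, networks: list):
    """Return the feed label for the first network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in networks if addr in net), None)

def correlate(log_text: str, feed: dict) -> dict:
    """SIEM-style correlation: one alert per (store, listed IP), counting hits.
    Allowed outbound traffic to a listed address is rated high: the prevention
    layer let it through, so detection has to catch it."""
    networks = [(ipaddress.ip_network(cidr), label) for cidr, label in feed.items()]
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        for direction in ("src", "dst"):
            label = lookup(ev[direction], networks)
            if label is None:
                continue
            a = alerts.setdefault((ev["store"], ev[direction]),
                                  {"count": 0, "direction": direction, "label": label, "severity": "low"})
            a["count"] += 1
            if direction == "dst" and ev["action"] == "allow":
                a["severity"] = "high"
    return alerts

if __name__ == "__main__":
    for key, alert in correlate(LOG_LINES, REPUTATION_FEED).items():
        print(key, alert)
```

The per-store key matters in a multi-site network: the same listed address showing up at two stores is two incidents to scope, not one.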


Other Stuff To Consider: WEAK PASSWORDS ARE BAD

A 2013 Verizon Data Breach Investigations Report states that this is the cause of 76% of all attacks on corporate networks. Consider providing your employees education on this problem and enforcing a 10-character complex password. LENGTH = STRENGTH: random 8-character passwords take 8 to 72 hours to crack using brute-force methods on a standard PC, while a 10-character complex password will take 19 to 58 years.

BTW: It is generally the first attack vector hackers will try.


Other Stuff To Consider: SOCIAL ENGINEERING

Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Follow the ATE – AWARENESS, TRAINING and EDUCATION security concept for all employees, no matter what level and what position they hold in the organization. While C-level employees are great targets, their admins can be even more powerful vectors for attack!

• Store employees may not know all the IT techs that call them!!! Use 2-factor authentication to make it more difficult for hackers to gain remote access at your sites.


A Few Last Bits of Common Sense:

• Don’t let one store’s network pass traffic to another. Keep them separated with firewalls and routing rules.

• Don’t get behind on patching! Rather than trying to patch all equipment of the same type at the same time, develop patching groups that can be handled in a timely fashion.

• Use simple tools like the screensavers on your store and office PCs to display messages and reminders about security.

• Look beyond compliance. Passing an audit is a point-in-time check, while security is vigilance and a commitment to protecting your company and your customers.

• If you are secure, you are likely compliant….seek to be secure.


Sources

• LightCyber.com • Wiki • Mastercard • Visa • Trustwave • RIWI

February 25, 2016 Page 27


Q&A


2016 Conexxus Annual Conference
May 1 – 5, Loews Ventana Canyon, Tucson, AZ
Registration is OPEN
Conexxus.org/AnnualConference


About Conexxus

• We are an independent, non-profit, member driven technology organization

• We set standards… – Data exchange – Security – Mobile commerce

• We provide vision – Identify emerging tech/trends

• We advocate for our industry – Technology is policy


• Website: www.conexxus.org
• Email: [email protected]
• LinkedIn Group: Conexxus Online
• Follow us on Twitter: @Conexxusonline
• 2016 Conexxus Annual Conference
• Dec. 17, 2015: Defending the Island: A guide to reducing the risk of skimming