The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24...
DESCRIPTION
In light of the recent security breaches against payment systems (most prominently Target), running BASE24 securely is becoming even more important than before. This presentation discusses the Verizon Data Breach Investigations Report (VDBR) in detail, with a focus on its relevance to securing BASE24 systems. It also discusses the (sad!) state of computer security today, how this came about and what can be done about it.
TRANSCRIPT
As many slides are somewhat empty “by design”, you will find slide
notes to the right where required.
The preparation for this presentation used mostly the 2012 report,
but the 2013 report has appeared by now as well; hence the two years in
the title.
copyright (2013, 2014) comForte 21 1
The speaker has a long history in IT security
- The first mind-boggling event was a SANS training he attended in
Washington in 2002: most of today's "new attack vectors" were
discussed in detail back then already
- Over the years, he has given probably hundreds of presentations on
IT security, the topics being SSL, SSH, Single Sign-On, and
platform security
- Sometimes the speaker bores himself
- While the players in the HP NonStop world are all good and
honest companies, the Verizon Data Breach Investigations Report
(VDBR) comes from real incident data and from a large
company in the IT security space
- A problem today is that the talk is limited to 30 minutes only, and
the speaker would like to talk about the topic for 8 hours
- IT security is complicated and also counterintuitive here
and there
- The VDBR is an 80-page document
This word map shows word frequency in the various
articles the author has written over the past decade:
2001-0910 Securing your NSK system
2003-0708 NonStop Network Security
2005-0910 Secure File Transfer
2006-0102 comForte and mandates
2008-0102 PCI Encryption Requirements
2011-0910 SecurData-Tokenization
2012-08 Nightmare on PCI street
2012-0304 SecurData-Auditing
2013-0304 PCI Compliance Deconstructed
The HP NonStop platform was formerly known as
"Tandem computers" and is the focus of the
company comForte; hence the focus of his articles
on that platform. The articles are available on the
comForte web site at
http://www.comforte.com/news/in-the-media/articles-by-comforte/
Rather than focusing on technical details, the goal of this presentation is
a change of mind in the audience:
• Bad news!
• Surprising news!
• Please don’t kill the messenger…
History:
- Has been around since about 2005
- Based on actual breaches (!); the Verizon team does the forensics.
- Anonymized:
- No companies are named
- Data is aggregated
- But still based on real incidents
- Small sample size (see later), but it does not get *any* better in
terms of honest information
- This presentation focuses on the 2012 report (because the speaker has read it in
full), a 76-page document
- The 2013 report was just released and has only been skimmed so far; it is a 62-page document
Note: The author fully acknowledges the copyright of the DBIR,
this is a great resource. You can (and should!) download the full
report yourself. You’ll find plenty of screenshots in the
upcoming slides.
copyright (2013, 2014) comForte 21 6
copyright (2013, 2014) comForte 21 7
copyright (2013, 2014) comForte 21 8
copyright (2013, 2014) comForte 21 9
copyright (2013, 2014) comForte 21 10
Note: for BASE24, *neither* is typically done (PCI 3.4 is not
addressed; there is no proper automatic data discovery; event logs are not
present and/or not fed into the company SIEM system)
Note that ‘external agents’ are responsible in nearly all attacks. We
shall see later why this is the case.
Note that many attacks go undetected for months (!) and are only
detected once the fraudulent transactions resulting from a breach are
noticed by end customers.
This was the case in the very recent Neiman Marcus incident
(which occurred after this presentation was given).
Today's typical breach no longer relies on a single vulnerability;
that is why prevention involves a full framework of proper measures,
as set forth e.g. in the PCI standard.
(graphic from the author)
Note the
• Shift from "simple" to "complex" viruses
• Shift from "for fun"/"hacking" to commercial or state-sponsored
interest
Beyond this, there is a new quality to the attacks: APTs, Advanced
Persistent Threats. We cannot cover them due to time constraints,
but APTs are typically characterized by a multi-step attack as shown on
the prior slide.
(Graphic from blog with URL)
As mentioned before, the timeframe for an attack can easily be
weeks or months as the attacks are "multi-staged". ((Side note: none
of these techniques are new; they have been known in the security
community for 10+ years.))
Note the "targeted server": the attacker was looking for specific
source code and found it. Servers (rather than user workstations) are
increasingly becoming the target of attacks.
It is only the increased motivation of the attacker which made this
possible; this slide digests the attack against the security company
RSA in some depth.
Well, this is the key message, so please pardon the non-subtlety of
this slide...
The good news is that this can be addressed relatively easily:
compared to the cost of running a BASE24 system, the "cost to
improve the security posture massively" is rather low.
CEO thoughts (as the author assumes them): Yeah, there is all this
'hacking stuff' going on, but it is not going to happen to *us*. After
all, we have been PCI audited. And we have increased security
spending. By the way, I am very busy with plenty of other, more
important, topics.
Your thoughts (?): Well, it is kind of amazing what is possible these
days; but boy, is our workload increasing; I can barely keep up with
the bl**dy PCI audits.
This is my view, and probably the view of the best auditors as well:
Mostly, the attackers have won. It happened to Sony, RSA, NYT. It is
not a question of IF but rather of WHEN and HOW you'll be breached.
[[Note: that does *not* mean giving up is an option; we'll talk about
that later]]
Addendum January 2014: this presentation was prepared and given
_before_ the Target breach.
To be honest, this is somewhat of a mystery to the author,
even after spending 10+ years focusing on IT security.
Really. Some suggestions follow:
So, WHY ON EARTH IS BASE24 *NEVER*
PROTECTED PROPERLY? The author's suggestions:
- There is typically a large "Organizational Disconnect"
between the CSO, CIO, CFO and CEO
- The attackers, on the other hand, are very well
connected and organized
- Who owns security anyway? That is a difficult question
in every organization: is it the platform owner? The
application owner? The CSO? The CIO? The CEO?
- Penny-pinching on IT costs
- For banks, IT is typically 6 % of the global
budget
- IT is often treated as an asset where savings can be
applied whenever the economy is bad
- It should be noted that the BASE24 application
is *very* profitable, but costs are cut anyway
Let's assume this to be the case for now. If you need
convincing, that'll take an extra 30 min (or more). But the
list of companies that have been breached does speak for itself, doesn't it?
Questions to the audience:
- Any surprises so far?
- Did I reach my goals as stated in the beginning?
- Do you agree that the state of computer security today is
somewhat dire? [[Note: we are hoping for a "yes" here; this
leads over to the next slide!]]
Options are to...
- Ignore the issue, or...
- Hope that it does not happen to you, or...
- Do something
[Note: the presentation now moves on to products comForte is
selling]
We have two products which implement:
- Data discovery
- Encryption of data at rest
for your BASE24 system(s). They do _not_ cost a fortune and
massively improve your security posture!
Note the two highlighted Requirements 3 and 10: SecurData can
strengthen your footprint in both areas.
And unless you have done proper data discovery (e.g. with the
PANfinder product), you (1) will not know whether you are really
protecting all relevant files on your NonStop and (2) will not be able to
prove it to your auditor.
This is a suggested order of doing this which takes the following into
account:
• Ease of implementation
• Priority as per the PCI Prioritized Approach
• Budgetary constraints
The color of the arrows marks how often this is typically done in the
experience of the author, with green meaning "most companies do
this". You will notice that there is very little green.
This should only be started once Phase 1 has been completed.
Note: it is absolutely recommended to actually start with Phase 1 rather
than trying to combine Phase 1 and Phase 2 into a "big bang"
scenario. Your PCI auditor wants to see progress early...
Again, the color of the arrows marks how often this is typically done
in the experience of the author. There is no green at all here,
indicating that Phase 2 is very rarely done in the experience of the
author.
This is a graphical summary of the presentation today, starting at the
upper right, moving in a half-circle counterclockwise.