The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely


Upload: thomas-burg

Post on 15-May-2015


DESCRIPTION

In light of the recent security breaches against payment systems (most prominently Target), running BASE24 securely is becoming even more important than before. This presentation discusses the Verizon Data Breach Investigations Report (VDBR) with a focus on its relevance for securing BASE24 systems. It also discusses the (sad!) state of computer security today, how this came about and what can be done about it.

TRANSCRIPT

Page 1: The Verizon 2012/2013 Data Breach Investigations Reports - Lessons Learned for Running BASE24 Securely

As many slides are somewhat empty "by design", you will find slide notes to the right where required. The preparation for this presentation used mostly the 2012 report, but the 2013 report has appeared by now as well; hence the two years in the title.

copyright (2013, 2014) comForte 21

Page 2:

The speaker has a long history in IT security:

- The first mind-boggling event was a SANS training he attended in Washington in 2002: most of today's "new attack vectors" were discussed in detail back then already.
- Over the years, he has given probably hundreds of presentations on IT security, the topics being SSL, SSH, single sign-on and platform security.
- Sometimes the speaker bores himself.
- While the players in the HP NonStop world are all good and honest companies, the Verizon Data Breach Investigations Report (VDBR) comes from real incident data and from a large company in the IT security space.
- A problem today is that the talk is limited to 30 minutes only, and the speaker would like to talk about the topic for 8 hours:
  - IT security is complicated and also counterintuitive here and there.
  - The VDBR is an 80-pager.

Page 3:

This word map shows word frequency in the various articles the author has written over the past decade:

2001-0910 Securing your NSK system
2003-0708 NonStop Network Security
2005-0910 Secure File Transfer
2006-0102 comForte and mandates
2008-0102 PCI Encryption Requirements
2011-0910 SecurData-Tokenization
2012-08 Nightmare on PCI street
2012-0304 SecurData-Auditing
2013-0304 PCI Compliance Deconstructed

The HP NonStop platform was formerly known as "Tandem computers" and is the focus of the company comForte; hence the focus of his articles on that platform. The articles are available on the comForte web site at http://www.comforte.com/news/in-the-media/articles-by-comforte/

Page 4:

Rather than focus on technical details, the goal of this presentation is a mind change of the audience:

• Bad news!
• Surprising news!
• Please don't kill the messenger…

Page 5: (no slide notes)

Page 6:

History:

- Has been around since about 2005.
- Based on actual breaches (!); the Verizon team does the forensics.
- Anonymized:
  - No companies are named.
  - Data is aggregated.
  - But still based on real incidents.
- Small sample size (see later), but it does not get *any* better in terms of honest information.
- Presentation focusing on the 2012 report (because the speaker has read it in full), a 76-pager.
- The 2013 report was just released and has only been skimmed so far, a 62-pager.

Note: The author fully acknowledges the copyright of the DBIR; this is a great resource. You can (and should!) download the full report yourself. You'll find plenty of screenshots in the upcoming slides.

Page 7: (no slide notes)

Page 8: (no slide notes)

Page 9: (no slide notes)

Page 10: (no slide notes)

Page 11:

Note: for BASE24, *neither* is typically done (PCI DSS Requirement 3.4 not addressed; no proper automatic data discovery; event logs not present and/or not fed into the company SIEM system).

Page 12:

Note that "external agents" are responsible for nearly all attacks. We shall see later why this is the case.

Page 13:

Note that many attacks go undetected for months (!) and are only detected once the fraudulent transactions resulting from a breach are noticed by end customers.

This has been the case in the very recent Neiman Marcus incident (which occurred after this presentation was given).

Page 14:

Today's typical breach does not use a single vulnerability any more; that is why prevention involves a full framework of proper measures, as set forth e.g. in the PCI standard.

Page 15:

(graphic from the author)

Note the

• shift from "simple" to "complex" viruses;
• shift from "for fun"/"hacking" to commercial or state-sponsored interest.

Beyond this, there is a new quality of the attacks: APTs, Advanced Persistent Threats. We cannot talk about this due to time constraints, but APTs are typically characterized by a multi-step attack as shown on the prior slide.

Page 16:

(Graphic from blog with URL)

As mentioned before, the timeframe for an attack can easily be weeks or months, as the attacks are "multi-staged". ((Side note: none of these techniques are new; they have been known in the security community for 10+ years.))

Note the "targeted server": the attacker was looking for specific source code and found it. Servers (rather than user workstations) are increasingly becoming the target of attacks.

It is only the increased motivation of the attacker which made this possible; this slide digests the attack against the security company RSA in some depth.

Page 17: (no slide notes)

Page 18:

Well, this is the key message, so please pardon the non-subtlety of this slide…

The good news is that this can be addressed relatively easily: compared to the cost of running a BASE24 system, the "cost to improve the security posture massively" is rather low.

Page 19: (no slide notes)

Page 20:

CEO thoughts (as the author assumes them): Yeah, there is all this "hacking stuff" going on, but it is not going to happen to *us*. After all, we have been PCI audited. And we have increased security spending. By the way, I am very busy on plenty of other, more important, topics.

Page 21:

Your thoughts (?): Well, it is kind of amazing what is possible these days; but boy, are we increasing our work; I can barely keep up with the bl**dy PCI audits.

Page 22:

This is my view, and probably the view of the best auditors as well: mostly, the attackers have won. It happened to Sony, RSA, NYT. It is not a question of IF but more of WHEN and HOW you'll be breached.

[[Note: that does *not* mean giving up is an option; we'll talk about that later.]]

Addendum January 2014: this presentation was prepared and given _before_ the Target breach.

Page 23:

To be honest, this is somewhat of a mystery to the author, after spending 10+ years focusing on IT security. Really. Some suggestions follow.

So why on earth is BASE24 *never* protected properly? The author's suggestions:

- There is typically a large "organizational disconnect" between the CSO, CIO, CFO and CEO.
- The attackers, on the other hand, are very well connected and organized.
- Who owns security anyway? That is a difficult question in every organization: is it the platform owner? The application owner? The CSO? The CIO? The CEO?
- Penny-pinching IT costs:
  - For banks, IT is typically 6 % of the global budget.
  - IT is often used as the asset where savings can be applied whenever the economy is bad.
  - It should be noted that the BASE24 application is *very* profitable, but cost is saved anyway.

Let's assume this to be the case for now. If you need convincing, that'll take an extra 30 min (or more). But the list of companies being breached does speak for itself.

Page 24: (no slide notes)

Page 25:

Question to audience:

- Any surprises so far?
- Did I reach my goals as stated in the beginning?
- Do you agree that the state of computer security today is somewhat dire? [[Note: we are hoping for a "yes" here; this leads over to the next slide!]]

Page 26:

Options are to …

- ignore the issue, or
- hope that it does not happen to you, or
- do something.

Page 27:

[Note: the presentation now moves on to products comForte is selling]

We have two products which implement

- data discovery and
- encryption of data at rest

for your BASE24 system(s). They do _not_ cost a fortune and massively improve your security posture!

Page 28:

Note the two highlighted Requirements 3 and 10: SecurData can strengthen your posture in both areas.

And unless you have done proper data discovery (e.g. with the PANfinder product), you (1) will not know whether you are really protecting all relevant files on your NonStop and (2) will not be able to prove it to your auditor.
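The "proper automatic data discovery" called for on this slide and on slide 11 comes down to finding every place a PAN lives before deciding what to encrypt or tokenize. The Python script below is an added example for this page; it is not PANfinder, not comForte code and not taken from the slides. It assumes line-oriented text records (the sample records, their field names and timestamps are constructed and hypothetical) and reports 13 to 19 digit runs that pass the Luhn check as candidate PANs, showing them masked per PCI DSS Requirement 3.3 (first six, last four) rather than in the clear. Structured or binary record files need a layout-aware reader instead of line splitting, and a Luhn match is only a candidate: expect false positives on other numeric identifiers and confirm hits against the application's field definitions.

```python
"""Minimal PAN discovery pass over text records (added example, not PANfinder)."""
import re
from typing import List, NamedTuple

# A candidate PAN is a run of 13 to 19 digits, optionally separated by single
# spaces or dashes, that is not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    offset: int    # 0-based column where the candidate starts
    masked: str    # PAN rendered per PCI DSS 3.3 (first six, last four)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Finding]:
    """Scan line-oriented text and return Luhn-valid PAN candidates, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, match.start(), mask_pan(digits)))
    return findings


# Constructed sample records (hypothetical format, not real BASE24 output).
# The PANs are the well-known Visa and Amex test numbers; the PAN on line 2
# fails Luhn, and line 3 carries a 20-digit trace number that must not be
# reported as a card number.
SAMPLE_LOG = """\
2013-10-02 14:03:11 TXN 000123 PAN=4111111111111111 AMT=2500 RC=00
2013-10-02 14:03:12 TXN 000124 PAN=4111 1111 1111 1112 AMT=1000 RC=05
2013-10-02 14:03:13 TXN 000125 TRACE=12345678901234567890 RC=00
2013-10-02 14:03:14 TXN 000126 PAN=378282246310005 AMT=4200 RC=00
"""


def scan_report(text: str = SAMPLE_LOG) -> List[str]:
    """Human-readable report lines; never echoes the clear-text PAN."""
    return [f"line {f.line_no} col {f.offset}: {f.masked}" for f in find_pans(text)]


if __name__ == "__main__":
    for report_line in scan_report():
        print(report_line)
```

Run against real files, the report (file, record, field, masked value) is also the evidence behind point (2) above: it lets you show an auditor that the set of files covered by Requirement 3.4 (encryption, truncation, hashing or tokenization) matches the set of files in which PANs were actually found.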

Page 29:

This is a suggested order of doing this, which takes the following into account:

• ease of implementation
• priority as per the PCI Prioritized Approach
• budgetary constraints

The color of the arrows marks how often this is typically done in the experience of the author, with green meaning "most companies do this". You will notice that there is very little green.

Page 30:

This should only be started once Phase 1 has been completed.

Note: it is absolutely recommended to actually start with Phase 1 rather than trying to combine Phase 1 and Phase 2 into a "big bang" scenario. Your PCI auditor wants to see progress early…

Again, the color of the arrows marks how often this is typically done in the experience of the author. There is no green at all here, indicating that Phase 2 is very rarely done in the experience of the author.

Page 31:

This is a graphical summary of the presentation today, starting at the upper right and moving in a half-circle counterclockwise.

Page 32: (no slide notes)