From Data Breach to PCI Compliance
Jose Cruz, Director of IT
www.nanettelepore.com
Agenda
- Background
- Security threats facing the industry
- 2007 security breach
- Installing the current security infrastructure
- Lessons learned from 2007
- 2008 DDoS attack
- Today's best practices for network security in the era of Web 2.0 tools
About Nanette Lepore
- Haute couture fashion designer
- 9 boutiques in the U.S.: New York, Los Angeles, Bal Harbour, Chicago, Las Vegas, Boston and Chevy Chase
- 1 boutique in London
- Clothes distributed in Bergdorf Goodman, Neiman Marcus, Nordstrom and Saks Fifth Avenue
Security Threats Facing the Design Industry
- In 2007, Nanette Lepore was representative of what other designers were doing
  - Networks were wide open
  - Security was an afterthought
- Mostly worried about design theft, fraud and knock-offs
- 2007 was the era before PCI compliance
Nanette Lepore's 2007 Attack
- In 2007, the Las Vegas store manager receives information from several customers about credit card charges originating in Italy and Spain
- Store manager contacts IT; Las Vegas Police contacted
- FBI is contacted and takes all equipment for forensic review
- Las Vegas store closed on a Saturday
- All remote connections (VPN) to HQ closed
Nanette Lepore's 2007 Attack
- The hackers changed the configuration file for a Netopia router, compromised the POS system, captured screens of customers' credit card purchases and sold them to someone in Spain
- Router identified to be controlled by ISP
- Router contained IP routes not part of ISP, but still worked
- Keyboard logger and screen captures made at 2-second intervals
  - FTP'd screenshots to Georgia
  - Manufacturing in Italy
  - Sold to card distributor in Spain
- Cards tested at McDonald's in Spain and other minor purchases in Italy
Nanette Lepore's 2007 Attack (continued)
- Caught security breach early
  - Store manager has close relationship with customers
  - Small window of opportunity: collected 300 Layer 3 entries
  - Called in L.V.P.D. computer crime lab to investigate, and FBI got involved
- Las Vegas store shut down
- Manually collected POS via remote desktop for 1 week for all stores
Nanette Lepore's Security Infrastructure
- Worked with FBI, PCI, and Webistix to revamp store
- Limited firewall vendors in 2007 doing PCI compliance testing
- Webistix recommends testing SonicWALL TZ180
- Two third-party auditing firms hired by PCI review and confirm PCI compliance
- Firewall configuration becomes template for all stores
Nanette Lepore's Security Infrastructure (con't.)
- Install new router, backoffice server
- POS system could not be replaced, but was cleaned
- Firewall installed
  - PCI requires a separate subnet for credit card transactions, and only credit card transactions
  - Second subnet set up for backoffice server, POS, and manager use
  - Firewall must perform DPI, VPN, etc.
- FBI recommendations
  - Motion-activated cameras with specific locations
  - Physical layout
- Las Vegas store reopened following Tuesday
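As an added example that is not part of the presentation: a small Python audit over constructed firewall connection records, checking the segmentation this slide calls for (a card-transaction subnet that only talks to the payment processor, and a back-office subnet with no file-transfer egress of the kind the 2007 malware used). The subnets, processor address and HQ VPN address are assumed placeholders, not the company's real addressing.

```python
"""Added example, not from the original presentation: audit firewall connection
records against the store segmentation described on the slides. Subnets, hosts
and log lines are constructed for illustration (RFC 1918 / RFC 5737 ranges)."""
from collections import namedtuple
import ipaddress

CARD_SUBNET = ipaddress.ip_network("10.10.1.0/24")        # payment terminals only
BACKOFFICE_SUBNET = ipaddress.ip_network("10.10.2.0/24")  # server, POS, manager PCs
PAYMENT_PROCESSOR = ipaddress.ip_address("203.0.113.10")  # assumed processor endpoint
HQ_VPN_PEER = ipaddress.ip_address("198.51.100.5")        # assumed HQ firewall
# Protocols with no business leaving a store network; the 2007 exfiltration moved screenshots over FTP.
BLOCKED_EGRESS_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 69: "tftp"}

Flow = namedtuple("Flow", "src dst dport proto")  # one connection record (initiator -> responder)

def parse_flow(line):
    """Parse a constructed 'src=... dst=... dport=... proto=...' record."""
    kv = dict(part.split("=", 1) for part in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                int(kv["dport"]), kv["proto"].lower())

def check_flow(f):
    """Return a violation label, or None if the connection fits the policy."""
    if f.src in CARD_SUBNET:
        # Card subnet may only open TLS to the processor or reach the VPN tunnel to HQ.
        if (f.dst == PAYMENT_PROCESSOR and f.dport == 443 and f.proto == "tcp"
                or f.dst == HQ_VPN_PEER):
            return None
        return "card-subnet connection outside the payment path"
    if f.dst in CARD_SUBNET:
        # Nothing initiates connections into the card subnet, not even manager PCs.
        return "inbound connection into card subnet"
    if (f.src in BACKOFFICE_SUBNET and f.dst not in BACKOFFICE_SUBNET
            and f.dport in BLOCKED_EGRESS_PORTS):
        return BLOCKED_EGRESS_PORTS[f.dport] + " egress from back-office subnet"
    return None

def audit(lines):
    """Return [(record, violation)] for each connection that breaks the policy."""
    checked = [(line, check_flow(parse_flow(line))) for line in lines]
    return [(line, violation) for line, violation in checked if violation]

# Constructed sample: two legitimate connections, two that mirror the breach.
SAMPLE_LOG = [
    "src=10.10.1.20 dst=203.0.113.10 dport=443 proto=tcp",  # terminal -> processor
    "src=10.10.2.15 dst=198.51.100.5 dport=500 proto=udp",  # back office -> HQ VPN
    "src=10.10.2.30 dst=192.0.2.77 dport=21 proto=tcp",     # POS host FTPing outward
    "src=10.10.2.15 dst=10.10.1.20 dport=3389 proto=tcp",   # manager PC -> terminal
]
```

Running `audit(SAMPLE_LOG)` flags only the last two records, which is the kind of alert a gateway report would have raised had the segmentation been in place in 2007.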
Nanette Lepore's Security Infrastructure
- After a review by Webistix following the 2007 attack, the company recreated its security infrastructure as a distributed security network across the stores and its main warehouse, POS system, inventory management and business applications
- Mobile-centric and Mac-based company
- Designed its infrastructure to let employees securely and remotely access the retail database and inventory database from any device
  - Allows Mac, PowerBook, iPhone or Pocket PC on any platform into the system (Mac or PC)
  - All employees have locked-down endpoint security
Nanette Lepore's Security Infrastructure (con't.)
- SonicWALL e-mail security gateway blocks up to 20,000 e-mails/day
- TZ 170s for wireless networks
- SonicWALL 3060 and SSL VPN Gateway
- SonicWALL CDP for back-up and redundancy (hosted offsite and online for replication)
- Other gear includes Cisco, Netgear, Powerlink and Netopia; all are handed off to the SonicWALL security infrastructure
- Windows 2003 Active Directory
- Mac Open Directory server
- Oracle Systems
- Accounting Systems with MAS 500
- For bandwidth control, redundancy, fault tolerance and instant disaster recovery: trunked into a 100M WAN aggregator, which allows multiple ISP sources (including T1 and Wi-Max) to trunk into 1 piece of equipment to 1 Ethernet to SonicWALL
- For mobile-centric environment: Exchange connectivity for iPhones
- Amount of redundancy and fault tolerance sets a standard for the industry
Infrastructure for Remote Locations
- For the showrooms
  - Use SonicWALL TZ180s for PCI compliance and security
  - SonicWALL GMS reports provide detail on potential intrusions
  - Keeps track of intrusions before they happen
  - Eyes in the sky
  - Automated monitoring and alerts
  - Employee knowledge is the first line of defense
2008 DDoS Attack
- In 2008, a DDoS attack from Asia hit Nanette Lepore
  - Company e-mails delayed
  - Admin got kicked off the company's central server
  - Sales machines at the company's 8 boutiques were routinely getting bumped off-line when they tried to connect to the central server
Nanette Lepore Was Prepared
- Had installed redundant servers, with multiple links between stores, the company's central database, and the Internet
- Web hosting was offsite, its security software up to date; WAN aggregator did its job and caught the intrusion, and SonicWALL renegotiated its handoffs
- Issues with flip/flop
- ISP switched off the link that was being bombarded and established a secondary link for the stores to use
- Returned to normal 3 days later
- Good opportunity to review and enhance system
Lessons Learned
- PCI compliance changed the way security infrastructure is managed
  - Employees each have log-ins
  - Automatically logs out employees who are inactive for a predetermined amount of time
  - Gateway intrusions
  - Password rotation: forced changes every 45 days
Lessons Learned (continued)
- Deal with IT security needs first
  - Don't just opt for the least expensive solution
  - Tried and tested equipment
  - In the case of security threats, make decisions on how it affects the consumer
  - Catch it and work with the threat early on
- Acknowledge each employee has a role in the company
  - Training on policies
  - Understanding the 'why' behind them
Today's Real Security Threat: Web 2.0 Tools
- There will always be DDoS attacks and security breaches, but real threats come from Web 2.0 tools (Twitter, YouTube, Facebook)
- In brand creation, Web 2.0 tools are a necessity at Nanette Lepore
  - At first, limited Twitter and social media tools up front
  - Realized Nanette needs to be in tune with the public and trends in the market
  - Facebook, Twitter and MySpace used day to day to interact with fan base
  - Use of proxies and isolated networks
  - Difference between threats to Mac and PC
Best Practices for Balancing Network Performance & Web 2.0 Tools
- Authentication is key
  - Standardize desktops and implement mandatory log-ins
  - Integrate into Active Directory and Microsoft Directory
  - Implement policies for remote users
- Keep in mind Mac vs. PC
  - For support: 1 admin per 60 Macs; 1 admin per 20 Windows
  - Macs primarily handled by gateway
    - Not compromised on the desktop
    - Remote sites are Mac-based
  - Windows are entirely locked down
    - Accounting has access to Web 2.0 tools in their conference room
Best Practices for Balancing Network Performance & Web 2.0 Tools (continued)
- Don't just buy the cheapest equipment
- If resources are limited, use partners with good value-added capabilities
  - Partners provide dynamic advantages
  - Watchdog services
  - Day-to-day workflow issues in production and design
Best Practices for Balancing Network Performance & Web 2.0 Tools (continued)
- Realize all resources available
  - Employees
  - Law enforcement (FBI, local)
  - Standards organizations (PCI)
  - Resellers
  - Manufacturers
  - Non-profit security groups
    - Information Systems Security Association
    - InfraGard
    - Information Systems Audit and Control Association
    - List of others at http://csrc.nist.gov/csrc/professional.html
Thank You
Jose Cruz, Director of IT
www.nanettelepore.com