Page 1

“What to do when it all goes wrong”

Core objectives of Information Security

Jonathan Care, VeriSign [email protected]

September 25th 2008

Page 2

Jonathan Care … Who does he think he is?

+ Senior Consulting Manager, VeriSign Enterprise Security Solutions (ESS)
  ▪ Interests: Forensic Computing, PCI, Online Fraud, Cryptography, Technical Security
  ▪ Current clients include telco, retail, banking, online marketing, airlines, logistics, etc.

+ 20 years in Information Security

+ Member of
  ▪ High Tech Crime Investigation Association
  ▪ International Association for Cryptologic Research
  ▪ Expert Witness Institute
  ▪ British Computer Society

+ Former CESG Listed Advisor

+ Certified Fraud Examiner (CFE) and CISSP

+ BS7799 Lead Auditor, ITIL Security Practitioner

Page 3

Anonymity? Not really.

Page 4

Information Security

Where are we now?

Page 5

What has information security been about?

+ For the last twenty years it’s been about
  ▪ Confidentiality
  ▪ Integrity
  ▪ Availability
  ▪ … all things that make sense to IT!

+ BUT
  ▪ IT Staff are not equipped to resist advanced attacks
  ▪ Lawyers (Privacy teams etc.) aren’t either
  ▪ Auditors look for weakness in process
  ▪ Web Developers are not Security Experts

Page 6

Marketable criminal assets on the Internet

+ Networks of compromised computers – botnets

+ Credit card / Debit card numbers

+ Identity theft – server hacking / phishing

+ Hacking attacks – Intellectual property theft / Industrial espionage / kudos

+ SPAM

Page 7

Real Statistics?

Page 8

Real reality

+ “Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given… was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated” – Metropolitan Police

+ “If I report this, I am worried what else the police will find” – Anonymous IT Director

+ “We don’t handle payments so it doesn’t really matter if our code is secure or not” – Web Development firm providing e-commerce (!)

+ “How soon can we start our web server up again?” – Compromised Web Merchant

Page 9

Why commit crimes on the Internet?

+ Potentially High Financial Gain

+ Anonymity

+ Rapid, secure, global communications

+ Global impact – 1 billion plus users (1 in 6 of the world’s population)

+ Virtual marketplace – reduced risks of being detected, disrupted or caught

+ Volatile evidential trail – ISP limited retention of data

+ Cross Border investigations protracted for law enforcement

And… “Because that’s where the money is” – Willie Sutton

Page 10

What’s the solution?

[Diagram: RISK EXPOSURE at the centre, surrounded by Vuln Test, Forensics, Intelligence, Incident Response, Compliance, Monitor, Aware, Architecture and HR Plan]

+ Security Strategy that is informed and able to deal with a complex and changing threat landscape

Page 11

A Taxonomy of Threats

What’s out there?

Page 12

Top 10 threats in 2008

+ “Trusted” web sites exploit browser vulnerabilities

+ Botnets

+ Cyber Espionage including targeted phishing

+ Mobile phone threats

+ Insider Attacks

+ Advanced Identity Theft

+ Increasingly Malicious Spyware

+ Web Application Security Threats

+ Blended Attacks – VOIP, Phishing, Event tracking (oh my!)

+ Supply chain attacks

Page 13

Things not to complete in your inbox

Page 14

An Urgent Email!!

Dear NatWest Bank Member,

This email was sent by the NatWest server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your NatWest login ID, Password and PIN.

This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it.

To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

http://www.natwest.com:[email protected]/3/?JcPhbzKuJntfU9I

[Slide annotations pointing at parts of the link: UserID, Password, REAL Site!, Identifier]
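The link on this slide works because everything before the last "@" in a URL is userinfo, not the server; the browser connects to the host after the "@". As an added defensive check (not part of the deck), this parses a link, reports the host it really goes to, and flags it when the userinfo is shaped like a domain. The sample links and the host attacker-host.example are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Something shaped like a host name, e.g. "www.natwest.com" (constructed pattern).
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def classify_link(url: str) -> dict:
    """Report where a link really goes and whether its userinfo is dressed up as a domain.

    In "scheme://userinfo@host/path" the browser connects to host; the userinfo
    before the last "@" plays no part in choosing the server, so a trusted-looking
    domain placed there is only decoration that a casual reader sees first.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""      # host actually contacted, lower-cased
    shown_first = parts.username or ""    # userinfo text before the ":" (if any)
    has_userinfo = "@" in parts.netloc
    # Suspicious when the leading userinfo looks like a domain that is not the real host.
    spoofed = bool(has_userinfo and DOMAIN_LIKE.match(shown_first)
                   and shown_first.lower() != real_host)
    return {
        "real_host": real_host,
        "shown_first": shown_first,
        "has_userinfo": has_userinfo,
        "suspicious": spoofed,
    }


def triage(urls) -> list:
    """Keep only the links whose userinfo impersonates a domain."""
    return [u for u in urls if classify_link(u)["suspicious"]]


# Constructed samples in the shape of the slide's link; attacker-host.example is a
# placeholder host, not a real indicator.
SAMPLE_LINKS = [
    "http://www.natwest.com:login@attacker-host.example/3/?session=ABC123",
    "https://www.natwest.com/",
    "ftp://alice:secret@files.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```

Modern browsers strip or warn on userinfo in HTTP links, but mail gateways and log parsers still see the raw string, which is where this check belongs.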

Page 15

Hijacking Internet Browsing

Page 16

Highly plausible interception…

Page 17

Why Web Application Risks Occur

+ Developers are not security professionals
  ▪ Application Development stresses functionality
  ▪ Lack of Awareness of security issues in development
  ▪ Lack of effective testing tools in QA
  ▪ Resource constrained development teams

+ Security Professionals are not developers
  ▪ Lack of awareness of application vulnerabilities in security teams
  ▪ Lack of effective testing tools
  ▪ Development cycle missing from security procedures and audits
  ▪ Security scrutinise the desktop, the network, and the server. The web application is missing.

Page 18

What is identity theft/identity fraud?

+ Refers to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception.

+ It is estimated that ID theft costs the British economy alone £1.7 Billion and 100,000 people are targeted each year

These are not real, and can be obtained over the internet.

Page 19

Compliance - PCI

Affordable perfection and avoidable risks

Page 20

The Standards

PCI PED / PCI PA-DSS / PCI DSS

+ PCI PED addresses device characteristics impacting security of PIN Entry Device (PED) during financial transactions

+ PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorisation or settlement, where those applications are sold, distributed or licensed to third parties.

+ PCI DSS applies to any entity that stores, processes and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment

[Diagram: which standard applies where]
  ▪ Stand Alone PED Device: PCI PED applies – PED device only
  ▪ PEDs integrated with payment applications (POS, Kiosk), and Payment Applications (e.g. Web Cart, POS) in the Merchant/Service Provider Environment: PA-DSS may apply
  ▪ Merchant’s and Service Provider’s Cardholder data environment: PCI DSS applies – Systems and networks

Page 21

Sensitive Information in PCI

                                        Storage     Protection   PCI DSS
Data Element                            Permitted   Required     Req. 3.4
Cardholder Data
  Primary Account Number (PAN)          YES         YES          YES
  Cardholder Name                       YES         YES          NO
  Service Code                          YES         YES          NO
  Expiration Date                       YES         YES          NO
Sensitive Authentication Data
  Full Magnetic Stripe                  NO          N/A          N/A
  CVC2/CVV2/CID/CAV2                    NO          N/A          N/A
  PIN/PIN Block                         NO          N/A          N/A
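The table says a PAN may be stored only if it is rendered unreadable (Req. 3.4) and that CVC2/CVV2/CID/CAV2 values may never be stored at all. As an added example, not from the deck, this scans text such as application log lines for Luhn-valid card numbers and for a CVV-style field beside them, and shows the truncated first-six/last-four form that Req. 3.4 accepts. The log lines are constructed, and 4111111111111111 is a well-known test card number rather than a real PAN.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes (constructed pattern).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVC2/CVV2/CID/CAV2-style field: sensitive authentication data, never to be stored.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Truncated form (first six, last four) that Req. 3.4 accepts for a stored PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers in text as (as_written, truncated) pairs."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append((m.group(0), truncate_pan(digits)))
    return found


def scan_log(lines) -> list:
    """Flag lines holding a clear-text PAN (Req. 3.4) or sensitive authentication data."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        has_cvv = CVV_FIELD.search(line) is not None
        if pans or has_cvv:
            findings.append({"line": n, "pans": [t for _, t in pans],
                             "sensitive_auth_data": has_cvv})
    return findings


# Constructed log lines; 4111111111111111 is a published test card number, not a real PAN.
SAMPLE_LOG = [
    "2008-09-25 10:01:02 order=1001 pan=4111111111111111 cvv2=123 amount=19.99",
    "2008-09-25 10:01:03 order=1002 pan=411111******1111 amount=5.00",
    "2008-09-25 10:01:04 order=1003 session=1234567890123 amount=42.00",
]
```

Only the first line is reported: it stores a full PAN and a CVV2; the second already holds the truncated form and the third's 13-digit session id fails the Luhn check.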

Page 22

Why are Companies Failing PCI Assessments?

Percentage of assessments failing   PCI requirement
79%   Requirement 3: Protect stored data.
74%   Requirement 11: Regularly test security systems and processes.
71%   Requirement 8: Assign a unique ID to each person with computer access.
71%   Requirement 10: Track and monitor all access to network resources and cardholder data.
66%   Requirement 1: Install and maintain a firewall configuration to protect data.
62%   Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
60%   Requirement 12: Maintain a policy that addresses information security.
59%   Requirement 9: Restrict physical access to cardholder data.
56%   Requirement 6: Develop and maintain secure systems and applications.
45%   Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

Source: VeriSign Whitepaper on Top Reasons for PCI Failure, based on a sample of over 100 assessments: https://www.verisign.com/cgi-bin/go.cgi?a=w63130157259894009

Page 23

Timeframes for a PCI incident investigation

+ Timeframes (e.g., flexibility on critical events)
  ▪ Standard event timeframes
    – Visa client must identify forensic company within 5 days
    – Visa client must ensure contract is signed within 10 days
    – Forensic investigator must be onsite within 5 days from signed contract
    – Preliminary forensic report to be provided to Visa within 5 days from onsite work
    – Final forensic report to be provided to Visa within 10 business days from the completion of the review
  ▪ Critical event timeframes can be even more immediate!

+ Visa will levy fines to clients in the event of delays

Page 24

PCI Forensic Investigation Requirements

• VISA appointed forensic reports must include:
  ▪ All external connectivity points and network topology including firewalls, routing schema, VLANs, etc. between compromised systems and surrounding networks
  ▪ A review of the entire debit and/or credit processing network to identify all compromised or affected systems

• External Investigators will perform incident validation and assessment:
  ▪ Establish how compromise occurred
  ▪ Identify the type of data stored, sniffed, and transferred out of the network (Visa/Plus/Interlink/Pre-Paid accounts)
  ▪ Recover data deleted by intruder
  ▪ Number of accounts at risk (stored, sniffed, and transferred)
  ▪ Determine the timeframe of compromise
  ▪ Determine transaction dates of compromised cardholder data

Page 25

Three things to do right now

+ Plan for incidents
  ▪ What would you do if your website was hacked?

+ Initiate a penetration testing program
  ▪ Internal vulnerability scans
  ▪ Web site testing
  ▪ External attacks

+ Review information management
  ▪ Data protection
  ▪ PCI
  ▪ Third parties
    – Data warehouses
    – Call Centres
    – Processors

Page 26

Questions + Answers

Page 27

Thank You

Jonathan Care, Verisign ESS

[email protected]

Tel: 0800 032 2101

IR&F: 01344 609313