• No results found

Compliance is not enough

N/A
N/A
Protected

Academic year: 2021

Share "Compliance is not enough"

Copied!
19
0
0

Loading.... (view fulltext now)

Full text

(1)

Compliance is not enough

Thomas Leeb

Director Business Development CSP EMEA

(2)

About CSP

Based in Toronto, Canada.

NonStop® DSPP Partner since

1987.

Develop, Support and Distribute

Security and Audit Solutions for

the HP NonStop® Market.

Over 250 Customers and over

Over 250 Customers and over

1000+ licenses World Wide

Customers include:

– Largest Banks

– Major Stock Exchanges – Defense and Healthcare

organizations

– Telecommunications – Manufacturers

(3)

Agenda / Why should you care ?

• Data breaches and resulting costs still increasing

• PCI DSS

– Has it really helped to improve security ?

– What are observations and learnings so far ?

– Lessons from the „Heartland“ case

– Lessons from the „Heartland“ case

• Approaching Security

– Security = minimise risk = decrease probability * decrease impact

– So how to deal with Compliance requirements like PCI DSS then ?

– Establishing a solid ISMS

(4)

Costs resulting from Data Breaches

Overall Costs continue to rise

Study 2009 : 45 US organisations from 15 different industry sectors

Avg. Costs per organisation: 6,75M$ (204 US$ / rec)

Largest case 101.000 records – 31 M$ in breach related costs

(or 307 US$ / rec)

Source : Ponemon Institute (Study 2009)

increasing focus on implementing automated IT-security solutions

– Identity and access management solutions – Expanded use of encryption

– Dataloss prevention solutions – Endpoint security solutions

Data breaches from malicious attacks doubled from 2008 to 2009

– „data-stealing“ malware increasing

Organisational Leadership

(5)

Mar, 2008 : Hannaford –

Data breach affected millions of shoppers

Intrusion into computer network of supermarket chain (Maine, US)

Forced banks to reissue millions of credit and debit cards

MBA reported 70 of its member banks were contacted by Visa, MC

4.2M Credit & debit card numbers stolen during transmission

Included data from magnetic stripe

Source : Computerworld

Hannaford instructed consumers to check their card statements

Felt they met and in many cases exceed industry standards on

security measures

Now „committed to take whatever steps may be necessary“ to

enhance security

(6)

Dec 23rd, 2008 - RBS Worldpay

Data breach resulting in ATM heist – 9M$ stolen

Hackers broke into database to get personal data

1.5 M cardholders affected

Social security numbers of 1.1M individuals may have been

accessed

Information included financial data on payroll cards

Source : Computerworld

Personal information „may“ have been affected

Feb 6th : coordinated attack on Nov 8th by „cashers“ withdrawing

9M$ using counterfeit cards on 130 ATMs, in 49 cities,

within 30 minutes

Hackers able to mess with card limits ? (100 cards)

FBI spokesman :

„People are out there attacking computers every day,

but this one is different in scope, timing and coordination of the attack.“

(7)

Jan 20, 2009 : Heartland –

Card processor victim of largest data breach

Visa, MC alerted about suspicious transaction activity, Heartland found

evidence of malicious software compromising data

Forensic exams has shown multiple instances across their network

Processing >100M tx/mth for >250k merchants and hundrets of banks

Included card numbers, exp and Track-2 data

Dropped from PCI compliance by Visa, recertified since then

Source : Computerworld

Dropped from PCI compliance by Visa, recertified since then

Gartner :

– „Cybercrooks are increasingly targetting payment processors. Attacking processors much more serious than retailers“

– „More radical moves required, PCI is clearly not enough“

Feb 13th : over 440 financial institutes affected in 40 U.S. states, Canada

and outside, lawsuits ongoing – meanwhile corrected to 673

May 2009 : Intrusion occured in May 2008, not detected until Jan

Oct 5th, 09 : breach believed to have started in Dec 2007 already

(8)

PCI DSS – some observations

„PCI DSS has done little to stop payment card data thefts“

„the standard is clearly not enough to protect cardholder data“

Hannaford

– certified just one day after they were informed about the system intrusions. – received PCI certification while intrusion was in progess.

RBS Worldpay and Heartland were both certified prior breaches.

Source : Computerworld (related to Hearing at US House of Representatives)

RBS Worldpay and Heartland were both certified prior breaches.

Voices of US retailers :

– „Card issuers are requesting us to store card data. When a breach happens, we are the ones who bear the costs and who are demonized.“

– „PCI has been developed developed from the perspective of card companies as opposed to from that of those who are epected to follow them.“

– „PCI is little more than a tool to shift financial risks off card companies and

banks. We are forced to spend billions to implement a standard, which has done little to improve security.“

(9)

PCI DSS – observations (cont)

PCI SSC : „breached organisations were not „compliant“ at the time

of the breach.“

VISA :

– „The ‚Heartland case‘ never should have happened and is unfortunate, but this does not make me question the tools.“

– „However it‘s time for security controls to go beyond what‘s included in PCI now Source : Computerworld (related to Hearing at US House of Representatives)

– „However it‘s time for security controls to go beyond what‘s included in PCI now

VISA working with banks and retailers to test new security measures

New degree of uncertainty about the future of PCI specifications

(10)

banks

The PCI Blame Game

Source : Computerworld (by Phil Mellinger, prev. CISO at First Data)

Card

Associations

banks

1.

It‘s your fault !

You have not

been diligent !

2.

No, I‘m

compliant !

Their fault !

5.

6.

non-compliance

fee $$$.

7.

PCI SSC

QSA

„breach

victim“

banks

banks

3.

I‘m certified !

Those guys

confirmed !

4.

you are

decertified

and put on

probation.

5.

you are

considered

non-compliant.

7.

Lawsuit

8.

Lawsuit

(11)

Prepare for the „third“ attack wave

Phase 1 (1990‘s)

– first cyber attack wave aiming at Internet merchant databases

Phase 2

– PCI DSS was introduced post millenium,

– hackers already „hooked on“ cash and updating their weapons

– If stores would no longer store card data, attackers would use sniffing technology to read them while in transit

Source : Computerworld (by Phil Mellinger, prev. CISO at First Data)

them while in transit

– Breach-funded attackers improved their skills to yet unknown levels

Phase 3 (2005 – now)

– trojans became invisible to firewalls, AV tools

– Botnet controllers scaled up to manage massive numbers of infected PCs – Key-logging techniques perfected to collect valuable browser input

– Undetectable trojans organised into huge botnets efficiently collecting data – Targets increasingly online financial institutions

– Attackers quickly morph trojans to new and yet again undetectable variants – Russian cyber attackers meanwhile outsource cyber-attacks to China

(12)

What can be done ?

Stop the blame game

– infights, litigation, fines over breach responsibility is not useful

– Reward the ones in the industry, who identify weaknesses rather than punish the attack victims

PCI rules must evolve to address „3rd wave“ attacks

Improve fraud intelligence to understand attackers and their

Source : Computerworld (by Phil Mellinger, prev. CISO at First Data)

Improve fraud intelligence to understand attackers and their

weapons

– „No longer sufficient to monitor internet chat rooms“ – Now the task is to infiltrate the attackers

International laws

– If domestic law enforcements are not dealing with the attackers operating within their borders, create ability to hold those countries accountable

– Countries, who „protect“ cyber-attackers are no different than those providing safe heavens for terrorists

New security approaches and tools required to thwart attacker‘s

weapons.

(13)

Lessons from the „Heartland“ case

„The QSA‘s let us down“

„…had implemented each and every security control of the PCI

standard….“

„industry standard security controls do little to stop lawsuits against

you for negligence…“

Compliance is not taking away any responsibility from you

Source : Computerworld

Compliance is not taking away any responsibility from you

When things go wrong, you are (b)eaten by your contracted partners

Passing a PCI compliance audit does not make you secure

The QSA factor

However :

there is no way around PCI – it remains a contractual obligation

Compliance is not an option

(14)

ISMS using a unified Compliance framework

Business objectives Legal / regulatory Risk Management Auditing Plan Management responsibilities Awareness & Training Continual Improvement Documentation requirements Legal / regulatory requirements Contractual requirements Log Monitoring Reporting Do Check Act PCI DSS 12 baseline requirements

ISO 27001 / 2 / 3 / ff as framework for data security Basel II Capital risk Ops. risk BS 25999 Business Continuity SOX financial reporting ISO 9001 quality management Company Rules and guidelines

(15)

Risk Analysis and Risk Management

Risk can be defined as :

„…the risk of direct or indirect loss resulting from inadequate or

„…the risk of direct or indirect loss resulting from inadequate or

failed internal processes, people and systems or from

external events.“

(16)

Measuring and Quantifying Risk

ALE – Annualised Loss Expectancy

ALE = SLE * ARO

Sample : risk of potential data breach SLE = 6 M$

likelyhood of occurence : Once in 12 years likelyhood of occurence : Once in 12 years

ALE = 6 * 1/12 = $500,000

Investment in intrusion detection and data encryption : SLE(target) = 2 M$

likelyhood of occurence = once in 25 years ALE = 2 * 1/25 = $80,000

With this investement you just „released“ $420,000 of blocked

capital

(17)

The 2 Dimensions of Reducing Risk

Reduce Probability of Incident

– Authentication control – Access restriction policies – Password mangement – Encryption

Reduce Impact of Incident

– Real time event Monitoring of user activities

– Detection of unauthorized actions – Filtering, Alerting and Escalation – Encryption

– Usage restricition of administrative tools

– Time based access control – Change control procedures – Software updates

– Vulnerability management

– Policies for reporting weaknesses – …

– Filtering, Alerting and Escalation – Monitoring and reporting of

security Events – Log Management

– File Integrity Monitoring – Network intrusion detection – O/S level intrusion detection – …

(18)

CSP Solutions of interest to you !

Reduce Probability of Incident

– Authentication control – Access restriction policies – Password mangement – Encryption

Reduce Impact of Incident

– Real time event Monitoring of user activities

– Detection of unauthorized actions – Filtering, Alerting and Escalation

• COMPLIANCE REPORTING MODULE • TANDEM SECURITY ANALYZER • AUDITVIEW • PROTECT XP • PROTECT UX • AUTHENTICATOR • PASSPORT • Nonstop IDENTITY Mgmt. Access Control Mangement Audit Reporting & Assessment – Encryption

– Usage restricition of administrative tools

– Time based access control – Change control procedures – Software updates

– Vulnerability management

– Policies for reporting weaknesses

– Filtering, Alerting and Escalation – Monitoring and reporting of

security Events – Log Management

– File Integrity Monitoring – Network intrusion detection – O/S level intrusion detection• ALERT PLUS

• FILE INTEGRITY CHECKER • FTP Shield • CLIENT Shield • ENTERPRISE Shield Monitoring Encryption

(19)

Thank you !

Compliance is an opportunity to get security on track.

However, it is a risk, if you rely on it.

For additional information please contact

Thomas Leeb (CSP EMEA)

thomasl@CSPsecurity.com

References

Related documents

Take to the road with peace of mind knowing you have the best protection available – the motorcycle insurance program from Aviva Elite. Be it cruisers or touring, you can count

Stakeholders directly involved in the tourism industry that demonstrated strong tacit knowledge about cruise tourism and diff erentiated between the impact and value of the forms

The Christmas tree is called Tree of Light.' Non-Christian Chinese celebrate the holiday known as Spring Festival. They pay respect to their honors and festivals and

Electronic spectra, magnetic and conductance measurements The electronic spectra of the ligands and their metal complexes in DMSO solvent, magnetic moments and molar conductivi-

This paper discusses the main approaches for risk measures VaR and CVaR evaluation for a random variable, based on different statistical and econometric methods.. Prices and

• DC Grounded metallic parts for impulse suppression. Start-up operation of the RCU 86010149 is possible in an RET system supporting AISG 1.1 or supporting 3GPP/AISG 2.0

N9335 FREE-DESIGN N9135 FREE-DESIGN N9327 FREE-DESIGN 1MR 2MR 3MR 4MR 5MR N9 323 FREE-DESIGN N8027 FREE-DESIGN N80 25 FREE-DESIGN N80 23 FREE-DESIGN N80 29 FREE-DESIGN N9325

It is used to structure re-usable architecture and solution assets Correct Answer: E Section: (none) Explanation Explanation/Reference: QUESTION