PCI-DSS

PCI-DSS And Target:
What Went Wrong
Michael Haney
CS 7493, Fall 2014
4/15/2014
Computer Science / www.isec.utulsa.edu
The Payment Card Industry
• Card Brands: Visa, MC, AmEx, Discover, JCB
• Merchants (Retailers)
• Banks, Processors, Gateways, and Acquirers
• Security Standards Council (SSC)
• The Standards:
  – DSS
  – PA-DSS
  – PTS
  – HSM
  – P2PE
Compliance Process
• 3-year standards cycle
  – Previous version: v2.0 released October 2010
  – Current version: v3.0 released October 2013
• Merchant Levels
  – Level 1 – 4, based on size, unless you’re breached.
• Who to report to?
• ROC, AOC, and SAQ
• QSAs, ASVs, QIRs, ISAs, etc., etc.
• Breaches and Compliance
Verify Your QSA
https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php
• Employee of Member in good standing
• Annual Training
• Annual Fees Paid ($1500 per person)
• Suspended if reports fail QA review process externally.
• Revoked if caught “hacking”.
• Mine expired yesterday
Target and Trustwave
• Trustwave is (was) Target’s QSA. Individuals were assigned the Target account to perform the annual testing and audit.
• Target Stores were compliant with PCI-DSS (v2.0) and had submitted a ROC to their acquirers annually, most recently in September 2013.
• 12 requirements, many sub-requirements, and many specific sub-sub-requirements must be evaluated by observation, interview, screenshots, and testing.
• For example, an ASV scanned Target’s external IP addresses quarterly and reported on any vulnerabilities.
  – All medium and high-risk vulns must be addressed (per Requirements 11.2, 11.2.1, 11.2.2, 11.2.3)
Target Breach Timeline, Part 1
• 1902: Dayton Stores founded in Minn.
• 1962: Target Stores branded
• 2006: Target establishes Forensic Services
• 2008: Beth Jacob assumes CIO role
• January, 2013: Target expands into Canada
• As of 2014: 1924 stores, 36th on Fortune 500
Target Breach Timeline, Part 2
• February, 2013: Target purchases FireEye services ($1.6 million) and begins rollout
• Probably July or August, 2013: hacker group phishes Fazio Mechanical, begins to infiltrate Target
• September, 2013: Trustwave releases ROC to Target and its card transaction acquirers
• November 27, 2013: Malware has reached POS systems in all Target stores
• November 29, 2013: “Black Friday” shopping spree begins
Target Breach Timeline, Part 3
• November 30, 2013: First alerts from the FireEye monitoring service in Bangalore report to Target that “malware.binary” has been detected.
• December 2, 2013: Another round of alerts from FireEye in Bangalore.
• December 2, 2013: A new version of the malware is uploaded with instructions to send skimmed data to C&C on three Target corporate servers.
Target Breach Timeline, Part 4
• Between December 2 and December 15:
  – Card numbers and mag-stripe data are sent from POS in all Target stores to central servers for “staging”
  – An additional customer information database is pilfered
  – The hacker group begins exfiltrating data to several world-wide hosting sites, eventually to Odessa, Ukraine
  – Data is only uploaded manually, via FTP between 10am and 6pm CST.
  – Over 2 weeks, 11GB are uploaded
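Added example, not part of the deck: the exfiltration pattern just described (large manual FTP uploads from an internal staging host to an external address, repeated during business hours) is exactly what the "track and monitor all access" logging in Requirement 10 can surface. The script sweeps constructed firewall connection records (the line format, the 10.0.0.0/8 internal range and all addresses are assumptions) and aggregates outbound FTP volume per source/destination pair.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the deck or any real environment): one
# internal staging host pushing large FTP transfers to one external address.
SAMPLE_LOG = """\
2013-12-03T10:12:05 src=10.20.5.17 dst=10.20.9.4 dport=445 bytes_out=2400000
2013-12-03T11:40:12 src=10.20.9.4 dst=203.0.113.50 dport=21 bytes_out=950000000
2013-12-04T14:02:33 src=10.20.9.4 dst=203.0.113.50 dport=21 bytes_out=870000000
2013-12-05T03:15:00 src=10.20.9.4 dst=198.51.100.7 dport=443 bytes_out=12000
2013-12-06T16:45:10 src=10.20.9.4 dst=203.0.113.50 dport=21 bytes_out=990000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
FTP_PORTS = {20, 21}
BUSINESS_HOURS = range(10, 18)  # 10:00-17:59 local, the window the deck describes


def find_ftp_exfil(log_text, min_total_bytes=500_000_000):
    """Aggregate outbound FTP volume per (src, dst) pair and return the pairs
    whose cumulative bytes reach min_total_bytes. Each finding also counts how
    many of its sessions started during business hours."""
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0, "in_hours": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if int(m["dport"]) not in FTP_PORTS or src not in INTERNAL or dst in INTERNAL:
            continue  # only internal -> external FTP sessions are of interest here
        rec = totals[(str(src), str(dst))]
        rec["bytes"] += int(m["bytes"])
        rec["sessions"] += 1
        if datetime.fromisoformat(m["ts"]).hour in BUSINESS_HOURS:
            rec["in_hours"] += 1
    return {pair: rec for pair, rec in totals.items() if rec["bytes"] >= min_total_bytes}


if __name__ == "__main__":
    for (src, dst), rec in find_ftp_exfil(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {rec['bytes'] / 1e9:.2f} GB over "
              f"{rec['sessions']} FTP sessions, {rec['in_hours']} during business hours")
```

The threshold and the internal range are tuning knobs; the point is that a volume-per-pair view over a two-week window makes an 11GB outbound FTP trickle stand out even when each individual session looks ordinary.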
Target Breach Malware Identified
• BlackPOS sold on crime market for $1800
• POSWDS on ThreatExpert (pulled down)
• Virustotal.com reports “30503 POS malware from FBI source” – in June, 2013.
• Modified and referred to as BladeLogic with specific servers and username/passwords in Target environment: “Best1_user” with pw: “BackupU$r”
• Servers include \\TTCOPSLI3ACS\ and \\TCMPSPRINT04P\ .
• UserIDs of hackers include “Rescator” and “Crysis1089”
Target Breach Timeline, Part 5
• December 12, 2013: FBI notifies Target of evidence of breach.
• December 15, 2013: Breach tunnel is discovered, cut off at firewalls.
• December 18, 2013: Brian Krebs breaks the story.
• December 18, 2013: Copy of malware uploaded to ThreatExpert.com, removed January 16.
• December 19, 2013: Target makes press release.
• December 20, 2013: PCI SSC releases statement.
Target Breach Timeline, Part 6
• January 10, 2014: Target announces investigation is ongoing, another 70 million customers affected, total may be 110 million.
• January 29, 2014: Fazio Mechanical is identified as source of initial breach.
• March 6, 2014: Beth Jacob resigns as CIO.
• March 13, 2014: Story breaks that FireEye sent plenty of alerts, and auto-delete was disabled.
Target Breach Timeline, Part 7
• March 5, 2014: FTC announces investigation, possible fines or federal charges.
• March 20, 2014: Congressional hearings called.
• March 25, 2014: Target and Trustwave defendants in class-action lawsuit by Green Bank and TrustMark National; 90 lawsuits to date.
• Total costs to date: $175 million; believed to reach $1 billion in the end.
A Closer Look at PCI-DSS 12 Requirements
• Requirement 1: Firewalls
  – 1.1
    • 1.1.6
    • 1.1.7
  – 1.2
    • 1.2.1
  – 1.3
    • 1.3.5
• Requirement 2: Vendor-supplied Defaults
  – 2.1
• Requirement 3: Protect Storage of Cardholder Data
  – 3.1
  – 3.2
    • 3.2.3
  – 3.4
• Requirement 5: Protect systems against malware
  – 5.1
    • 5.1.1
  – 5.2
  – 5.3
• Requirement 7: Restrict access to business need-to-know
  – 7.1
    • 7.1.2
  – 7.2
A Closer Look at PCI-DSS 12 Requirements
• Requirement 8: Identify and authenticate access
  – 8.1
    • 8.1.1
    • 8.1.2
    • 8.1.5
  – 8.3
  – 8.5
  – 8.7
• Requirement 10: Track and monitor all access
  – 10.1
  – 10.2
    • 10.2.2
    • 10.2.4
  – 10.6
    • 10.6.1
• Requirement 11: Regularly test security systems
  – 11.3
  – 11.4
  – 11.5
• Requirement 12: Maintain a policy
  – 12.5
    • 12.5.2
    • 12.5.3
    • 12.5.5
  – 12.8
    • 12.8.4
  – 12.10
    • 12.10.5
Could Anything Have Prevented This?
• EMV and Chip-and-PIN cards
  – How they work: use encryption on the card.
  – Use a time factor to prevent replay.
  – Counterfeiting cards is much harder.
  – PIN requires “something you know” as a second factor.
• But clever hackers will find another way
• Memory-scraping is hard to prevent
• Fully complying with PCI-DSS would have prevented several stages of this attack
Questions?
References (1)
• Verify a QSA:
  https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php
• Breach announced (December 19):
  http://www.wired.com/threatlevel/2013/12/target-hack-hits-40-million/
  http://arstechnica.com/security/2013/12/secret-service-investigating-alleged-credit-card-breach-at-target/
• PCI statement about the Target breach (December 20):
  https://www.pcisecuritystandards.org/news_events/statements/2013_12_20.php
• POS Malware identified (January 16):
  http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
  http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/
References (2)
• Target Breach Used Stolen Vendor Access Credentials (January 30, 2014)
  http://www.govinfosecurity.com/target-breach-credentials-stolen-a-6452
  http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapped-vendor-credentials/d/d-id/1113641
  http://www.zdnet.com/target-traces-security-breach-to-stolen-vendor-credentials-7000025780/
  http://www.computerworld.com/s/article/9245877/Target_says_attackers_stole_vendor_credentials?taxonomyId=17
  http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/
  http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
• Target and Executives Testify at Senate Committee Hearing (February 4 & 5, 2014)
  http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472
  http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-credit-card-data-hack-n22131
  http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-push-chip-cards/article/332868/
  http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_defend_security_practices?taxonomyId=17
References (3)
• Target Attackers Phished for HVAC Company Network Access Credentials (February 12 & 13, 2014)
  http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
  http://arstechnica.com/security/2014/02/epic-target-hack-reportedly-began-with-malware-based-phishing-e-mail/
  http://www.nextgov.com/cybersecurity/2014/02/heres-how-hackers-stole-110-million-americans-data-target/78740/?oref=ng-channeltopstory
  http://www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
• CIO Beth Jacob resigns (March 6):
  http://www.computerworld.com/s/article/9246773/Target_CIO_resigns_following_breach?taxonomyId=17
• Target was warned of breach (March 13):
  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
References (4)
• Target and the FTC investigation, may face federal charges (March 20):
  http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
• Banks sue Target and Trustwave (March 26):
  http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/
  http://www.theregister.co.uk/2014/03/26/banks_lob_sueball_at_trustwave_target/
• Target Breach Illustrates Value of Limiting Exfiltration (April 2, 2014)
  http://www.darkreading.com/attacks-breaches/operation-stop-the-exfiltration/d/d-id/1171947?
• Chip-and-PIN and EMV cards:
  http://www.scmagazine.com/mastercard-visa-to-push-emv-nfr-calls-for-use-of-pins/article/338019/