What to do when it all goes wrong Core objectives of Information Security

Jonathan Care, VeriSign jcare@verisign.com

September 25th 2008

Jonathan Care Who does he think he is?

+ Senior Consulting Manager, VeriSign Enterprise Security Solutions (ESS)

Interests: Forensic Computing, PCI, Online Fraud, Cryptography, Technical Security Current clients include telco, retail, banking, online marketing, airlines, logistics, etc.

+ 20 years in Information Security + Member of

High Tech Crime Investigation Association International Association for Cryptologic Research Expert Witness Institute British Computer Society

+ Former CESG Listed Advisor + Certified Fraud Examiner (CFE) and CISSP + BS7799 Lead Auditor, ITIL Security Practitioner

Anonymity? Not really.

Information Security
Where are we now?

What has information security been about?

+ For the last twenty years its been about

Confidentiality Integrity Availability all things that make sense to IT!

+ BUT

IT Staff are not equipped to resist advanced attacks Lawyers (Privacy teams etc.) arent either Auditors look for weakness in process Web Developers are not Security Experts

Marketable criminal assets on the Internet

+ Networks of compromised computers botnets + Credit card / Debit card numbers + Identity theft server hacking / phishing

+ Hacking attacks Intellectual property theft / Industrial espionage / kudos

+ SPAM

Real Statistics?

Real reality
+ Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated Metropolitan Police + If I report this, I am worried what else the police will find Anonymous IT Director + We dont handle payments so it doesnt really matter if our code is secure or not Web Development firm providing e-commerce (!)
+ How soon can we start our web server up again? Compromised Web Merchant

Why commit crimes on the Internet?

+ + + + Potentially High Financial Gain Anonymity Rapid, secure, global communications Global impact 1 billion plus users (1 in 6 of the worlds population) + Virtual marketplace reduced risks of being detected, disrupted or caught + Volatile evidential trail ISP limited retention of data + Cross Border investigations protracted for law enforcement And Because thats where the money is Willie Sutton

Whats the solution?

Aware

Incident

Architecture

Response

HR
Compliance

PLAN

VULN TEST
EXPOSURE

RISK

+ Security Strategy that is informed and able to deal with a complex and changing threat landscape

A Taxonomy of Threats
Whats out there?

Top 10 threats in 2008

+ Trusted web sites exploit browser vulnerabilities + Botnets + Cyber Espionage including targeted phishing + Mobile phone threats + Insider Attacks + Advanced Identity Theft + Increasingly Malicious Spyware + Web Application Security Threats + Blended Attacks VOIP, Phishing, Event tracking (oh my!)

+ Supply chain attacks

Things not to complete in your inbox

An Urgent Email!!
Dear NatWest Bank Member, This email was sent by the NatWest server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your NatWest login ID, Password and PIN. This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

http://www.natwest.com:ac=uwFukj0FyWT0Y13hAnbI@amcn4a.MaIl333.CoM/3/?JcPhbzKuJntfU9I http://www.natwest.com:ac=uwFukj0FyWT0Y13hAnbI@amcn4a.MaIl333.CoM/3/?JcPhbzKuJntfU9I

UserID

Password

REAL Site!

Identifier

Hijacking Internet Browsing

Highly plausible interception

Why Web Application Risks Occur

+ Developers are not security professionals

Application Development stresses functionality Lack of Awareness of security issues in development Lack of effective testing tools in QA

Resource constrained development teams

Lack of awareness of application vulnerabilities in security teams

+ Security Professionals are not developers

Lack of effective testing tools

Development cycle missing from security procedures and audits Security scrutinise the desktop, the network, and the server. The web application is missing.

What is identity theft/identity fraud?

+ Refers to all types of crime in which someone wrongfully obtains and uses another persons personal data in some way that involves fraud or deception. + It is estimated that Id theft costs the British economy alone 1.7 Billion and 100,000 people are targeted each year

These are not real, and can be obtained over the internet.

Compliance - PCI
Affordable perfection and avoidable risks

The Standards
PCI-PED
PCI PED addresses device characteristics impacting security of PIN Entry Device (PED) during financial transactions

PCI PA-DSS
PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorisation or settlement, where those applications are sold, distributed or licensed to third parties.

PCI DSS
PCI DSS applies to any entity that stores, processes and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment

Stand Alone PED Device

Payment Applications (e.g. Web Cart, POS)

Merchants and Service Providers Cardholder data environment

PEDs integrated with payment applications (POS, Kiosk)

Payment Applications in Merchant/Service Provider Environment

PCI PED applies PED device only

PA-DSS may apply

PCI DSS applies Systems and networks

Sensitive Information in PCI

Data Element Storage Permitted YES YES Protection Required YES YES PCI DSS Req. 3.4 YES NO

Primary Account Number (PAN)

Cardholder Data Cardholder Name

Service Code
Expiration Date Full Magnetic Stripe

YES
YES NO NO NO

YES
YES N/A N/A N/A

NO
NO N/A N/A N/A

Sensitive Authentication
Data

CVC2/CVV2/CID/ CAV2 PIN/PIN Block

Why are Companies Failing PCI Assessments?

PCI REQUIREMENT
Requirement 3: Protect stored data. Requirement 11: Regularly test security systems and processes. Requirement 8: Assign a unique ID to each person with computer access. Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 1: Install and maintain a firewall configuration to protect data.

PERCENTAGE OF ASSESSMENTS FAILING

79% 74% 71% 71% 66%

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 12: Maintain a policy that addresses information security. Requirement 9: Restrict physical access to cardholder data. Requirement 6: Develop and maintain secure systems and applications. Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
Source: VeriSign Whitepaper on Top Reasons for PCI Failure based on sample of over 100 assessments https://www.verisign.com/cgi-bin/go.cgi?a=w63130157259894009

62%
60% 59% 56% 45%

Timeframes for a PCI incident investigation

+ Timeframes (e.g., flexibility on critical events)

Standard event timeframes

Visa client must identify forensic company within 5 days Visa client must ensure contract is signed within 10 days Forensic investigator must be onsite within 5 days from signed contract Preliminary forensic report be provided to Visa within 5 days from onsite work Final forensic report be provided to Visa within 10 business days from the completion of the review

Critical event timeframes can be even more immediate!

+ Visa will levy fines to clients in the event of delays

PCI Forensic Investigation Requirements

VISA appointed forensic reports must include:

All external connectivity points and network topology including firewalls, routing schema, VLANs, etc. between compromised systems and surrounding networks A review of the entire debit and or credit processing network to identify all compromised or affected systems

External Investigators will perform incident validation and assessment:

Establish how compromise occurred Identify the type of data stored, sniffed, and transferred out of the network (Visa/Plus/Interlink/Pre-Paid accounts) Recover data deleted by intruder Number of accounts at risk (stored, sniffed, and transferred) Determine the timeframe of compromise Determine transaction dates of compromised cardholder data

Three things to do right now

+ Plan for incidents

What would you do if your website was hacked?

+ Initiate a penetration testing program

Internal vulnerability scans Web site testing External attacks

+ Review information management

Data protection PCI Third parties

Data warehouses Call Centres Processors

Questions + Answers

Thank You
Jonathan Care, Verisign ESS jcare@verisign.com Tel: 0800 032 2101 IR&F: 01344 609313