What To Do When It All Goes
Interests: Forensic Computing, PCI, Online Fraud, Cryptography, Technical Security
Current clients include telco, retail, banking, online marketing, airlines, logistics, etc.
High Tech Crime Investigation Association; International Association for Cryptologic Research; Expert Witness Institute; British Computer Society
+ Former CESG Listed Advisor
+ Certified Fraud Examiner (CFE) and CISSP
+ BS7799 Lead Auditor, ITIL Security Practitioner
Information Security
Where are we now?
+ BUT:
  - IT staff are not equipped to resist advanced attacks
  - Lawyers (privacy teams etc.) aren't either
  - Auditors look for weakness in process
  - Web developers are not security experts
+ Networks of compromised computers (botnets)
+ Credit card / debit card numbers
+ Identity theft: server hacking / phishing
Real Statistics?
Real reality
+ "Regrettably the percentage of organisations reporting computer intrusions has continued to decline. The key reason given was the fear of negative publicity. As a consequence this has resulted in a belief that the threat and impact has also been gravely underestimated." (Metropolitan Police)
+ "If I report this, I am worried what else the police will find." (Anonymous IT Director)
+ "We don't handle payments so it doesn't really matter if our code is secure or not." (Web development firm providing e-commerce (!))
+ "How soon can we start our web server up again?" (Compromised web merchant)
[Diagram: security strategy cycle with the elements Aware, Incident, Architecture, Response, HR, Compliance, Plan, Vuln Test, Exposure, Risk]
+ Security Strategy that is informed and able to deal with a complex and changing threat landscape
A Taxonomy of Threats
Whats out there?
An Urgent Email!!
Dear NatWest Bank Member, This email was sent by the NatWest server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your NatWest login ID, Password and PIN. This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.
http://www.natwest.com:ac=uwFukj0FyWT0Y13hAnbI@amcn4a.MaIl333.CoM/3/?JcPhbzKuJntfU9I
[Screenshot residue: UserID / Password login form, "REAL Site!" callout, Identifier]
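The link in the email above relies on the URL userinfo syntax: everything before the `@` is a username and password, and the host the browser actually contacts is what follows it. The script below, an added example that is not part of the original slides, dissects the slide's own URL with the Python standard library and applies a simple filtering heuristic (the trusted-domain list is a constructed assumption) that flags links whose userinfo imitates a trusted domain while the real host lies elsewhere.

```python
"""Dissect a URL whose userinfo part is crafted to look like a trusted domain.

Added example, not from the original slides. The sample URL is the one
quoted on the slide; only the standard library is used."""
from urllib.parse import urlsplit

# Sample taken from the slide's NatWest phishing email.
PHISH_URL = ("http://www.natwest.com:ac=uwFukj0FyWT0Y13hAnbI"
             "@amcn4a.MaIl333.CoM/3/?JcPhbzKuJntfU9I")


def dissect(url: str) -> dict:
    """Split a URL into what a victim sees versus what the browser uses."""
    parts = urlsplit(url)
    return {
        "apparent_domain": parts.username or "",   # text before ':' in the userinfo
        "userinfo_password": parts.password or "",  # text after ':' up to the '@'
        "real_host": parts.hostname or "",          # host DNS is asked for, lowercased
        "path": parts.path,
        "query": parts.query,
    }


def looks_like_userinfo_spoof(url: str, trusted_domains=("natwest.com",)) -> bool:
    """Flag a URL whose userinfo mimics a trusted domain but whose host is elsewhere.

    Heuristic suitable for mail filtering or awareness training. The
    trusted_domains default is a constructed list for this example."""
    parts = urlsplit(url)
    if parts.username is None:
        return False  # no userinfo present, nothing to spoof with
    user = parts.username.lower()
    host = (parts.hostname or "").lower()

    def under(name: str, domain: str) -> bool:
        return name == domain or name.endswith("." + domain)

    return any(under(user, d) and not under(host, d) for d in trusted_domains)


if __name__ == "__main__":
    for key, value in dissect(PHISH_URL).items():
        print(f"{key:18} {value}")
    print("spoof suspected:", looks_like_userinfo_spoof(PHISH_URL))
```

Run stand-alone, the script reports the apparent domain `www.natwest.com`, the real host `amcn4a.mail333.com`, and a positive spoof verdict; a plain `https://www.natwest.com/` link has no userinfo and is not flagged.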
+ Application development stresses functionality
+ Lack of awareness of security issues in development
+ Lack of effective testing tools in QA
These are not real, and can be obtained over the internet.
Compliance - PCI
Affordable perfection and avoidable risks
The Standards
PCI-PED
PCI PED addresses the device characteristics that affect the security of a PIN Entry Device (PED) during financial transactions.
PCI PA-DSS
PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorisation or settlement, where those applications are sold, distributed or licensed to third parties.
PCI DSS
PCI DSS applies to any entity that stores, processes and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment.
[Table residue: PCI DSS data-element matrix listing Service Code, Expiration Date, Full Magnetic Stripe and Sensitive Authentication Data against YES / NO / N/A values; the column headings did not survive extraction.]
Top reasons for PCI failure (VeriSign whitepaper, based on a sample of over 100 assessments):
+ Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
+ Requirement 12: Maintain a policy that addresses information security.
+ Requirement 9: Restrict physical access to cardholder data.
+ Requirement 6: Develop and maintain secure systems and applications.
+ Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
Reported failure rates: 62%, 60%, 59%, 56%, 45% (the pairing of rate to requirement did not survive extraction).
Source: https://www.verisign.com/cgi-bin/go.cgi?a=w63130157259894009
+ All external connectivity points and network topology, including firewalls, routing schema, VLANs, etc., between compromised systems and surrounding networks
+ A review of the entire debit and/or credit processing network to identify all compromised or affected systems
+ Establish how the compromise occurred
+ Identify the type of data stored, sniffed, and transferred out of the network (Visa/Plus/Interlink/Pre-Paid accounts)
+ Recover data deleted by the intruder
+ Number of accounts at risk (stored, sniffed, and transferred)
+ Determine the timeframe of the compromise
+ Determine transaction dates of compromised cardholder data
Questions + Answers
Thank You
Jonathan Care, Verisign ESS jcare@verisign.com Tel: 0800 032 2101 IR&F: 01344 609313