Data Breaches, Credit Card Fraud, Front Page News …Are You Next? - PowerPoint PPT Presentation



SLIDE 1

www.eidebailly.com

Calvin Weeks

EnCE, CEDS, CRISC, CISSP, CISM

Computer Forensics Manager

Data Breaches, Credit Card Fraud, Front Page News …Are You Next?


SLIDE 2


Home Depot Breach

  • CBS News
    • 2,200 stores compromised
    • Up to 60 million customers
    • Only 10% to 15% will see fraud activity
    • As much as $3 billion in bogus purchases
  • Krebs on Security
    • Variant of the code from the Target attack
    • Compromised CC #'s were first sold on a Ukrainian website


SLIDE 3


Lawsuits / Lawyers and Settlements

  • Retailers not prepared for hack attacks
  • Companies breached include UPS, Goodwill, P.F. Chang's, Sally Beauty, Michael's and Neiman Marcus
  • Solak et al v. The Home Depot, Inc., Case No. 1:2014-cv-02856, filed September 4, 2014 in the U.S. District Court for the Northern District of Georgia (Eleventh Circuit)


SLIDE 4


How did the Breach occur?

  • All compromises were a direct result of human failure at all levels
  • Not one compromise has been attributed to hardware, operating system or application failures


SLIDE 5


Complaints with Loss Statistics

Complaints with Financial Loss (FBI Internet Crime Report)

  Year   Complaints with loss
  2011   106,079
  2012   114,908
  2013   115,903


SLIDE 6


Total Loss Statistics

Total Financial Loss (FBI Internet Crime Report)

  Year   Total loss (millions)
  2011   $485
  2012   $525
  2013   $574


SLIDE 7


Why is Data Security Important?

The DATA has VALUE

  • Many organizations feel they have nothing worth stealing, or that they are too small and invisible.
  • Your data has value to an attacker.
  • 40M records × $2/record = $80M attacker profit.


SLIDE 8


All Data Has Value

Recent Breaches

  • Goodwill (Sept. 2014 – 330 stores in 20 states)
  • Home Depot (Sept. 2014 – 56,000,000 cards)
  • P.F. Chang (pre-June, 2014 – 33 locations)
  • Sally Beauty Supply (March 2014 – 25,000 records)
  • Target (2013 – 70,000,000 customers’ data)
  • Sony (2011 – 100,000,000 customers’ data)
  • Heartland Payment Systems (2009 – 130,000,000 accounts)

  • TJX (2007 – 90,000,000 accounts)
  • Card Systems (2005 – 40,000,000 accounts)


SLIDE 9


Data Value


SLIDE 10


Frameworks

  • PCI DSS
    • Build and Maintain a Secure Network
      • Firewall
      • No vendor-supplied defaults (passwords/parameters)
    • Protect Cardholder Data (CHD)
      • Stored (at rest)
      • Encrypted transmission across open, public networks
    • Maintain a Vulnerability Management Program
      • Protect against malware, keep AV updated
      • Develop/maintain secure systems and applications
    • Implement Strong Access Control Measures
      • Restrict access to CHD by need-to-know
      • Identify/authenticate access to system components
      • Restrict physical access
    • Regularly Monitor and Test Networks
      • Track/monitor all access to network resources and CHD
      • Regularly test security systems and processes
    • Maintain an Information Security Policy
      • Address information security for all personnel
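Protecting stored CHD starts with knowing where card numbers sit in the clear, which is usually not only the database the application was designed around but also exports, logs and backups. The following is an added example, not code from the presentation: a Python scanner that finds Luhn-valid primary account numbers in constructed sample files (published test PANs, made-up file names and log lines) and reports them masked to first-six/last-four, the most PCI DSS allows to be displayed. The same kind of pattern matching is what POS RAM-scraping malware of the sort cited on slide 2 applies to process memory, so running it yourself over files, backups and logs finds what an attacker would find.

```python
import re

# Constructed sample "files" standing in for data at rest on a store
# back-office server. The card numbers are published test PANs; the file
# names and log lines are made up for this example.
SAMPLE_FILES = {
    "orders_2014-09.csv": (
        "order_id,pan,amount\n"
        "1001,4111111111111111,59.99\n"     # full PAN in the clear: a finding
        "1002,411111******1111,12.50\n"     # already masked: not a finding
        "1003,4111111111111112,8.00\n"      # 16 digits but fails Luhn: ignored
    ),
    "app.log": (
        "2014-09-02 10:14:07 POS-17 auth ok "
        "track=%B5555555555554444^DOE/JOHN^1512101...\n"   # track data logged by mistake
        "2014-09-02 10:14:09 POS-17 order 1004 total 42.10 ref 1234567890123\n"
    ),
}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test (ISO/IEC 7812); rejects most numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return every Luhn-valid candidate PAN in a string, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_files(files):
    """Return (file, line number, masked PAN) for every clear-text PAN found."""
    findings = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for pan in find_pans(line):
                findings.append((name, lineno, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for name, lineno, masked in scan_files(SAMPLE_FILES):
        print("%s:%d clear-text PAN %s" % (name, lineno, masked))
```

The masked row in the CSV is correctly skipped, the mistyped number is rejected by the Luhn check, and the track data in the application log is flagged even though it is not in a column named "pan"; that last case is the one a schema-driven review misses.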


SLIDE 11


Other Frameworks - NIST Critical Infrastructure Cybersecurity

Table 1: Function and Category Unique Identifiers

  Function ID  Function  Category ID  Category
  ID           Identify  ID.AM        Asset Management
                         ID.BE        Business Environment
                         ID.GV        Governance
                         ID.RA        Risk Assessment
                         ID.RM        Risk Management Strategy
  PR           Protect   PR.AC        Access Control
                         PR.AT        Awareness and Training
                         PR.DS        Data Security
                         PR.IP        Information Protection Processes and Procedures
                         PR.MA        Maintenance
                         PR.PT        Protective Technology
  DE           Detect    DE.AE        Anomalies and Events
                         DE.CM        Security Continuous Monitoring
                         DE.DP        Detection Processes
  RS           Respond   RS.RP        Response Planning
                         RS.CO        Communications
                         RS.AN        Analysis
                         RS.MI        Mitigation
                         RS.IM        Improvements
  RC           Recover   RC.RP        Recovery Planning
                         RC.IM        Improvements
                         RC.CO        Communications

Control types overlaid on the table: Preventative, Detective, Corrective

SLIDE 12


How about Compliance?

  • Being compliant does not mean you're secure, and being secure does not mean you're compliant
  • The Truth About Home Depot's Security Breach: Hacking Was Easy - by Jason Abbruzzese, Sep 10, 2014


SLIDE 13


Established Standards

  • Security standards began in the 1950s with the launch of the Russian Sputnik satellite
  • In October 1967 a computer security task force was created
  • The results of the task force were published in 1970 as the Rand R-609 report
  • The Rand R-609-1 report was reissued in October 1979
  • The standards established then are still the same today, even as technology advances regularly


SLIDE 14


Further Established Standards

  • Manufacturers established standards for specific products
  • After 2001 the National Institute of Standards and Technology (NIST) expanded its Special Publications for technology standards
  • NIST established Information Systems Management and Operational Standards for executives


SLIDE 15


Basic Security Concept

Cyber Security Operations

  • Prevent
  • Monitor/Detect
  • Respond


SLIDE 16


Prevent

  • Establish budgets
  • Follow best practices
    • National Institute of Standards and Technology (NIST)
  • Obtain advanced training
  • Employ appropriate expertise
  • Strategize to prevent every ATTEMPT


SLIDE 17


Monitor & Detect

  • Establish centralized logging
  • Collect logs from all systems, networks, applications and all reported issues
  • Correlate and aggregate all logs
  • Set up rules and signature databases for alarms and alerts
  • Collection should have no filters: a "low severity" event dropped at the source cannot be correlated later
  • Establish robust search, filtering and reporting capability
  • Strategize to detect every ATTEMPT


SLIDE 18


Respond

  • Establish a response capability
    • Include members from executive, IT, HR, security, legal, public relations and others as appropriate
  • Review reports from monitoring activities
  • Meet regularly to make informed decisions
  • Strategize to respond to every ISSUE
  • Making an informed decision to do nothing is acceptable


SLIDE 19


IT/Security Operational Model


SLIDE 20


IT/Security Operational Model


SLIDE 21


Security & Risk Assessments

  • Vulnerability Assessments and Penetration Testing are technical options, but do not go far enough
  • Knowing that you are vulnerable and that your systems and networks can be compromised does not answer the business question of what the priority is
  • A properly performed security & risk assessment will help you set priorities that match business goals and objectives


SLIDE 22


The Experts

  • IT Professionals will help keep your systems and networks up and running
  • Security Professionals will help keep your systems and networks protected
  • Computer Forensics Professionals will help respond to and investigate issues involving technology for HR, Legal and executive purposes


SLIDE 23


IT Professional vs. Forensic Examiner

  • IT Professional training does not include handling of evidence
    • Primary focus is keeping systems up and running
    • Can be a witness on system, network and internet operations
    • Not trained or prepared to testify as an expert
  • Forensic Examiner understands the rules of evidence
    • Primary focus is collecting, preserving and examining relevant data
    • Can provide assistance with technical legal strategies
    • Trained and prepared to testify as an expert


SLIDE 24


Examples

IT Professional vs. Forensic Examiner

  • A police officer's daily work involves knowing, understanding and applying laws, but that does not make them an attorney.
  • A bookkeeper knows the accounting of their books and how to apply accounting practices every day, but this does not make them a CPA.
  • An IT Professional knows how to set up, operate and maintain computer and network systems, but this does not make them qualified to investigate and testify, nor should they.


SLIDE 25


Computer Forensics vs E-Discovery

e-Discovery is Electronic Discovery

  • Production of known responsive info for litigation
  • Indexed database searching and filtering
  • Provides data statistics
  • Also refers to the Federal Rules of Civil Procedure, Process or Service

Computer Forensics

  • Investigation and recovery of relevant info
  • Provides the details in context
  • Provides transactional details
  • Scientifically supports or disputes statements made by parties
  • Identifies and demonstrates facts about the activities found on a computer or electronic device


SLIDE 26


Example:

Business Sale (made-up)

A business owner discussed the sale of his business over public internet e-mail. An offer to sell was made in the amount of $1,000,000. After several months without a deal, the purchaser sued and as evidence produced a "PRINTED" copy of a reply e-mail from the seller offering to sell the business in the amount of $100,000.


SLIDE 27


Example:

Employee Non-Compete

Our client had purchased a business and agreed to employ the previous owner as a sales executive. After a year the CEO suspected that the sales executive was funneling clients and work to a competing business, but had no proof. The difficulty was that, as the sales executive, it was her job to contact clients, and nothing in her company e-mails showed any suspicious activity.


SLIDE 28


Example:

Classified Restrictions

Our client was in civil litigation for misappropriation of federal funds of more than $1.5 million by the CEO and spouse, who was the CFO of a public/private/research program. Attorneys needed all of the e-mails and files collected to review for financial activities and communications.


SLIDE 29


Classified Experience

  • Designed, engineered and implemented systems, networks and applications in a Top Secret classified DoD facility
  • Applying the concepts and standards introduced in this presentation met with 100% security compliance
  • Responsible for 35 systems
  • Part of a team of 8 engineers
  • Project consisted of 35 professionals in one facility and another 15 in another location


SLIDE 30


My Classified Experience

  • In two years, two attempts were made to compromise Top Secret systems.
  • If it were not for the established monitoring to detect activity, the attacks would have been successful.
  • Not because security was not applied, but because of unknown vulnerabilities in the OS.
  • These attempts shut down all operations of more than 135 people for more than three weeks.
  • DoD has the money to sustain this kind of operation, but businesses cannot afford this level of response to compromises, much less to merely unsuccessful attacks.


SLIDE 31


Lesson Learned

  • Once you consider the extremity of operating like a DoD classified facility, then other discussions can take place.
  • If you can quantify your IT and security operations, then a declarative value can be placed on attempts and compromises.
  • Insurance companies can now have a third party assess the security compliance and capabilities of an organization to begin serious cyber loss coverage.


SLIDE 32


Conclusion

Cyberthreats and cyberattacks have increased dramatically over the past several years. They have exposed sensitive personal and business information, disrupted the critical operations of institutions, and imposed high costs on the economy and on business operations. That is why it is imperative that companies stay informed about the continuously changing forms of cyberthreats and develop appropriate, cost-effective controls to safeguard their businesses.


SLIDE 33


This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general informational purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding the implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.

Questions?


SLIDE 34


Calvin Weeks

cweeks@eidebailly.com 405.858.5591

Data Breaches, Credit Card Fraud, Front Page News …Are You Next?
