data breaches credit card fraud front page news are you
play

Data Breaches, Credit Card Fraud, Front Page News Are You Next? - PowerPoint PPT Presentation

Mar 02, 2023 •147 likes •495 views

Data Breaches, Credit Card Fraud, Front Page News Are You Next? Calvin Weeks EnCE, CEDS, CRISC, CISSP, CISM Computer Forensics Manager www.eidebailly.com 1 Home Depot Breach CBS News 2,200 stores compromised Up to 60 million

  1. Data Breaches, Credit Card Fraud, Front Page News …Are You Next? Calvin Weeks EnCE, CEDS, CRISC, CISSP, CISM Computer Forensics Manager www.eidebailly.com 1

  2. Home Depot Breach • CBS News • 2,200 stores compromised • Up to 60 million customers • Only 10% to 15% will see fraud activity • As much as $3 billion in bogus purchases • Krebs on Security • Variant of the code from the Target attack • Compromised CC #’s were first sold on Ukraine website www.eidebailly.com 2

  3. Lawsuits / Lawyers and Settlements • Retailers not prepared for hack attacks • Companies breached include UPS, Goodwill, P.F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus • Solak et al v. The Home Depot, Inc., Case No. 1:2014-cv-02856, filed September 4, 2014 at The Eleventh Circuit, Georgia Northern District Court www.eidebailly.com 3

  4. How did the Breach occur? • All compromises were a direct result of human failure at all levels • Not one compromise has been attributed to hardware, operating system or application failures www.eidebailly.com 4

  5. Complaints with Loss Statistics Complaints with Financial Loss FBI Internet Crime Report 115903 114908 COMPLAINTS WITH LOSS 106079 100000 102000 104000 106000 108000 110000 112000 114000 116000 118000 2011 2012 2013 www.eidebailly.com 5

  6. Total Loss Statistics Total Financial Loss FBI Internet Crime Report $485 TOTAL LOSS IN MILLIONS $525 $574 $440 $460 $480 $500 $520 $540 $560 $580 $600 2011 2012 2013 www.eidebailly.com 6

  7. Why is Data Security Important? The DATA has VALUE • Many organizations feel they have nothing worth stealing or they are too small and invisible. • Your data has value to an attacker. • 40M records X $2/record = $80M attacker profit. www.eidebailly.com 7

  8. All Data Has Value Recent Breaches • Goodwill (Sept. 2014 – 330 stores in 20 states) • Home Depot (Sept. 2014 – 56,000,000 cards) • P.F. Chang (pre-June, 2014 – 33 locations) • Sally Beauty Supply (March 2014 – 25,000 records) • Target (2013 – 70,000,000 customers’ data) • Sony (2011 – 100,000,000 customers’ data) • Heartland Payment Systems (2009 – 130,000,000 accounts) • TJX (2007 – 90,000,000 accounts) • Card Systems (2005 – 40,000,000 accounts) www.eidebailly.com 8

  9. Data Value 9 www.eidebailly.com

  10. Frameworks • Implement Strong Access Control • PCI Measures • Build and Maintain a Secure • Restrict access to CHD by need- Network to-know • Firewall • Identify/authenticate access to • No vendor-supplied defaults system components (passwords/parameters) • Restrict physical access • Protect CHD • Regularly Monitor and Test • Stored (at rest) Networks • Encrypted transmission across • Track/monitor all access to open, public networks network resources and CHD • Maintain Vulnerability • Regularly test security systems Management Program and processes • Protect against malware, update • Maintain Information Security AV Policy • Develop/maintain secure systems • Address information security for and applications all personnel 10 www.eidebailly.com

  11. Other Frameworks - NIST Critical Infrastructure Cybersecurity Table 1: Function and Category Unique Identifiers Function Category Unique Function Unique Category Identifier Identifier ID.AM Asset Management ID.BE Business Environment ID Identify ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy PR.AC Access Control Preventative PR.AT Awareness and Training PR.DS Data Security PR Protect Information Protection Processes and PR.IP Procedures PR.MA Maintenance PR.PT Protective Technology DE.AE Anomalies and Events Detective DE Detect DE.CM Security Continuous Monitoring DE.DP Detection Processes RS.RP Response Planning RS.CO Communications RS Respond RS.AN Analysis Corrective RS.MI Mitigation RS.IM Improvements RC.RP Recovery Planning RC Recover RC.IM Improvements RC.CO Communications 11 www.eidebailly.com

  12. How about Compliance? • Being compliant does not mean you're secure, and being secure does not mean you're complaint • The Truth About Home Depot's Security Breach: Hacking Was Easy - By Jason Abbruzzese Sep 10, 2014 www.eidebailly.com 12

  13. Established Standards • Security standards began in the 50’s with the launch of the Russian Sputnik satellite • In October 1967 a computer security task force was created • The results of the task force was published in 1970 and was named the Rand 609 report • The Rand R-609-1 report was reissued on October 1979 • The standards established are still the same today even as technology advances regularly www.eidebailly.com 13

  14. Further Established Standards • Manufacturer established standards for specific products • After 2001 the National Institute of Standards and Technology (NIST) expanded special publications for technology standards • NIST established Information Systems Management and Operational Standards for executives www.eidebailly.com 14

  15. Basic Security Concept Cyber Security Operations • Prevent • Monitor/Detect • Respond www.eidebailly.com 15

  16. Prevent • Establish budgets • Follow best practices • National Institute of Standards and Technology (NIST) • Obtain advance training • Employ appropriate expertise • Strategize to prevent every ATTEMPT www.eidebailly.com 16

  17. Monitor & Detect • Establish centralized logging • Collect logs from all systems, networks, applications and all reported issues • Correlate and aggregate all logs • Setup rules and signature databases for alarms and alerts • Collection should have no filters • Establish robust search, filtering and reporting capability • Strategize to detect every ATTEMPT www.eidebailly.com 17

  18. Respond • Establish a response capability • Include members from executive, IT, HR, security, legal, public relations and others as appropriate • Review reports from monitoring activities • Meet regularly to make informed decisions • Strategize to respond to every ISSUE • Making an informed decision to do nothing is acceptable www.eidebailly.com 18

  19. IT/Security Operational Model www.eidebailly.com 19

  20. IT/Security Operational Model www.eidebailly.com 20

  21. Security & Risk Assessments • Vulnerability Assessments and Penetration Testing are technical options, but do not go far enough • Just because you are vulnerable and your system and networks can be compromised does not address the business question of what is the priority • A properly performed security & risk assessment will help you set priorities that match business goals and objectives www.eidebailly.com 21

  22. The Experts • IT Professionals will help keep your systems and networks up and running • Security Professionals will help keep your systems and networks protected • Computer Forensics Professionals will help respond and investigate issues involving technology for HR, Legal and executive purposes www.eidebailly.com 22

  23. IT Professional vs. Forensic Examiner • IT Professional training does not include handling of evidence • Primary focus is keeping system up and running • Can be witness on system, network, internet operations • Not trained or prepared to testify as an expert • Forensic Examiner understands the rules of evidence • Primary focus are collecting, preserving and examining relevant data • Can provide assistance with technical legal strategies • Trained and prepared to testify as an expert www.eidebailly.com 23

  24. Examples IT Professional vs. Forensic Examiner • A police officer’s daily work involves knowing, understanding and applying laws, but that does not make them an attorney. • A bookkeeper knows the accounting of their books and how to apply accounting practices everyday, but this does not make them a CPA. • An IT Professional knows how to setup, operate and maintain computer and network systems, but this does not make them qualified to investigate and testify, nor should they. www.eidebailly.com 24

  25. Computer Forensics vs E-Discovery e-Discovery is Electronic Discovery • Production of known responsive info for litigation • Indexed database searching and filtering • Provides data statistics • Also refers to Federal Rules of Civil Procedures, Process or Service Computer Forensics • Investigation and recovery of relevant info • Provides the details in context • Provides transactional details • Scientifically supports or disputes statements made by parties • Identifies and demonstrates facts about the activities found on a computer or electronic device www.eidebailly.com 25

  26. Example: Business Sale Made-up • A business owner discussed the sale of his business over public internet e-mail. An offer to sell was made in the amount of $1,000,000. After several months without a deal, the purchaser sued and as evidence produced a “PRINTED” copy of a reply e-mail from the seller asking to sell the business in the amount of $100,000. www.eidebailly.com 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

(Machine) Learning To Detect Fraudsters Hany Elemary Sarah LeBlanc CREDIT CARD FRAUD

(Machine) Learning To Detect Fraudsters Hany Elemary Sarah LeBlanc CREDIT CARD FRAUD

(Machine) Learning To Detect Fraudsters Hany Elemary Sarah LeBlanc CREDIT CARD FRAUD TRANSACTION APPLICATION CARD NOT FOUND 2 FRAUD DETECTION MODEL PLOT Not Fraud Fraud Application Count False Negatives False Positives 0 0.2 0.4

357 views • 24 slides
A Prototype for Credit Card Fraud Management Alexander Artikis 1 , 2 , Nikos Katzouris 2 , Ivo

A Prototype for Credit Card Fraud Management Alexander Artikis 1 , 2 , Nikos Katzouris 2 , Ivo

A Prototype for Credit Card Fraud Management Alexander Artikis 1 , 2 , Nikos Katzouris 2 , Ivo Correia 3 , Chris Baber 4 , Natan Morar 4 , Inna Skarbovsky 5 , Fabiana Fournier 5 and Georgios Paliouras 2 1 University of Piraeus, Greece, 2 NCSR

707 views • 43 slides
Training for Cardholders Introduction to the P-Card Program What is a P-Card? VISA credit

Training for Cardholders Introduction to the P-Card Program What is a P-Card? VISA credit

Purchasing Card Program Training for Cardholders Introduction to the P-Card Program What is a P-Card? VISA credit card issued by Bank of America Used to make purchase of goods and some services of $2,500 or less P-Card Controls

933 views • 26 slides
What are we protecting? Student Data (SSN, Grades, DOBs, Credit card) Employee Data

What are we protecting? Student Data (SSN, Grades, DOBs, Credit card) Employee Data

Freeze your credit will stop someone from opening a new line of credit in your name FREE! You can unfreeze your credit at any time Get an annual copy of your credit report and review it ALSO FREE! What are we protecting? Student

885 views • 31 slides
UC SAN DIEGO CREDIT CARD PAYMENT TUTORIAL From tritonlink.ucsd.edu home page, login to

UC SAN DIEGO CREDIT CARD PAYMENT TUTORIAL From tritonlink.ucsd.edu home page, login to

UC SAN DIEGO CREDIT CARD PAYMENT TUTORIAL From tritonlink.ucsd.edu home page, login to MyTritonLink Enter User ID/PID and password (students only). Click on balance amount or account details to go to the BILLING & PAYMENT menu.

188 views • 18 slides
Would You Sell Your Mothers Data? Personal Data Disclosure in a Simulated Credit Card

Would You Sell Your Mothers Data? Personal Data Disclosure in a Simulated Credit Card

Would You Sell Your Mothers Data? Personal Data Disclosure in a Simulated Credit Card Application Miguel Malheiros Sacha Brostoff Charlene Jennett M. Angela Sasse Information Security Research Group, Department of Computer Science, UCL

497 views • 20 slides
Overdraft Fee and Credit Card Practices: Overdraft Fee and Credit Card Practices: New Regulations

Overdraft Fee and Credit Card Practices: Overdraft Fee and Credit Card Practices: New Regulations

Presenting a live 90 minute webinar with interactive Q&A Overdraft Fee and Credit Card Practices: Overdraft Fee and Credit Card Practices: New Regulations and Litigation Trends Minimizing Litigation Exposure and Preparing for Heightened

1.4k views • 80 slides
UNLOCKING THE VALUE OF DATA THROUGH DATA SOURCES, CUSTOMER ATTRIBUTES & TRAINING MATTHEW

UNLOCKING THE VALUE OF DATA THROUGH DATA SOURCES, CUSTOMER ATTRIBUTES & TRAINING MATTHEW

UNLOCKING THE VALUE OF DATA THROUGH DATA SOURCES, CUSTOMER ATTRIBUTES & TRAINING MATTHEW PETERS JENNY CREDIT CARD PROSPECT JENNY CREDIT CARD PROSPECT JENNY CREDIT CARD PROSPECT JENNY CREDIT CARD PROSPECT JENNY CREDIT CARD PROSPECT

567 views • 22 slides
Payment Card Industry (PCI) Challenges and Issues for RACF Systems Jim Yurek Vanguard Integrity

Payment Card Industry (PCI) Challenges and Issues for RACF Systems Jim Yurek Vanguard Integrity

Payment Card Industry (PCI) Challenges and Issues for RACF Systems Jim Yurek Vanguard Integrity Professionals February 28, 2011 Session Number 8507 The Problem: Credit Card Breaches As long as we have the Internet and a Black Market for

643 views • 39 slides
Test Your Tech The dangers of phishing include A. Sharp hooks and nightcrawlers. B. Credit-card

Test Your Tech The dangers of phishing include A. Sharp hooks and nightcrawlers. B. Credit-card

Test Your Tech The dangers of phishing include A. Sharp hooks and nightcrawlers. B. Credit-card fraud at a look-alike Web site that mimics your bank. C. High mercury content in fish from polluted oceans. D.A. Clements, UW Information School 1

525 views • 25 slides
GSA Contractors and Credit Card Acceptance Adding Level III Data to your transactions saves

GSA Contractors and Credit Card Acceptance Adding Level III Data to your transactions saves

GSA Contractors and Credit Card Acceptance Adding Level III Data to your transactions saves money Federal P Card = GSA 708-449-1010 800-388-9790 info@GSACreditCardProcessing.com

519 views • 6 slides
In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user data passwords stored in readable format 1B 600M 0.5M Data Breaches Cost of a Data Breach Study www.ibm.com/security/data-breach

677 views • 35 slides
Improving Regional PCE Estimates Using Credit Card Transaction Data Abe Dunn Ledia Guci Mahsa

Improving Regional PCE Estimates Using Credit Card Transaction Data Abe Dunn Ledia Guci Mahsa

Improving Regional PCE Estimates Using Credit Card Transaction Data Abe Dunn Ledia Guci Mahsa Gholizadeh Bryn Whitmire June 10 th 2016 Exploratory work with First Data/ Palantir Data and coverage Aggregate Market Data ~ 50% of all

417 views • 20 slides
Industry Data Security Standards Christopher Kennedy Presentation Updated 2015-04-10 56

Industry Data Security Standards Christopher Kennedy Presentation Updated 2015-04-10 56

Payment Card Industry Data Security Standards Christopher Kennedy Presentation Updated 2015-04-10 56 Million Credit Card Numbers Stolen 70 Million Credit Card Number Stolen 130 Million Credit Card Numbers Stolen Payment Card Industry Data

617 views • 15 slides
ACCT 420: Logistic Regression for Corporate Fraud Session 7 Dr. Richard M. Crowley 1 Front

ACCT 420: Logistic Regression for Corporate Fraud Session 7 Dr. Richard M. Crowley 1 Front

ACCT 420: Logistic Regression for Corporate Fraud Session 7 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: Economics Psychology Application: Predicting fraud contained in annual reports

869 views • 66 slides
ACCT 420: Logistic Regression for Corporate Fraud Session 6 Dr. Richard M. Crowley 1 Front

ACCT 420: Logistic Regression for Corporate Fraud Session 6 Dr. Richard M. Crowley 1 Front

ACCT 420: Logistic Regression for Corporate Fraud Session 6 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: Economics Psychology Application: Predicting fraud contained in annual reports

898 views • 86 slides
Terrain Unitys Terrain editor islands topographical landscapes Mountains And

Terrain Unitys Terrain editor islands topographical landscapes Mountains And

Terrain Unitys Terrain editor islands topographical landscapes Mountains And more 12. Create a new Scene terrain and save it 13. GameObject > 3D Object > Terrain CS 491 / DES 400

761 views • 50 slides
Culture eats strategy for breakfast - Peter Drucker 2 12/2/18 Collective Impact Backbone Staff

Culture eats strategy for breakfast - Peter Drucker 2 12/2/18 Collective Impact Backbone Staff

12/2/18 Everyone Leads: Building the Culture for Collective Impact Paul Schmitz @paulschmitz1 www.leadinginsideout.org www.collectiveimpactforum.org What could you put in place to have the worst collaboration possible? 1 12/2/18 Culture

207 views • 9 slides
Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a statistical Markov model in which the system being modeled is assumed to be a Markov process with unobserved (hidden) states. We call the observed event

741 views • 13 slides
ESG integration in the long-term investment process AUTHOR: Matt Whineray CEO, NZ SUPER FUND

ESG integration in the long-term investment process AUTHOR: Matt Whineray CEO, NZ SUPER FUND

TITLE: ESG integration in the long-term investment process AUTHOR: Matt Whineray CEO, NZ SUPER FUND EVENT | PRESENTATION: KangaNews-Westpac NZ Sustainable Finance Summit 2018 15 November 2018 C2 - INTERNAL USE ONLY \ FILE INFO \ PG 2

517 views • 8 slides
Mitigation Journey Richard Ottley Head, Manufacturing Excellence The Response to Crisis

Mitigation Journey Richard Ottley Head, Manufacturing Excellence The Response to Crisis

Our Covid-19 Mitigation Journey Richard Ottley Head, Manufacturing Excellence The Response to Crisis Natural Response to Crisis = Fear and Uncertainty Success in the face of crisis comes when we are able to transition from fear and

540 views • 15 slides
How can we strengthen financial market preparedness? Kerstin af Jochnick First Deputy Governor

How can we strengthen financial market preparedness? Kerstin af Jochnick First Deputy Governor

Cyber risks in focus How can we strengthen financial market preparedness? Kerstin af Jochnick First Deputy Governor of the Riksbank 20 August 2019 Increased uncertainty over international developments Trade conflict USA - China Brexit

761 views • 18 slides
2/7/2019 MIDC LEADERSHIP CONFERENCE FEBRUARY 2019 1 2 OBJECTIVES Meet other leaders around

2/7/2019 MIDC LEADERSHIP CONFERENCE FEBRUARY 2019 1 2 OBJECTIVES Meet other leaders around

2/7/2019 MIDC LEADERSHIP CONFERENCE FEBRUARY 2019 1 2 OBJECTIVES Meet other leaders around Michigan Learn about systems statewide Share ideas about indigent defense reform 3 1 2/7/2019 OVERVIEW OF SYSTEMS 4 SOURCES FOR

947 views • 22 slides
C. Mallorca 260 08008 Barcelona Tel. 932 155 989 www.auren.com Non Financial Information: key

C. Mallorca 260 08008 Barcelona Tel. 932 155 989 www.auren.com Non Financial Information: key

C. Mallorca 260 08008 Barcelona Tel. 932 155 989 www.auren.com Non Financial Information: key for entities sustainability AIDC 16 octubre 2020 Antoni Gomez Member SMP AG (IFAC) President AMA, Arco Mediterrneo de Auditores Why Non Financial

501 views • 14 slides

More recommend