Published on February 26, 2014
Who is the Next Target and How is Big Data Related? Ulf Mattsson CTO, Protegrity ulf . mattsson [at] protegrity . com
The Changing Threat Landscape

Data loss worries IT pros most
Source: 2014 Trustwave Security Pressures Report

Targeted Malware Topped the Threats
62% said that the pressure to protect from data breaches also increased over the past year.
Source: 2014 Trustwave Security Pressures Report

US and Canada - Targeted Malware Top Threat
In the United States and Canada, targeted malware was the top threat IT pros felt pressured to secure against, and in the U.K. and Germany, the top threat was phishing/social engineering. Respondents in each country surveyed said viruses and worms caused the lowest pressure.
Source: 2014 Trustwave Security Pressures Report
The Cost of Cyber Crime
Source: Symantec 2013

Risk of Cyberattacks is a Real and Growing Threat
• Organizations worldwide are not "sufficiently protected" against cyberattacks
• Cyberattacks fallout could cost the global economy $3 trillion by 2020
• The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization."
Source: McKinsey report on enterprise IT security implications released in January 2014.

Energy Sector a Prime Target for Cyber Attacks
• 74 targeted cyberattacks per day between July 2012 and June 2013, with the energy sector accounting for 16.3% of them, which put it in second place behind government/public sector at 25.4%.
• The U.S. government's Department of Homeland Security (DHS) reported last year that its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to more than 200 incidents between Oct. 2012 and May 2013 — with 53% aimed at the energy sector.
• There have, so far, not been any successful catastrophic attacks on the grid, and there is ongoing debate about how high the risk is for what both former Defense secretary Leon Panetta and former Homeland Security secretary Janet Napolitano called a "cyber Pearl Harbor" attack.
Source: www.csoonline.com/article/748580/energy-sector-a-primetarget-for-cyber-attacks
Breach Discovery Methods
Verizon 2013 Data Breach Investigations Report

Security Improving but We Are Losing Ground

Identity Theft
Source: www.pcworld.com/article/2088920/target-credit-card-data-was-sent-toserver-in-russia.html
Half of Americans Worry about Identity Theft
The Wall Street Journal reported that financial institutions have spent big bucks—more than $200 million alone in the case of the Target episode—to ease our concerns
• The vast majority of that total ($172 million) covers the costs of replacing cards that have been compromised
Half of American adults said they are "extremely concerned" about their personal data when paying for goods at stores with plastic, according to a recent Associated Press-GfK poll
Source: www.cuinsight.com/target-shoppers-shrug-off-massive-creditcard-data-breach.html

Identity Theft Exploding with Massive Data Breaches
"Last year, some 13.1 million consumers suffered identity fraud,"
Those numbers don't include the more than 110 million victims of the holiday breach, which, as it ripples through the population, will send the figures up like a rocket
A stranger takes over someone's life about once every two seconds
And 1 in 3 of us now already has undesired personal experience with that upsetting fact, according to
• Even worse, that number is certain to grow dramatically this year
"Four years ago, the number of identity-fraud victims was 1 in 9, and last year it was 1 in 3. We think the way it is going, and given the … breach, that number will likely increase."
Source: Javelin Strategy & Research's 2014 Identity Fraud Report and nypost.com/2014/02/22/identity-crisis-exploding-with-massive-data-breaches/

IRS Warns about Identity Theft
• In many cases, an identity thief uses a legitimate taxpayer's identity to fraudulently file a tax return and claim a refund
• The agency's work on identity theft and refund fraud continues to grow. For the 2014 filing season, the IRS has expanded its efforts to better protect taxpayers and help victims
• Taxpayers can call the IRS' Identity Protection Specialized Unit at 800-908-4490
Source: www.burlingtoncountytimes.com/business/irs-warns-aboutscams/article_8d01916b-1af0-5960-8790-7991ef0bc20a.html
Target Data Breach

iSIGHT partnered with the U.S. Secret Service
• iSIGHT Partners has a deeply comprehensive understanding of the entire code family as well as that from several other victims
• The USSS has permitted us to share limited details surrounding these types of attacks

How The Breach at Target Went Down
Credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email
• Resulted in the theft of at least 40 million customer records containing financial data such as debit and credit card information.
• In addition, roughly 70 million accounts were compromised that included addresses and mobile numbers.
The data theft was caused by the installation of malware on the firm's point of sale machines
• Free version of Malwarebytes Anti-Malware was used by Target
The subsequent file dump containing customer data is reportedly flooding the black market
• Could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft.
Source: Brian Krebs and www.zdnet.com/how-hackers-stole-millions-of-creditcard-records-from-target-7000026299/
Memory Scraping

FBI warns of Memory-scraping Malware in wake of Target breach
• In its warning titled "Recent Cyber Intrusion Events Directed Toward Retail Firms", the FBI said that in the past year it has uncovered around 20 cases of cyberattacks against retailers that utilized similar methods to those uncovered in the Target incident
• "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," said the FBI in the report, seen by Reuters
Source: searchsecurity.techtarget.com/news/2240213143/FBIwarns-of-memory-scraping-malware-in-wake-of-Target-breach

Researchers: Another ring of Attackers on Retailers
Researchers at RSA's First Watch cybersecurity team:
• Similar to the gang that tapped into the point-of-sales systems at Target, Neiman-Marcus and Michaels
• That gang used a memory parsing program called POSRAM.
• This most recently discovered ring of thieves makes use of a similar piece of malware dubbed ChewBacca
Source: www.usatoday.com/story/cybertruth/2014/02/03/hackingof-point-of-sales-systems-escalates/5060523/

Malware Collected 11GB of Data from Target
• The stolen credit card numbers of millions of Target shoppers took an international trip—to Russia
• "The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity," according to a Jan. 14 report from iSight Partners, a Dallas-based information security company.
• Security company Seculert found that data stolen in the Target breach was received by a compromised U.S. server, then sent to a Russian server.
Memory Scraping Malware – Target Breach
[Diagram labels: Payment Card Terminal; Point Of Sale Application; Authorization, Settlement …; Memory Scraping Malware; Web Server; Russia]
Attacks using memory scrapers
• Attacks using memory scrapers can target any application that processes credit card numbers
• In the past, memory scraping often required the attacker to have a small amount of target environment knowledge to configure the capture tool
• The trend is toward generic discovery tools that could identify the desired information in a list of preconfigured processes or all running processes
Source: http://www2.trustwave.com/rs/trustwave/images/2013-Global-SecurityReport.pdf

Malware
2014 Trustwave Security Pressures Report
• The rate and sophistication of malware and data breaches continue to accelerate, a trend that is proving seemingly impossible for businesses to counter.
Memory scraping
• Used at Target: 110 million …
• It's next to impossible to stop data leakage.
• You can't beat it completely
• Detecting or intercepting related malware-dropping attacks aimed at those POS devices may be quite difficult.
• That's because attackers can use antivirus evasion techniques or packing tools to give the malware executable a never-before-seen checksum.

Old Security Approaches
Old security is like "boiling the ocean"
• You are trying to "patch" all possible data paths and sensitive data stores, and may not even find a trace of the attack.
• Malware
• Data leaks
Proactive Data Security

The Changing Technology Landscape

Is it Impossible to Prevent Data Breaches?
• Chip-and-PIN, or EMV, is more secure than the current magnetic stripe technology
• Cyber criminals can "easily create cloned cards" from magnetic stripe data
• Major credit card companies have placed a deadline on U.S. merchants to adopt EMV technology by October of 2015, or face increased liability of fraud
Source: news.medill.northwestern.edu/chicago/news.aspx?id=228123
Use Big Data to Analyze Abnormal Traffic Pattern
[Diagram labels: Payment Card Terminal; Point Of Sale Application; Authorization, Settlement …; Memory Scraping Malware; Web Server; SIEM Analytics; Big Data; Russia]
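
An added example, not part of the original deck, of the traffic analysis this slide points to: it flags POS terminals sending data anywhere other than the payment hosts, and internal hosts that collect from several terminals and then send large volumes outside the network. The flow records, address ranges, allow-list and thresholds are constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (source, destination, bytes). Not real data.
FLOWS = [
    ("10.1.0.11", "10.9.0.5", 4_200),            # POS -> authorization host
    ("10.1.0.12", "10.9.0.5", 3_900),
    ("10.1.0.11", "10.9.0.6", 1_100),            # POS -> settlement host
    ("10.1.0.11", "10.2.0.77", 58_000_000),      # POS -> unexpected internal host
    ("10.1.0.12", "10.2.0.77", 61_000_000),
    ("10.1.0.13", "10.2.0.77", 47_000_000),
    ("10.2.0.77", "203.0.113.40", 160_000_000),  # internal host -> external
    ("10.3.0.8", "198.51.100.9", 20_000),        # ordinary workstation traffic
]
POS_NET = ipaddress.ip_network("10.1.0.0/24")    # assumed POS segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal range
PAYMENT_HOSTS = {"10.9.0.5", "10.9.0.6"}         # assumed allow-list

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

def find_anomalies(flows, min_terminals=2, min_egress=100_000_000):
    """Return (off_path, staging).

    off_path: bytes each POS terminal sent to a host outside the allow-list.
    staging:  hosts fed by several POS terminals that also sent at least
              min_egress bytes to addresses outside the internal range.
    """
    off_path = defaultdict(int)      # (pos, dst) -> bytes
    collectors = defaultdict(set)    # dst -> POS terminals sending to it
    egress = defaultdict(int)        # internal src -> bytes sent externally
    for src, dst, nbytes in flows:
        if in_net(src, POS_NET) and dst not in PAYMENT_HOSTS:
            off_path[(src, dst)] += nbytes
            collectors[dst].add(src)
        if in_net(src, INTERNAL) and not in_net(dst, INTERNAL):
            egress[src] += nbytes
    staging = sorted(host for host, terminals in collectors.items()
                     if len(terminals) >= min_terminals
                     and egress[host] >= min_egress)
    return dict(off_path), staging
```
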
Reactionary vs Proactive Data Security
• Don't just fix yesterday's problems
• Compliance vs Security
• Think like a hacker
• Malware & Memory Scraping
• Protect the Data Flow with Tokenization
• Use Big Data to Analyze Data Traffic
What is Big Data?
Hadoop
• Designed to handle the emerging "4 V's"
• Massively Parallel Processing (MPP)
• Elastic scale
• Usually Read-Only
• Allows for data insights on massive, heterogeneous data sets
• Includes an ecosystem of components
[Diagram labels: Hive; Pig; Other; Application Layers; MapReduce; HDFS; Storage Layers; Physical Storage]

Has Your Organization Already Invested in Big Data?
Source: Gartner

Vulnerabilities in Big Data

Holes in Big Data…
Source: Gartner

Many Ways to Hack Big Data
[Diagram labels: BI Reporting; RDBMS; Hackers; Pig (Data Flow); Hive (SQL); Sqoop; Unvetted Applications Or Ad Hoc Processes; MapReduce (Job Scheduling/Execution System); Hbase (Column DB); HDFS (Hadoop Distributed File System); Avro (Serialization); Zookeeper (Coordination); ETL Tools; Privileged Users]
Source: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase
The Insider Threat

Sensitive Data Insight & Usability
• Big Data and Cloud environments are designed for access and deep insight into vast data pools
• Data can be monetized not only by marketing analytics, but through sale or use by a third party
• The more accessible and usable the data is, the greater this ROI benefit can be
• Security concerns and regulations are often viewed as opponents to data insight

Big Data Vulnerabilities and Concerns
• Big Data (Hadoop) was designed for data access, not security
• Security in a read-only environment introduces new challenges
• Massive scalability and performance requirements
• Sensitive data regulations create a barrier to usability, as data cannot be stored or transferred in the clear
• Transparency and data insight are required for ROI on Big Data
Threats to Big Data

Attacks on Big Data – Honey Pot
The honey pot idea is a 10+ year old trick based on fake data (in a pot) and redirection of requests:
• Great for monitoring what attackers are doing.
• A modern approach should be based on tokenization with fake data "everywhere" instead of in "a pot".

Attacks on Big Data – Perimeter & Encryption
The old perimeter security and encryption:
• The discussion should be how to "balance between security and insight".

Attacks on Big Data – Access Control
The challenge of maintaining a "classic" access control model:
• The "new approach" should be based on building the protection into the data (tokenization)
• Not be based only on preventing access to data

Attacks on Big Data – Data Inference
The "data inference" (re-identification) problem:
• New problem
• Not a Big Data problem
A "balance between security and insight" is the right approach
The de-tokenization policy should evaluate the combination of data fields that are accessed over time.
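
An added example, not part of the original deck, of a de-tokenization policy that evaluates the combination of fields accessed over time: a field is released in the clear only while the fields one user has seen for one record, inside a sliding window, do not complete a re-identifying set. The field names, the risky combination, the window length and the requests are constructed assumptions, and timestamps are assumed to arrive in order.

```python
from collections import defaultdict, deque

class DetokenizationPolicy:
    """Release cleartext only while the fields a user has seen for a record,
    within a sliding time window, do not complete a re-identifying set."""

    def __init__(self, risky_combinations, window_seconds):
        self.risky = [frozenset(c) for c in risky_combinations]
        self.window = window_seconds
        self.history = defaultdict(deque)    # (user, record) -> (ts, field)

    def request(self, user, record_id, field, ts):
        log = self.history[(user, record_id)]
        while log and ts - log[0][0] > self.window:
            log.popleft()                    # forget accesses outside window
        seen = {f for _, f in log} | {field}
        if any(combo <= seen for combo in self.risky):
            return False                     # deny: caller keeps the token
        log.append((ts, field))
        return True                          # allow: detokenize this field

# Constructed requests: (user, record id, field, time in seconds).
REQUESTS = [
    ("analyst1", 42, "zip", 0),
    ("analyst1", 42, "birth_date", 60),
    ("analyst1", 42, "gender", 120),     # would complete the set -> denied
    ("analyst1", 43, "gender", 130),     # different record -> allowed
    ("analyst2", 42, "gender", 140),     # different user -> allowed
    ("analyst1", 42, "gender", 4000),    # earlier accesses aged out -> allowed
]

def replay(requests):
    policy = DetokenizationPolicy(
        risky_combinations=[{"zip", "birth_date", "gender"}],  # assumed set
        window_seconds=3600,                                   # assumed window
    )
    return [policy.request(*r) for r in requests]
```

The fifth request shows the limit of per-user tracking: two users who pool what they see are not caught by this policy.
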
Attacks on Big Data – Analytical Tools
The "lack of analytical tools"
• Can it prevent an attacker from finding sensitive data?
Attackers are simply looking for sensitive records
• Not interested in advanced analytical results.
The attacker will find points in the data flow where sensitive data is easier to find

Evolution of Data Security

Evolution of Data Security Methods
[Timeline axis: Time]
Coarse Grained Security
• Access Controls
• Volume Encryption
• File Encryption
Fine Grained Security
• Access Controls
• Field Encryption (AES & )
• Masking
• Tokenization
• Vaultless Tokenization
Use of Enabling Technologies
[Bar chart. Categories: Access controls; Database activity monitoring; Database encryption; Backup / Archive encryption; Data masking; Application-level encryption; Tokenization. Legend includes: Evaluating]

Access Control
[Chart: Risk (Low to High) against Access Privilege Level (Low to High)]
Old and flawed: Minimal access levels so people can only carry out their jobs

Applying the protection profile to the content of data fields allows for a wider range of authority options

How the New Approach is Different
[Chart: Risk (Low to High) against Access Privilege Level (Low to High)]
Old: Minimal access levels – Least Privilege to avoid high risks
New: Much greater flexibility and lower risk in data accessibility

Reduction of Pain with New Protection Techniques
[Chart: Pain & TCO (High to Low) over time; time axis marks 1970, 2000, 2005, 2010]
Input Value: 3872 3789 1620 3675
• Strong Encryption (AES, 3DES). Output: !@#$%a^.,mhu7///&*B()_+!@
• Format Preserving Encryption (DTP, FPE). Output: 8278 2789 2990 2789
• Vault-based Tokenization (Format Preserving, Greatly reduced Key Management). Output: 8278 2789 2990 2789
• Vaultless Tokenization (No Vault). Output: 8278 2789 2990 2789
Fine Grained Data Security Methods: Vault-based vs. Vaultless Tokenization
Footprint
• Vault-based Tokenization: Large, Expanding.
• Vaultless Tokenization: Small, Static.
High Availability, Disaster Recovery
• Vault-based Tokenization: Complex, expensive replication required.
• Vaultless Tokenization: No replication required.
Distribution
• Vault-based Tokenization: Practically impossible to distribute geographically.
• Vaultless Tokenization: Easy to deploy at different geographically distributed locations.
Reliability
• Vault-based Tokenization: Prone to collisions.
• Vaultless Tokenization: No collisions.
Performance, Latency, and Scalability
• Vault-based Tokenization: Will adversely impact performance & scalability.
• Vaultless Tokenization: Little or no latency. Fastest industry tokenization.

Fine Grained Data Security Methods: Tokenization and Encryption are Different
Used Approach
• Encryption: Cipher System (Cryptographic algorithms, Cryptographic keys)
• Tokenization: Code System (Code books, Index tokens)
Source: McGraw-Hill Encyclopedia of Science & Technology
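
An added example, not part of the original deck and not Protegrity's implementation, of the vault-based "code system" the two slides above describe: the token is a random, format-preserving substitute recorded in a code book, so the vault grows with every new value and each candidate token must be checked against it for collisions. The class and method names are hypothetical; the input value is the one shown on the earlier slide.

```python
import secrets

class TokenVault:
    """Vault-based tokenization: a growing code book of value <-> token pairs."""

    def __init__(self):
        self._to_token = {}   # cleartext -> token
        self._to_value = {}   # token -> cleartext (the vault)
        self.collisions = 0   # candidate tokens rejected and regenerated

    @staticmethod
    def _candidate(value):
        # Replace each digit with a random digit and keep separators,
        # so the token has the same format as the input.
        return "".join(secrets.choice("0123456789") if ch.isdigit() else ch
                       for ch in value)

    def tokenize(self, value):
        if value in self._to_token:          # same input -> same token
            return self._to_token[value]
        token = self._candidate(value)
        # A random candidate may equal the input or an issued token, so the
        # vault has to be consulted and the candidate regenerated.
        while token == value or token in self._to_value:
            self.collisions += 1
            token = self._candidate(value)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        return self._to_value[token]         # lookup only; no key, no cipher

    def size(self):
        return len(self._to_value)           # one entry per distinct value

def demo():
    vault = TokenVault()
    pan = "3872 3789 1620 3675"              # input value shown on the slide
    token = vault.tokenize(pan)
    return vault, pan, token
```
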
The Future of Tokenization
PCI DSS 3.0
• Split knowledge and dual control
PCI SSC Tokenization Task Force
• Tokenization and use of HSM
Card Brands – Visa, MC, AMEX …
• Tokens with control vectors
ANSI X9
• Tokenization and use of HSM

Security of Different Protection Methods
[Chart: Security Level (Low to High) for Basic Data Tokenization; Format Preserving Encryption; AES CBC Encryption Standard; Vaultless Data Tokenization]

Speed of Different Protection Methods
[Chart: Transactions per second* (axis from 100 to 10 000 000) for Vault-based Data Tokenization; Format Preserving Encryption; AES CBC Encryption Standard; Vaultless Data Tokenization]
*: Speed will depend on the configuration

How Should I Secure Different Data?
[Chart: Use Case (Simple to Complex) against Type of Data (Un-structured to Structured). Labels: Encryption of Files; Tokenization of Fields; Card Holder Data (PCI); Personally Identifiable Information (PII); Protected Health Information (PHI)]

Protegrity Summary
Proven enterprise data security software and innovation leader
• Sole focus on the protection of data
• Patented Technology, Continuing to Drive Innovation
Cross-industry applicability
• Retail, Hospitality, Travel and Transportation
• Financial Services, Insurance, Banking
• Healthcare
• Telecommunications, Media and Entertainment
• Manufacturing and Government