PCI-DSS And Target: What Went Wrong
Michael Haney, CS 7493, Fall 2014





The Payment Card Industry

  • Card Brands: Visa, MC, AmEx, Discover, JCB

  • Merchants (Retailers)

  • Banks, Processors, Gateways, and Acquirers

  • Security Standards Council (SSC)

  • The Standards:

    • DSS

    • PA-DSS

    • PTS

    • HMS

    • P2PE



Compliance Process

  • 3-year standards cycle

    • Previous version: v2.0 released October 2010

    • Current version: v3.0 released October 2013

  • Merchant Levels

    • Level 1 – 4, based on size, unless you’re breached.

  • Who to report to?

  • ROC, AOC, and SAQ

  • QSAs, ASVs, QIRs, ISAs, etc., etc.

  • Breaches and Compliance



Verify Your QSA

https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php

  • Employee of Member in good standing

  • Annual Training

  • Annual Fees Paid ($1500 per person)

  • Suspended if reports fail QA review process externally.

  • Revoked if caught “hacking”.

  • Mine expired yesterday



Target and Trustwave

  • Trustwave is (was) Target’s QSA. Individuals were assigned the Target account to perform the annual testing and audit.

  • Target Stores were compliant with PCI-DSS (v2.0) and had submitted a ROC to their acquirers annually, most recently in September 2013.

  • 12 requirements, many sub-requirements, many specific sub-sub-requirements must be evaluated by observation, interview, screenshots, and testing.

  • For example, an ASV scanned Target’s external IP addresses quarterly and reported on any vulnerabilities.

    • All medium and high-risk vulns must be addressed (per Requirement 11.2, 11.2.1, 11.2.2, 11.2.3)



Target Breach Timeline, Part 1



Target Breach Timeline, Part 2



Target Breach Timeline, Part 3



Target Breach Timeline, Part 4

  • Between December 2 and December 15:

    • Card numbers (CCs) and magnetic-stripe data are sent from the POS systems in all Target stores to central servers for “staging”

    • Additional customer information database is pilfered

    • Hacker group begins exfiltrating data to several world-wide hosting sites, eventually to Odessa, Ukraine

    • Data was uploaded only manually, via FTP, between 10am and 6pm CST.

    • Over 2 weeks, 11GB are uploaded
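The exfiltration pattern above (staged card data leaving over FTP, only during the business day, about 11 GB over two weeks) is what flow telemetry can surface if a rule keys on protocol, external destination and cumulative volume rather than on time of day. The following is an added example, not code from the presentation; it runs over constructed flow records embedded inline and assumes RFC 1918 space is the only internal address range.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample flow records (not real Target telemetry). Fields:
# local timestamp, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2013-12-03 10:15:00 10.20.5.7 203.0.113.10 21 734003200
2013-12-03 14:40:00 10.20.5.7 203.0.113.10 21 629145600
2013-12-04 11:05:00 10.20.5.7 198.51.100.23 21 838860800
2013-12-04 23:30:00 10.20.5.7 10.20.9.1 21 52428800
2013-12-05 09:10:00 10.20.5.8 10.20.9.1 445 104857600
"""
# Which address space counts as "internal" is a site policy; RFC 1918 is assumed here.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FLOW_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\d+)$")

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse the records above into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            flows.append((ts, ip_address(m.group(2)), ip_address(m.group(3)),
                          int(m.group(4)), int(m.group(5))))
    return flows

def external_ftp_uploads(flows):
    """FTP control-port flows from an internal host to an external address."""
    return [f for f in flows if f[3] == 21 and is_internal(f[1]) and not is_internal(f[2])]

def after_hours_ftp_uploads(flows, start_hour=10, end_hour=18):
    """What an 'after-hours only' rule sees: nothing, since the uploads fell in the workday."""
    return [f for f in external_ftp_uploads(flows) if not start_hour <= f[0].hour < end_hour]

def volume_by_destination(flows):
    """Cumulative bytes per external FTP destination, regardless of time of day."""
    totals = defaultdict(int)
    for _, _, dst, _, nbytes in external_ftp_uploads(flows):
        totals[str(dst)] += nbytes
    return dict(totals)

def flag_exfiltration(flows, threshold_bytes=1024 ** 3):
    """External FTP destinations that received more than threshold_bytes (default 1 GiB)."""
    return sorted(d for d, t in volume_by_destination(flows).items() if t > threshold_bytes)
```

Against the sample records, the after-hours rule returns nothing while the volume rule flags the destination that accumulated more than 1 GiB, which is the distinction the business-hours timing in the timeline illustrates.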



Target Breach Malware Identified

  • BlackPOS was sold on the crime market for $1800

  • POSWDS on ThreatExpert (since pulled down)

  • Virustotal.com reported “30503 POS malware from FBI source” in June 2013.

  • A modified variant, referred to as BladeLogic, was hardcoded with specific servers and a username/password from Target’s environment: “Best1_user” with password “BackupU$r”

  • Servers include \\TTCOPSLI3ACS\ and \\TCMPSPRINT04P\ .

  • User IDs of the attackers include “Rescator” and “Crysis1089”



Target Breach Timeline, Part 5



Target Breach Timeline, Part 6



Target Breach Timeline, Part 7



A Closer Look at PCI-DSS 12 Requirements

  • Requirement 1: Firewalls

    • 1.1

      • 1.1.6

      • 1.1.7

    • 1.2

      • 1.2.1

    • 1.3

      • 1.3.5

  • Requirement 2: Vendor-supplied Defaults

    • 2.1

  • Requirement 3: Protect Storage of Cardholder Data

    • 3.1

    • 3.2

      • 3.2.3

    • 3.4

  • Requirement 5: Protect systems against malware

    • 5.1

      • 5.1.1

    • 5.2

    • 5.3

  • Requirement 7: Restrict access to business need-to-know

    • 7.1

      • 7.1.2

    • 7.2



A Closer Look at PCI-DSS 12 Requirements

  • Requirement 10: Track and monitor all access

    • 10.1

    • 10.2

      • 10.2.2

      • 10.2.4

    • 10.6

      • 10.6.1

  • Requirement 8: Identify and authenticate access

    • 8.1

      • 8.1.1

      • 8.1.2

      • 8.1.5

    • 8.3

    • 8.5

    • 8.7

  • Requirement 11: Regularly test security systems

    • 11.3

    • 11.4

    • 11.5

  • Requirement 12: Maintain a policy

    • 12.5

      • 12.5.2

      • 12.5.3

      • 12.5.5

    • 12.8

      • 12.8.4

    • 12.10

      • 12.10.5



Could Anything Have Prevented This?

  • EMV and Chip-and-PIN cards

    • How they work: the chip on the card performs encryption.

    • A time-varying factor prevents replay of a captured transaction.

    • Counterfeiting cards is much harder.

    • The PIN adds “something you know” as a second factor.

  • But clever hackers will find another way

  • Memory-scraping is hard to prevent

  • Fully complying with PCI-DSS would have prevented several stages of this attack



Questions?



References

  • Verify a QSA:

    https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php

  • PCI statement about the Target breach (December 20):

    https://www.pcisecuritystandards.org/news_events/statements/2013_12_20.php

  • Breach announced (December 19):

    http://www.wired.com/threatlevel/2013/12/target-hack-hits-40-million/

    http://arstechnica.com/security/2013/12/secret-service-investigating-alleged-credit-card-breach-at-target/

  • POS Malware identified (January 16):

    http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

    http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/

  • Target Breach Used Stolen Vendor Access Credentials (January 30, 2014)

    http://www.govinfosecurity.com/target-breach-credentials-stolen-a-6452

    http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapped-vendor-credentials/d/d-id/1113641

    http://www.zdnet.com/target-traces-security-breach-to-stolen-vendor-credentials-7000025780/

    http://www.computerworld.com/s/article/9245877/Target_says_attackers_stole_vendor_credentials?taxonomyId=17

    http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/

    http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

  • Target and Neiman Marcus Executives Testify at Senate Committee Hearing (February 4 & 5, 2014)

    http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472

    http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-credit-card-data-hack-n22131

    http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-push-chip-cards/article/332868/

    http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_defend_security_practices?taxonomyId=17

  • Target Attackers Phished for HVAC Company Network Access Credentials (February 12 & 13, 2014)

    http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

    http://arstechnica.com/security/2014/02/epic-target-hack-reportedly-began-with-malware-based-phishing-e-mail/

    http://www.nextgov.com/cybersecurity/2014/02/heres-how-hackers-stole-110-million-americans-data-target/78740/?oref=ng-channeltopstory

    http://www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/

  • CIO Beth Jacob resigns (March 6):

    http://www.computerworld.com/s/article/9246773/Target_CIO_resigns_following_breach?taxonomyId=17

  • Target was warned of breach (March 13):

    http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

  • Target and the FTC, may face federal charges (March 20):

    http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver

  • Banks sue Target and Trustwave (March 26):

    http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/

    http://www.theregister.co.uk/2014/03/26/banks_lob_sueball_at_trustwave_target/

  • Target Breach Illustrates Value of Limiting Exfiltration (April 2, 2014)

    http://www.darkreading.com/attacks-breaches/operation-stop-the-exfiltration/d/d-id/1171947?

  • Chip-and-PIN and EMV cards:

    http://www.scmagazine.com/mastercard-visa-to-push-emv-nfr-calls-for-use-of-pins/article/338019/

