PCI-DSS And Target: What Went Wrong Michael Haney CS 7493, Fall 2014

The Payment Card Industry
  • Card Brands: Visa, MC, AmEx, Discover, JCB
  • Merchants (Retailers)
  • Banks, Processors, Gateways, and Acquirers
  • Security Standards Council (SSC)
  • The Standards (published by the SSC):
    • DSS (Data Security Standard, for anyone who stores, processes or transmits cardholder data)
    • PA-DSS (Payment Application DSS, for vendors of payment software)
    • PTS (PIN Transaction Security, for PIN-entry devices)
    • HSM (Hardware Security Module requirements; the slide's "HMS" is a typo)
    • P2PE (Point-to-Point Encryption, so the POS never sees cleartext card data)
Compliance Process
  • 3-year standards lifecycle
    • Previous version: v2.0, released October 2010
    • Current version: v3.0, released November 2013 (effective January 1, 2014; v2.0 may still be used through the end of 2014)
  • Merchant Levels
    • Level 1 to 4, based on annual transaction volume; a breached merchant can be escalated to Level 1 regardless of volume.
  • Who to report to? The merchant's acquiring bank, which reports onward to the card brands.
  • ROC (Report on Compliance), AOC (Attestation of Compliance), and SAQ (Self-Assessment Questionnaire)
  • QSAs (Qualified Security Assessors), ASVs (Approved Scanning Vendors), QIRs (Qualified Integrators and Resellers), ISAs (Internal Security Assessors), etc., etc.
  • Breaches and Compliance: compliance is validated at a point in time; a breach triggers a forensic investigation into whether the required controls were actually in place when the compromise happened.
Verify Your QSA

https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php

  • Employee of a QSA company in good standing
  • Annual training and requalification
  • Annual fees paid ($1,500 per person)
  • Suspended if the assessor's reports fail the SSC's external QA review process.
  • Revoked if caught "hacking".
  • Mine expired yesterday
Target and Trustwave
  • Trustwave was Target's QSA (as named in the banks' later lawsuit). Individual assessors were assigned the Target account to perform the annual testing and audit.
  • Target had been assessed compliant with PCI-DSS v2.0 and submitted a ROC to its acquirers annually, most recently in September 2013. A ROC attests to the state of controls at the time of the assessment, not to their state three months later.
  • 12 requirements, many sub-requirements, and many specific sub-sub-requirements must each be evaluated by observation, interview, screenshots, and testing.
  • For example, an ASV scanned Target's external IP addresses quarterly and reported any vulnerabilities.
    • A passing quarterly external scan has no vulnerabilities rated CVSS 4.0 or higher (medium and above); anything found must be fixed and rescanned (Requirements 11.2, 11.2.1, 11.2.2, 11.2.3).
Target Breach Timeline, Part 4
  • Between December 2 and December 15:
    • Card numbers and magnetic-stripe track data were sent from POS terminals in all Target stores to internal central servers for "staging"
    • A separate customer-information database was also pilfered
    • The group then exfiltrated the staged data to several hosting sites around the world, ending up in Odessa, Ukraine
    • Uploads were done manually, over FTP, and only between 10am and 6pm CST, so they blended in with business-hours traffic
    • Over two weeks, about 11GB were uploaded
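The exfiltration stage above is where an egress control or egress monitoring (Requirements 1.2.1 and 1.3.5, and the "limiting exfiltration" reference at the end of the deck) would have bitten. The following is an added example, not code from the slides: it runs detection logic over constructed flow-log lines, with hypothetical addresses, an assumed allowlist of approved egress destinations and an assumed daily volume threshold, and flags internal-to-external flows that are off-allowlist, use a cleartext file-transfer protocol, or move more than the threshold in a day. Because the attackers deliberately uploaded during business hours, the rule intentionally does not key on time of day.

```python
"""Egress anomaly detection over firewall/flow log lines.

Added example for this page; the log format, addresses, hosts and
thresholds are constructed for illustration and are not Target data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log (hypothetical). One flow per line:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto> <bytes_out>
# Every timestamp falls inside 10am-6pm on purpose.
SAMPLE_LOG = """\
2013-12-02T10:05:12 10.20.1.15 203.0.113.44 21 tcp 734003200
2013-12-02T10:41:03 10.20.1.15 203.0.113.44 21 tcp 812000000
2013-12-02T11:15:44 10.20.3.9 198.51.100.7 443 tcp 120500
2013-12-02T14:02:10 10.20.1.15 203.0.113.44 21 tcp 655360000
2013-12-02T15:30:00 10.20.7.22 198.51.100.20 25 tcp 48211
2013-12-03T10:10:09 10.20.1.15 203.0.113.44 21 tcp 902000000
2013-12-03T13:45:50 10.20.3.9 198.51.100.7 443 tcp 99123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)

# Internal ranges of the cardholder data environment, listed explicitly.
# (ipaddress.is_private() would also treat the RFC 5737 documentation
# ranges used in the sample as "private", so it is not relied on here.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allowlist of approved egress (dst_ip, dst_port) pairs, i.e.
# the documented and justified flows Requirements 1.1.6 / 1.2.1 call for.
APPROVED_EGRESS = {("198.51.100.7", 443), ("198.51.100.20", 25)}

CLEARTEXT_TRANSFER_PORTS = {21, 69}          # FTP, TFTP
DAILY_BYTES_THRESHOLD = 500 * 1024 * 1024    # 500 MiB per (src, dst, port) per day


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> List[Dict]:
    """Parse flow lines; malformed lines are skipped rather than aborting."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "proto": m["proto"],
            "bytes": int(m["bytes"]),
        })
    return records


def find_suspicious_egress(records: List[Dict]) -> List[Dict]:
    """Aggregate internal->external bytes per day and flag by destination,
    protocol and volume. Time of day is deliberately not a criterion."""
    daily = defaultdict(int)  # (day, src, dst, port) -> bytes
    for r in records:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only flows leaving the internal network can exfiltrate
        key = (r["ts"].date().isoformat(), r["src"], r["dst"], r["port"])
        daily[key] += r["bytes"]

    findings = []
    for (day, src, dst, port), total in sorted(daily.items()):
        reasons = []
        if (dst, port) not in APPROVED_EGRESS:
            reasons.append("destination/port not on egress allowlist")
        if port in CLEARTEXT_TRANSFER_PORTS:
            reasons.append(f"cleartext file transfer on port {port}")
        if total > DAILY_BYTES_THRESHOLD:
            reasons.append(f"{total / 2**20:.0f} MiB in one day exceeds threshold")
        if reasons:
            findings.append({"day": day, "src": src, "dst": dst, "port": port,
                             "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(parse_log(SAMPLE_LOG)):
        print(f"{f['day']} {f['src']} -> {f['dst']}:{f['port']} "
              f"{f['bytes']} bytes: " + "; ".join(f["reasons"]))
```

Run as a script it prints the two flagged days for the staging host 10.20.1.15. In practice the allowlist is the documented flow list from 1.1.6, the totals come from NetFlow or proxy logs rather than a string, and the cleaner fix is the one 1.2.1 asks for: a default-deny egress rule that makes the FTP sessions fail outright instead of merely being logged.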
Target Breach Malware Identified
  • BlackPOS, sold on underground crime forums for about $1,800
  • A sample named POSWDS was posted to ThreatExpert (since pulled down)
  • VirusTotal carries an entry labelled "30503 POS malware from FBI source", dated June 2013
  • The Target variant was modified to pose as BMC's BladeLogic software and hard-coded with specific servers and an account from Target's environment: user "Best1_user", password "BackupU$r" (reported to be a default account created by BMC software, which is exactly what Requirement 2.1 is about)
  • Servers include \\TTCOPSLI3ACS\ and \\TCMPSPRINT04P\ .
  • Handles linked to the attackers include "Rescator" and "Crysis1089"
A Closer Look at PCI-DSS 12 Requirements
  (Sub-requirements that bear on the Target breach; numbering per PCI DSS v3.0.)
  • Requirement 1: Install and maintain a firewall configuration
    • 1.1 Firewall and router configuration standards
      • 1.1.6 Documented business justification for every allowed service, protocol and port
      • 1.1.7 Review firewall and router rule sets at least every six months
    • 1.2 Restrict connections between untrusted networks and the cardholder data environment (CDE)
      • 1.2.1 Restrict inbound and outbound traffic to what the CDE needs; deny everything else
    • 1.3 Prohibit direct public access between the Internet and the CDE
      • 1.3.5 Do not allow unauthorized outbound traffic from the CDE to the Internet
  • Requirement 2: Do not use vendor-supplied defaults
    • 2.1 Change vendor defaults and remove unnecessary default accounts before a system goes on the network
  • Requirement 3: Protect stored cardholder data
    • 3.1 Keep storage to a minimum: retention and disposal policy
    • 3.2 Do not store sensitive authentication data after authorization
      • 3.2.3 Do not store the PIN or encrypted PIN block
    • 3.4 Render PAN unreadable anywhere it is stored
  • Requirement 5: Protect all systems against malware
    • 5.1 Anti-virus on all systems commonly affected by malware
      • 5.1.1 Must detect, remove and protect against all known types of malicious software
    • 5.2 Anti-virus kept current, scanning periodically, producing audit logs
    • 5.3 Anti-virus actively running and not disableable by users
  • Requirement 7: Restrict access to cardholder data by business need-to-know
    • 7.1 Limit access to system components and cardholder data to those whose job requires it
      • 7.1.2 Restrict privileged user IDs to the least privileges necessary
    • 7.2 Access control system with a default "deny-all" setting
A Closer Look at PCI-DSS 12 Requirements (continued)
  • Requirement 8: Identify and authenticate access to system components
    • 8.1 Policies for user identification
      • 8.1.1 Unique ID for every user
      • 8.1.2 Control addition, deletion and modification of user IDs and credentials
      • 8.1.5 Vendor remote-access accounts enabled only while needed and monitored while in use
    • 8.3 Two-factor authentication for remote network access from outside the network, for personnel and all third parties
    • 8.5 No group, shared or generic accounts or passwords
    • 8.7 Restrict all access to databases containing cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
    • 10.1 Audit trails that link every access to an individual user
    • 10.2 Automated audit trails on all system components
      • 10.2.2 All actions taken by anyone with root or administrative privileges
      • 10.2.4 Invalid logical access attempts
    • 10.6 Review logs and security events to identify anomalies
      • 10.6.1 Daily review of security events and of logs from CDE systems
  • Requirement 11: Regularly test security systems and processes
    • 11.3 Penetration-testing methodology: internal and external tests at least annually and after significant change
    • 11.4 Intrusion-detection/prevention at the perimeter and at critical points inside the CDE, with current signatures
    • 11.5 Change-detection mechanism (e.g. file-integrity monitoring) on critical files, compared at least weekly
  • Requirement 12: Maintain an information security policy
    • 12.5 Assign information security responsibilities
      • 12.5.2 Monitor and analyze security alerts and distribute them to the right people
      • 12.5.3 Establish and distribute incident response and escalation procedures
      • 12.5.5 Monitor and control all access to data
    • 12.8 Policies for managing service providers with whom cardholder data is shared
      • 12.8.4 Monitor service providers' PCI DSS compliance status at least annually
    • 12.10 Implement an incident response plan
      • 12.10.5 Include alerts from security monitoring systems (IDS/IPS, firewalls, file-integrity monitoring) in the plan
Could Anything Have Prevented This?
  • EMV and Chip-and-PIN cards
    • How they work: the chip holds a secret key that never leaves it and computes a unique cryptogram (a MAC) for each transaction.
    • Replay is prevented not by a clock but by a per-card transaction counter (ATC) and a terminal-supplied unpredictable number that both go into the cryptogram; the issuer rejects a counter it has already seen.
    • Counterfeiting cards is much harder: the captured transaction data does not contain the key, so it cannot be used to build a working chip card.
    • The PIN adds "something you know" as a second factor.
  • But clever hackers will find another way (fraud shifts to channels where the chip is not used, such as card-not-present transactions).
  • Memory-scraping is hard to prevent: EMV does not by itself keep the PAN out of POS memory; encrypting at the reader (P2PE) does.
  • Fully complying with PCI-DSS would have prevented several stages of this attack: segmenting vendor access from the CDE (1.2.1), two-factor for third-party remote access (8.3), acting on monitoring alerts (12.5.2, 12.10.5), and egress filtering (1.3.5).
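To make the replay point concrete, here is an added example that models the card/issuer exchange and is not part of the original slides. It is a deliberately simplified model, not the EMV specification: real cards use a 3DES or AES CBC-MAC over a defined list of transaction data and an issuer-derived key hierarchy, and here HMAC-SHA256 stands in for the MAC, a dict for the authorization message, and constructed keys and a payment-network test PAN for the card. It shows why a captured message cannot be resubmitted, why altering the amount in transit fails, and why a clone that has the PAN but not the key cannot produce a valid cryptogram.

```python
"""Simplified model of why an EMV-style cryptogram resists replay.
Added example for this page; NOT the EMV spec. HMAC-SHA256 stands in for
the card MAC, and all keys and PANs are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple


def _session_key(master_key: bytes, atc: int) -> bytes:
    # Session key diversified by the Application Transaction Counter (ATC)
    return hmac.new(master_key, struct.pack(">H", atc), hashlib.sha256).digest()


def _cryptogram(session_key: bytes, amount: int, atc: int, un: bytes) -> bytes:
    # MAC over amount, ATC and the terminal's unpredictable number (UN)
    data = struct.pack(">QH", amount, atc) + un
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: the master key never leaves the card; only cryptograms do."""
    def __init__(self, pan: str, master_key: bytes):
        self.pan = pan
        self._mk = master_key
        self.atc = 0

    def generate_arqc(self, amount: int, un: bytes) -> Dict:
        self.atc += 1  # counter only ever increases for the life of the card
        sk = _session_key(self._mk, self.atc)
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un,
                "arqc": _cryptogram(sk, amount, self.atc, un)}


class Issuer:
    """Host side: knows each card's master key and the last ATC it accepted."""
    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._last_atc: Dict[str, int] = {}

    def enroll(self, pan: str, master_key: bytes) -> None:
        self._keys[pan] = master_key
        self._last_atc[pan] = 0

    def verify(self, msg: Dict) -> Tuple[bool, str]:
        mk = self._keys.get(msg["pan"])
        if mk is None:
            return False, "unknown card"
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return False, "ATC not increasing: replayed transaction"
        expected = _cryptogram(_session_key(mk, msg["atc"]),
                               msg["amount"], msg["atc"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False, "cryptogram mismatch: data altered or wrong key"
        self._last_atc[msg["pan"]] = msg["atc"]
        return True, "approved"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    mk = bytes(range(16))                    # constructed card master key
    card = Card("4111111111111111", mk)      # payment-network test PAN
    issuer = Issuer()
    issuer.enroll(card.pan, mk)

    # 1. Genuine purchase: the terminal supplies a fresh unpredictable number
    legit = card.generate_arqc(1999, os.urandom(4))
    results = {"legit": issuer.verify(legit)}

    # 2. Attacker captured the authorization message and resubmits it verbatim
    results["replay"] = issuer.verify(dict(legit))

    # 3. Fresh transaction whose amount is altered in transit
    fresh = card.generate_arqc(2500, os.urandom(4))
    results["tampered"] = issuer.verify(dict(fresh, amount=250000))

    # 4. Clone built from stolen data: right PAN, plausible counter, no key
    clone = Card(card.pan, b"\x00" * 16)
    clone.atc = card.atc
    results["clone"] = issuer.verify(clone.generate_arqc(1000, os.urandom(4)))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:9s} {'OK ' if ok else 'REJ'} {why}")
```

Note what this does and does not cover: the scraped data in the Target case was magnetic-stripe track data, which this model does not protect because a stripe carries no key and no counter. EMV takes away the counterfeit-card use of that data; it does nothing about the data sitting in POS memory, which is the P2PE point made above.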
References
  • Verify a QSA:
    https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php
  • Breach announced (December 19, 2013):
    http://www.wired.com/threatlevel/2013/12/target-hack-hits-40-million/
    http://arstechnica.com/security/2013/12/secret-service-investigating-alleged-credit-card-breach-at-target/
  • PCI statement about the Target breach (December 20, 2013):
    https://www.pcisecuritystandards.org/news_events/statements/2013_12_20.php
  • POS malware identified (January 16, 2014):
    http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
    http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/
  • Target breach used stolen vendor access credentials (January 30, 2014):
    http://www.govinfosecurity.com/target-breach-credentials-stolen-a-6452
    http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapped-vendor-credentials/d/d-id/1113641
    http://www.zdnet.com/target-traces-security-breach-to-stolen-vendor-credentials-7000025780/
    http://www.computerworld.com/s/article/9245877/Target_says_attackers_stole_vendor_credentials?taxonomyId=17
    http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/
    http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
  • Target and Neiman Marcus executives testify at Senate committee hearing (February 4 and 5, 2014):
    http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472
    http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-credit-card-data-hack-n22131
    http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-push-chip-cards/article/332868/
    http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_defend_security_practices?taxonomyId=17
  • Target attackers phished for HVAC company network access credentials (February 12 and 13, 2014):
    http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
    http://arstechnica.com/security/2014/02/epic-target-hack-reportedly-began-with-malware-based-phishing-e-mail/
    http://www.nextgov.com/cybersecurity/2014/02/heres-how-hackers-stole-110-million-americans-data-target/78740/?oref=ng-channeltopstory
    http://www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
  • CIO Beth Jacob resigns (March 6, 2014):
    http://www.computerworld.com/s/article/9246773/Target_CIO_resigns_following_breach?taxonomyId=17
  • Target was warned of the breach (March 13, 2014):
    http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
  • Target and the FTC: may face federal charges (March 20, 2014):
    http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
  • Banks sue Target and Trustwave (March 26, 2014):
    http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/
    http://www.theregister.co.uk/2014/03/26/banks_lob_sueball_at_trustwave_target/
  • Target breach illustrates value of limiting exfiltration (April 2, 2014):
    http://www.darkreading.com/attacks-breaches/operation-stop-the-exfiltration/d/d-id/1171947?
  • Chip-and-PIN and EMV cards:
    http://www.scmagazine.com/mastercard-visa-to-push-emv-nfr-calls-for-use-of-pins/article/338019/