The Financial Industry vs. Advanced Persistent Threats. Tom Patterson CSO, MagTek Inc. Security.magtek.com Tom.Patterson@MagTek.com. A Discussion in Two Parts APTs Among Us What the Financial Sector is Doing About Them. SCREWED.
The Financial Industry vs. Advanced Persistent Threats • Tom Patterson • CSO, MagTek Inc. • Security.magtek.com • Tom.Patterson@MagTek.com
A Discussion in Two Parts • APTs Among Us • What the Financial Sector is Doing About Them
“The United States is fighting a cyber-war today, and we are losing.” - Mike McConnell
“Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication. While both the threats and technologies associated with cyberspace are dynamic, the existing balance in network technology favors malicious actors, and is likely to continue to do so for the foreseeable future.” - Dennis Blair
Today… • ID the “Mark” • Get Inside • Scope it out • Customize the Attack • Steal and Blast • Go underground and wait Robin Sage
Defense in Depth? • Encryption • DLP • Authentication • Antivirus • Firewalls • Cracking tools • Encryption • Social Engineering • Polymorphic • Trusted users
“Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures” - Google SEC Filing
Newish Attack Vectors • Clickjacking • Tapjacking • BlueJacking • Social Engineering • “Trusted” relationships
$20 Bucks on eBay and NOT ILLEGAL! • 6 small batteries connected to micro switches • Magnetic Read Head • Micro Switches • More than just money! • Transmitter • Antenna
Fight Back with Information Sharing • FS/ISAC • FICO • FBI Domain • Infragard • USSS ECTF • Take Down in London • Financial Services Sector is the Most Advanced in terms of Information Sharing
Fight Back with SCIENCE • A scientific discovery by a University of Washington (Illinois) professor called a Magnetic Fingerprint
AUTHENTICATE THE CARD, Not Just the data! • unchangeable & non-replicable
Card data can be duplicated… but …the card itself cannot be duplicated.
No Two Cards Are Alike! • The random micro-particle structure of every magnetic stripe is unique • This unique feature is a byproduct of the manufacturing process • Every mag-stripe card has this feature
Each swipe – new password • Cannot be repeated • Cannot be duplicated • Real-time forensics • Device/Host Verification
Strong Encryption: Reduces card data loss from the system • Dynamic Card Data: Creates dynamic data with each swipe = Nothing to Steal • Card Authentication: Stops Counterfeit Cards from being approved = reduces Fraud
We’ve got to out-innovate the bad guys with solutions that work, have staying power, are cheap to install, and simple to use.
Read about the science and business aspects of the Magnetic Fingerprint (MagnePrint) at www.NoCardFraud.com If you like the elegance and security of this solution, please leave a public comment or blog about it to your constituents.
For More Info… • Tom.Patterson@MagTek.com • Security.Magtek.com • 1.562.546.6315