PCI-DSS And Target: What Went Wrong
Michael Haney
CS 7493, Fall 2014
The Payment Card Industry
• Card Brands: Visa, MC, AmEx, Discover, JCB
• Merchants (Retailers)
• Banks, Processors, Gateways, and Acquirers
• Security Standards Council (SSC)
• The Standards:
  • DSS
  • PA-DSS
  • PTS
  • HMS
  • P2PE
Compliance Process
• 3-year standards cycle
  • Previous version: v2.0 released October 2010
  • Current version: v3.0 released October 2013
• Merchant Levels
  • Level 1 – 4, based on size, unless you’re breached.
• Who to report to?
• ROC, AOC, and SAQ
• QSAs, ASVs, QIRs, ISAs, etc., etc.
• Breaches and Compliance
Verify Your QSA
https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php
• Employee of Member in good standing
• Annual Training
• Annual Fees Paid ($1500 per person)
• Suspended if reports fail QA review process externally.
• Revoked if caught “hacking”.
• Mine expired yesterday
Target and Trustwave
• Trustwave is (was) Target’s QSA. Individuals were assigned the Target account to perform the annual testing and audit.
• Target Stores were compliant with PCI-DSS (v2.0) and had submitted a ROC to their acquirers annually, most recently in September 2013.
• 12 requirements, many sub-requirements, and many specific sub-sub-requirements must be evaluated by observation, interview, screenshots, and testing.
• For example, an ASV scanned Target’s external IP addresses quarterly and reported on any vulnerabilities.
• All medium- and high-risk vulnerabilities must be addressed (per Requirements 11.2, 11.2.1, 11.2.2, 11.2.3).
Target Breach Timeline, Part 4
• Between December 2 and December 15:
  • Credit card and mag stripe data are sent from POS in all Target stores to central servers for “staging”
  • An additional customer information database is pilfered
  • Hacker group begins exfiltrating data to several world-wide hosting sites, eventually to Odessa, Ukraine
  • Data was uploaded only manually, via FTP, between 10am and 6pm CST.
  • Over 2 weeks, 11GB are uploaded
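The exfiltration stage above has a detectable shape: bulk FTP from internal hosts to external addresses, all inside a daytime window. The following is an added example, not part of the slides, that runs a simple detector over constructed netflow-style records; the 1 GiB threshold, the RFC 1918 definition of "internal" and the sample addresses are assumptions.

```python
# Added example (not part of the slides): flag outbound FTP sessions from internal
# (RFC 1918) hosts to external addresses, total bytes per external destination, alert
# when a destination exceeds a threshold, and note whether every transfer to it fell
# inside the 10:00-18:00 window the timeline describes (manual daytime uploads).
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

FTP_PORTS = {20, 21}
UPLOAD_WINDOW = (time(10, 0), time(18, 0))   # window from the slide, local time
THRESHOLD_BYTES = 1024 ** 3                   # assumed: 1 GiB per destination
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flows: (timestamp, src, dst, dst_port, bytes_out).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for the external hosting sites.
SAMPLE_FLOWS = [
    ("2013-12-02T10:15:00", "10.0.5.20", "203.0.113.7", 21, 400_000_000),
    ("2013-12-02T14:40:00", "10.0.5.20", "203.0.113.7", 21, 800_000_000),
    ("2013-12-03T11:05:00", "10.0.5.20", "198.51.100.9", 21, 300_000_000),
    ("2013-12-03T03:00:00", "10.0.5.21", "10.0.9.1", 445, 2_000_000_000),  # internal copy, ignored
    ("2013-12-04T12:00:00", "10.0.5.20", "203.0.113.7", 443, 50_000_000),  # not FTP, ignored
]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def detect_ftp_exfil(flows, threshold=THRESHOLD_BYTES):
    totals = defaultdict(int)
    daytime_only = defaultdict(lambda: True)
    for ts, src, dst, port, nbytes in flows:
        if port not in FTP_PORTS or not is_internal(src) or is_internal(dst):
            continue
        totals[dst] += nbytes
        t = datetime.fromisoformat(ts).time()
        if not (UPLOAD_WINDOW[0] <= t <= UPLOAD_WINDOW[1]):
            daytime_only[dst] = False
    # One alert per external destination over threshold, sorted for stable output
    return [{"dst": dst, "bytes": total, "daytime_only": daytime_only[dst]}
            for dst, total in sorted(totals.items()) if total >= threshold]

if __name__ == "__main__":
    for alert in detect_ftp_exfil(SAMPLE_FLOWS):
        print(alert)
```

A real deployment would also alert on any FTP egress from the cardholder data environment at all, since Requirement 1 expects that traffic to be denied by default rather than merely measured.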
Target Breach Malware Identified
• BlackPOS sold on crime market for $1800
• POSWDS on ThreatExpert (pulled down)
• Virustotal.com reports “30503 POS malware from FBI source” – in June, 2013.
• Modified and referred to as BladeLogic, with specific servers and username/passwords in Target environment: “Best1_user” with pw: “BackupU$r”
• Servers include \\TTCOPSLI3ACS\ and \\TCMPSPRINT04P\ .
• UserIDs of hackers include “Rescator” and “Crysis1089”
A Closer Look at PCI-DSS 12 Requirements
• Requirement 1: Firewalls
  • 1.1, 1.1.6, 1.1.7, 1.2, 1.2.1, 1.3, 1.3.5
• Requirement 2: Vendor-supplied Defaults
  • 2.1
• Requirement 3: Protect Storage of Cardholder Data
  • 3.1, 3.2, 3.2.3, 3.4
• Requirement 5: Protect systems against malware
  • 5.1, 5.1.1, 5.2, 5.3
• Requirement 7: Restrict access to business need-to-know
  • 7.1, 7.1.2, 7.2
A Closer Look at PCI-DSS 12 Requirements
• Requirement 8: Identify and authenticate access
  • 8.1, 8.1.1, 8.1.2, 8.1.5, 8.3, 8.5, 8.7
• Requirement 10: Track and monitor all access
  • 10.1, 10.2, 10.2.2, 10.2.4, 10.6, 10.6.1
• Requirement 11: Regularly test security systems
  • 11.3, 11.4, 11.5
• Requirement 12: Maintain a policy
  • 12.5, 12.5.2, 12.5.3, 12.5.5, 12.8, 12.8.4, 12.10, 12.10.5
Could Anything Have Prevented This?
• EMV and Chip-and-PIN cards
  • How they work: use encryption on the card.
  • Use time factor to prevent replay.
  • Counterfeiting cards is much harder
  • PIN requires “something you know” as 2-factor.
• But clever hackers will find another way
  • Memory-scraping is hard to prevent
• Fully complying with PCI-DSS would have prevented several stages of this attack
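The slide's two claims about chip cards (a card-held key signs each transaction, and a "time factor" defeats replay) can be modelled in a few lines. This is an added example, not part of the slides or of any EMV implementation: HMAC-SHA256 stands in for the card-key MAC of real EMV, a per-card Application Transaction Counter (ATC) plays the time-factor role, and the issuer, PAN, key and track string are all constructed.

```python
# Added example (not part of the slides): simplified issuer-side authorization
# showing why a captured chip cryptogram cannot be replayed while captured
# magnetic-stripe track data can. HMAC-SHA256 stands in for EMV's card-key MAC.
import hashlib
import hmac

def cryptogram(key, pan, atc, amount):
    # MAC over the transaction fields with a key held only by the card and issuer
    return hmac.new(key, f"{pan}|{atc}|{amount}".encode(), hashlib.sha256).digest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0
    def transact(self, amount):
        self.atc += 1  # Application Transaction Counter: never repeats for this card
        return (self.pan, self.atc, amount, cryptogram(self.key, self.pan, self.atc, amount))

class Issuer:
    def __init__(self):
        self.keys = {}      # PAN -> card key, shared with that card only
        self.last_atc = {}  # PAN -> highest ATC already accepted
    def issue(self, pan, key):
        self.keys[pan], self.last_atc[pan] = key, 0
        return ChipCard(pan, key)
    def authorize_chip(self, pan, atc, amount, crypt):
        expected = cryptogram(self.keys[pan], pan, atc, amount)
        if not hmac.compare_digest(expected, crypt):
            return "DECLINE: bad cryptogram"     # forged or altered transaction
        if atc <= self.last_atc[pan]:
            return "DECLINE: replayed counter"   # a captured cryptogram seen again
        self.last_atc[pan] = atc
        return "APPROVE"
    def authorize_magstripe(self, track):
        # Static track data carries nothing transaction-specific, so any copy passes
        return "APPROVE" if track.split("=")[0] in self.keys else "DECLINE: unknown card"

def demo():
    # Constructed values: a well-known test PAN, a made-up key and a made-up track
    issuer = Issuer()
    card = issuer.issue("4111111111111111", b"constructed-card-key")
    auth = card.transact(2500)
    results = [issuer.authorize_chip(*auth)]       # genuine purchase
    results.append(issuer.authorize_chip(*auth))   # same message captured and replayed
    pan, atc, _, crypt = auth
    results.append(issuer.authorize_chip(pan, atc + 1, 9900, crypt))  # altered amount
    track = "4111111111111111=15121011000000000000"   # captured stripe data
    results += [issuer.authorize_magstripe(track), issuer.authorize_magstripe(track)]
    return results

if __name__ == "__main__":
    print(demo())
```

The PAN still transits the terminal in both cases, which is why the slide's caveat about memory scraping stands; what the cryptogram removes is the value of replaying whatever was scraped.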
References
• Verify a QSA:
  https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php
• PCI statement about the Target breach (December 20):
  https://www.pcisecuritystandards.org/news_events/statements/2013_12_20.php
• Breach announced (December 19):
  http://www.wired.com/threatlevel/2013/12/target-hack-hits-40-million/
  http://arstechnica.com/security/2013/12/secret-service-investigating-alleged-credit-card-breach-at-target/
• POS Malware identified (January 16):
  http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
  http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/
• Target Breach Used Stolen Vendor Access Credentials (January 30, 2014):
  http://www.govinfosecurity.com/target-breach-credentials-stolen-a-6452
  http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapped-vendor-credentials/d/d-id/1113641
  http://www.zdnet.com/target-traces-security-breach-to-stolen-vendor-credentials-7000025780/
  http://www.computerworld.com/s/article/9245877/Target_says_attackers_stole_vendor_credentials?taxonomyId=17
  http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/
  http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
• Target and Neiman Marcus Executives Testify at Senate Committee Hearing (February 4 & 5, 2014):
  http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472
  http://www.nbcnews.com/tech/security/senators-grill-target-cfo-after-massive-credit-card-data-hack-n22131
  http://www.scmagazine.com//retailers-testify-before-senate-judiciary-committee-push-chip-cards/article/332868/
  http://www.computerworld.com/s/article/9246070/Target_and_Neiman_Marcus_execs_defend_security_practices?taxonomyId=17
• Target Attackers Phished for HVAC Company Network Access Credentials (February 12 & 13, 2014):
  http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
  http://arstechnica.com/security/2014/02/epic-target-hack-reportedly-began-with-malware-based-phishing-e-mail/
  http://www.nextgov.com/cybersecurity/2014/02/heres-how-hackers-stole-110-million-americans-data-target/78740/?oref=ng-channeltopstory
  http://www.zdnet.com/how-hackers-stole-millions-of-credit-card-records-from-target-7000026299/
• CIO Beth Jacob resigns (March 6):
  http://www.computerworld.com/s/article/9246773/Target_CIO_resigns_following_breach?taxonomyId=17
• Target was warned of breach (March 13):
  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
• Target and the FTC; may face federal charges (March 20):
  http://www.nextgov.com/cybersecurity/2014/03/target-could-face-federal-charges-failing-protect-customer-data-hackers/80824/?oref=ng-channelriver
• Banks sue Target and Trustwave (March 26):
  http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/
  http://www.theregister.co.uk/2014/03/26/banks_lob_sueball_at_trustwave_target/
• Target Breach Illustrates Value of Limiting Exfiltration (April 2, 2014):
  http://www.darkreading.com/attacks-breaches/operation-stop-the-exfiltration/d/d-id/1171947?
• Chip-and-PIN and EMV cards:
  http://www.scmagazine.com/mastercard-visa-to-push-emv-nfr-calls-for-use-of-pins/article/338019/