Payment Security Update - Conexxus · 2018-08-30
Payment Security Update
Rick Dakin, CEO & Cofounder
October 2, 2014
Agenda
Coalfire Introduction
Changing Environment: Threats, Technology, Compliance
Mobile Security
Recent Data Breaches
Risk Management Strategies
About Coalfire
Leading independent provider of IT Governance, Risk and Compliance (IT-GRC) solutions
Focused expertise in Healthcare (HIPAA), Retail (PCI), Banking (GLBA), Utilities (NERC) and Cloud (FedRAMP)
Over [200] employees and contractors across [8] offices: UK, Denver, Seattle, New York, Atlanta, Los Angeles, San Francisco and Dallas
Full suite of IT GRC solutions: compliance audit, risk and vulnerability assessment, application security, penetration testing and forensic analysis
Served over [1,500] clients to date, including Oracle, Epic, IBM, Ford, Nordstrom, EchoStar, Microsoft, Intuit, Overstock, Savvis
Changing Environment
• New attack vectors
• New attack surfaces
• More active nation states
Payments ‐ Yesterday and Today
What’s a consumer mobile device?
Sensitive data goes mobile
• Payment data
• Corporate email
• Corporate apps
• VPN credentials
• Banking data
• Healthcare ePHI
• Home automation
• Automotive
• Social
• Dropboxes
We can't wait to manage sensitive data on mobile.
What are Mobile Payments?
• Consumer electronic device – this is generally assumed to be a widely available device that runs one of the "mobile" operating systems currently available. Form factor, and the term "mobile," is becoming increasingly irrelevant, but will include devices not capable of meeting traditional PCI DSS requirements around host or server based security.
• iOS, Android, Windows Mobile
• Devices can serve many functions including payment capture, payment presentment, client access for ecommerce transactions, store use, etc.
• Purpose-built payment device – these devices fall into one of the categories described in the PCI PTS standard
• Traditional card swipe and PIN capture devices
• SCR – Secure card readers can be attached using USB, serial, audio jack, dedicated device ports, etc.
More Mobile Payments
• Wallets, e-wallets, digital wallets – These are applications and/or services that facilitate the access to, storage and presentment of consumer payment details
• Wallet applications can be enabled using various techniques and technologies (QR codes, NFC, Web transfer, etc.)
• It is generally (and wrongly) assumed that wallets store payment details securely using consumer electronic device protections or other means (secure element or secure cloud storage)
• Mobile POS or mPOS – an increasingly difficult use case to define, but generally refers to the use of a non-traditional POS application/system/tool to facilitate the consumer checkout process in a face-to-face situation
Mobile Payment Options
Wallets: Google Wallet, PayPal, MasterCard PayPass
Payment Applications: Square, PayPal Here, Verifone Mobile Pay, Apple Pay
Can this possibly be safe?
Threats and attacks are increasing
“Repackaging”
Spy‐ads
Malware
Phishing
Loss / Theft
QR attacks
Wi‐Fi
Botnet
• Smartphones are 90% more likely to be lost than laptops
• Phishing is many times more successful on mobile devices
• Android Market had over 400,000 downloads of malicious apps identified in 2011
• Legitimate-sounding applications from the Dark Side
• Multi-media whiz-bang idea, can be used for evil
• Man-in-the-middle attacks, just like using a laptop
• An emerging threat to organizational infrastructure
Mobile’s proliferation and access to sensitive data make it an enticing target
Vulnerabilities of the mobile platform today
• Security awareness and usage
• Confusion over security "ownership"
• Small size increases loss and theft
• Authentication and access control not designed for multi-user or secure application management
• Mobile security standards are immature and not consistently deployed … even when available
  o No firewalls
  o No system hardening or patching
  o No monitoring or alerting
  o No antivirus
Payment security trends on mobile devices
• Deploy encrypting sled devices – the fastest way to reduce risk for merchant acceptance on consumer mobile devices, while staying on the current POS platform (Verifone, Ingenico, etc.)
• Integrate a 3rd party payment gateway that handles all encryption on the POS and decrypts the authorization request in the cloud (Square, Shift4, Verishield, etc.)
• Close your eyes and hope for the best: "Deploy a dongle." While the most popular route today, it offers no risk mitigation and no ability to achieve PCI compliance.
Merchant acceptance strategies – not clear cut
The risks highlighted previously are compounded when mobile is now an aggregating point of sensitive data.
Are customers demanding the replacement of their credit card with a mobile device?
Should a merchant consider cloud‐based wallets, carrier payment solutions or mobile‐based store loyalty/gift programs?
Compliance Strategies – Not clear cut
PCI DSS Special Interest Groups, Mobile Task Force, Working Groups
Guidance Published
• Mobile Payment Acceptance Security Guidelines for Developers (Sept 2012)
  • Use secure and dedicated payment sleds
  • Prefer PTS approved device … accept PIN transactions
• Mobile Payment Acceptance Security Guidelines for Merchants (Feb 2013)
  • You own all the risk for non-validated payment devices
Mobile Guidance
• Category 1 – PTS approved device
• Category 2 – Single-Use device
• Category 3 – Multi-Use device
Compliance Strategies – part 2
Visa Ready
"The program provides innovators a path for the certification of devices, software and solutions used to initiate or accept Visa payments as well as guidance and best practices to access the power of the Visa network."
http://usa.visa.com/business/why-pay-with-visa/visa-ready.html
Acquirers
Ultimately, it is up to the acquirer to determine what mobile acceptance platforms are acceptable
Third party evaluation may be acceptable in the interim
Merchant PCI Compliance Concerns
Using an "un-validated" mobile POS solution?
PCI DSS ROC Scope:
• No assurance that Track Data isn't captured and stored insecurely
• Wireless is in scope at merchant retail environments
• Centralized logging and monitoring is virtually impossible
PCI DSS SAQ Risk:
• Up to the responsible merchant to accurately determine scope and applicability
Mobile security action items
Mobile is here … deal with the risk
  o Awareness
  o New policies and security controls
  o Training
  o Risk Assessment before integration of 3rd parties or deployment of new technologies
  o Require encryption and tokenization
  o Enhance physical security
Enhance testing and oversight while new technologies are being deployed
  o Validated applications and service providers … make it mandatory … even without PCI requirement
Make users aware that their wallets have no firewalls, security controls or fraud protection … NOT YOUR JOB TO PROTECT THEM
NFC mobile payments – just around the corner?
Legacy paradigm of plastic cards represented by a mobile device expands the security challenges for PCI.
The mobile wallet contains the valuable assets – now who is the “owner”?
Billions of mobile devices will now contain “toxic” cardholder data – so much for limiting the footprint.
Mobile security management solutions take on an even greater importance
Now … Apple Pay is here with a new security strategy
Parties: Card Issuer, Mobile Wallet, Merchant (NFC), Card Processor or Acquiring Bank, Vault (token exchange)
1. Request mobile card
2. User identified
3. Card and associated token issued
4. Token installed in wallet
5. Token presented to merchant (transaction receipt returned to the wallet)
6. Authorization request with token
7. Transaction authorized (token exchanged for the card at the vault)
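Worked example, added here and not taken from the presentation, Apple, or any payment network: a minimal simulation of the token flow above. The vault mints a random, Luhn-valid surrogate for the PAN, the wallet holds only the token, the merchant stores and forwards only the token, and the processor is the sole party that can exchange it back. Binding each token to the device it was provisioned on goes a step beyond the slide; it is an added assumption that shows why a token copied out of merchant records is of little use elsewhere. The token BIN `499999`, the PAN `4111111111111111`, the device names and the balances are constructed test values.

```python
"""Tokenized NFC payment flow (added illustration; not the presentation's code)."""
import secrets
from typing import Dict, Optional, Tuple


def luhn_check_digit(body: str) -> str:
    """Check digit for `body` (all digits except the last) per the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # digit nearest the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Issuer/processor-side vault: the only place a token maps back to a PAN."""

    def __init__(self, token_bin: str = "499999") -> None:
        self._token_bin = token_bin                      # assumed token range (constructed)
        self._tokens: Dict[str, Tuple[str, str]] = {}    # token -> (pan, device_id)

    def issue_token(self, pan: str, device_id: str) -> str:
        """Step 3: mint a random, Luhn-valid surrogate bound to one device.
        The token comes from a CSPRNG, so nothing about the PAN is derivable
        from it without this table."""
        while True:
            body = self._token_bin + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._tokens:
                self._tokens[token] = (pan, device_id)
                return token

    def detokenize(self, token: str, device_id: str) -> Optional[str]:
        """Token exchange at authorization time; refuses tokens replayed from another device
        (device binding is an added assumption, not something the slide states)."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] != device_id:
            return None
        return entry[0]


class Wallet:
    """Consumer device: the PAN never lands here, only the token (step 4)."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.token: Optional[str] = None

    def provision(self, vault: TokenVault, pan: str) -> None:
        # Steps 1-4 collapsed: card requested, user identified by the issuer
        # (out of band here), token issued and installed.
        self.token = vault.issue_token(pan, self.device_id)

    def tap(self) -> dict:
        """Step 5: what crosses the NFC interface to the merchant."""
        return {"token": self.token, "device_id": self.device_id}


class Processor:
    """Card processor / acquirer: holds the vault and constructed issuer balances."""

    def __init__(self, vault: TokenVault, balances: Dict[str, int]) -> None:
        self.vault = vault
        self.balances = balances                         # pan -> available cents

    def authorize(self, token: str, device_id: str, amount_cents: int) -> bool:
        pan = self.vault.detokenize(token, device_id)    # step 7: token exchange
        if pan is None or self.balances.get(pan, 0) < amount_cents:
            return False
        self.balances[pan] -= amount_cents
        return True


class Merchant:
    """Merchant NFC terminal: builds the authorization request with the token (step 6)."""

    def __init__(self, processor: Processor) -> None:
        self.processor = processor
        self.records: list = []                          # what the merchant retains

    def checkout(self, presented: dict, amount_cents: int) -> bool:
        approved = self.processor.authorize(presented["token"], presented["device_id"], amount_cents)
        self.records.append({"token": presented["token"], "amount": amount_cents, "approved": approved})
        return approved


def run_flow(pan: str = "4111111111111111") -> dict:
    """One legitimate tap, then a replay of the merchant-stored token from another device."""
    vault = TokenVault()
    processor = Processor(vault, {pan: 10_000})
    wallet = Wallet("phone-A")
    wallet.provision(vault, pan)
    merchant = Merchant(processor)
    approved = merchant.checkout(wallet.tap(), 2_500)
    replayed = merchant.checkout({"token": wallet.token, "device_id": "phone-B"}, 2_500)
    return {
        "approved": approved,
        "replay_approved": replayed,
        "pan_in_merchant_records": any(pan in str(r) for r in merchant.records),
        "token_luhn_valid": luhn_valid(wallet.token),
        "token": wallet.token,
    }


if __name__ == "__main__":
    print(run_flow())
```

The point to take from running it: the merchant's records never contain the PAN, so a breach of the merchant yields tokens that the vault refuses outside the device they were issued to. Real schemes add a per-transaction cryptogram on top of device binding; that is omitted here.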
And … What is up with all those data breaches?
A wake-up call – the cyber threat is increasing
Current Cyber Attack Data
Heartbleed Bug opens new vulnerabilities
• User / Admin credentials captured
• Web sites are no longer secure
• Perimeter devices (firewalls and routers) are vulnerable
• A single credential can be escalated to compromise entire access control mechanisms
• Criminals don't have to take some of the data … they can take it all!
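Worked example, added here and not taken from the presentation or from OpenSSL: the defect behind Heartbleed (CVE-2014-0160) reduced to its essentials. A TLS heartbeat record is a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding (RFC 6520). The vulnerable handler trusts the declared length when copying the payload into its reply; the fixed handler first checks that the declared payload fits inside the record it actually received. A `bytearray` stands in for process memory so the over-read is visible, and the "secret" placed after the record is a constructed value.

```python
"""Heartbleed in miniature (added illustration; not the presentation's or OpenSSL's code)."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; `claimed_len` lets a client lie about the size."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def handle_heartbeat_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Pre-fix logic: copy `payload_len` bytes from the record's position in
    memory, whatever the record actually contained."""
    hb_type, payload_len = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST:
        return b""
    payload = bytes(memory[3:3 + payload_len])          # may run past record_len
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def handle_heartbeat_fixed(memory: bytearray, record_len: int) -> bytes:
    """Patched logic: silently discard any request whose declared payload plus
    header and padding exceeds the bytes received."""
    if record_len < 1 + 2 + PADDING:
        return b""
    hb_type, payload_len = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING > record_len:      # the missing bounds check
        return b""
    payload = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def demo(secret: bytes = b"admin:hunter2 session=deadbeef") -> dict:
    """Place a 2-byte heartbeat that claims to be much longer just before a
    constructed `secret` in simulated memory, then run both handlers over it."""
    payload = b"hi"
    request = build_heartbeat(payload, claimed_len=len(payload) + PADDING + len(secret))
    memory = bytearray(request + secret)
    vulnerable_reply = handle_heartbeat_vulnerable(memory, len(request))
    fixed_reply = handle_heartbeat_fixed(memory, len(request))
    benign = build_heartbeat(b"ping")
    return {
        "leaked": secret in vulnerable_reply,
        "fixed_reply_len": len(fixed_reply),
        "benign_reply_ok": handle_heartbeat_fixed(bytearray(benign), len(benign))
        == struct.pack("!BH", HB_RESPONSE, 4) + b"ping" + b"\x00" * PADDING,
    }


if __name__ == "__main__":
    print(demo())
```

This is why the slide's bullets follow from one bug: whatever sat next to the request buffer (session keys, credentials, private key material) came back in the reply, up to 64 KB per heartbeat, with nothing logged, because the server answered exactly as the protocol told it to.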
Kill Chain Analysis Report
Missed Opportunities
Lessons Learned
New VISA Guidance to Retailers
Compliance, Security, Risk Management
VISA Strategy
• Enhance network security
• Control administrative accounts
• Harden POS platforms
• Secure web accessible applications
• Mitigate 3rd party risk
• Deploy more secure applications: EMV, Encryption, Tokenization
Beyond compliance – focus on security
Defense in Depth
• Secure applications
• Physical and logical access controls in place (focus on admin users)
• Sufficient network segmentation
• FIM or white list solution
• SIEM solution & monitoring (become agile)
New Security Technology
• EMV, Tokenization or Encryption
Static to Active Security
• Continuous monitoring
• Integrated incident response
• Change management
CEO IT Security Scorecard
1. Are we already compromised but simply do not know it yet?
2. How would I know if we had a serious alert and when it would be escalated?
3. If we have a serious vulnerability, how would the senior executive team know if it has been remediated to an acceptable level of risk?
Risk Management Strategies
Increasing Maturity for Cyber Risk Management
[Chart: service offerings plotted by Depth of Service against Maturity of Service, from Baseline Compliance Management to Enterprise IT Risk Management]
• Compliance Validation (ITGC): PCI, HIPAA, SSAE16, FISMA, FedRAMP
• Technical Testing: Vulnerability Scans, Pen Testing
• Continuous Diagnostics: AppSec, Forensic, APT, Sand Box
• Analysis: CCM, Risk Assessment
• Risk Management: Advisory, Governance
Market Maturity 2014 – Cyber Risk Management
1. Governance – early efforts focused on policies and compliance reporting.
2. Compliance – The early winner for resources. Organizations did not want to be negligent and made baseline compliance investments.
3. Security Operations – While compliance achieved baseline results, operations remain sporadic and largely ineffective against current threats.
4. Security Testing – Basic vulnerability testing and light pen testing has become commonplace. However, effective infrastructure, application security and 3rd party integration is largely unserved.
5. Threat Management – The hackers and adversarial nation states are winning. While tools are becoming available, the skills and resources to counter more sophisticated threats remains weak.
[Chart: Industry Cyber Maturity Rating - 2014, rated 0 to 5 for Governance, Compliance, Security Operations, Security Testing and Threat Management]
1. Initiated – early efforts with an informal organization.
2. Piloted – functional expertise and some early repeatability. Getting the job done.
3. Deployed – Baseline operations achieved and deployment teams in place.
4. Institutionalized – The entire organization operates with consistency and quality.
5. Optimized – This visionary and collaborative state allows for all to contribute to include partners and clients.
Market Maturity – Cyber Risk Management Definitions
Compliance
1. IT General Controls Matrix and Metrics
2. IT GC testing and operational response
3. Internal Compliance Validation
4. External Compliance Validation
5. Beyond Compliance Testing and Reporting
Technical Testing
1. Vulnerability Scanning
2. Vulnerability Management – includes remediation tracking
3. Penetration Testing
4. Application Testing and Validation
5. Red Team Testing and integrated control validation through forensic testing
Security Operations
1. Network and system security
2. Logging, monitoring and response
3. Application security and 3rd party controls
4. Integrated forensic analysis and incident response
5. Continuous diagnostics and enterprise dashboard reporting
Threat Management
1. Threat advisory processing
2. Malware protection
3. Application White Listing
4. APT Detection and Response
5. Threat Intelligence Management and integration into industry threat groups
Governance
1. Policies and enforcement
2. Security plans (Disaster Recovery, Incident Response, 3rd Party Management)
3. Compliance Reporting
4. Risk Analysis and Advisory
5. Risk Management and appropriate Cyber Insurance
Market Maturity 2016 – Opportunity for Growth
While the need for enhanced compliance management will grow, it will not grow at the rate or complexity of the other cyber risk management components. The following opportunities will dominate.
• Sec Ops – Become more nimble at security operations. Convert static security perimeters and fragile systems to dynamic event monitoring and response.
• Security Testing – Expand routine vulnerability scans to include continuous application level testing. Extend pen tests to full red team exercises.
• Threat Management – An emerging area that will determine winners and losers is threat management. New tools for detecting APT and other threats will enable better responses and proactive planning for security operations.
• Governance – Governance will move upstairs. Executives and boards are just now starting to interact with IT leadership to manage cyber risk. They need better dashboards, testing and analysis.
[Chart: Industry Cyber Maturity Rating - 2016, rated 0 to 5 in half-point steps for Governance, Compliance, Security Operations, Security Testing and Threat Management]
Questions
Rick Dakin, Coalfire CEO