Check Point - Hartford Tech Summit
RETAIL SECURITY
Hartford Tech Summit
Nuno Sousa | Check Point Security Engineer
Eric O’Malley | Check Point Strategic Account Manager
Dan Greco | Iovations Account Manager
©2015 Check Point Software Technologies Ltd.
[Protected] Non-confidential content
Home Depot - Neiman Marcus –
Michaels - Sally Beauty - P.F. Chang's –
Goodwill - Jimmy John's - UPS – Dairy
Queen - Kmart – Staples – BeBe - Yellow Cab Checker Cab - Shop 'n Save - Shoppers Food –
Albertsons – Acme - Flagship Car Wash - Cub Foods Farm Fresh - Supervalu - Hornbacher's - Jewel-Osco - Shaw's Star Market - Taxi Affiliation Services- Dispatch Taxi - Micrologic Associates - Signature
Systems Inc.- Roman Delight - Antonellis Pizza - Italian Touch - Lost Pizza Co. - Pizza King - Joe's
Pizza and Pasta - Lott - Springdale Pizza - Skin Flints - Grecco's Pizza - Blue Moon Bakery SaraBella Pizzeria & Desserts - Mister Jim's Submarines - Paisano's Pizza - Pizza King - Angelina's
Pizzeria & Restaurant - Giuseppe's Pizza - Piero's Italian Restaurant - Bagel Boys - Donatis Pizza Glenside Pizza - DeNiros Pizza & Subs - Luigis Pizzarama - Warrington Pizza - Wings to Go - The
Pizza Shop II - Spatola's - Casa D'Amico - Wings to Go - Friends Bar & Grill - Paisano's
Kingstowne - Joanie's - Hambinos Pizza Co - Joe's Pizza - Middle River Pizzeria - Tony's NY Pizza - Uncle Paul's Pizza - The
Corner Café - Paisano's Pizza - Pizza Classica - Costello's Italian Ristorante - Uncle Charlie's Pizza - Joes Pizza & Pasta Romanellis - Rosatis - Paisano's Pizza - Uncle Oogie's - Tonelli's - Community Pizza - Fat Boys Pizza – Pizza Tugos - Santucci's Pizzeria Scotty - Casa D' Mama - Johnnys Pizza Di Fiores Pizzeria and Italian Restaurant - Uncle Joe's Pizza - Santucci's - All Town
Pizza - Dominick's - Wild West Pizzeria - Abate Apizza - Rosati's - Abate Restaurant - Austin's Bar & Grill - Mister P Pizza & Pasta La Fogata - Mario's Pizza - Lee's Hoagie House of Horsham - VJ's Diner & Rest - Apollo Pizza - Epheseus Pizza - Garden City Pizza
- Valentino's Pizza - The Pizza Place and More - Positano's - Bella Pizza - Rosatis Pizza Pub - Don Franco's - Brother Bruno's - Deniro's Dolce Carini- Dominick's Pizza & Carryout - Doreen's Pizzeria II - Garlicknot - Joes Pizza & Pasta - Oreland Pizza - Papa Nick's - Royal Pizza - SaraBella Trattoria Peppino - American United Taxi - Blue Diamond Taxi - Express Systems - Scrubbs - Matt and Jeff's Car - Checkerd Flag Hand Carwash - Desert
Express - Atlas Car Wash - Splash Carwash - Mariner Car Wash - Express Car Wash – Legends - Paradise Bay - Classic Auto Spa - Dons Car Wash - Shield
System Carwash - Auto Spa - Key Road Car Wash - Blue Wave Car Wash - Spotless Auto Laundrine - Personal Touch Car Wash- Broadway Minute - American
Car Wash - Magic Suds Car Wash - Dynamite Auto Wash - The Car Wash - Quick Quack - Waterworks - Mister Car Wash - Wiggy Wash - Supersonic Carwash
Cards stolen per breach continues to rise
[Chart: cards stolen per breach. Retailers shown: Michaels, Subway, Schnucks, Target, Home Depot. Values shown: 96000, 146000, 2400000, 40000000, 56000000]
Credit Cards Compromised
Mar 30 2013
Dec 18 2013
January
March
Schnucks: 2.4M
Target: 40M
Neiman Marcus: 1.1M
Michaels: 3M
Taxi POS
Sally Beauty: 282K
June
July
August
September
Carwash POS
P.F. Chang’s: 7M
Jimmy John’s
Goodwill: 868K
UPS
Dairy Queen
Supervalu
Signature Systems
October
December
Kmart
Staples: 1.6M
BeBe
Home Depot: 56M
Poor security of POS provider affects hundreds of small businesses.
Global PoS Malware Infections
Card Fraud goes International
Chip and PIN
Magnet Strip
Stolen card numbers from US are used globally
Used for online fraud globally
Stolen card numbers from Europe are used in US with magnet strips
DHS Warns
1000+ US businesses hit by POS malware
Cost of Card Replacement
$1.3 Billion
Cost of identity theft in US
$24.7 Billion in 2012
Average victim cost
$2,294
Going rates for stolen POS data
Hacker Products and Services | Price in 2013 | Price in 2014
Visa and Master Card (US) | $4 | $4
American Express (US) | $7 | $6
Discover Card (US) | $8 | $6
Visa and Master Card (UK, CA, AU) | $7-8 | $8
American Express (UK, CA, AU) | $12-13 | $15 (UK, AU), $12 (CA)
Discover Card (AU, CA) | $12 | $15 (AU), $10 (CA)
Visa and Master Card (EU, Asia) | $15 | $18-20
Credit Card with Track I, II Data (US) | $12 | $12
Credit Card with Track I, II Data (EU) | $19-20 | $19-20
Dell SecureWorks - Underground Economy
Underground Marketplace
Carding As A Service
Black Friday Specials on Black Market
No Free Ride
Judge rules lawsuits against retailers are allowed. Banks can proceed to recoup their costs.
HOW DID WE GET HERE?
Chip and PIN is no silver bullet either!
While slightly more involved, vulnerabilities are constantly being found, such as the Pre-Play attack and MitM PIN verification.
Having plain-text chip/track data in POS memory will be more of the same problem.
Major Risks for PoS Terminals
• Similar configuration challenges as for PCs
• Old OSs and difficulties patching vulnerabilities
• Inadequate segmentation from corporate network
• On-device security software often not implemented
• Moving to Chip and PIN won’t stop malware
Attack Vectors
• Multiple breaches performed by multiple attackers
• Used customized tools that were tailored to specific environments
• Enterprise desktop management systems used to push attack tools
• Tens of thousands of security events ignored
A Look At the Attack Method
• Installed malware on PoS devices
• Moved from third-party network to retail store
• Spread horizontally until achieved footprint on PoS network
• Reconnaissance found a third-party network connection
Ever Evolving Malware
Dexter
StarDust
BlackPOS
vSkimmer
Decebal
Alina
FrameworkPOS
Backoff
kaptoxa
ChewBacca
JackPOS
Nemanja
Soraya
BrutPOS
Baggage
Triforce
OG
Tripple Threat
goo
MAY
net
LAST
ROM
Getmypass
LucyPOS
Poslogr
d4r3|dev1|
Exfiltration
• Card data hidden in local .dll file
• Malware copied .dll files to network share daily
• Known credentials used to access servers
• Card data moved to external FTP server
Follow the money
• Individual credential theft using keyloggers
• Wide scale credential theft using malware
• Attacks on banks' databases
• Attacks on the databases of card processors
WHAT CAN WE DO ABOUT IT?
Four Steps to Improve PoS Security
1. Enforce network segmentation
2. Restrict device access, limit application use and secure data
3. Leverage Threat Prevention
4. Integrate security and event management
A View Towards Segmentation
Highest-end security throughput
CARD SWIPING DEVICES
POS TERMINALS
(DATABASE SERVER)
PoS systems isolated from rest of network
PAYMENT PROCESSING CENTER
Back-end system protected
Use VPNs to Secure Communications
All PoS traffic is isolated from other inter-segment interactions
Implement Application Controls With Device Identity Restrictions
• Point of Sale systems can communicate only with specific protocols
• Logging enabled for forensic purposes
• Device identity enforced in the policy
Data Security
• Define and enforce the flow of Credit Card and other critical data to the expected destination
• Any deviation will be prevented
• Generate automated alerts and automated isolation from the network.
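An added example (not from the slides and not Check Point code) of the flow rule above: outbound payloads are scanned for Track 2 card data, and a flow carrying it is allowed only toward the expected destination. The address ranges, function names and sample flows are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed policy: card data may only flow to the payment processing segment.
ALLOWED_CARD_DESTINATIONS = [ip_network("10.50.0.0/24")]  # constructed range

# Track 2 layout: ;PAN=YYMM, 3-digit service code, discretionary digits, ?
TRACK2 = re.compile(rb";(\d{13,19})=\d{2}(\d{2})\d{3}\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_card_data(payload: bytes) -> bool:
    """True if the payload holds a Track 2 record with a plausible PAN and month."""
    return any(
        1 <= int(m.group(2)) <= 12 and luhn_ok(m.group(1))
        for m in TRACK2.finditer(payload)
    )


def evaluate_flow(dst: str, payload: bytes) -> str:
    """Allow card data only toward the expected destination; block the rest."""
    if not contains_card_data(payload):
        return "allow"
    if any(ip_address(dst) in net for net in ALLOWED_CARD_DESTINATIONS):
        return "allow"
    return "block-and-alert"  # the alert should carry flow metadata, not the PAN


# Constructed sample flows; 4111111111111111 is a well-known test card number.
TRACK = b";4111111111111111=25121010000000000?"
SAMPLE_FLOWS = [
    ("10.50.0.10", b"AUTH " + TRACK),           # POS to payment processing
    ("203.0.113.7", b"STOR a.dll " + TRACK),    # POS to an external host
    ("203.0.113.7", b"GET /updates HTTP/1.1"),  # no card data
    ("203.0.113.7", b";4111111111111112=25121010000000000?"),  # fails Luhn
]


def run_samples() -> list:
    return [evaluate_flow(dst, payload) for dst, payload in SAMPLE_FLOWS]
```

The Luhn and expiry-month checks keep ordinary digit strings from triggering the rule, which matters when a block action isolates a terminal from the network.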
Threat Prevention is a Must
PCI includes requirements for anti-malware controls primarily for desktops
Recommends but does NOT require additional malware protections
Need to implement Threat Prevention across the network and not just malware monitoring
Use integrated event management to follow and break the kill chain
First View: All Events
Important events prioritized on a timeline
Same Platform Enables Incident Management
• Prevented DLP incident triggers event log
• With source and destination details
• Event type and identifier of exfiltration attempt
Aggregation of Multi-Vector Attack Details
• Bot incident also identified
• Correlates to the same IP address
• Enables attribution and identification of method
Threat Emulation Finds POS Malware
THANK YOU!