Welcome! Copyright 2017 MAC. All Rights Reserved.

Transcription

1 Welcome! Copyright MAC. MAC. All rights All reserved. Rights Reserved.

2 Why QIR Matters-Breach Case Some large hospitality breaches involve multiple reseller companies across the USA. Because of Geography, the organization mandates a specific POS system that may have a different reseller in each major metro area. For some franchisees they may not know which local POS support company is better than the other. In this case, corporate had remote access to every store to gather nightly sales statistics and other data. 3 major US banks identified a large amount of fraudulent activity and demanded a PFI be conducted. 2

3 A Nationwide breach QIR The QIR companies had a different password per each client location for their use, but unfortunately the attacker had corporate s account. The QIR had outbound firewall rules that prevented the malware from exfiltrating data. The then attacker tried other malware tools but system patching prevented some of the older tools from working. Non-QIR The attacker was exfiltrate data, but also install a secondary remote control tool for later use (his backup plan) Logging was not preserved for a year so the franchisee could not argue the duration (months) of their breach. Because of their liability, this integrator lawyered up and would not assist in the PFI investigation. 3

4 A QIR has these traits over non-qirs QIRs are usually more active in the industry. They network with other similar organizations. They stay in touch with new technology that may keep business costs down, but also prevent breaches. QIRs realize that security cannot be solely the job of the retailer. Its difficult (these days) for a tech support organization to support a system and not be involved in its security. QIRs have often been through training that helps them understand how to identify and respond to data breach scenarios. QIRs are aware that the initial setup of a system is often where things go terribly wrong. 4

5 Mitigate Remote Access Risk Takeaway List Only use remote access applications that offer strong security controls Always use two-factor authentication when connecting Use unique username and passwords and force password changes Remove employee access upon termination Restrict access to only the service provider and only for established time periods Enable logging to monitor access and changes Do not use default or easily-guessed passwords Ensure the latest security patches are applied

6 Is Your Compliance Obstructing Your Security? Case Study; The Merchant: Large merchant with several hundred locations Recently adopted P2PE throughout the CDE (card data environment) Restricted the QSA to only evaluate the CDE

7 Is Your Compliance Obstructing Your Security? Case Study; The Breach: Ransomeware attack against the corporate environment P2PE worked; all credit card data was secure Did not pay the ransom. Elected to restore from backups

8 Is Your Compliance Obstructing Your Security? Case Study; The Bad News: Had not previously attempted to, or tested the process of restoring from backups More than 900 locations were unable to process credit card transactions for nearly three days Despite not losing a single credit card, the data breach cost this merchant $millions in lost revenue.

9 Is Your Compliance Obstructing Your Security? Takeaway List (In addition to all of Chris recommendations) Compliance does not necessarily equal security Train employees to better spot phishing and social engineering attacks o Conduct annual training that includes mock breach response and covert mock-phishing attacks Who is monitoring your security logs? o Someone in your organization must be responsible to monitor IDS/IPS/FIM alerts. The best defense against ransomware are good backups o The backup storage drives should not be connected on the same network o Backups should be tested factor the difficulty of restoring from backups into your incident response plan