What are they and how can you stop them? 24th March 2012

Presentation transcript:

1 Data Security Risks in 2012: What are they and how can you stop them? 24th March 2012

2 Agenda
Trends in Data Breaches
How well are Companies responding?
Where are the Threats for this Decade?
Top 10 tips for 2012

3 Data Breaches and Trends
Nearly every week in 2011 brought media reports of data breaches, ranging from the theft of personally identifiable information to sensitive government documents to credit card data. Cyber criminals target many diverse organisations, as this slide shows, and they all have one thing in common: valuable data.

The food and beverage industry remains a key target. Whilst such businesses typically represent a smaller reward for attackers in comparison to a large bank or payment processor, they continue to be a target due to well known payment system vulnerabilities and poor security practices on the part of those responsible for the upkeep of these systems.

Last year industries with franchise models became the new cyber targets, with more than a third of 2011 investigations occurring in franchise businesses. This is largely because standardised computer systems exist across franchises (think pizza chains), so if a security deficiency exists within a specific system it will be duplicated across the entire franchise base. Happy days for the cyber criminal. I’ll talk a bit later about the importance of working with secure third parties.

Organised crime groups seem to be targeting the hospitality industry. High levels in Government: attackers looking for trade secrets.

Source: Trustwave 2012 Global Security Report

4 Types of Data at Risk
As expected, payment card fraud is big business.
In terms of the types of data at risk, 85% involve payment card data, personally identifiable information and other records such as addresses. Active addresses of consumers are valuable to attackers as they can lead to further attacks, from traditional phishing to more sophisticated attacks. Cyber criminals continue to focus their efforts in this area due to the large number of available targets and the well established black markets where criminals are quickly able to turn items such as payment card data into cash with minimal effort.
Money laundering para
Sensitive customer data and customer records also made up a slice of the pie.
Source: Trustwave 2012 Global Security Report

5 Detection
As most of you in the audience will already be aware, payment card issuers today use a variety of very advanced fraud monitoring systems. When a card is reported stolen or odd patterns of activity are spotted, information is passed to the card brand and the suspect merchant’s processing bank for investigation. Last year about 60% of detection was this way. The study however found that .....
60% detection through the card brand using advanced fraud monitoring systems BUT
Source: Trustwave 2012 Global Security Report

6 Typical Attack Methodology
Payment Service Provider hacked: multiple servers and WAN, and over 1,000 hosts attacked
Hacker identified an internal development system and rewrote a rootkit (a bit of code) to function on the operating system
Malicious scripts harvested cardholder data
Attack went unidentified for 18 months
The payment service provider’s environment was not PCI DSS compliant

7 Threats Past and Future
1980’s – Physical
1990’s – Network
2000’s – , Wireless
2010’s – Mobile, Social Networking

8 10 Top Tips: Embrace Social Networking but Educate Staff
Why? It’s not going away any time soon; brand awareness and cost reduction will drive more business use. Risks associated with this include public exposure of private company info. Cyber criminals will mine these sites for personal information.
How? Establish a policy of what can and can’t be shared. Educate staff and provide training on how to avoid attacks.

9 10 Top Tips: Develop a Mobile Security Programme
Why? Staff carry these devices everywhere and lose them!
How? Evaluate the various platforms and work out which ones are most vulnerable. Put in place suitable end point security to gain control. Ensure there is an easy way to report loss inside your organisation.

10 10 Top Tips: Introduce or Empower Incident Response Teams
Why? Accidents will happen. Under the new EU Data Protection Act directive, companies will be required to report a breach to the ICO within 24 hours AND inform the customers affected.
How? Ensure the team has access to security notifications and logs. Check your existing event management system. Investigate even the most obscure of issues.

11 10 Top Tips: Enforce Security on Third Party Relationships
Why? Third parties introduce vulnerability into your systems. They may not operate to the same security standards as you do. They often have insecure remote access implementations.
How? Undergo regular security testing with larger partners and share results. If transferring marketing data, do so using secure file transfer and add dummy data in transit so that you are aware if the data has been stolen.
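One way to implement the dummy-data idea from this slide, as an added example that is not part of the presentation: each partner export is seeded with canary records derived from a secret key, so a copy of the file that later turns up elsewhere can be matched back to the recipient. The CSV layout, the key and the customer rows are constructed for the example.

```python
"""Seed a marketing export with partner-specific canary records and
check a suspect file for them. Added example; all values are constructed."""
import csv
import hashlib
import hmac
import io

SEED_KEY = b"constructed-demo-key"  # in practice a secret held only by the data owner
FIELDS = ["name", "email", "postcode"]

def make_canary(partner: str, n: int) -> dict:
    # Deterministic per partner and index, so a leak can be traced to the recipient
    # without keeping a database of every canary ever issued.
    tag = hmac.new(SEED_KEY, f"{partner}:{n}".encode(), hashlib.sha256).hexdigest()[:10]
    return {"name": f"Alex {tag[:4].upper()}",
            "email": f"alex.{tag}@example.com",
            "postcode": "ZZ1 1ZZ"}

def seed_export(rows: list, partner: str, count: int = 3) -> list:
    """Return the customer rows with `count` canaries spread through the file."""
    out = list(rows)
    for i in range(count):
        out.insert(((i + 1) * len(out)) // (count + 1), make_canary(partner, i))
    return out

def to_csv(rows: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def find_leak_source(suspect_csv: str, partners: list, count: int = 3) -> list:
    """Return the partners whose canary emails appear in a file found in the wild."""
    emails = {r["email"].lower() for r in csv.DictReader(io.StringIO(suspect_csv))}
    return [p for p in partners
            if any(make_canary(p, i)["email"] in emails for i in range(count))]

# Constructed sample customer data
CUSTOMERS = [{"name": "Sam Jones", "email": "sam@example.org", "postcode": "AB1 2CD"},
             {"name": "Pat Lee", "email": "pat@example.org", "postcode": "EF3 4GH"}]

if __name__ == "__main__":
    leaked = to_csv(seed_export(CUSTOMERS, "partner-a"))
    print(find_leak_source(leaked, ["partner-a", "partner-b"]))  # ['partner-a']
```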

12 10 Top Tips: Implement an Organisation Wide Security Awareness Programme
Why? Security awareness training may not stop an insider with malicious intent, but it can mean early detection and notification. This is particularly true for social engineering. Poor/shared passwords are rife in organisations. Employees are your weakest link.
How? Implement at induction and then at regular intervals. Test knowledge; there are plenty of compliance tools to “enforce” compliance. Penetration tests unearthed levels of password rubbish.

13 Barclays plc

14 10 Top Tips: Eradicate Clear Text Traffic
Why? Cybercriminals know that businesses send sensitive data over private networks in the clear.
How? Implement SSL certificates for web based transactions, use encryption, or use end to end encryption for transaction processing systems.

15 10 Top Tips: Security Framework – Risk Assessments
Why? Without a clear framework for assessing risks there is no way for an organisation to have a structured way to mitigate against data loss. Risk = Threat x Vulnerability x Impact
How? Plenty of tools and consultancies to help. The DMA has a good (free) standard template.

16 10 Top Tips: Maintain Visibility of where Cardholder Data is Stored
Why? You never know when you are going to need to communicate with cardholders.
How? Maintain an asset register so you know what data is stored where and on what servers. Ensure your response team have a clear process for what to do in the event that you do need to communicate with customers. Have a trial run.
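As an added example of the asset-register idea (not code from the presentation), a small discovery scan that finds Luhn-valid card-number candidates in text and records which files hold them, with the numbers masked so the register itself does not become a store of cardholder data. The file paths and contents are constructed samples.

```python
"""Find candidate primary account numbers (PANs) in text and build a register of
where cardholder data lives. Added example; sample files are constructed."""
import re

# 13 to 19 digits, optionally split by single spaces or dashes, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check: doubles every second digit from the right, sums, tests mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return masked PAN candidates (first 6 and last 4 kept) that pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject runs of one repeated digit, which pass Luhn but are not card numbers
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found

def build_register(files: dict) -> dict:
    """Map each path holding PAN candidates to how many it contains."""
    register = {}
    for path, body in files.items():
        hits = find_pans(body)
        if hits:
            register[path] = len(hits)
    return register

# Constructed sample files: two well-known test card numbers, one order log, one phone number
SAMPLE_FILES = {
    "/srv/crm/export.csv": "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n",
    "/var/log/app.log": "order 20120324 total 19.99 ref 1234567890123\n",
    "/srv/notes.txt": "phone 0123 456 7890\n",
}

if __name__ == "__main__":
    print(build_register(SAMPLE_FILES))  # {'/srv/crm/export.csv': 2}
```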

17 10 Top Tips: Penetration Testing
Why? Keep testing your internal systems and processes. Poor passwords are everywhere in businesses. Top 25 passwords. Password cracking by Trustwave (on a system that cost <£1k) took 10 hours: of the 2.5m passwords analysed they recovered 200k.
How? Ask an expert.

18 10 Top Tips: Keep Up to Date with Technology and Trends
Why? Think like the cybercriminal; they are always going to be one step ahead. New technologies can really help with the fight against them.
How? Ensure your IS team get the proper training. Bring in experts as necessary, even if it’s just to give you a quick assessment.

19 Summary
Security threats are on the increase
Payment card fraud continues to be big business
Organisations, end users and intermediaries can fight this crime with well thought out defence plans
Level 3 and 4 merchants should be encouraged to consider their plans

20 Register for our Free DataIQ journal www.dqmgroup.com/dataiq

