Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential.

Published byKarin Heath Modified over 9 years ago

Similar presentations

Presentation on theme: "©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential."— Presentation transcript:

1 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential.

2 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the trademarks of their respective owners. No part of this copyrighted work may be reproduced, modified, or distributed in any form or manner without the prior written permission of Experian. Experian Confidential. Things that go bump in the night Stephen Scharf Global Chief Information Security Officer

3 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 3  Adversaries  Attack scenarios – sample  Fraud we see  Products that don’t work  Products that work  Products that don’t exist  Conclusions Content

4 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 4 Adversaries Script kiddies MOTIVATION: Hacking for fun and respect Fame (either externally or internally) Hactavists MOTIVATION: Hacking to free the world and punish corporate greed and abuse Punish those that deserve punishing (whom they decide) Organized crime MOTIVATION: Hacking to support illegal criminal activities that generate profit Money, money, money Hostile nation states MOTIVATION: Hacking to steal intellectual property and empower themselves Power All things that make a country powerful – Improve yourself and weaken your enemies

5 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 5 Denial of service  Trying to disrupt services and revenue  These attacks can be via extortion events or through organized hacktavist activities  Tools provided for free  Times and targets broadcasted via underground channels Phishing  I wish this was limited to the Nigerian scam email  Now attacks are highly sophisticated and targeted  Evolved into “spear phishing” and “whaling” and now a slight variation called “water-holing” Attack scenarios

6 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 6 SQL injection  Abuse client side data and manipulate fields used for dynamic SQL queries  Lack of server side validation creates exposures APTs (Advanced Persistent Threats)  Getting all the buzz lately  Highly targeted highly sophisticated attacks  Often leverage 0-day issues and operate “low and slow” Attack scenarios

7 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 7 Trusted insider  Authorized individuals doing unauthorized things  Higher risk around system administrators and genius product developers  This includes acts of malicious intent and acts of noble intent but done in an unsafe manner Social engineering  Pretending to be someone you are not in an attempt to gain access to something you should not have Abuse of products  Using stolen credentials, gaming system logic, hacking client PCs Attack scenarios

8 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 8 Submission of fake documents  Fake police reports  Fake court orders  Fake drivers license  Fake affirmations from legitimate creditor Submission of fake positive data  Data furnishers with fake data to bolster credit files  Paid offers to become delegated / authorized users on credit cards  Credit clinics that attempt to flood the system with bogus challenges Login abuse via B2B and B2C channels Fraud we see (and combat)

9 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 9 Entire societies exist off the grid and on the “dark Web”  These private channels are used for everything imaginable; hackers for hire, CC for sale, illegal pornography, identities for sale, illegal weapons, drugs, usernames / passwords, etc.  Some entities monitor this traffic (such as Garlk) and attempt to alert upon identifying concerning activities The “evil” underground

10 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 10  Systems like TOR (the onion router) make anonymous communication very easy to use and very difficult to track ► Only recently have we seen TOR node anonymity come under question. First developed by the U.S Naval Research Lab and DARPA  When you combine anonymous payment systems like bitcoin with anonymous communication systems like TOR, you create an opportunity for abuse  More and more companies are professing to have dark Web listeners and human capital for collecting threat intel The “evil” underground

11 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 11 Products / techniques that (usually) don’t work PasswordsAntivirus Intrusion detection systems Firewalls Knowledge-based Authentication (by itself)

12 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 12  Device identification – aka 41st Parameter ®  Adaptive authentication  Malware detection via controlled virtual exploitation  Password vaulting  Data loss prevention  Active scanning with indicators of compromise (IoCs)  System and application containerization / virtualization Products that work

13 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 13 Seamless flushing of device(s) upon attack detection  The ability to reset a device to a known good state upon the detection of malicious activity True security data intelligence  High volume data aggregation and interpretation to identify various attacks across the enterprise – also known as big security data  Bring together dissimilar data elements to discover previously undiscovered malicious patterns PC micro-virtualization with no impact to user experience  Systems that protect each component from every other component, but still allow legitimate user experience to flow unimpeded Products that don’t exist (because it’s hard to do)

14 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. 14  We are targeted every day  Adversaries are very smart, very well-funded and very patient  We have to be right every time, they just have to be right one time  Products like 41 st Parameter ® actually make a difference  Some products have lost value over time  It is a continual arms race with both attackers and defenders constantly refining their arsenal  Have a nice day Conclusions

15 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. #FOIC2014

16 ©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential. Name Title Company e: t: m: Stephen Scharf Chief Information Security Officer Experian e:stephen.scharf@experian.com t:1.714.830.3351 m:1.714.363.7356

Download ppt "©2014 Experian Information Solutions, Inc. All rights reserved. Experian Confidential."

Similar presentations

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.

McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e.
7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.

7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.

The Ecommerce Security Environment For most law-abiding citizens, the internet holds the promise of a global marketplace, providing access to people and.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
Microsoft Ignite /16/2017 4:54 PM

Microsoft Ignite /16/2017 4:54 PM
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
Reliability and Security. Security How big a problem is security? Perfect security is unattainable Security in the context of a socio- technical system.

Reliability and Security. Security How big a problem is security? Perfect security is unattainable Security in the context of a socio- technical system.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Wonga example Register Question- What risks do you think businesses face due to IT developments?

Wonga example Register Question- What risks do you think businesses face due to IT developments?
Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.

Lecture 11 Electronic Business (MGT-485). Recap – Lecture 10 Transaction costs Network Externalities Switching costs Critical mass of customers Pricing.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
COMPUTER CRIME AND TYPES OF CRIME Prepared by: NURUL FATIHAH BT ANAS.

COMPUTER CRIME AND TYPES OF CRIME Prepared by: NURUL FATIHAH BT ANAS.

Similar presentations

Ads by Google