Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC) 3 3 Sept 2014 CYBER SAFETY: A Systems Thinking and Systems Theory.

Slides:



Advertisements
Similar presentations
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Advertisements

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
ELOC Bank Table Top Exercise Executive Leadership of Cybersecurity Austin, TX December 3,
Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Analysis and Recommendations. PB’s&J Presenters & Topics David Bihm User Account Management Nathan Julson Data Classification Firewall Architectures.
Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Ryan Paulsen Chris Lafferty Nilesh Nipane.  Intruders gained access to credit card information between  ~50 million credit card and debit.
Lecture 11 Reliability and Security in IT infrastructure.
Why Comply with PCI Security Standards?
Payment Card Industry (PCI) Data Security Standard
Session 3 – Information Security Policies
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC) 3 Cyber Safety: A Systems Thinking and Systems Theory Approach.
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
System Theoretic Approach To Cybersecurity:
An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
FIVE STEPS TO REDUCE THE RISK OF CYBERCRIME TO YOUR BUSINESS.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
A GENERIC PROCESS FOR REQUIREMENTS ENGINEERING Chapter 2 1 These slides are prepared by Enas Naffar to be used in Software requirements course - Philadelphia.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Liability Issues for TRIO Programs Managing Your Project’s Risk.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
TransArmorSM A Secure Transaction ManagementSM Solution
Pro-active Security Measures
Enterprise Cybersecurity Strategy
1 Executive Leadership of Cybersecurity Austin, TX December 3, 2014 ELOC Bank Table Top Exercise.
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Security and Assurance in IT organization Name: Mai Hoang Nguyen Class: INFO 609 Professor: T. Rohm.
APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc.
VeriShield Protect Revolutionary technology that simplifies PCI DSS compliance with no system upgrades Now available on V x Solutions!
1 © 2004, Cisco Systems, Inc. All rights reserved. Wireless LAN (network) security.
IS3220 Information Technology Infrastructure Security
CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)
Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.
By: Ted Worthington.  About TJ Max  Discovery  How the break in occurred  The Payment Card Industry-Data Security Standard  Lawsuit and Investigation.
Risk Controls in IA Zachary Rensko COSC 481. Outline Definition Risk Control Strategies Risk Control Categories The Human Firewall Project OCTAVE.
Principles Identified - UK DfT -
MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC)3 Cyber Safety: A Systems Thinking and Systems Theory Approach.
Payment card industry data security standards
Security Standard: “reasonable security”
Breaches by Merchant Type
Data Compromises: A Tax Practitioners “Nightmare”
MIS 5121: Real World Control Failure - TJX
Today’s Risk. Today’s Solutions. Cyber security and
Systems Theory Approach to Managing Cybersecurity –
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
Managing IT Risk in a digital Transformation AGE
Anatomy of a Common Cyber Attack
Presentation transcript:

Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC) 3 3 Sept 2014 CYBER SAFETY: A Systems Thinking and Systems Theory Approach to Managing Cybersecurity – Applied to TJX Case Hamid Salim Professor Stuart Madnick 1

Agenda 1.TJX (TJ Max and Marshalls stores) Case 2.System-Theoretic Accident Model and Processes (STAMP) and Causal Analysis based on STAMP (CAST) 3.STAMP/CAST Applied to TJX 4.Contributions 2

1. Background of the TJX (TJ Maxx and Marshalls stores) Case 3

4 Mar 29, 2007

1.Major off-price US based retailer, revenues > $25 billion (FY2014) 2.Victim of largest (by number of cards) cyber-attack in history, when announced in Cost to TJX > $170 million, per SEC filings. 4.Cyber-attack launched from a store on Miami, FL in 2005 by exploiting Wi-Fi vulnerability. 5.Hackers ultimately reached corporate payment servers and stole current transaction data. 6.Cyber-attack lasted for over 1.5 years Sources: Federal/State Court records (primary), TJX SEC Filings, Others (NYT, WSJ, Globe, FTC, Academic papers, Journal articles). 5 TJX (TJ Maxx & Marshalls) Case Study – Some Highlights

6 Breaching Marshalls Store 1.AP- Open authentication vs Shared Key authentication. 2.WEP publically known weak algorithm compromised. 3.Sniffers used to monitor data packets. 4.Hackers steal store employee account information and gain access to TJX corporate servers.

7 Hackers Establish VPN Connectivity 1.Hackers use Marshalls AP to install VPN connection. 2.VPN is between TJX corporate server and hacker controlled servers in Latvia. 3.Code installed on TJX corporate payment processing server.

8 Flow for Sales of Stolen Payment Card Information. Via Bank in Latvia

2. System-Theoretic Accident Model and Processes (STAMP) and Causal Analysis based on STAMP (CAST) 9

10 STAMP Model

STAMP Hierarchical Control Model 11

12 No.STAMP/CAST Analysis Steps 1Identify the system(s) and hazard(s) associated with the accident or incident. 2Identify the system safety constraints and system requirements associated with that hazard. 3Document the safety control structure in place to control the hazard and ensure compliance with the safety constraints. 4Ascertain the proximate events leading to the accident or incident. 5Analyze the accident or incident at the physical system level. 6Moving up the levels of the hierarchical safety control structure, establish how and why each successive higher level control allowed or contributed to the inadequate control at the current level. 7Analyze overall coordination and communication contributors to the accident or incident. 8Determine the dynamics and changes in the system and the safety control structure relating to an accident or incident, and any weakening of the safety control structure over time. 9Generate recommendations. CAST Steps for Analyzing Accidents or Incidents

3. STAMP/CAST Applied to TJX 13

System(s) – TJX payment card processing system Hazard(s) – at system level – System allows for unauthorized access 14 Step #1: Identify System(s) and Hazard(s) Step #2 (1/2): Define System Safety Constraints and Requirements System Safety Constraints – at system level 1.Protect customer information from unauthorized access. 2.Provide adequate training to staff for managing security technology infrastructure. 3.Minimize losses from unauthorized access to payment system.

15 Step #3: Hierarchical Control Structure Components of Control Structure Loop numbers

16 Step #4: Proximate Event Chain, (1/2) 1.In 2005 TJX decided not to upgrade to a stronger encryption algorithm and continued using deprecated WEP encryption. 2.In 2005, hackers use war-driving method to discover a misconfigured Access Point (AP) at a Marshalls store in Miami, FL. 3.Hackers join the store network and start monitoring data traffic. 4.In 2005, they exploited inherent encryption algorithm weaknesses at the store, and decrypted the key to steal employee account and password. 5.Using stolen account information, hackers accessed corporate payment card processing servers in Framingham, MA. 6.In late 2005 hackers downloaded customer payment card data from TJX corporate transaction processing servers in Framingham, MA using Marshalls store connection in Florida. 7.In 2006 hackers discover vulnerability, that TJX was processing and transmitting payment card transactions without encryption.

17 Step #4: Proximate Event Chain, (2/2) 8.In 2006 hackers installed a script on TJX corporate servers to capture unencrypted payment card data. 9.In 2006 hackers used TJX corporate servers as staging area and create files containing customer payment card data and started downloading files using Marshalls store network. 10.In late 2006 hackers installed a dedicated VPN connection between TJX server in Framingham, MA and a server in Latvia. 11.In 2006 hackers started moving files directly from TJX server to the Latvian server. 12.In December 2006, TJX was alerted by a credit card company of possible data breach of TJX systems, initiating an investigation. 13.In January 2007, TJX announced publically that it was a victim of a cyber-attack.

18 Step #5: Analyzing the Physical Process (TJX Retail Store System), (1/2)

19 1. Safety Requirements and Constraints Violated: a.Prevent unauthorized access to customer information. 2. Emergency and Safety Equipment (Controls): a.AP authentication b.WEP encryption c.Use of account id/password 3. Failures and Inadequate Controls: a.Access Point (AP) misconfigured b.Inadequate monitoring of Wi-Fi. c.TJX collecting customer information that was not required d.Inadequate encryption technology – WEP 4. Physical Contextual Factors: a.TJX was an early adopter of first generation Wi-Fi technology at its over 1200 retail stores in 2000 b.Requiring a significant learning curve, training, and a new knowledge base in a short span of time. Step #5: Analyzing the Physical Process (TJX Retail Store System), (2/2)

20 Step #6: Analysis of Higher Levels of the Hierarchical Safety Control Structure

21 1. Safety-Related Responsibilities: a.Payment card data is encrypted. b.TJX systems should be PCI-DSS compliant. ( Compliance with PCI-DSS is required by retailers accepting credit cards). c.Provide data retention process/procedures. d.Systems pass rigorous testing. 2. Context: TJX not in compliance with PCI-DSS. 3. Unsafe Decisions and Control Actions: a.Inadequate compliance with PCI-DSS. b.Retained more customer data than needed/for longer periods than required. c.Inadequate testing of systems/lack of awareness of PCI-DSS. d.Payment data briefly stored and then transmitted unencrypted to the bank. e.Visa issued a warning to FT Bancorp that TJX needed to be fully compliant, but (a) Fifth Third Bancorp had limited influence on TJX and (b) Visa had already granted TJX suspended fines until Process Model Flaws : a.Belief that Fifth Third Bancorp’s compliance with PCI-DSS implies compliance by TJX. b.Inadequate understanding of full scope of PCI-DSS Step #6: Analysis of Higher Levels of the Hierarchical Safety Control Structure

22 Step #7: Coordination and Communication 1.Disconnect between the views of CIO and his staff, and executive management view cyber security as a technology issue. a.Operations Management was aware of the compliance criteria but due to lack or inadequate support from executive management those system needs were not communicated to Project Management. b.Payment Card Processing System is controlled by Operations Management (loop #8), and interacts with Fifth Third Bancorp (loop #11). Fifth Third Bancorp relied on TJX to satisfy requirements of PCI-DSS. But TJX had view that PCI-DSS compliance is a technology issue and that First Third Bancorp compliance implies TJX compliance. c.CIO prioritized budget spending because CIO was representing a cost center and not revenue generating function, limited CIO influence at executive level.

23 Step #8: Dynamics and Migration to a High-Risk State According to Leveson, “most major accidents are a result of migration of a system to a high-risk state over time. Understanding the dynamics of migration will help in redesigning the system.” 1.A major change contributing to the cyber-attack was TJX’s move from wired to wireless networking (Wi-Fi) in 2000 in a short span of one year. a.Initially cyber security risk was low because vulnerabilities were unknown to everyone – experts, businesses, and hackers. b.TJX decided against upgrading to a more secure encryption algorithm for cost reasons. 2.Flaws in managerial decision making process. a.Ease of recall bias where recent experiences strongly influence the decision (i.e., no break-ins so far.)

24 3.Confirmation trap is a decision maker’s tendency to favor/seek information that confirms his/her own beliefs and discount contradicting information. “My understanding is that we can be PCI-compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07’s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.” Step #8: Dynamics and Migration to a High-Risk State, (2/2) a.Above is a message from CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low. -- there were only two opposing views, a majority of his staff agreed. b.This confirmation trap led to postponing upgrades.

25 Step #9: Recommendations 1.According to PCI Security Standards Council, compliance is a business issue requiring management attention and need to integrate PCI-DSS requirements within appropriate components on development and operations parts of the control structure. a.Doing so would not ensure full protection against a cyber-attack, but it will help manage the risk more effectively. b.Ensure that TJX is shielded from liability, because TJX was fined $880,000* by VISA for non-compliance plus another $41 million 2.Understand objectives of standards and align them with cyber security and business needs, but PCI-DSS not fully adequate. a.Data must be encrypted when sent over a public network, but not when transmitted within TJX, over intranet or behind a firewall. b.PCI-DSS did not mandate using stronger encryption WPA until 2006, even though WPA was available in 2003.

26 3. Building a safety culture at TJX Specific steps can include: a.Safety critical entities can include encryption technology, hardware components (AP, servers, etc.), data retention/disposal/archival policies, a list of Key Threat Indicators (KTI)* to include in monitoring metric, and prevailing cyber security trends. b.Implement a plan to manage these entities with periodic reviews to update the list of safety critical entities. c. A dedicated executive role with cyber security responsibilities, will allow for a consistent view of TJX security technology across the organization. * KTI can be network traffic beyond an established threshold at TJX stores, number of network connections at odd hours of the day, etc. Step #9: Recommendations

Comparison of Results from FTC and CTC Investigations and STAMP/CAST Analysis No.RecommendationCPCFTCSTAMP/CAST 1 Create an executive level role for managing cyber security risks. No*Yes 2PCI-DSS integration with TJX processes. No Yes 3Develop a safety culture. No Yes 4 Understand limitations of PCI-DSS and standards in general. No Yes 5Review system architecture. No Yes 6Upgrade encryption technology. YesNo* 7Implement vigorous monitoring of systems. YesNo* 8Implement information security program. NoYes* 27 CPC = Canadian Privacy Commission FTC = Federal Trade Commission * = Indicates recommendations that are close to STAMP/CAST based analysis but also has differences.

4. Contributions of this Research 28

29 1.Discussed why traditional approaches are ineffective for managing cyber security risks. 2.Highlighted need for system thinking and systems engineering approach to cyber security. 3.Introduced STAMP/CAST in the context of cyber security. 4.Proposed STAMP/CAST as a new approach for managing cyber security risks. 5.Applied STAMP/CAST to TJX case providing insights not discovered by other methods. 6.Recommendations provide a basis for preventing similar events in the future. Research Contributions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.