Presentation is loading. Please wait.

Presentation is loading. Please wait.

Retail Security and Compliance – Where On Earth is it Headed? An overview of the retail sectors IT threats and how to be more effective in preventing them.

Published byRobin Seaver Modified over 10 years ago

Similar presentations

Presentation on theme: "Retail Security and Compliance – Where On Earth is it Headed? An overview of the retail sectors IT threats and how to be more effective in preventing them."— Presentation transcript:

1 Retail Security and Compliance – Where On Earth is it Headed? An overview of the retail sectors IT threats and how to be more effective in preventing them.

2 Agenda Introduction Retail in the news Why cyber security is important? Where are the threats? What can you do? Additional Resources Questions?

3 About Coalfire Coalfire is a founding member of the PCI Security Standard Councils (SSC) program for Qualified Security Assessors (QSAs) and has been a QSA under Visas CISP initiative since 2003. We are also an Approved Scanning Vendor (ASV) and Payment Application Qualified Security Assessor (PA-QSA). We have completed more than 4,000 PCI projects for merchants, service providers and payment application developers and we are recognized as one of the top five assessors based on the number of Reports on Compliance completed for service providers and Reports on Validation completed for payment application developers.

4 Our clients include… 4

5 About Jeff Messer Senior IT Security Consultant 15+ years of information technology and business experience. Extensive experience in delivering security assessments, compliance auditing, general IT and application controls assessments and system development reviews Industries o Retail, higher education, healthcare, transportation, banking, finance, entertainment and leading edge technologies. Hands-on experience in developing and implementing IT security strategy, directing and managing an IT department and knowledgeable in various areas including: o Network & Systems Security o Risk Management o Vulnerability Assessments o Authentication & Access Control o System Monitoring o Regulatory Compliance o Systems Integration Planning o Penetration Testing Certifications o CISSP - Certified Information Systems Security Professional o CISA - Certified Information Systems Auditor o QSA - Qualified Security Assessor

6 Retail in the news US FBI Warns Retailers of Further Cyber Attacks Similar to Target Data Breach Target - 40 million payment card records and 70 million customers' records Neiman Marcus - 1.1 million cards Michaels (2 nd breach) Sally Beauty - 282,000 cards Sears? According to the FBI there were 20 infections with BlackPOS. So far, Target and Neiman Marcus are the only two to go public.

7 Why cyber security is important? Increasing reliance on technology Attacks are increasing faster than ability to stop them Lots of money can be made from stealing the data Public image can be tarnished quickly Corporate espionage Federal agencies moving to the cloud

8 Where are the threats? POS Software Mobile POS Remote Desktop/Terminal services Wireless Access Access rights Outsourcing managed services Unencrypted data over the network SQL injections Weak controls

9 POS Software Have you patched your POS devices lately? When was the last time you upgraded? Do you perform any vulnerability scans? Have you turned on logging? PA-DSS and P2PE certification options Magnetic Card Reader POS

10 Mobile POS Using an iPad or mobile POS device over wireless? How is the device secured? Is the data cached locally? iPad running POS

11 Remote Desktop/Terminal Services Do you have a device plugged into the internet? If they use cellular or 3G/4G, where is the firewall? Digi International Lantronix Wireless Radio Network Access Server WIFI and Web Access for Ethernet Devices Ethernet Switches

12 Wireless routers How is your network setup? Have you performed a wireless assessment? Rogue access points? Wireless Access Point/Router

13 Access rights Generic and shared accounts? Default accounts? Default passwords? User = Password? Segregation of duties? Logging of root or admin accounts? User Account reviews? User and Access Rights Administration

14 Outsourced managed services What have you outsourced? Have you checked your contract? Are you monitoring their work? Third-party administrating firewall rules

15 Unencrypted data over the network Have you properly segmented your network? Its a private/corporate network, thats safe, right? Where does responsibility begin/end for sending data? We only send unencrypted data across trusted networks. Sniffing the wire

16 SQL Injections Have you escaped or blacklisted any commands? Have you limited the database permissions of the web app? Have you restricted the type of commands, or applied parameterized statements? SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't'; Sample SQL Injection Line

17 Weak controls When was the last time you performed a risk assessment? Do you have an external, independent auditor? Are you experiencing high turnover? Do you do perform background checks? We rely on a third-party and they do it…

18 What can you do? Firewall management Segment your POS network Training PCI compliance Point-to-point encryption (P2PE) Deploy a Security Information and Event Management (SIEM) to monitor network events Use two-factor authentication when accessing payment processing networks. Monitor alerts from Visa, MasterCard, and Amex Ensure you are using certified hardware and software Whitelist programs

19 Enhance your existing cyber security Social engineering Penetration testing Application penetration testing Wireless assessment IT risk assessment POS forensic testing Vulnerability scanning IT Audits

20 Top 5 trends that we see ahead 1.Cyber attacks are going to continue to increase in frequency, complexity and scale. 2.Mobile is no longer the exception. 3.The move to cloud computing will show demonstrable cost savings … but will add new risks 4.Data breaches will continue to drive new security standards and spending 5.Information risk management is no longer an IT problem its a board problem.

21 Additional resources Whitepapers, webinars, blog www.coalfire.com/resourceswww.coalfire.com/resources What to do if you are compromised? http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf Respond to a breach? http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breac h.pdf Identity Theft Resource Center - www.idtheftcenter.org o 2014 ITRC Breach Report ww.idtheftcenter.org/images/breach/ITRC_Breach_Report_2014.pdf o 2014 ITRC Breach Stats Report www.idtheftcenter.org/images/breach/ITRC_Breach_Stats_Report_2014.pdf Incident Response - Best Practices o Data Breach Response & Preparation - http://www.idtheftcenter.org/id- theft/incident-response-best-practices.html Interactive Breach/Hacks Diagram o www.informationisbeautiful.net/visualizations/worlds-biggest-data- breaches-hacks/

22 For additional information, contact… Jeff Messer Senior IT Security Consultant Coalfire 16420 Bake Parkway, Suite 100 Irvine, CA 92618 Office: (949) 271-7014 x7089 Cell: (949) 355-9096 jeff.messer@coalfire.com www.coalfire.com

Download ppt "Retail Security and Compliance – Where On Earth is it Headed? An overview of the retail sectors IT threats and how to be more effective in preventing them."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
PCI DSS for Retail Industry

PCI DSS for Retail Industry
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
BalaBit Shell Control Box

BalaBit Shell Control Box
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Security Controls – What Works

Security Controls – What Works
Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response

Mercury Payment Systems Dan Osby Director, Technical Services Technical Lead, Incident Response
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.

Similar presentations

Ads by Google