PCI DSS Part 2 - Attacks and Sources of Risk



1 hour 15 minutes
Video Description

Despite increased awareness of security threats to financial data such as cardholder information, the frequency of data breaches doesn't appear to be slowing down. Some of the more well-known cardholder data breaches in recent years occurred at Adobe, Target, Neiman-Marcus, and Home Depot. Target reported that around 40 million card numbers were stolen, but it's suspected that the actual number was much higher. Securing such data requires strong enforcement and begins at the top of the organization: senior management either gets it or they don't. In this video we cover the sources of attacks, the various types, and the policies and procedures to thwart them. Attacks can originate either internally or externally. Most attacks come from external sources (64%), but internal attacks are still a large area of concern. Whereas external attacks are most often malicious, internal ones can also be unintentional, the result of carelessness or ignorance. Stolen laptops, scams, and social engineering are the most common exploits from within. The information, or more accurately the assets, that require protecting consist of the standard credit card information: card number, expiration date, and security code. Protecting this data comes under the umbrella of risk management, which consists of risk assessment, risk analysis, and risk mitigation. We'll discuss these particular processes in more detail in the other videos in this module.

Video Transcription
As we continue our discussion on why PCI DSS is so very important, just to mention a couple: these are just a handful of the recent attacks that we've seen. Adobe was hacked back in 2012, and if you'll notice, 40 million sets of payment card information, or information from the payment card industry, were compromised. All right, fine. Then we moved on to 2013. In one month's time, between November and December, Target, and you may have heard of this particular breach, found that over 40 million credit card numbers had been compromised. And I'll tell you, independent assessments think that compromise is much larger than just 40 million credit cards, although 40 million credit cards is huge. And I mentioned earlier they were the victim of a RAM scraping attack. But what was most interesting about this was the way the network was originally infiltrated with this mechanism to pull the remnants from RAM. It was because of a contractor, an HVAC contractor (heating, ventilation and air conditioning), who was able to access a system on which he checked his email, received a bogus email containing an attachment, and the attachment got opened. That particular attachment contained essentially a means to allow the attackers to access the network on which the point of sale systems resided. So this is one of those instances where we can't ever say that we're not vulnerable, that an attack is not possible. But when you have a contractor who is able to access a network that interfaces with our point of sale systems, that's a huge breach. That's a huge consideration that's missed there: you know, just the basic principle of isolating trusted networks from untrusted. That's not specific to the payment card industry. That's, you know, throughout all of security and all the elements concerned with security.

So that was a huge breach, and there were numerous indications of problems that existed with that compromise. Home Depot in 2014 was also compromised. This really hasn't been all that long ago. Somewhere around 56 million pieces of sensitive information were compromised, the account numbers and so on. So what we're seeing is these large organizations, again, either get it or they don't.

Now, just because they're compromised doesn't mean that they don't get it. But when you have an organization that fails to follow just basic security principles and protect their data in a means that's standard and is accepted by the various industries, that's certainly a huge concern. So what we need is stronger enforcement, or strong enforcement, of security requirements for this payment card information.
Now, where did these attacks come from? Well, either inside or outside, and of course that makes sense. But what we have to look at is that 64% of the attacks come from outside our organization. So obviously the majority comes from the attackers, wherever their origin, looking to compromise this information. However, we also have 28%. It doesn't quite add up, does it? 64%, 28%. But at any rate, we also have a sizable portion coming from insider attacks as well. Not all attacks are malicious, and by that I mean not all instances that cause loss or breach or disclosure of information, certainly not all of those, are intentional: an internal processor accidentally giving out information over the phone, accidentally deleting a file that's necessary, leaving information in an unsecured manner. All of those would be compromises. So we have the largest portion coming from outside our organization, but still a sizeable portion coming from within. We have a smaller portion: malicious incidents from insiders within the network, internal fraud, embezzlement, those sorts of issues.
Now, types of attacks. Stolen laptops or computers. And again, this is not unique to the payment card industry. Living here in D.C., we've seen various government agencies, or employees of those government agencies, do things like leave laptops with sensitive information on the subway. Any time you have a human element, there's always the potential for mistake or for not following policy or procedure.

Exposure on the Internet or through email. This is going to go up and up and up. As more and more business is conducted across the Internet, you're going to see more compromise. Email by default is not secured. So when you have people passing information across email, "Hey, put this charge on my card. Here's my number," sending it through text, when you have people transmitting any information across the Internet to an unsecured site, meaning using insecure protocols, there's always the potential for compromise.

Just a flat-out hack, which is really kind of what happened with Target and with Home Depot: 16%.

Documents lost in the mail or on disposal. So I order a new credit card. It never makes it to me. Maybe someone steals it out of my mailbox, someone intercepts it in transit, or I have a credit card that's lost and I fail to report it as being lost. Or I no longer want to use a payment card, so I throw it in the trash. You know, those are instances.

Scams and social engineering. This is going to go up and up and up. This seems to be really sort of the main way that fraud is happening today. And if you look back at some of the major compromises, they usually at least have an origin in social engineering, tricking someone into divulging information I have no business knowing. I saw an episode, I think it was on the Today show, where they hired a security firm to set up a kiosk at a local shopping center, and they had a little banner that said it was for a free, no-interest credit card for college students, and during the course of the day something like 100 people applied for this credit card. Now, you know, no authentication, not tied to any bank, not verified. And you think about the information that you fill out when you do apply for a credit card: you know, your name, your social security number, pertinent financial information, your address. All of these pieces, and over 100 people turned that information over. And what I found to be most revealing was, at the end of the day, they went back and kind of interviewed some of these people and they said, "Well, didn't you think this was suspicious? Did you have any concerns?" And what most of the people wound up saying was, "Well, I thought it was a little odd, but everybody there was just so nice," as if an attacker couldn't be nice. Or what also happens is often these attackers will hire customer service people to go in, and of course they're nice. They're trained as customer service people. So it's just very interesting, you know, all the reasons that social engineering works. But we've got to start training our people on social engineering, because this is the way information is getting leaked. And of course, here at Cybrary, we do have a class on end user security that focuses very heavily on social engineering.

Now, there is a lot of information on your standard payment card.
So obviously all of this information falls under payment card information and can be used as part of identity theft or fraud. So if you look where the little red arrows are, they'll tell you where sensitive information would be. So, first of all, many of the cards have the chip, and they are often used in conjunction with the personal ID number. This is a much more secure environment than just relying on the magnetic strip on the back. As a matter of fact, the folks in the European Union have been using the chip and PIN mechanism to protect their payment cards for years and years and years. The idea is that information stored on this magnetic strip can easily be intercepted and then can be reapplied to a new card on a new magnetic strip for the purposes of fraud. Well, it's a little bit more difficult with the chip. This is actually a processor that's able to transmit this information encrypted, storing and transmitting it in encrypted fashion. So that's much better than just a plain, static set of information on that strip.

What we see here is the primary account number, and that's going to be referred to as the PAN throughout the presentation. This is one of the most significant pieces of information because it's the hardest; it would be the hardest for me to guess. Once I have your account number, often I can use other forms in order to get the security code or the expiration date. But once that primary account number is compromised, I'm very, very close to having my goal. The expiration date is needed. Then the security code looks a little different for American Express than it would for Discover, MasterCard, Visa and JCB; on the back, it's usually a three-digit code for those other organizations. So all of this information must be protected in order to prevent theft of identity and fraud.
So where do our risks come from? And one of the things that I always talk about when I talk about security is that really, security is nothing more than risk management. And if you're familiar with the steps of risk management, you look at certain elements. The very first thing that you do is you identify your assets. We often refer to that as risk assessment. What do I have? What am I protecting, and what's it worth? Now, when we think about $14 billion worth of loss due to credit card fraud and theft, that's a pretty valuable asset. Now, the problem with some of these less tangible assets is they're very difficult to get an accurate cost for. You know, you look and say, okay, here's the amount that could be compromised with identity theft. Well, what about the loss to a company's reputation should these credit card numbers or payment card numbers be compromised? It's very difficult to put a loss on, or a value on, a company's reputation. Now, you can do it, and risk advisors do that all the time. But what we really have to understand is loss comes from a variety of different directions, and all of that is going to play into the value of the assets that we protect. Okay, so with risk assessment, identify your assets and how much they're worth; evaluate them.

The next step: let's look at the things that have the potential to harm those assets. Let's do risk analysis. So what I want with risk analysis is I want to look at the threats, the things that could harm my asset, and the vulnerabilities, where I'm weak, and those two together give me a risk. Now, when we talk about a risk event, what I want to know is how likely is the risk to occur, and if it occurs, how big an impact? You know, is this a compromise that happens once every 50 years and has a 500.1 impact? Well, that may not be something I devote a lot of money to. But when I have the potential for loss in the millions that happens two to five times a year, well, yeah, that's going to get my attention.

So with risk analysis, what we're looking to do is get both the qualitative and quantitative value for risks. A qualitative value is subjective: high, medium, low would be qualitative words. This is highly likely; this has a moderate chance of happening. That's qualitative. But what we really want to get our hands on is a quantitative analysis. Tell me the dollars. What is my loss potential in dollars and cents? Because that is going to drive the decisions I make in the next step, which is risk mitigation. What are the strategies I'm going to implement? What controls am I going to put in place to reduce the likelihood and/or impact of this risk event? Rarely do we talk about eliminating risks, and we certainly can't eliminate all risks, right? It's impossible to eliminate every risk, but what we can do is reduce the risk so that it's small enough to fall within our range of tolerance. That's often decided by senior management, the board of directors, whoever that may be. But ultimately our goal is to mitigate, or to reduce, that risk to as small as possible.

Now, the final step. So we assessed, we analyzed, we mitigated, and the final step of risk management is ongoing analysis. You are never, ever done dealing with risks, especially in an organization that holds financial information, payment card information. There will always be risks, new risks on the horizon. So we're constantly monitoring for these risk events that have happened, and we're analyzing and assessing new risks as they have the potential.
When we talk about risks, we have to look at some things that we do that make ourselves vulnerable, and we do many, many things. And again, it usually comes back to senior management either getting it or not, so to speak. And when I say that, I mean senior management either has buy-in for the threat, the potential for loss, or they don't. So if you look at some of these instances: 81% of businesses surveyed in the U.S. and Europe store payment card numbers. We'll talk about that, about minimization, and we'll talk about the fact that you have no need to store these numbers once you get authorization. The more information I collect and the more information I store, the more vulnerable I am. So if I have a database with millions of credit card numbers, that's a very, very attractive database to an attacker.

All right, so 81% store payment card numbers, usually the primary account number; 73% store the expiration date; 71% store payment cards; 57% store customer data from the card and the magnetic strip; and 16% store other personal data on top of all this other stuff. So what we have is an industry, a retail industry, or, again, I don't want to unfairly single out retail, but ultimately we have a collection of industries, really, that don't understand the vulnerabilities that they have, or the ways that they're making themselves vulnerable. When you're storing this information, you become a target.
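As an added example (not part of the lecture or the course materials), the Python below puts two of the lecture's defensive points into code: catching a PAN that someone is about to send through email or text ("put this charge on my card, here's my number"), and keeping only a truncated PAN after authorization instead of the full number, security code and magnetic-stripe data. The field names, the sample authorization record and the email body are constructed for this example; the Luhn checksum and first-six/last-four truncation are standard techniques that the lecture itself does not describe.

```python
import re

# Constructed sample authorization record (field names are assumptions for this example);
# this is what a payment flow holds right after the issuer says "approved".
AUTH_RESPONSE = {
    "pan": "4111 1111 1111 1111",                        # standard Visa test number
    "expiry": "12/27", "cvv": "123",
    "track2": ";4111111111111111=27121011234567890?",   # magnetic-stripe data
    "auth_code": "A1B2C3",
    "amount": "42.10",
}
# Constructed outbound e-mail body of the kind the lecture warns about.
EMAIL_BODY = "Hey, put this charge on my card. Here's my number: 4111-1111-1111-1111, exp 12/27."

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from random digit runs (order IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in free text (e-mail, chat, tickets, logs)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the BIN and the suffix) and mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def minimize_record(auth: dict) -> dict:
    """Persist only what post-authorization work (refunds, reconciliation) needs.
    Full PAN, CVV, expiry and track data are dropped, so a stolen table yields no usable card."""
    return {
        "pan_truncated": truncate_pan(auth["pan"]),
        "auth_code": auth["auth_code"],
        "amount": auth["amount"],
    }
```

Running `find_pans` over outbound mail or chat before it leaves the organization turns the lecture's "email is not secured" warning into a check, and `minimize_record` is the storage shape the lecture argues for once authorization has been obtained.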