cyber & privacy risks: a point-of-sale (pos) perspective · 2019. 5. 10. · like backoff are...

CYBER & PRIVACY RISKS: A POINT-OF-SALE (POS) PERSPECTIVE Author Gamelah Palagonia, Founder CIPM, CIPT, CIPP/US, CIPP/G, ARM, RPLU +


Page 1: CYBER & PRIVACY RISKS: A POINT-OF-SALE (POS) PERSPECTIVE · 2019. 5. 10. · like Backoff are very popular means of intrusion for hackers. Organiations must be diligent and committed

CYBER & PRIVACY RISKS: A POINT-OF-SALE (POS) PERSPECTIVE

Author: Gamelah Palagonia, Founder, CIPM, CIPT, CIPP/US, CIPP/G, ARM, RPLU +

Page 2:

This document includes confidential and proprietary information of and regarding Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO®). You may not use this document except for informational purposes, and you may not reproduce this document in whole or in part, without the prior written consent of PRIPRO®. Copyright © 2013 Privacy Professionals LLC/Privacy Professionals Insurance Services LLC (PRIPRO®) All Rights Reserved

Table of Contents

Executive Summary: Page 3-4
Point-of-Sale (POS) & Other Third-Party Risks: Page 5
Cyber Attack: A Menu Item: Page 6
PCI DSS Compliance: Page 7
Standards and Frameworks: Page 8
Boardroom Responsibilities: Page 9
California & New York Attorneys Speak: Page 10-11
Summary: Page 12

Page 3:

Executive Summary

Hackers have demonstrated that they can penetrate networks with the greatest of ease, camp out until they get what they want and then leave without a trace. Data breaches are getting larger, more costly and happening at greater frequency. Large-scale security incidents like the Backoff Point-of-Sale (POS) malware attack that infected over 1,000 U.S. businesses should serve as a wake-up call to business leaders everywhere to take their exposure to cyber and privacy risks more seriously.

On August 22, 2014, the Department of Homeland Security and the United States Secret Service issued an advisory notice concerning the Backoff malware family. Since then, Backoff has plagued retailers nationwide, exposing millions of consumers’ payment card information. Backoff was behind cyberattacks aimed at POS systems that led to the major data breaches at Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Jimmy John’s and Sally Beauty. Following the Backoff POS attack, the Payment Card Industry Security Standards Council issued a bulletin warning businesses about the risks associated with the Backoff POS malware and provided an updated Best Practices Guide for maintaining Payment Card Industry Data Security Standard compliance, which includes examples of publicly available governance framework resources that can be used to complement controls and enhance data security effectiveness.

“The latest attacks against UPS in September plus Kmart, Dairy Queen, Home Depot, Staples and TripAdvisor in October underscore the vulnerability of U.S. retailers’ payment systems.” Gamelah Palagonia, Founder, Privacy Professionals

Page 4:

[Chart: Symantec Intelligence Report 2014, Top Causes of Data Breaches. Categories shown: Accidentally Made Public, Hackers, Theft/Loss of Computer/Drive, Insider Theft, Fraud/Unknown. Percentages shown: 49%, 23%, 21%, 7%, 1%; hackers were the leading cause.]

October 2014 Headlines

- Kmart Stores Hit by Data Breach
- Dairy Queen Data Breached With Sprinkles
- JP Morgan Chase Reveals 76 Million Households Affected
- AT&T Hit By Insider Data Breach
- Staples Latest Retailer Probing Data Breach

Spear-phishing, spam loaders, botnets, keystroke loggers and memory-scraper malware like Backoff are very popular means of intrusion for hackers. Organizations must be diligent and committed to the long-term goal of mitigating the risks associated with malware.

According to the 2014 Symantec Intelligence Report, there were 266 data breaches that exposed 574 million identities just from June 2013 to June 2014, with hackers leading the charge as the top cause of those breaches.

Hackers are getting better and more sophisticated every day, but the majority of successful hacking attacks are executed by simple means. Once attackers have an email address, all they need to do is guess the user’s password to get the keys to the enterprise kingdom. Employers must insist that strong passwords be used to access corporate networks and require Multi-Factor Authentication (MFA) for employees and third-party service providers with remote access. Birthdays and the names of children, spouses or pets posted on social media for the world to see should never be used as a password to access corporate networks. A strong password has a minimum of eight (8) characters, but thirteen (13) are preferable, and includes upper case and lower case letters, symbols and numbers.

Strong passwords are essential, but keeping the bad guys out is the best way to protect data assets, brand equity and company networks from compromise, and that starts at the keyboard.

Considering escalating cybercrime, advancing privacy threats and evolving legislation, businesses of all sizes in every industry must get everyone in the enterprise, especially the top executives, involved in cyber and privacy risk mitigation. All employees must understand their duties, responsibilities and the major roles they all play in protecting their organizations.
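As an added illustration of the password and MFA guidance above (example code written for this page, not code from the paper or from Privacy Professionals), the check below rejects passwords that fall short of the stated length and character-class requirements or that are built from the kind of personal details the paper warns against, and flags remote-access accounts that have no MFA. The profile, the account records and the character-substitution table are constructed assumptions, as are the function names.

```python
import string
from datetime import date

# Policy values as stated in the paper: at least 8 characters, 13 preferred,
# upper and lower case letters, symbols and numbers; MFA for remote access.
MIN_LENGTH = 8
PREFERRED_LENGTH = 13

# Common character substitutions, so that "B3ll@" is still recognised as "bella".
# (Assumed table, not from the paper.)
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "5": "s", "7": "t", "!": "i"})

# Constructed profile: what anyone could harvest from a public social-media page.
EXAMPLE_PROFILE = {"names": ["Bella", "Max"], "birthday": date(1984, 7, 21)}


def personal_tokens(profile):
    """Strings a password must not be built from: names of children, spouses
    or pets and the birthday in several common spellings."""
    tokens = {name.lower() for name in profile.get("names", [])}
    birthday = profile.get("birthday")
    if birthday:
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y"):
            tokens.add(birthday.strftime(fmt))
    # Ignore very short tokens, which would match almost any password.
    return sorted(t for t in tokens if len(t) >= 3)


def check_password(password, profile):
    """Return a list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < PREFERRED_LENGTH:
        problems.append(f"shorter than the preferred {PREFERRED_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for token in personal_tokens(profile):
        if token in lowered or token in normalized:
            problems.append(f"contains personal information ({token!r})")
    return problems


def check_account(account, profile):
    """Apply the password policy and the MFA rule to one (constructed) account
    record: its password, whether it has remote access to the corporate
    network, and whether MFA is enabled for it."""
    problems = check_password(account["password"], profile)
    if account.get("remote_access") and not account.get("mfa_enabled"):
        problems.append("remote access without MFA")
    return problems


if __name__ == "__main__":
    for pw in ("Bella1984!", "B3ll@-Max-2019", "Tr0ub4dor&3-Correct"):
        print(pw, "->", check_password(pw, EXAMPLE_PROFILE) or "OK")
    vendor = {"password": "Tr0ub4dor&3-Correct", "remote_access": True, "mfa_enabled": False}
    print("vendor account ->", check_account(vendor, EXAMPLE_PROFILE) or "OK")
```

The personal-information check is the part a plain length-and-class rule misses: "Bella1984!" satisfies every character-class requirement yet is exactly the pet-name-plus-birth-year password the paper describes, and the substitution table catches the "B3ll@" variant as well.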

Page 5:

Point-of-Sale (POS) & Other Third-Party Risks

“Don’t let a crisis force you to take stock of your brand assets. Don’t get caught navel gazing like we did... If you just respond, you will be too late.” Jeff Jones, Chief Marketing Officer, Target

Brand value and business reputation suffer following a data breach. Studies have quantified those losses and show just how great that damage can be, with breaches of customer data being the most costly.

A study conducted by the Ponemon Institute compared the impact of the loss of confidential customer or employee information and sensitive business information with the loss of brand and business reputation. The Ponemon study indicated that, as a percentage of annual gross revenues, the economic value of corporate brand reputation ranged from less than 10 percent to greater than five times annual gross revenue, and, depending on the type of data lost in the breach, brand value and reputation could decline by as much as 17 percent to 30 percent.

Whether businesses suffer a cyber attack, data breach, loss of data or become infected with malware, such incidents can have devastating consequences for brand value. Taking improper actions following a data breach can also have a significant impact on brand integrity.


Page 6:

Cyber Attack: A Menu Item

Retailers are more likely to experience multiple data breaches because retailers’ payment systems, particularly those of restaurants, have become a major target of hackers. Franchise brands are particularly at risk because in many cases the individual franchises are independently owned and operated businesses; however, as the recent data breaches sustained by Jimmy John’s and Dairy Queen illustrate, image and brand integrity are linked to franchisees. Restaurant franchises are more vulnerable because they are favored targets. News of the Jimmy John’s data breach came in the midst of reports that the Delaware Restaurant Association was warning its members about a possible breach of consumer payment card data that appeared to be linked to LogMeIn, a remote access and systems management provider. Restaurant Delivery Services (RDS) may offer restaurants many benefits, including the ability to market their restaurants, accept and dispatch orders, manage drivers and analyze logistics, all on an online platform for pennies per order. That sounds like a good deal, but RDS also poses significant risks that should be considered, because a security compromise on a shared web-based platform can affect all of its subscribers.

Hackers are pervasive and getting more innovative daily. A perfect illustration of hacking innovation is the New York Times article titled “Hackers Lurking in Vents and Soda Machines”. Hackers were apparently unable to break into a big oil company, so they infected the online menu of a Chinese restaurant that was popular with the company’s employees. As unsuspecting employees browsed the menu, they inadvertently downloaded malicious code that let the hackers get into the company’s network; this method of intrusion is called a watering hole attack.

Malware like Backoff, which takes advantage of vulnerabilities in remote-access payment management systems, is behind many of the recently reported data breaches. Backoff illustrates that threat detection and mitigation measures must go beyond traditional anti-virus software and firewalls. Just as human viruses spread and infect people, malware and digital viruses do the same, only faster and more efficiently. Digital viruses don’t make a sound and may not cause any symptoms until it’s too late. According to Trustwave’s 2014 Global Security Report, the median number of days from the time of infection or compromise was 87 days in 2013, and 71 percent of those victim organizations did not detect the breach themselves.

Simple measures such as requiring strong passwords, using Multi-Factor Authentication (MFA), deploying anti-keylogging software, and ensuring that POS terminals are not used for secondary functions such as email or web browsing could have prevented many businesses from being infected by Backoff. Complying with PCI DSS requirements can also significantly reduce risks.

Page 7:

PCI DSS Compliance

All businesses that accept credit cards are subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a proprietary information security standard created to increase controls around cardholder data in order to reduce credit card fraud for organizations that handle cardholder information for the major payment card brands.

It is important to note that PCI DSS is not a state or federal regulation, but a set of standards and controls established by the major payment card brands. However, certain states such as Minnesota, Massachusetts and Nevada have codified certain PCI DSS requirements into law. The latest expanded version, PCI DSS 3.0, is made up of 12 requirements and 304 controls.

Many businesses mistakenly believe that they are relieved of PCI DSS compliance if they use third-party payment processors for all credit card transactions. The reality is that all businesses with a merchant ID, regardless of size, must attest that they and their third-party credit card processors and credit card storage providers (clouds) are PCI DSS compliant. Merchants that suffer credit card data breaches while not PCI DSS compliant at the time of the breach may be fined as much as $500,000 per incident, plus reimbursement of the associated data breach containment costs and risk mitigation efforts.

Certain states such as Minnesota, Nevada, Massachusetts, Texas and Washington State have codified certain PCI DSS requirements into law.

For example, under Minnesota’s Plastic Card Security Act, financial institutions that issue payment cards may sue merchants conducting business in Minnesota for financial reimbursement of costs and expenses associated with data breaches involving their payment cards, including but not limited to:

- Cancelling existing debit or credit cards and replacing such cards
- Closing or reopening financial accounts, stopping payments or blocking transactions
- Issuing refunds or credits to cardholders for unauthorized transactions
- Notifying cardholders affected by data breaches

The Minnesota financial reimbursement provision imposes a strict liability standard on merchants, which means liability is not attributable to negligence or poor information security practices. In Minnesota, a merchant who suffers a data security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with PCI DSS requirements. One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers.
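The prohibition on storing sensitive authentication data is one that merchants most often violate by accident, typically through verbose POS logging. The following is an added example (written for this page, not code from the paper, from Privacy Professionals or from any PCI tool) of the kind of card-data discovery check a merchant can run over its own logs and data stores: it looks for magnetic stripe track 1 and track 2 records by their layout, confirms the candidate card number with the Luhn check digit to reduce false positives, and reports only a masked number so the scan output does not itself become stored cardholder data. The sample log lines are constructed; 4111111111111111 is a well-known test card number, not a real account, and the function names are assumptions.

```python
import re

# Track 1 (format B) as written on a magnetic stripe:
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2:
#   ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan):
    """Luhn check-digit test: rules out most random digit runs that merely
    look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, the most PCI DSS permits to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Return one finding per Luhn-valid track record in `text`. A finding never
    carries the full PAN or the discretionary data (which can hold the CVV/PIN block)."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        if luhn_valid(m.group(1)):
            findings.append({"track": 1, "pan": mask_pan(m.group(1)),
                             "expiry": m.group(3), "offset": m.start()})
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group(1)):
            findings.append({"track": 2, "pan": mask_pan(m.group(1)),
                             "expiry": m.group(2), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def scan_log(lines):
    """Scan an iterable of log lines; returns (line number, finding) pairs."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for finding in find_track_data(line):
            hits.append((lineno, finding))
    return hits


# Constructed sample: a POS debug log that leaked swipe data. The PAN on the
# fourth line fails the Luhn check and is therefore not reported.
SAMPLE_LOG = [
    "2014-10-02 11:32:07 lane=3 swipe ok txn=8812 amount=23.10",
    "2014-10-02 11:32:07 lane=3 DEBUG raw=%B4111111111111111^DOE/JANE^18121011234?",
    "2014-10-02 11:32:07 lane=3 DEBUG raw=;4111111111111111=18121010000000000?",
    "2014-10-02 11:35:41 lane=1 DEBUG raw=;4111111111111112=1901101?",
    "2014-10-02 11:36:02 lane=1 swipe ok txn=8813 amount=9.99",
]


def sample_findings():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for lineno, finding in sample_findings():
        print(f"line {lineno}: track {finding['track']} PAN {finding['pan']} exp {finding['expiry']}")
```

A hit on a log file, database dump or backup means the data is being stored after authorization and the logging or storage path needs to be fixed, not just the file deleted; the masked PAN and line number are enough to trace which component wrote it.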

Page 8:

Standards and Frameworks

NIST Framework - 5 Major Functions

Identify: Develop the organizational understanding to manage risk to systems, assets, data, and capabilities.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical (infrastructure) services.
Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
Respond: Develop and implement the appropriate activities to take action during a detected security event.
Recover: Develop and implement the appropriate activities to maintain resilience and restore capabilities or services that were impaired due to a security event.

Businesses that are not subject to PCI DSS requirements can utilize another standard or framework. Although regulations do not specify security standards, controls or frameworks that businesses must follow to secure their systems, they do require that those systems be secure. A security standard is a set of controls comprising best information security practices that sets the stage for an actionable framework to prevent, detect and respond to security incidents.

There are many information security standards for businesses to adopt. Certain regulated industries are required by law to implement specific information security controls, such as HIPAA/HITECH in the healthcare sector and GLBA and SOX in the financial sector. Non-regulated industries may follow other security standards like ISO 27001, published by the International Organization for Standardization (ISO), or the NIST Cyber Security Framework, provided by the National Institute of Standards and Technology (NIST).

The NIST Cyber Security Framework was released in February 2014 by the National Institute of Standards and Technology (NIST). Although the NIST Framework was created in response to President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cyber Security”, and was intended to be used by companies involved in the delivery of critical infrastructure services, any business can adopt the Framework’s five major functions to mitigate privacy and cyber security risks.

Page 9:

Boardroom Responsibilities

Boards of directors are responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk. Cyber and privacy risks also must be considered as part of the board’s overall risk oversight.

The National Association of Corporate Directors recently released a new handbook titled Cyber Risk Oversight that offers the following five principles to guide boards of directors in helping their organizations address cyber security threats:

1. Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
5. Discussion of cyber risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Adopting an understanding that cyber security is an enterprise-wide risk management issue, not just an IT issue, continues to be a challenge for many boards of directors. However, accepting that privacy protection is an enterprise risk management issue, not just a compliance issue, is even more challenging.

Page 10:

California & New York Attorneys General Speak

The financial health of businesses and individuals in California and New York is crucial for our national economy to flourish.

California has the strictest consumer protection laws in the country and was the first state to pass a data breach notification law, in 2003. The law was amended in 2012 to require organizations to notify the Attorney General of breaches affecting more than 500 California residents in any single breach. California is still leading the charge on privacy legislation and enacted a number of new privacy laws during 2013 and 2014. California Attorney General Kamala D. Harris was the first AG to issue a data breach report, in 2013.

New York Attorney General Eric T. Schneiderman is the second AG to issue a detailed data breach report, which was released on July 15, 2014.

California

On July 1, 2013, Attorney General Kamala D. Harris issued a Data Breach Report detailing the 131 data breaches reported to her office during 2012 and provided recommendations based on their findings. More than 2,500,000 Californians were put at risk by data breaches in 2012.

California businesses and government agencies experienced 300 separate data breaches, exposing the personal information of more than 20 million customers. Half of the hacking attempts statewide in 2012 targeted businesses with fewer than 2,500 employees, and nearly a third of all attacks were aimed at businesses with fewer than 250 employees.

During February 2014, AG Harris released Cyber Security in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyber Incidents, a 34-page guide that sets forth a few steps that any business can take to help protect itself, with a focus on small to mid-sized businesses that lack the resources to hire full-time cyber security personnel.

On October 28, 2014, AG Harris released the 2013 Data Breach Report detailing the data breaches reported to her office, which increased by 28 percent, from 131 in 2012 to 167 in 2013. The number of Californians whose records were affected increased by over 600 percent, from 2.5 million in 2012 to 18.5 million in 2013.

Page 11:

New York

2006 - 2013

- Hacking attacks accounted for over 40 percent of data security breaches.
- Retail, healthcare and financial sectors had the highest frequency of breaches.
- Five of the 10 largest breaches occurred in the past three years.
- Instances of insider wrongdoing have reached a record high of 121 reported instances in 2013.

On July 15, 2014, Attorney General Eric T. Schneiderman issued a report titled “Information Exposed: Historical Examination of Data Security in New York State” based on information submitted to his Office pursuant to the New York State Information Security Breach & Notification Act over an eight-year period. AG Schneiderman’s report examines data breaches and includes recommended steps that organizations and consumers can take to protect themselves from data loss.

The AG’s report shows that the number of reported data security breaches in New York more than tripled between 2006 and 2013, exposing over 22 million personal records of New Yorkers in nearly 5,000 data breaches.

In 2013 alone, data breaches cost organizations doing business in New York more than $1.37 billion.

Data Security Breach Cause               Number of Breaches (% of Total)   Personal Records Exposed (% of Total)
Hacking                                  2,009 (40.78%)                    14,416,488 (63.3%)
Lost or Stolen Equipment/Documentation   1,167 (23.69%)                    6,032,389 (26.51%)
Insider Wrongdoing                       511 (10.37%)                      1,229,779 (5.40%)
Inadvertent                              997 (20.24%)                      912,547 (4.01%)
Recovery By Law Enforcement              80 (1.62%)                        65,974 (0.29%)
Other                                    26 (0.53%)                        29,609 (0.13%)
Website Compromise                       53 (1.08%)                        22,460 (0.10%)
Third Party Unauthorized Access          14 (0.28%)                        14,500 (0.06%)
Unknown                                  32 (0.65%)                        14,470 (0.06%)
Misplacement/Misdirection                19 (0.39%)                        13,248 (0.06%)
Skimming                                 18 (0.37%)                        1,190 (0.01%)
Total                                    4,926                             22,752,654

Page 12:

Summary

“While some companies will be targeted regardless of what they do, most are targeted due to what they don’t do!”

Verizon 2013 DBIR

In the past few years, news headlines have provided a steady stream of criminal hacker attacks and data breaches. Hacktivists haunted us with their threats, while organized criminal syndicates and hacker spy groups stole money, intellectual property and source code, and whistleblowers leaked government secrets, among other things. In 2014, hackers were determined to make our “Heartsbleed” while they told us to “Backoff”; now they want to “Shellshock” us, and if that doesn’t work — they promise “Mayhem”.

Data breaches of personal information are epic. Approximately 50 percent of U.S. adults have had their personal data exposed in some form in the past year. According to the FBI, nearly 439 million records were stolen in just the past six months. Approximately 35% of the data thefts were from website breaches, 22% were from cyber espionage, 14% occurred at the Point-of-Sale (POS) in retail stores and 9% were attributable to credit or debit card swipes.

But it’s not just the risk to our identities that should worry us. It’s the threat to our critical infrastructure — our electricity grid, military networks, power plants, industrial processes, financial systems, healthcare systems, rail and air traffic control systems and more — that poses serious security and economic risks. It is clear that individuals and businesses, regardless of industry or size, must implement offensive, dynamic approaches to mitigate cyber and privacy risks. Businesses should expect and be prepared to respond to an increase in hacker attacks, watering hole attacks, phishing, ransomware, click-jacking, malicious applications and mobile threats.

Page 13:

“You’re going to be hacked, have a plan.”

Joseph Demarest, Assistant Director, FBI Cyber Division

Businesses can no longer take a reactive approach to cyber and privacy risk management, because the reality is that technology runs our critical infrastructure and our society as a whole. Putting up firewalls and using standard encryption technologies won’t be enough. Master hackers can walk right through firewalls and take down our critical infrastructure. So far, 2014 has been hailed “The Year of the Retailer Breach”, but as the latest JP Morgan Chase breach affecting 76 million American households illustrates, this is much more than a retailer issue.

Businesses, regardless of industry or size, must implement offensive, dynamic approaches to mitigate cyber and privacy risks.

Businesses that prepare for these risks in advance and have an executable response plan of action will be better positioned to survive data breaches and retain their brand value.

Businesses can’t eliminate all of these risks, but they can be significantly reduced by developing comprehensive privacy and data security policies and by assessing security measures, processes and procedures to ensure that they are adequately protecting consumer data in compliance with PCI DSS requirements, as well as statutory requirements under federal laws such as HIPAA or GLBA.

Page 14:

About Us

Privacy Professionals LLC and Privacy Professionals Insurance Services LLC (PRIPRO®) is a risk advisory firm that specializes in Cyber & Privacy Risk management and insurance solutions. PRIPRO® was launched in response to the growing demand for businesses to be better protected in reducing and coping with cyber and privacy liability and data breaches.

All the members of the PRIPRO® team are Certified Information Privacy Professionals (CIPP) and Cyber & Privacy Liability Insurance experts.

PRIPRO® achieved nominations in Advisen’s 2014 Cyber Risk Awards in two categories: Best Cyber Risk Innovation of the Year & Best Cyber Risk Team.

Our Solutions

- Customized Cyber & Privacy Liability Insurance Solutions
- Cyber & Privacy Liability Consulting Services
- Privacy Risk Management Services
- Virtual Privacy Office Development
- Automated Risk Assessments
- Incident Response Planning Services
- PCI DSS Compliance Services
- Data Privacy & Security Employee Training (PCI DSS, HIPAA, GLBA)

New York
Privacy Professionals LLC
5 Hanover Square, 22nd Floor
New York, NY 10004
License No. 0178970

California
Privacy Professionals Insurance Services LLC
1460B O’Brien Drive
Menlo Park, CA 94025

[email protected]

Copyright © 2013 Privacy Professionals LLC/Privacy Professionals Insurance Services LLC (PRIPRO®) All Rights Reserved.