
Securing your peanut butter

Uploaded by truongxuyen, posted 09-Apr-2018



Our business: Stores, Operations, Clients, Employees

An attacker changed the locks of your home while you were away and blackmails you: the attacker is holding you to ransom.

The new trend of ransomware

WannaCry

>> Almost no bitcoin was ever collected

>> The real motivation is still unclear

NotPetya

>> A wiper attack disguised as ransomware

Attacking stores: ransomware

It happens at home, at work... but in stores, really?

Protecting stores: Ransomware

It’s a lot about hygiene!

The vast majority of malware exploits old vulnerabilities for which a patch already exists

At work and home alike

Patch and upgrade everything

Don’t get phished


>> A "think before you click" attitude

>> Beware of the unsubscribe feature

>> Continuous awareness training is key
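Part of the "think before you click" advice can be checked by a mail gateway or a browser extension before the user ever sees the link. The following is an added example written for this page, not code from the talk or any product: it pulls the links out of an HTML mail body and flags the tricks the slide warns about, a link whose visible text shows one domain while the href goes to another, an unsubscribe link that leaves the sender's domain, and URLs built on a raw IP address or an `@` userinfo part. The mail body, the sender domain `acme-shop.example` and the attacker host `attacker-site.test` are constructed for the example; `registrable_domain` keeps only the last two labels of a host name, which is an assumption that is wrong for `co.uk`-style suffixes (a public-suffix list would be used in production).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body: one honest link, one look-alike link,
# an unsubscribe link on a raw IP, and a legitimate unsubscribe link.
SAMPLE_MAIL = """<p>Your order is ready.</p>
<a href="http://acme-shop.example/orders">acme-shop.example/orders</a>
<a href="http://acme-shop.example.attacker-site.test/login">https://acme-shop.example/login</a>
<a href="http://198.51.100.7/u?id=42">Unsubscribe</a>
<a href="http://acme-shop.example/unsub">unsubscribe here</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Assumption: last two labels are the owner-controlled part. Good enough
    # for the sample, not for multi-label public suffixes such as co.uk.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
RAW_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def suspicious_links(html, sender_domain):
    """Return [(href, [reasons])] for links that show a phishing pattern."""
    parser = LinkCollector()
    parser.feed(html)
    sender = registrable_domain(sender_domain)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        dom = registrable_domain(host)
        reasons = []
        # 1. The visible text looks like a URL/domain but the href goes elsewhere.
        m = DOMAIN_IN_TEXT.search(text.lower())
        if m and registrable_domain(m.group(1)) != dom:
            reasons.append("display-text domain differs from href")
        # 2. "Unsubscribe" that leads off the sender's domain (the slide's warning).
        if "unsubscribe" in text.lower() and dom != sender:
            reasons.append("unsubscribe link leaves sender domain")
        # 3. Raw IP address or user@host trick in the URL.
        if RAW_IPV4.fullmatch(host) or "@" in parsed.netloc:
            reasons.append("IP or userinfo in URL")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL, "acme-shop.example"):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed mail, the honest order link and the genuine unsubscribe link pass, the look-alike login link and the IP-hosted unsubscribe link are flagged. Such a check is a filter, not a verdict: a link that passes can still be malicious, which is why the awareness training on the slide still matters.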

Attacking stores: stealing payment information

No one wants to be a Target

70M customer accounts stolen

40M payment (credit card) information stolen

$250M cost to the company

>> The attackers used a partner's weak credentials and a web back door

Eating at Wendy’s

Malware running in over 1000 stores

Malware captured all transactional data

Could not pinpoint how many clients were impacted

>> The attackers used old, unpatched systems

Protecting stores: securing payment information

It is still about hygiene, but it's also about:

Your partners and their security posture

Your applications: how they're coded and how they're configured

Awareness, which should be reinforced everywhere, in stores too!

Attacking stores: the age of IoT

IoT hacking is on the rise...

New wave of DDoS: taking control of embedded devices and using them to attack

IoT already in stores:

Smart transportation applications

Predictive equipment maintenance: add sensors to

refrigerators

Wi-Fi foot-traffic monitoring

Self-scanner guns

IP cameras


Time to hack a store environment

1. SITUATION: many devices; I want to wreak havoc; I need a low-hanging fruit

2. PLAN: penetrate the transport logistics system; trick the sensors; don't get caught

3. RESULT & IMPACT: I modify the supposed location at will and send drivers on a wild goose chase

4. POTENTIAL DAMAGE: health of customers/employees; leakage of financial information; reputation of the company; PII of customers/employees; financial loss; replenishment process

Protecting stores: the age of IoT

Change default credentials

Restrict physical access

Account for all interfaces

Choose patchable and upgradable devices, and actually do it!

All the -wares matter: hardware, firmware, software, wetware
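The "trick the sensors" scenario above works because the logistics back end trusts whatever a tracker sends. Two cheap controls close most of it: each device authenticates its reports with a per-device key (so a message injected from elsewhere is rejected, and a replayed genuine message is caught by its sequence number), and the back end sanity-checks each accepted position against the previous one (a truck cannot cover thousands of kilometres in ten minutes, so such a report is flagged for a human instead of being pushed to drivers). The code below is an added example written for this page, not code from the talk or any product; the device `truck-17`, the shared key, the 130 km/h ceiling and the GPS reports (a run Montreal, Trois-Rivières, Québec City with one forged, one implausible and one replayed message mixed in) are all constructed for the example. HMAC-SHA256 is used here as a stand-in for whatever authentication the real device protocol offers.

```python
import hashlib
import hmac
import json
import math

# Assumption: one key per tracker, provisioned once and kept server-side.
SHARED_KEY = b"per-device-key-from-provisioning"
MAX_KMH = 130.0          # fastest a delivery truck is allowed to move (assumption)
EARTH_RADIUS_KM = 6371.0


def sign(msg, key):
    """HMAC-SHA256 over a canonical JSON encoding of the report fields."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_report(seq, ts, lat, lon, key=SHARED_KEY):
    """What the tracker sends: fields plus a MAC over them."""
    msg = {"device": "truck-17", "seq": seq, "ts": ts, "lat": lat, "lon": lon}
    msg["mac"] = sign(msg, key)
    return msg


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def validate_stream(reports, key):
    """Return [(seq, verdict)] for each report; only 'accept' updates the trusted position."""
    verdicts = []
    last = None        # last accepted report
    last_seq = -1
    for rep in reports:
        msg = {k: v for k, v in rep.items() if k != "mac"}
        # 1. Authenticity: a message signed with the wrong key is dropped.
        if not hmac.compare_digest(sign(msg, key), rep.get("mac", "")):
            verdicts.append((rep.get("seq"), "reject: bad MAC"))
            continue
        # 2. Freshness: sequence numbers must strictly increase (stops replays).
        if msg["seq"] <= last_seq:
            verdicts.append((msg["seq"], "reject: replayed/out-of-order seq"))
            continue
        # 3. Plausibility: implied speed since the last trusted fix.
        if last is not None:
            dt_h = (msg["ts"] - last["ts"]) / 3600.0
            dist = haversine_km(last["lat"], last["lon"], msg["lat"], msg["lon"])
            if dt_h <= 0 or dist / dt_h > MAX_KMH:
                # Flag and keep the previous trusted fix so one bad message
                # does not drag the reference point with it.
                verdicts.append((msg["seq"], f"flag: implausible move {dist:.0f} km in {dt_h * 60:.0f} min"))
                continue
        last, last_seq = msg, msg["seq"]
        verdicts.append((msg["seq"], "accept"))
    return verdicts


def build_sample_stream():
    """Constructed telemetry: honest run plus three attacker messages."""
    r1 = make_report(1, 0, 45.50, -73.57)              # Montreal
    r2 = make_report(2, 4320, 46.34, -72.54)           # Trois-Rivières, 1.2 h later (~123 km)
    forged = make_report(3, 4920, 49.28, -123.12, key=b"wrong-key")  # injected without the key
    jump = make_report(3, 4920, 49.28, -123.12)        # valid key, but Vancouver 10 min later
    replay = dict(r2)                                  # exact copy of a genuine message
    r4 = make_report(4, 9720, 46.81, -71.21)           # Québec City, 1.5 h after r2 (~114 km)
    return [r1, r2, forged, jump, replay, r4]


if __name__ == "__main__":
    for seq, verdict in validate_stream(build_sample_stream(), SHARED_KEY):
        print(seq, verdict)
```

On the constructed stream the two honest fixes and the final one are accepted, the unkeyed forgery is rejected on its MAC, the replayed message on its sequence number, and the keyed-but-impossible jump is flagged without moving the truck's trusted position. This is exactly the "proper detection and monitoring" the later slide asks for, applied to sensor data rather than to user logins.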

Attacking employees and clients: stealing private information

Sometimes it's about money... sometimes it's not!

In 2016, usernames, email addresses and passwords for sites including Adult Friend Finder and Penthouse.com were stolen

>> No financial motivation!

In 2016, Indian hackers leaked data they had stolen the year before, in response to Snapchat's CEO allegedly stating they had no plans to expand to "poor countries" like India.

Attacking operational activities: stealing crown jewels

Six new episodes stolen

No idea where the data was taken from, or where it was

Additional IP stolen: offer letters to senior executives

HBO held to ransom for $6M

Securing sensitive data goes beyond payment and private data...

...you need to know what your crown jewels are

...you need to know where your crown jewels are

...you need to know who has access to your crown jewels

Attacking operational activities: stealing IP

1. Perform some OSINT to find a good target

2. Use social media to meet the target

3. Get them to disclose trade secrets

4. Use a "safe" platform and execute the bad deed

Protecting operational activities: securing crown jewels

Yes, organizations have a lot on their plate

Proper hygiene, of their partners too!

Guarding sensitive data:

• Encryption

• Isolation

• Etc.

>> Proper detection and monitoring

>> A good incident response mechanism in place

>> Meet all regulatory requirements

But security is everyone's responsibility

>> A "see something, say something" attitude

>> Remember that everything you publish might end up public

>> Be careful whom you add to your social networks

>> Choose your passwords carefully

>> Be wary of impersonation!

A constant battle

A lot on our plate already...

...and a constantly increasing attack surface

Good news: the new technologies that help craft new exploits will also help us defend ourselves

Thank you