Retail: An Irresistible Target for Cyber Attacks
Presented By
Pete Pouridis, Industry Expert, Pouridis Group, LLC
Scott Frost, CISO, Belk
Retail – An Irresistible Target
Credit Card Data
Dedicated Attacker
Defenses:
• Tall Tower
• Electrical Lines
• Watchers
Metrics on Breaches
2014 Year of the Breach
Identity Theft Resource Center (ITRC)
Number of reported breaches hit a record high (783) – a 27.5% increase over 2013.
Regional chains increasingly becoming targets.
Business (Retail, Hospitality and Tourism, Payment Processors, etc.)
• # of Reported Breaches: 258 (33.0% of reported breaches)
• # of Reported Records: 68,237,914 (79.7% of reported records)
Agenda
• Business Expectations
• Targets, Vectors, Actors
• The Plan
• What Data To Protect
• Managing the Risk
• Incident Response
• Lessons Learned
Business Expectations
• Threats are Persistent v. Static
– Multi-Layered and Zero Day
• End Users (aka Customers) are an attack vector
– Technology Is In Their Hands
• Mobilization of Devices and Payments
– Company Issued v. BYOD
• Omni Strategy Business Model
– Marketing, Advertising and Creative
– “Front Door” Blurred Lines
Business Expectations
• High Awareness and Accountability
• Collecting More Data
– Privacy Spawns Loyalty “Opting In” Strategies
– Outsourcing and Offshoring Data
– “The Cloud”
• High Price of Procuring Capital Funding
Targets and Vectors
• No One is Immune
• All Sectors – Large and Small
• Any Technology End Users
– Consumers, Employees, Children
• PCI and PII
• Social Engineering
– SPAM
– Whale and Spear PHISHING
– VISHING
• Conversion Rates
– eCommerce v. Spammers
• Capitalize on Fear and Greed
The Actors
• State Funded
– e.g. China and Russia
• Organized Crime – ORC
• Individuals
• Hacktivists and Social Groups
• Insider Threat
– Disgruntled Employee
– Corporate Espionage
The Plan
• Minimize Value of Data
– Tokenization and Encryption
• Focus Security Strategy on What Works
– Segmentation of Critical/Sensitive Data
– Two-Factor Authentication
– Monitoring and Analytics
• Drill!! Drill!! Drill!!
– Documented Incident Response Plan
– War Games and Tabletop Exercises
– Retain External SMEs (Breach Insurance, Communications, Forensics, …)
• Communication Strategy
– “Control The Message”
– Pre-built [hidden] Website page and Social Media Templates
Data To Protect
• Define Company’s “Crown Jewels”
– Personally Identifiable Information (PII)
– Payment Card Industry (PCI) data
– Intellectual Property (IP)
• Big Repositories
– Marketing/Advertising
– Loss Prevention/Asset Protection
– Human Resources
– Finance
• Perform Discovery
– 1:1 Interviews with System and Business Owners
– Regular assertions
– Vulnerability Scans – Incorporate with other mandatory scanning
– DLP Scans
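The two bullets “Minimize Value of Data – Tokenization and Encryption” (The Plan) and “Perform Discovery – DLP Scans” (Data To Protect) are the same problem seen from two sides: first find where card numbers are sitting in the clear, then replace them with something worthless to an attacker. The script below is an added example, not the speakers’ code or any vendor product. It assumes records are plain text lines, treats a 13–19 digit run that passes the Luhn check as a PAN (Luhn filters out look-alikes such as loyalty or order numbers), and uses an in-memory `TokenVault` as a stand-in for a real tokenization service that would live inside the segmented cardholder-data environment. The sample records are constructed and use the standard Visa/Mastercard test numbers.

```python
"""Card-data discovery and tokenization (added example; not the speakers' code).

Assumptions: records are plain text lines; a "PAN" is 13-19 digits that pass
the Luhn check; TokenVault stands in for a real tokenization service.
"""
from __future__ import annotations

import re
import secrets
import string
from typing import Optional

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most look-alikes (loyalty ids, order numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _candidate_pan(match: re.Match) -> Optional[str]:
    """Digit-only PAN for a regex match, or None if it fails length/Luhn."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text: str) -> list[str]:
    """All Luhn-valid PANs in one line of text, digits only."""
    return [p for p in (_candidate_pan(m) for m in PAN_CANDIDATE.finditer(text)) if p]


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """DLP-style discovery: record index -> PANs found there (records without hits omitted)."""
    hits: dict[int, list[str]] = {}
    for idx, line in enumerate(records):
        found = find_pans(line)
        if found:
            hits[idx] = found
    return hits


class TokenVault:
    """Stand-in for a tokenization service: the PAN lives only here, inside the
    segmented cardholder-data environment; every other system keeps the token."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._pan_to_token:
            # Random part is letters only, so a token can never be mistaken for a
            # PAN by a scanner; last four digits kept for customer-service lookups.
            rand = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
            token = f"tok_{rand}_{pan[-4:]}"
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def tokenize_records(records: list[str], vault: TokenVault) -> list[str]:
    """Replace every Luhn-valid PAN with its token; leave false positives untouched."""
    def repl(m: re.Match) -> str:
        pan = _candidate_pan(m)
        return vault.tokenize(pan) if pan else m.group(0)
    return [PAN_CANDIDATE.sub(repl, line) for line in records]


# Constructed sample: two test PANs in the clear, a phone number, and a loyalty id
# that looks like a card number but fails the Luhn check.
SAMPLE_RECORDS = [
    "2015-08-12 order=ORD-20150812-7788 customer=jdoe card=4111 1111 1111 1111 amount=59.99",
    "2015-08-12 order=ORD-20150812-7789 customer=asmith card=5500-0000-0000-0004 amount=120.00",
    "2015-08-12 helpdesk note: customer phone 404-555-0142, loyalty id 4111111111111112",
]

if __name__ == "__main__":
    print("discovery:", scan_records(SAMPLE_RECORDS))
    vault = TokenVault()
    for line in tokenize_records(SAMPLE_RECORDS, vault):
        print("tokenized:", line)
```

Run the same scan a second time over the tokenized output and it comes back empty: that is the point of “minimize value of data”. A real deployment would swap `TokenVault` for the acquirer’s or a vendor’s tokenization API and run the scanner over file shares, databases and log archives rather than a list of strings.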
Managing The Risk
• Technology Platforms/Solutions
– Governance, Risk and Compliance (GRC)
– IT Security Operations Center (SOC)
– Firewalls, Network Segregation, SIEM/Event Logging
– Data Loss Prevention Solutions
– Internet Traffic Monitoring
– SPAM/Mail Administration
• Well Defined Data Protection Policies/Procedures
– Technical and Practical
– Permission Controls
– Strong Administration of System Credentials
– Two-Factor Authentication for Remote and DB Users
Managing The Risk
• Awareness and Education
– Strong Passwords and Not Shared
– Phishing
– End Users/Customers
– Employees
• Storing Data
• Obtaining Data
• Protecting Their Data
– Auditing
– Social Engineering Testing
– Vulnerability and Pen Testing
Incident Response
“When The Breach Occurs, The Time For Preparation Is Past”
• Incident Response Plan – Living, Breathing, Exercised
– Written (and shared)
– Drilled (often)
– Revised
• Essential Elements
– “Break glass” follow documented steps – stay focused
– Communications Plan (internal/external/when/how/who)
– Incident Response Partners (Public Relations, Forensics, Breach Insurance Carrier, Acquiring Banks, FBI, …)
– Internal/External contact lists
– Dedicated crisis communications channels (secure email, conference bridges)
Incident Response
“When The Breach Occurs, The Time For Preparation Is Past”
• Key Members
– Core Team (HR, Legal, Communications/PR, Operations, Physical Security, Cybersecurity, Network, Operations)
– Ad hoc Team (Internal Business Partners, other teams based on the incident)
• Essential Goals
– “Stop The Bleeding” – Identify IOCs and Contain The Incident
– “Eradicate And Recover” – Restore Business Processes
– “Manage the Message” – Internal and External
– Document Your Steps
– Post-Incident Activities (Lessons Learned)
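“Stop The Bleeding – Identify IOC and Contain The Incident” and “Document Your Steps” are where the drills pay off: the forensics partner hands over a list of indicators, and the team needs to turn it into a list of hosts to isolate and a timeline it can defend later. The script below is an added example and not the speakers’ code. It assumes proxy log lines in a constructed format (`<timestamp> <host> <method> <url> <dest_ip> <bytes>`); the indicator domain, the indicator network and the log lines are all constructed for the example. Domains match on the domain and any subdomain, and IPs match against CIDR ranges, which is how indicator lists usually arrive.

```python
"""IOC matching over proxy logs to pick hosts for containment and build an
incident timeline (added example; not the speakers' code). Indicators and log
lines are constructed; log format assumed: "<ts> <host> <method> <url> <dest_ip> <bytes>".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed indicators of compromise, as they might arrive from a forensics partner.
IOC_DOMAINS = {"example-bad.test"}  # matches the domain itself and any subdomain
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Hit:
    timestamp: str
    host: str
    indicator: str


@dataclass
class ContainmentPlan:
    hosts_to_isolate: set[str] = field(default_factory=set)
    timeline: list[Hit] = field(default_factory=list)  # "Document Your Steps"


def domain_matches(hostname: str) -> Optional[str]:
    """The IOC domain that hostname equals or is a subdomain of, else None."""
    h = hostname.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def network_matches(ip_text: str) -> Optional[str]:
    """The IOC network containing ip_text, else None (non-IP input is ignored)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def triage(log_lines: list[str]) -> ContainmentPlan:
    """Match each log line against the IOCs; collect hosts to isolate and a sorted timeline."""
    plan = ContainmentPlan()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line: skip rather than guess at fields
        ts, host, _method, url, dest_ip, _nbytes = parts
        hostname = urlsplit(url).hostname or ""
        indicator = domain_matches(hostname) or network_matches(dest_ip)
        if indicator:
            plan.hosts_to_isolate.add(host)
            plan.timeline.append(Hit(ts, host, indicator))
    plan.timeline.sort(key=lambda h: h.timestamp)
    return plan


# Constructed proxy log: two POS hosts talk to the indicators, one by domain and
# one only by destination IP; the rest is normal traffic plus one unparseable line.
SAMPLE_LOG = [
    "2015-08-12T03:14:07Z POS-0412 GET http://update-check.example-bad.test/a.php 203.0.113.44 512",
    "2015-08-12T03:20:01Z HQ-LAPTOP-17 GET http://www.example.com/ 198.51.100.7 2048",
    "2015-08-12T03:14:09Z POS-0412 POST http://cdn.example-bad.test/up 203.0.113.45 98304",
    "2015-08-12T03:30:00Z POS-0555 GET http://203.0.113.90/x 203.0.113.90 300",
    "2015-08-12T04:02:33Z POS-0987 GET http://updates.example.com/patch 198.51.100.8 4096",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    plan = triage(SAMPLE_LOG)
    print("isolate:", sorted(plan.hosts_to_isolate))
    for hit in plan.timeline:
        print(hit.timestamp, hit.host, "->", hit.indicator)
```

The timeline is kept separate from the isolation set on purpose: the isolation set is what the network team acts on in the first hour, while the sorted timeline is what goes into the incident record and, later, the lessons-learned review.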
Lessons Learned
• Elimination – Tokenization and P2PE
• Segmentation, Monitoring, and Analytics
• Preparation and Prevention (Drill! Drill! Drill!)
• Communication
– Internal versus External
– Immediate, Direct, Honest, Frequent
– Control Social Media, Bloggers, Pundits
• Focus on…
– Containment not Blame
– Communication not Spin
– Depend on Internal not External Resources
Nominate an attendee or speaker from this session as a PROTECT MVP. #PROTECTMVP
THANK YOU!
Scott Frost, CISO, Belk – Scott_Frost@belk.com
Pete Pouridis, Industry Expert, Merchant and Retail – pete@pouridis.com

NRF Presentation v2

Editor's Notes

#3: Have this slide show the actual YouTube video of the bear (https://www.youtube.com/watch?v=BwresrBSoS8). A bear in Canada climbed a tall electrical tower to reach “an irresistible target”: the nest of a pair of ravens, to consume the eggs. Though the ravens built their nest on top of a tall structure, next to high-powered electrical lines, and vigorously tried to defend it, they were no match for a dedicated attacker. As long as retailers have credit card data in the clear, they will be an irresistible target for those with the means and skills to bypass whatever security controls the retailer has put in place.
#4: Slide sub-heading could be titled “2013/2014/2015… Year of the Breaches”. Credit card data exposures continue to climb.
#6: Mobility and smart devices placed technology in everyone’s control, no longer just the select IT few. Front Door – Unified Shopping Cart, e.g. BOPS, BISO, BOSS.
#7: High Awareness and Accountability. Collecting more Data. Privacy Spawns Loyalty – “Opting In”. Outsourcing and Offshoring Data. “The Cloud”. Capital Funds come with a high price.
#11: Don’t Try and Boil the Ocean.