Forensics , Governance & Risk Management , PCI Standards
Compromising Data for Profit
Investigator: Fraudsters Targeting Personal Data, Payment CardsToday's fraudsters are targeting not just payment data, but personal information as well. That's because both are profitable targets, says breach investigator Erin Nealy Cox of forensics firm Stroz Friedberg.
See Also: Webinar | Securing Cloud Architectures: Implementing Zero Standing Privileges
Cox, who consults businesses after network breaches and subsequent data leaks, says Payment Card Industry information and personally identifiable information are both highly sought-after targets for cyber-attackers.
"Oftentimes, payment-card information is targeted by organized hacking rings," Cox says in an interview with Information Security Media Group [transcript below]. "I do think PCI data is a very profitable target for attackers because that data can be sold on the black market and converted."
But coming into focus is the increase in attacks aimed at PII, Cox says.
"We're seeing more personally identifiable information being targeted simply because we're seeing a lot of healthcare records go online, as well as [attackers] achieving infiltration into HR records," she explains.
"The PCI information is more easily converted right now, but the PII information can certainly be converted for purposes of identity theft," Cox adds.
Protecting both PCI and PII data takes a combination of product and personnel, she says. "It's a layered protocol," Cox says. "It's the addition of good products with good personnel and a very vigilant system of ensuring security."
Unfortunately, too many organizations focus on their compliance obligations, rather than a security strategy, she says. "[Organizations] get a report of compliance from the PCI auditors that they're compliant with PCI-DSS and then they rely too heavily on that," Cox explains. "It has to be a very vigilant marriage of product and personnel to keep any network secure."
During this interview, Cox discusses:
- Insights from recent breach investigations;
- How and why the lines between PII and PCI are blurring;
- The skills set necessary to become a forensics investigator.
At Stroz Friedberg, Cox manages operations for the firm's Dallas office while also maintaining client assignments in the areas of digital forensics, cybercrime investigations, data breach response and electronic discovery processing. She supervises assignments for government agencies, major law firms and corporate management and information systems departments in criminal, civil, regulatory and internal corporate matters. Previously, she served as an assistant U.S. attorney for the Northern District of Texas for nearly 10 years. While there, she served as the computer hacking and intellectual property coordinator for four years and was appointed to a nationwide working group responsible for coordinating and prosecuting complex cybercrime cases across the United States.
Areas of Expertise
TRACY KITTEN: Can you give us a little background about the work you do and the investigations that you look in to?
ERIN NEALY COX: Stroz Friedberg is a global digital risk management and investigations firm. We specialize in data breach and cybercrime response. We also have a security risk assessment and consulting division, digital forensics, e-discovery, as well as a business intelligence and investigations unit. What makes us unique is that we employ, typically, former military or formal federal government technical forensics examiners in our labs across the world that bring deep knowledge of cybersecurity principles as well as an overlay of investigative knowledge.
In addition to that, we have folks like me who come typically from a background of legal training. I was a federal prosecutor for almost 10 years specializing in cybercrime and economic espionage cases, and we view the pairing of the technical personnel with the engagement manager as something that assists the enterprise in looking at the breach, or whatever cybersecurity-related problem they're having, in a holistic way, using it to approach the breach as an enterprise risk management technique.
Post-Breach Investigations
KITTEN: What's the process that you follow when you conduct some of these investigations?
COX: Initially, we're engaged by the entity. They've either suffered from what they have confirmed as a breach, or they have some anomalous activity on their network that they would like for us to look in to. We typically collaborate very heavily with their internal IT security resources. Our forensics personnel will go onsite. They will start looking at what the internal team is looking at and they'll bring to the table their knowledge of attacks that we've been responding to all across the world, and that supplements the internal IT security team and knowledge of their own network. We'll begin looking at what the anomalous activity is. We'll start by trying to ascertain an attack vector or an exfiltration or infiltration point and we'll, over a period of days and weeks work very collaboratively with the IT security team in-house, to understand whether the entity was breached, how it was breached, to contain and to respond to the incident, as well as to implement a remediation plan.
Determining the Root Cause
KITTEN: Is there a difference in the investigations you conduct, based on the type of attack or the type of industry that's targeted?
COX: All investigations are trying to get at the root cause of the breach, as well as understanding how the breach can be contained and what the entity can do to remediate and make itself more secure. But I do agree that the differing types of attack lead to different methodologies. For example, if you're looking at an industry that has PCI data, you're going to be more sensitive to the PCI-DSS guideline. You're going to be sensitive to concerns regarding payment-card data, as opposed to looking at an industry that's targeted for perhaps more of an economic-espionage situation where they would be employing more sophisticated malware or more sophisticated techniques that might attribute to a theft of IT or a theft of trade secrets.
Average Investigation Length
KITTEN: How long would you say the average breach investigation takes?
COX: There's really not a simple answer to that. We've worked breach investigations where we could understand very quickly the attack vector. ... We've also worked investigations that are much more sophisticated that it takes months to understand entirely what was going on in the network, and that perhaps the attacker or adversary has been in the client network for months. It really depends on what the attack methodology is, how long the attacker has gone undetected in the network, and how quickly we're brought onboard to see how we can help the internal team.
Common Vulnerabilities
KITTEN: What would you say is the most common vulnerability or investigation characteristic that crosses all of the sectors?
COX: This is generalizing, but if I took a look at the data breaches that we've worked on in the most recent years, I'd say they fall into three different categories. No. 1, the attackers are taking advantage of some type of web-based exploit. They're looking at their external web-based servers and they're seeing if any of the applications on those web-based servers can be exploited, or they're using a technique called a SQL injection to get into the network environment.
The second way that we've seen attackers in recent years compromising networks is spear-phishing, using targeted phishing attacks to essentially socially engineer people within the network to allow them access to the network.
Finally, in the more sophisticated economic-espionage cases, we oftentimes find zero-day malware that allows the attacker access before those applications can be touched.
Targeted Information
KITTEN: Would you say that payment card data is the most often targeted information?
COX: I'm not sure that I would say most often targeted information. We've certainly seen over the last five to seven years a lot of news regarding payment cards being targeted. Oftentimes, payment-card information is targeted by organized hacking rings, organized crime groups, but in the last few years we've seen a large uptick in economic-espionage cases as well. We know, for instance, that there are also state-sponsored espionage cases that have been happening over the last decade. I'm not sure I could put numbers to it. I do think PCI data is a very profitable target for attackers because that data can be sold on the black market and converted, but we also see attacks on networks for personally identifiable information, especially in the context of healthcare associations that deal with lots of patient information. HR data has always been a target, as well as targeting a company's IP or trade secrets.
KITTEN: Would you say that these are on the same level as payment card data, when it comes to breaches and the information that attackers are actually after?
COX: ... We're seeing more personally identifiable information being targeted simply because we're seeing a lot of healthcare records go online, as well as achieving infiltration into HR records. The PCI information is more easily converted right now; but the PII information can certainly be converted for purposes of identity theft. In terms of the intellectual property theft, I think those are more targeted attacks. I know we see those coming through state-sponsored attacks or just domestically infiltrated economic-espionage cases.
Targeting the Retail Sector
KITTEN: Would you say the retail industry is the most vulnerable and/or targeted when it comes to some of these attacks?
COX: They have been vulnerable for a number of years, and they have been a target and will continue to be a target. Ten to 15 years ago, financial institutions were a big target for hackers, but over the last decade they have been really hardening the perimeter, taking their IT security up a notch to defend themselves against what they knew to be attackers trying to get into their networks. The retail industry and the hospitality industry came on after that and they have been for years a target of attackers, because they're both robust repositories of PCI data. I think they'll continue to be targets, but I have seen over the last probably five years the retailers and the hospitality industry take a lot of steps in terms of IT security and IT resources that will help to secure their network.
KITTEN: What seems to be the most typical type of network attack that's aimed at retailers and payment processors?
COX: In terms of retailers and payment processors, we do see web-based intrusions being predominant, as well as spear-phishing attacks.
Malware Attacks
KITTEN: Would you say that these attacks are actually more targeted, and is the malware striking these companies in some way unique?
COX: We have seen a lot of malware in the environment that we've been in targeted specifically for payment-card data. We know that the attackers have a robust repository of malware that can scrape, scan and sniff for PCI data within an environment. Some of this malware is custom-made; some of it is open-source. There's a robust amount of malware out there that can address PCI data, because we know it's being used by these organizations within these environments. I do think that the malware is specific to the PCI data and it does do its job very well.
Our role at Stroz Friedberg is to take a look at the malware that we find in these environments. We reverse this malware, we deconstruct it and we understand its functionality so that we can better investigate its impact on the environment. We also catalog this and can look for this kind of malware in other environments, and card-brands do also alert entities about malware and malware that they have been seeing in investigations, so everybody can start to better protect themselves.
Challenges with Compliance
KITTEN: What challenges would you say retailers, as well as other organizations, face when it comes to ensuring that they're complying with all of the necessary regulations and requirements, such as those that are outlined by the PCI Data Security Standard, after a breach?
COX: Securing any network is not a process of one particular product. It's a layered protocol. It's the addition of good products with good personnel and a very vigilant system of ensuring security. I think the vigilance is one of the most important parts. Sometimes companies can too often place reliance on what we call QSA audit reports, giving them reports of compliance. They get a report of compliance from the auditors that they're compliant with PCI-DSS and then they rely too heavily on that. It has to be a very vigilant marriage of product and personnel to keep any network secure.
What we know from various studies and reports is we've seen many, many breaches of PCI networks that occurred right after a finding of PCI compliance. The fact that a company has a report of compliance does not mean that it's secure for all times. Companies have to be very vigilant about their networks, about securing their networks, and they have to utilize whatever resources they can to make sure that they know what's going on in their networks at all times.
Steps to Maintain Security
KITTEN: What steps are organizations recommended to follow to ensure that they maintain compliance or maintain higher levels of security after a breach?
COX: With a PCI data breach, there are very strict guidelines, in terms of what a company has to do, when they have to hire a forensics expert and when their reporting to the card-brands has to occur. You'll find this in other areas of breaches as well, depending on the type of data that has been breached. There will be disclosure obligations associated with that breach, so, if it's personally identifying information or PCI information, there are going to be disclosure obligations associated with that breach.
First, understand the parameters of the breach and make sure the breach is contained and remediated. Second, take the knowledge from the in-depth understanding of the breach to make required disclosures to be able to better inform people about what happened. What you'll see oftentimes happening is companies - because it's a major PR event for them - want to talk about their breach before they have information. Information on day 10 regarding a breach is often different than information on day 40 regarding a breach, and our advice to the companies is to really allow their internal IT security team, as well as their outside experts, to understand what happened with the breach to make sure the breach has been fully contained and responded to, as well as remediated, and then work with the other enterprise risk stakeholders, such as in-house counsel, outside counsel and c-level executives, to figure out what their disclosure responsibilities are and the timing of that.
Reporting Requirements
KITTEN: Are there any reporting requirements that organizations have to be mindful of if they do learn more about a particular breach or attack after they have closed the investigation?
COX: Absolutely. A company should always be willing to audit and validate what their own internal IT security resources are telling them, which is why outside experts make sense. An IT security personnel's role should be to do what they think is the best for their company's security and then to not be weary of having somebody come in to validate that. After all, the purpose is to make the company and the company's critical digital assets more secure.
As you're determining what happened in a breach, you need to be diligent about being skeptical about first answers and first theories about what happened. You need to find corroborating evidence about what occurred so that you can properly remediate. You don't want to not understand the parameters of a breach and not remediate an aspect of the breach that should have been remediated to prevent the next breach. It's likely if you're a target now, you're going to stay a target, so you need to understand that everything needs to be working cohesively to better protect your network, utilizing all the resources that you can to do that.
Forensics Profession
KITTEN: What advice could you offer to someone who might be interested in entering the forensics profession today?
COX: The forensics profession is really interesting and an exciting profession to be involved in these days. What we look for at Stroz Friedberg are ... cybercredentials. That's why we typically hire from the military or from law enforcement. We also really like an investigative mind. You're not simply checking the IT security box; you're investigating what happened in a breach.
In addition to that, we find that creativity and collaboration among our forensics personnel is really key to coming up with the answers to a lot of these complex cybersecurity problems. I would advise anyone to try and get the very best training that they can. Make sure that they find avenues to gain the experience in the sectors that they want to gain the experience. If you would prefer to be more a digital forensics specialist, work in firms that will give you that kind of expertise. If you prefer to be working on data-breach cases, make sure that you work for firms where you're going to have a lot of repetition, responding to incidents, looking at various networks and understanding the adversary, what the hackers are doing and how they're doing it.