A wireless world: combatting security breaches through parallel networking - Lindsay Notwell, Cradlepoint
1. ADDRESSING THE BREACH
Offloading Non-Essential and Vendor Applications to
Application-Specific, Parallel Networks Using 4G LTE
June 17, 2014
Lindsay Notwell
VP, Operator & International Business
CradlePoint
Contact:
lnotwell@cradlepoint.com
2. OUR COMPANY
M200 (circa 2006)
The trusted global leader in enterprise-grade 4G-LTE networking solutions for distributed enterprise
CradlePoint Proprietary and Confidential • © 2014 CradlePoint, Inc. • All Rights Reserved. Information subject to change without notice.
INDUSTRY AWARDS: 2014 Top 20 Retail IT Solutions
OPERATOR PARTNERS
Focus: Enterprise grade cloud managed 3G/4G/LTE solutions
Advantages: Performance, Protocols, Efficiency
Differentiation: Security, WiFi, Flexibility
3. OUR CUSTOMERS
Distributed Enterprises with Hundreds and Thousands of Locations
Verticals: Kiosks, C-Stores, Restaurants, Retail Stores, Digital Signage, Transportation, Branch Offices
Key Challenges: No Local IT Support; PCI Compliance; WiFi & Mobility; Cloud-based Apps; Business Continuity
4. OUR RECORD OF SUCCESS
Over 1,000,000 deployments with leading distributed enterprises
Verticals: Retail, Branch Office, Kiosks, Signage, etc., Transportation
5. TYPICAL BRANCH OFFICE
Diagram labels: Internet / Private Network; Primary Network (WAN), typically T1, DSL or Cable; Equipment Room (Server); Back Office (Employee Tablet); Customer Area (Customer Smartphone).
6. WITH 3G/4G RESILIENCY
Diagram labels: Internet / Private Network; Primary Network (WAN), typically T1, DSL or Cable; Failover Connection: 4G-LTE as a backup WAN connection; Equipment Room (Server); Back Office (Employee Tablet); Customer Area (Customer Smartphone).
7. THE MONOLITHIC NETWORK
Diagram labels: Internet / Private Network; Primary Network (WAN), typically T1, DSL or Cable; Failover Connection: 4G-LTE as a backup WAN connection; Equipment Room (Server); Back Office (Employee Tablet); Customer Area (Customer Smartphone).
8. THE ATTACK AT TARGET
Based on Currently-Available Information
Penetration
– Launched email phishing campaign
– Successfully tricked many users into opening the email
– Attackers researched victims and determined suppliers to Target
– Obtained vendor’s credentials, used to access Target’s network
Execution
– Used “pivoting” technique to attack systems on other networks
– Infected POS terminals using customized memory scraping tool
– Established “unauthorized server” inside the Target network
– Exfiltrated credit card data through the compromised servers
9. THE RESULT AND IMPACT
Based on Currently-Available Information
The Exposure
– Up to 110 million customers could have been affected
– 40 million debit and credit cards stolen
– Up to 70 million individuals had personal information stolen
The Cost
– The breach will cost Target $500 million to $1.1 billion USD, some analysts estimate.
– Analysts have cut Target profit estimates for the fiscal years ending Jan ’14 and Jan ’15 by about 12.2% and 9.5%, respectively, Thomson Reuters Starmine data showed.
– Target’s CIO resigned, CEO forced out
10. THE RESULT AND IMPACT: The Industry Experts’ Analysis
Based on Currently-Available Information
– Target passed its PCI Compliance audit in September
– The company has since moved to isolate its different platforms and networks to make it harder for a hacker to move between them, a Target executive said.
– So-called segmentation issues, where computer systems that shouldn't be connected for security reasons are in fact linked, are a problem at a number of retailers, a person familiar with retail breaches said.
– There shouldn't have been a route between a network for an outside contractor and the one for payment data, people familiar with large corporate networks said.
11. SOCIAL ENGINEERING ATTACKS
Phishing, Spear Phishing, Whaling
– Legitimate looking emails
– Relevant, somewhat inside information
– Think of grifters, con men, etc.
– Click on the link or attachment
13. THE MONOLITHIC NETWORK
(Repeat of the slide 7 diagram.)
14. THE RESULT AND IMPACT: The Industry Experts’ Analysis
Based on Currently-Available Information
– So-called segmentation issues, where computer systems that shouldn't be connected for security reasons are in fact linked, are a problem at a number of retailers, a person familiar with retail breaches said.
– There shouldn't have been a route between a network for an outside contractor and the one for payment data, people familiar with large corporate networks said.
15. SEGMENTATION ISSUES?
16. AND THEN…
17. AND THEN…
18. THE MONOLITHIC NETWORK
(Repeat of the slide 7 diagram.)
19. PARALLEL NETWORKING
Diagram: the branch office of slide 7 (Equipment Room with Server, Back Office with Employee Tablet, Customer Area with Customer Smartphone; Primary Network (WAN), typically T1, DSL or Cable; Failover Connection: 4G-LTE as a backup WAN connection), with each application placed on its own 4G-LTE link to the Internet / Private Network:
– POS Device Network: separate 4G network for security-sensitive devices
– Employee Network: separate 4G network for secure enterprise access
– Customer WiFi Network: separate 4G network for non-secure customer access
– VoIP Phone Network: separate 4G network
– Kiosks: separate 4G network for 3rd-party
– Digital Signage: separate 4G network for 3rd-party
– Store-in-a-Store: separate 4G network for 3rd-party
– HVAC System: separate 4G network for 3rd-party vendor
– Security System: separate 4G network for 3rd-party vendor
– Energy Mgmt System: separate 4G network for 3rd-party vendor
20. PARALLEL NETWORKING
Diagram: the same branch office (Equipment Room with Server, Back Office with Employee Tablet, Customer Area with Customer Smartphone; Primary Network (WAN), typically T1, DSL or Cable; Failover Connection: 4G-LTE as a backup WAN connection), with each application on its own 4G-LTE link to the Internet / Private Network:
– Point-of-Sale Device Network: separate 4G network for security-sensitive devices
– Employee Network: separate 4G network for secure enterprise access
– Customer WiFi Network: separate 4G network for non-secure customer access
– VoIP Phone Network: separate 4G network
– Kiosks: separate 4G networks for 3rd-party
– Digital Signage: separate 4G network for 3rd-party
– Store-in-a-Store: separate 4G network for 3rd-party
– HVAC System (Heating, Ventilation & Air Conditioning): separate 4G network for 3rd-party service provider
– Security System: separate 4G network for 3rd-party service provider
– Energy Mgmt System: separate 4G network for 3rd-party service provider
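The segmentation rule the experts state on slides 10 and 14 (no route from an outside contractor's network to the payment network) and the parallel-network design of slides 19 and 20 can be checked mechanically. The following Python is an added example, not code from the deck or from CradlePoint: the segment names and the permitted links between them are constructed from the slide labels, and a real check would build the same graph from firewall rules or routing tables instead. It computes which segments each third-party segment can reach and reports every route that ends at the POS segment, once for the monolithic network and once for the parallel one.

```python
"""Reachability check over a branch-office segmentation model.

Added example, not CradlePoint code. Segments and the permitted links
between them are constructed from the slide labels (assumption); a real
check would build the graph from firewall rules or routing tables.
Each edge is a direction in which traffic may be initiated.
"""
from collections import deque

# Segments operated by outside parties (constructed from slides 19-20).
THIRD_PARTY = {"hvac", "energy_mgmt", "security_system", "digital_signage",
               "kiosks", "store_in_a_store", "customer_wifi"}

# Segments that carry payment data; no third-party segment may reach them.
PROTECTED = {"pos"}

# Monolithic network (slides 7/13/18): every device sits on one site LAN,
# so the LAN can reach everything and everything can reach the LAN.
MONOLITHIC = {
    "lan": {"pos", "employee", "wan", "lte_failover", *THIRD_PARTY},
    "wan": {"internet"},
    "lte_failover": {"internet"},   # 4G-LTE backup WAN, bridged to the LAN
}
for seg in list(MONOLITHIC["lan"]):
    MONOLITHIC.setdefault(seg, set()).add("lan")

# Parallel network (slide 19): each third-party application and the POS
# devices get their own 4G-LTE link; none of them has a link to the LAN.
PARALLEL = {
    "lan": {"employee", "wan"},
    "employee": {"lan"},
    "wan": {"internet"},
    "pos": {"lte_pos"},
    "lte_pos": {"private_network"},
}
for seg in THIRD_PARTY:
    PARALLEL[seg] = {"lte_" + seg}
    PARALLEL["lte_" + seg] = {"internet"}


def reachable_from(graph, start):
    """Breadth-first search; returns {segment: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def segmentation_violations(graph, sources=THIRD_PARTY, protected=PROTECTED):
    """Return [(source, target, path)] for every forbidden route found."""
    found = []
    for src in sorted(sources):
        paths = reachable_from(graph, src)
        for dst in sorted(protected):
            if dst != src and dst in paths:
                found.append((src, dst, paths[dst]))
    return found


def report(name, graph):
    """Human-readable summary lines for one network model."""
    violations = segmentation_violations(graph)
    lines = [f"{name}: {len(violations)} violation(s)"]
    for src, dst, path in violations:
        lines.append(f"  {src} -> {dst} via {' -> '.join(path)}")
    return lines


if __name__ == "__main__":
    for name, graph in (("monolithic", MONOLITHIC), ("parallel", PARALLEL)):
        print("\n".join(report(name, graph)))
```

Run as a script it reports seven violations for the monolithic model, each of the form `hvac -> pos via hvac -> lan -> pos`, and none for the parallel model, because every third-party segment's only neighbour is its own 4G-LTE link. The path returned with each violation is what makes the output actionable: it names the shared segment (here the site LAN) that the parallel design removes.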
22. ADDRESSING THE BREACH
Offloading Non-Essential and Vendor Applications to
Application-Specific, Parallel Networks Using 4G LTE
QUESTIONS?
Contact: lnotwell@cradlepoint.com
Lindsay Notwell
VP, Operator & International Business
CradlePoint