Data Breaches. Are you next? What does the data say?
1. Data Breaches:
Are you next?
What does the data say?
Phil Agcaoili,
VP & Chief Information Security Officer, Elavon
ATPS Worldwide
3rd-4th December 2014
2. Fear, uncertainty and
doubt (FUD)
…Generally a strategic attempt to
influence perception by
disseminating negative and
dubious or false information…
The term originated to
describe disinformation tactics…
FUD is a manifestation of the
appeal to fear.
Truth
Truth is most often used to
mean being in accord with
fact or reality, or fidelity to
an original or to a standard
or ideal.
FUD and Cyber Security
3. Fact: Worst Travel Day of the Year
Fiction: Worst day of the year is the Day Before Thanksgiving
4. //Cyber Security
The interconnection and reliance of physical
lifeline functions over the Internet
(cyberspace) that impacts:
• National security,
• Public health and safety, and/or our
• Economic well-being
Information Technology Sector
Transportation Systems Sector
Commercial Facilities Sector
Financial Services Sector
Defense Industrial Base Sector
5. We are All Interconnected
6. Heightened Concerns on
Cyber Security
Low Barrier of Entry
High Damage Potential / Lucrative
7. Cost of Data
$102.60
Average black market price for all
of the data on a credit card
$187.44
Cost of taking control of a bank
account
$200K
Average cost of cyber attack to
SMB
$1M-$46M
Average cost of breach to a
large company
$169M
Target breach clean-up costs
$46M
The Home Depot breach clean-up
costs
$350M-1T
Global cost of cyber crime
8. //Cyber Crime
Global and growing industry
Increasing in size and efficiency
Targets everyone and every company
Leveled playing field for criminal activity
Cyber Crime Orgs
Professional Hackers
Spammers
Mafia
Military
Terrorists
9. //APT - Nation States Hacking
and a Cyber Cold War
10. What are your risks?
Have you assessed your risks?
11. Airlines and Airport Security
Complex ecosystems with advanced IT infrastructures
Real-time exchange of sensitive information
Scan and monitor passenger flow
Complex procedures and rules
Security requirements
Vulnerable to a multitude of attacks and IT-based emerging
threats
Information Technology Sector
Transportation Systems Sector
Commercial Facilities Sector
Financial Services Sector
Defense Industrial Base Sector
14. Merchants Under Attack
Credit cards
What else must be said?
15. Case Studies: The Facts
Nothing new here
All information presented is based on:
Past incidents
Reported cyber attacks
16. 2004 Fact: Sasser Worm and British
Airways at Heathrow Airport
British Airways suffered delays
Worm hit Terminal Four at London's Heathrow Airport
Also affected call centers
Written by a teenager
17. 2008 Fact: Spanair Flight 5022
Crashed just after take off
Over 150 people died
Only 18 people survived
Accident weakened Spanair's image (reputation risk)
Crash exacerbated company’s financial difficulties
Ceased operations in 2012
Internal report issued by airline revealed:
Malware infected airline's central computer system
May have prevented detection of technical problems
with aircraft
Final report determined crew failure as root cause
18. 2011 Fact: Delhi’s Indira Gandhi
International (IGI) Airport Incident
Passenger processing system failure
Backend server glitch
Common Use Passenger Processing System
(CUPPS)
Down for almost 12 hours
Approximately 50 flights delayed
Passengers had to be manually checked in
Central Bureau of Investigation (CBI) of India
Virus attack / malicious code on the system
Used from an unknown remote location
Someone at a remote location operated the
system
19. 2011 Fact: Computer Virus Hits
U.S. Drone Fleet
Virus infected Predator and Reaper drones
One of the US military’s most important weapons
systems
Virus resisted multiple efforts to remove it
Remote cockpits are not connected to the Internet
Virus believed to have spread through removable drives
20. 2014 Facts: Infected Belgian
Charleroi Airport Servers
Belgian Charleroi airport network servers infected with
malware
Turned them into botnet zombies
Airport and customer data stolen
22. 2014 Fact: Account Backdoors on Airport
Scanners, Default Passwords
Blackhat 2014
Backdoor accounts present in airport scanners
Many machines deployed at airport security
checkpoints have embedded accounts with
default passwords that can be abused
Attackers may be able to use the accounts as a
backdoor to get access to the system
Via Billy Rios
23. 2014 Fact: More Backdoors
FTP, Telnet, and Web hardcoded backdoors
~6000 on Internet at major airports
Foreign made
Via Billy Rios
24. 2014 Fact: More Backdoors
Multiple backdoor accounts
Via Billy Rios
25. Internet of Things (IoT)
Embedded systems
Devices with an IP stack
May or may not be connected to the Internet
Think smartphones
Drones
26. Address Cyber Security Now
Raise visibility to senior leadership and Board of
Directors
Use a Cyber Risk Framework
Invest in Cyber Security
Risk Management NIST CSF
27. Your Responsibility
Ensure Basic Cyber Hygiene
It’s Everyone’s Responsibility
Airlines focus:
Defense in-depth and anti-malware programs
Follow the money
Trust, but Verify
Especially with embedded devices
Supply chain
Vendor Management / Third Party Security
Overall security
Hardcoded backdoors
Participate in an Information Sharing & Analysis Center (ISAC)
28. Thanks
Phil Agcaoili
VP & Chief Information Security Officer, Elavon
Contributor, NIST Cybersecurity Framework version 1
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix,
GRC Stack, Security, Trust and Assurance Registry (STAR), and
CSA Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA
Editor's notes
In 2013, they were July 18, 25, and 11, according to airport operations data from the FAA.
Those were the three consecutive Thursdays following US Independence Day on July 4th (which was the 21st least busy day to fly).
The day before Thanksgiving, if you were wondering, ranks 27th.
The Friday before Christmas—Dec 20—was the busiest winter day in 2013, ranking 4th overall. This year the Friday before Christmas is Dec 19.