Cyber Executive Briefing 
Presenter: Paul C Dwyer 
CEO – Cyber Risk International 
Date: Oct 9th 2014 
Retail Fraud Leicester 2014
Paul C Dwyer 
Paul C Dwyer is an internationally recognised information security expert with over 
two decades' experience and serves as President of the ICTTF International Cyber 
Threat Task Force and Co-Chairman of the UK NCA (National Crime Agency) Industry 
Group. He is a certified industry professional with the International Information Systems 
Security Certification Consortium (ISC2) and the Information Systems Audit and 
Control Association (ISACA), and was selected for the IT Governance Expert Panel. 
Paul is a world-leading Cyber Security GRC authority. He has been an advisor to 
Fortune 500 companies, law enforcement agencies and the military (NATO), and 
recently advised DEFCOM UK at Westminster Parliament. 
He has worked and trained with organisations such as the US Secret Service, 
Scotland Yard, the FBI and the National Counter Terrorism Security Office (MI5), is approved by 
the National Crime Faculty and is a member of the High Tech Crime Network 
(HTCN). 
Paul C Dwyer CEO 
Cyber Risk International
THE CYBER WORLD AND 
THE PHYSICAL ARE INTEGRATED
Cyber fronts in the Ukraine! 
Is it War?
What Are Cyber Threats? 
• Cybercrime 
• Cyber Warfare 
• Cyber Espionage 
• Cyber X – Adversary
Cyber Statistics 
• Cybercrime costs £27 billion a year in the UK 
• £1,000 a second 
• 170,000 IDs are stolen each year – 1 every three seconds 
• Theft of IP £9.2 billion 
(pharmaceuticals, biotechnology, electronics, IT and chemicals) 
Source: UK Cabinet Office
Cybercrime Economy Drivers 
It’s a business with an excellent economic model. 
Other reasons, you name it: 
• Technology 
• Internet 
• Recession 
• “A safe crime” 
• It’s easy to get involved 
• Part of Something
Hacktivism? Part of …..
Crimeware Toolkits 
Copyright - Paul C Dwyer Ltd - All Rights Reserved
Economic Model - the Actors 
• User – (Account Credentials) 
• Financial Institution 
• Supplier 
• Acquirer/Middlemen 
• Agents 
• Carding Forum 
• Carders 
• Fraudster (Consumer) 
• Retailer 
• Reshipping / drop zone 
• Money Mule 
Categories 
• Wholesalers 
• Retailers 
• Independent Contractors
Cybercrime – a Business
“The Daddy” – History 
TJX / TK Maxx 
Dark Market & Shadow Crew 
2002 ->
Original Crew
A Decade on, What Have We Learnt? 
• Heating/AC Contractor’s Credentials 
• Intrusion Months Before Data Theft 
• Waited for US Thanksgiving Day 
• Malware KAPTOXA/BlackPOS 
7 Months – Average Breach Duration Before Detection 
2/3 of Cases Informed by a Third Party
What do they Want? 
Retailers’ Data
Cyber Risks for You 
• Tangible Costs 
– Loss of funds 
– Damage to Systems 
– Regulatory Fines 
– Legal Damages 
– Financial Compensation 
• Intangible Costs 
– Loss of competitive advantage (Stolen IP) 
– Loss of customer and/or partner trust 
– Loss of integrity (compromised digital assets) 
– Damage to reputation and brand 
Quantitative vs. Qualitative 
46% Reduction in Profits Following Breach
Bottom Line for Retailers 
• Arms Race – Cat and Mouse 
• Top 5 Target Groups – Continuously Attacked 
• You Spend Less on Cyber Security 
• Low Risk – High Reward for “Bad Guys” – 
Established Market for Data Assets 
• Best Data Assets On the Planet 
• Compliance is NOT Security
Retail Factors 
• Data on networked and distributed systems that are accessible to a 
widening array of entry points 
• Broad adoption of mobile applications 
by retailers adds many other new points of vulnerability 
• Complex supply chains - more access and data is given to vendors 
and external partners 
• Global expansion may require retailers to expand distribution of 
their own information around the world
Door Left Open 
Some Retailers’ Doors! 
• Point-of-sale (POS) terminals in stores 
• Mobile POS access points 
• Customer-facing e-commerce websites 
• Links with each third-party vendor, supply-chain vendor, ecosystem partner and contractor 
• Employee-facing access points — including those that may utilise employee-owned mobile devices 
— and the social workplace 
• Links to connected data centers via the cloud 
• Links to financial institutions and payment processors 
• Links to managed service providers 
• Links to delivery services 
• Links to all other contractors who are provided with network access 
• B2B, intranet and extranet portals 
• In-store wireless routers, kiosks and networks 
• The expanding “Internet of Things”: IP-based printers, IP-linked surveillance cameras and similar 
devices
Give me some examples
I’m not joking! 
Hack the Human!
Kill chain: Reconnaissance → Weaponisation → Delivery → Exploitation → C2 → Lateral Movement → Exfiltration → Maintenance 
• Reconnaissance – Bad guy targets individual (asset); gathers intelligence about employee and assets 
• Weaponisation – Chooses weapon from underground forum 
• Delivery / Exploitation – Exploit run 
• C2 – Comms established with Command & Control server 
• Lateral Movement – Move laterally across network 
• Exfiltration – Exfiltrate data 
• Maintenance – Protection, maintenance mode
When Harry met Sally
It’s an IT Cyber Security Problem, Right? 
NO – Legally It’s a Challenge for the Board!
Regulatory and Legal 
• EU Data Privacy Directive 
• EU Network Information Security Directive 
• European Convention on Cybercrime 
• 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions 
Your Organisation sits at the centre of all of these.
Responsibility – Convention Cybercrime 
All organisations need to be aware of the Convention’s provisions in article 12, 
paragraph 2: 
‘ensure that a legal person can be held liable where the lack of supervision or 
control by a natural person…has made possible the commission of a criminal 
offence established in accordance with this Convention’. 
In other words, directors can be responsible for offences committed by their 
organisation simply because they failed to adequately exercise their duty of care.
Cyber is a Strategic Issue 
• Strategic Level (Macro Security) – How do cyber attacks affect policies, industry and business decisions? 
• Operational Level – What kind of policies, procedures and business models do we need? 
• Technical Level (Micro Security) – How can we solve our security problems with technology?
Board Room Discussion 
• CEO – Loss of market share and reputation; Legal Exposure 
• CFO/COO – Audit Failure; Fines and Criminal Charges; Financial Loss 
• CIO – Loss of data confidentiality, integrity and/or availability 
• CHRO – Violation of employee privacy 
• CMO – Loss of customer trust; Loss of brand reputation 
Increasingly companies are appointing CROs and CISOs with a direct line to the audit committee.
Governance structure (diagram labels): 
• Corporate Governance – Project Governance, Risk Management, Cyber Governance 
• Cyber Governance – Risk Management 
• Cyber Risk – Legal & Compliance, Operational, Technical
Resilience 
Recognise: Interdependence – Leadership Role – Responsibility 
Integrating Cyber Risk Management 
• Requirement Drivers – Business, Legal, Regulatory – define the Business ICT Requirements 
• The Board – Direct, Evaluate, Monitor 
• Cyber Risk Strategy – from Reactive to Proactive
Thank You – Stay Connected 
www.paulcdwyer.com 
youtube.com/paulcdwyer 
mail@paulcdwyer.com 
+353-(0)85 888 1364 
@paulcdwyer 
WE IDENTIFY, MITIGATE AND MANAGE CYBER RISKS 
Cyber Risk International 
Clonmel House – Forster Way – Swords – Co Dublin – Ireland 
+353-(0)1-897 0234 
mail@cyberriskinternational.com 
www.cyberriskinternational.com
EXTENDED MATERIAL – CRIMEWARE EXAMPLE
Example of Crimeware 
Tools, Tutorials, Services (Rent & Buy) 
Spyeye $500
Botnets (Rent or Own) 
Diagram: Botnet Herder → Proxy → Proxy → Command & Control Server → Infected PCs; the infected PCs are used for Spam and Website DDoS Attack
Spyeye – Toolkit 
Diagram (repeated on each step): Botnet Herder → Proxy → Spyeye C & C Server → Infected PCs 
• Install C2 
• Get CC Info – from the infected PCs, or upload a list 
• Place Something For Sale – uploads, renames and claims ownership of a software utility for sale on a popular download store 
• Automate Transactions – Spyeye automates purchases by form filling at intervals to avoid detection, using the stolen credit card information 
• Clean Money – Billing Hammer Module 
• Avoid Detection – Billing hammer will send the transaction through an infected machine close to the cardholder’s address to avoid detection

CRI Retail Cyber Threats