SANS Institute
Information Security Reading Room

Data Loss Prevention and a Point of Sales Breach

Nicholas Kollasch

Copyright SANS Institute 2020. Author Retains Full Rights. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Data Loss Prevention and a Point of Sales Breach

GIAC (GSEC) Gold Certification
Author: Nicholas Kollasch, [email protected]
Advisor: Richard Carbone
Accepted: July 12th 2014

Abstract

Target could have used a data loss prevention solution to mitigate the success of its infamous data breach. However, organizations typically deploy data loss prevention with simple policies and rules that detect 15- or 16-digit number strings that might represent a credit card number. This strategy would not have been effective in the case of the Target attack, because the attackers packaged the "loot" with Base64 encoding directly on the point of sales systems. A security practitioner therefore requires alternative detection measures to detect this type of anomalous activity. Data loss prevention can support an organization's ability to implement the Critical Security Controls, thereby providing the capability to detect such a sophisticated attack during the key stage of the Kill Chain model: Actions on Objective. Data loss prevention, when implemented with robust rules that reflect current attack tactics, techniques, and procedures, can reduce the likelihood of success by making it more difficult to extract the valuable data.
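The abstract's central point is that a DLP rule matching bare 15- or 16-digit strings is blind once the data has been Base64-encoded on the host before it leaves. The following Python is an added illustration written for this page, not code from the paper or from any DLP product: it applies the simple digit-run rule (tightened with a Luhn check to cut false positives) and then a second rule that decodes Base64-looking runs in the same traffic and re-applies the card-number check to the decoded text. The sample "wire" lines, the minimum Base64 run length of 20 characters and the decode depth of 2 are constructed assumptions for the demonstration.

```python
import base64
import binascii
import re

# Rule 1: the "simple" DLP pattern the paper describes, a bare 15- or 16-digit run.
PAN_RE = re.compile(r"\b\d{15,16}\b")
# Rule 2: candidate Base64 runs. Minimum length of 20 characters is an assumed
# tuning value chosen to keep short tokens (ids, words) out of the decoder.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check.

    Most random 16-digit strings fail Luhn, so this removes the bulk of the
    false positives a plain \\d{16} rule would raise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Plain-text rule: 15/16-digit runs that also pass Luhn."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def decode_base64_blobs(text):
    """Decode every Base64-looking run that decodes cleanly to printable text."""
    decoded = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: not really Base64, skip it
        try:
            s = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload, outside the scope of this text rule
        if s and all(c.isprintable() or c in "\r\n\t" for c in s):
            decoded.append(s)
    return decoded


def scan(text, depth=2):
    """Apply the plain rule to the text, then the Base64-aware rule to up to
    `depth` nested encoding layers. Returns the card numbers found by each rule."""
    findings = {"plain": find_pans(text), "base64": []}
    layer = text
    for _ in range(depth):
        decoded = decode_base64_blobs(layer)
        if not decoded:
            break
        layer = "\n".join(decoded)
        findings["base64"].extend(find_pans(layer))
    return findings


# Constructed sample lines (not from the paper): a card number leaving in the clear,
# the same record packaged with Base64 on the host as the abstract describes, and
# benign traffic carrying a Luhn-invalid 16-digit id and an unrelated Base64 token.
CLEAR_LINE = "POST /upload card=4111111111111111 exp=1512"
PACKAGED_LINE = "POST /upload data=" + base64.b64encode(
    b"4111111111111111=1512101|Jane Doe").decode("ascii")
BENIGN_LINE = "GET /catalog?id=1234567890123456 session=" + base64.b64encode(
    b"sid:00012345;store:0417").decode("ascii")
SAMPLE = "\n".join([CLEAR_LINE, PACKAGED_LINE, BENIGN_LINE])

if __name__ == "__main__":
    # The simple rule catches only the clear-text line; the Base64-aware rule
    # also surfaces the packaged record that the simple rule misses.
    print(scan(SAMPLE))
```

Running the block shows the gap the abstract describes: the plain rule reports one hit (the clear-text line) and never sees the packaged record, while the Base64-aware pass recovers the same card number from the encoded line. The benign line produces nothing under either rule, because its 16-digit id fails Luhn and its decoded session token contains no card-length digit run.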
Introduction

Data breach headlines seem to appear quite frequently in our daily news sources, and retail breaches involving credit card numbers are no exception. The specifics of the breach might vary to a certain degree, and the number of credit card numbers might be tens of thousands, hundreds of thousands, or even millions. However, the overarching trend indicates that these types of headlines will continue at the current rate without any notable shifts in our protection measures. One of the most widely publicized attacks involving the exfiltration of credit card numbers involved Target, which reported a breach of approximately 40 million customer credit and debit card numbers in December 2013; the attackers also managed to acquire the personally identifiable information (PII) of another 70 million customers shortly thereafter in January 2014 (Jarvis & Milletary, 2014). Jarvis and Milletary (2014), who authored an analysis of the Target malware for Dell SecureWorks, noted that the malware was one of the many variants of RAM "scrapers" or "skimmers" at the disposal of attackers. The sheer volume of account information and PII has certainly contributed to the amount of exposure and analysis of this attack.