WELL-KNOWN ATTACKS
In 2012, about 40 million sets of PCI were compromised by a hack of Adobe
Systems.
In July 2013, press reports indicated four Russians and a Ukrainian were indicted in
New Jersey for what was called the largest hacking and data breach scheme ever
prosecuted in the United States.
INFORMATION TO PROTECT
https://www.pcisecuritystandards.org/smb/why_secure.html
SOURCES OF RISK
Risky Behavior: A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.
81% store payment card numbers
73% store payment card expiration dates
71% store payment card verification codes
57% store customer data from the payment card magnetic stripe
16% store other personal data
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Ensure all system components and software have the latest vendor-supplied patches (critical patches installed within a month)
Establish a process to identify new vulnerabilities (alert services, vulnerability scans/services)
Use facility controls to limit and monitor physical access in the data environment
Ensure all visitors are authorized before allowing entry to sensitive areas
Physically secure all paper and electronic media containing cardholder data
Record audit trail entries for each event, including user id, type of event, date and time, success/failure, and identity or name of affected data
Synchronize all critical system clocks and times
Secure audit trails to prevent alteration
Review logs for security functions (at least) daily
Retain audit trail history for at least one year, with 3 months being immediately available for analysis
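The logging controls above describe what an audit record must contain, that the trail must resist alteration, and how long it must be kept. The following added example (not part of the original deck or the PCI SSC material it cites) shows one way to put those rules into code: each entry carries the listed fields, entries are hash-chained so an after-the-fact edit is detectable, and a retention check sorts entries into the "immediately available" (90-day), "archived" (one-year) and "expired" buckets. The event data, user names and the 90/365-day constants are constructed assumptions for illustration.

```python
"""Audit-trail example: required fields, tamper-evident hash chain, and a
one-year / three-month retention check. Sample events are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETAIN_DAYS = 365   # keep history at least one year (assumed policy value)
ONLINE_DAYS = 90    # most recent 3 months immediately available (assumed)
GENESIS = "0" * 64  # starting value for the hash chain


def _digest(record):
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def record(self, user_id, event_type, success, affected, when=None):
        # Timestamps come from a synchronized UTC clock; 'when' exists only so
        # the example can construct historical entries.
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {
            "user_id": user_id,        # who
            "event": event_type,       # type of event
            "ts": ts,                  # date and time
            "success": success,        # success/failure
            "affected": affected,      # identity or name of affected data
            "prev": self._prev_hash,   # link to the previous entry
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return i
            stripped = {k: v for k, v in e.items() if k != "hash"}
            if _digest(stripped) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def classify_retention(entries, now):
    """Split entries into online (<= 90 days), archive (<= 1 year) and expired."""
    online, archive, expired = [], [], []
    for e in entries:
        age = now - datetime.fromisoformat(e["ts"])
        if age <= timedelta(days=ONLINE_DAYS):
            online.append(e)
        elif age <= timedelta(days=RETAIN_DAYS):
            archive.append(e)
        else:
            expired.append(e)
    return online, archive, expired


def demo():
    """Build a small constructed trail, tamper with one entry, and classify ages."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("alice", "login", True, "pos-terminal-3", now - timedelta(days=400))
    trail.record("bob", "card_lookup", False, "cardholder-db", now - timedelta(days=200))
    trail.record("alice", "export", True, "cardholder-db", now - timedelta(days=10))
    intact_before = trail.verify() == -1
    trail.entries[1]["success"] = True      # simulate an after-the-fact edit
    tampered_index = trail.verify()
    online, archive, expired = classify_retention(trail.entries, now)
    return intact_before, tampered_index, len(online), len(archive), len(expired)


if __name__ == "__main__":
    print(demo())
```

The chain only detects alteration; it does not by itself prevent it, so in practice the entries would also be shipped to a write-once or separately administered log store, and the daily review called for above would include running the verification.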
PHISHING
Based on the idea that if you cast a large enough net, you are bound to catch some phish.
Frequently attacks come through emails asking a user to respond with information, click on an infected link, or visit a compromised website.
Be suspicious of unsolicited emails
Don't click on links. Go to the website through its known URL
Don't download attachments that aren't digitally signed
Report suspected phishing attempts to your security team
If it sounds too good to be true, it probably is.
PRETEXTING
An attacker uses the pretext that they have a legitimate need for the information.
For example, a credit card company calls and tells you that there has been a problem with your card. They then ask for your card number and other information.
A service rep calls and needs to reset your password because your system has been compromised.
An urgent need to gain access to a sensitive room due to a gas leak or some other environmental issue.
These attacks often use urgency as a tool to add pressure to the victim.
Follow company policy. When in doubt, refer to a supervisor to make the decision.
Be skeptical.
BAITING
Promising something good in exchange for an action or information.
A USB stick found in the parking lot might have interesting information on it.
PIGGYBACKING/TAILGATING
Entering a building directly behind someone who has used their credentials for access.
Often facilitated by users holding the door open for someone behind them.
Takes advantage of the fact that many people strive to be courteous.
Ask to see credentials, and if credentials can't be provided, escort to security.