12/2/2009
07:09 PM

Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel

Enterprises should rethink their approach to IT security, panelists say

WASHINGTON, D.C. -- Cyber Forensics: Digital CSI Event -- Here at the U.S. Spy Museum, breaches are taken seriously. And in a panel held here last night, four top security experts had some serious advice for enterprises and security professionals.

"Before Jan. 12, 2008, Heartland Payment Systems was not a very well-known company," said Robert Carr, chairman and CEO of Heartland, which revealed a breach of millions of credit card records on that date. "The future was looking good. But things changed very fast."

Carr and the other panelists warned attendees that breaches and compromises can happen quickly, without warning. "And once you've been hacked, you might as well paint a big red bull's-eye on your head because others will see that you have weaknesses, and they will come after you," said Jim Jaeger, director of cyber defense and forensics at General Dynamics Advanced Information Systems, which investigates major breaches and compromises at corporations and government agencies.

And if you're waiting for law enforcement to protect your company, you're making a mistake, said Dan Kaminsky, director of penetration testing at IOActive and one of the world's best-known ethical hackers. "There is a lot of money to be made [in cybercrime], and there are a lot of entrepreneurs out there, but we can't find them or bust them," he said. "Law is based on jurisdiction, and jurisdiction is based on geography. The Internet erases geographic boundaries. On the Internet, your next-door neighbor might be operating from half a world away."

If companies are going to defend themselves against the onslaught of attacks, panelists said, they need to change the way they approach the security problem. Carr observed that the Heartland breach -- which turned out to be one of some 300 compromises orchestrated by a single group of attackers -- might have been detected and stopped much earlier if companies and law enforcement agencies had shared what they knew about the malware, planted by way of SQL injection, that was responsible for the leaks.

"After it happened, I contacted the other payment systems companies and offered to share the malware with them so that they would know what to look out for," Carr said. "That was the beginning of something. We're now sharing data between us, even though many of us are bitter competitors in the market. Some of them ran scans for the malware and found it on their systems. We've had the FBI come to us and share malware with us, as well. These are things that might never have happened a year ago."

And if cybercriminals are to be caught, companies must share what they know with law enforcement agencies, which are often the only ones that can follow the bad guys to where they live, experts said.

"The recent indictment of eight people -- several of them Estonian nationals -- is a good example," said John Woods, a partner at the law firm of Hunton & Williams, which does legal forensics in post-breach situations. "We've seen a sea change within the FBI and Secret Service recently: Previously, they wanted companies to give them data, but they wouldn't give any feedback themselves. That's beginning to change now."

Aside from changing their attitudes about information sharing, enterprises should also reconsider their attitudes about hacks and threats, the experts said. While security professionals often turn their heads to look at innovative and "cool" attacks, most breaches stem from exploitation of known vulnerabilities for which patches are available, Jaeger said.

"Over the last two years, about 40 percent of the cases we've investigated have involved SQL injection," Jaeger said. "These are known vulnerabilities, nothing particularly creative, but they are very, very effective."
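Jaeger's "known vulnerabilities, nothing particularly creative" is the point worth pinning down, so here is the bug he is describing in concrete form. This is an added example, not code from the article, from Heartland or from any of the panelists: a merchant lookup written the vulnerable way (request input spliced into the SQL string) next to the parameterized fix, plus a crude triage scan of the kind of web-server log lines that carry such an attack. The table and column names, the card numbers and the log lines are all constructed for the illustration and correspond to no real system.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data (not from the article): a card-on-file table of the
# sort a payment application might query by merchant ID.
SAMPLE_ROWS = [
    ("alice", "4111111111111111", "2011-04"),
    ("bob", "5555555555554444", "2012-09"),
    ("carol", "378282246310005", "2010-12"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """The classic bug: request input is spliced into the SQL text, so a
    quote in the input closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT merchant, pan FROM cards WHERE merchant = '{merchant}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant: str) -> list:
    """The fix: the driver binds the value separately from the statement,
    so the same input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT merchant, pan FROM cards WHERE merchant = ?"
    return conn.execute(sql, (merchant,)).fetchall()


# A textbook tautology payload; against the vulnerable query it returns every row.
INJECTION = "x' OR '1'='1"

# Constructed web-server log lines (not real traffic) for the detection pass.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2009:10:01:02 +0000] "GET /portal/cards?merchant=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Nov/2009:10:01:07 +0000] "GET /portal/cards?merchant=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1536',
    '10.0.0.9 - - [12/Nov/2009:10:01:09 +0000] "GET /portal/cards?merchant=x%27%20UNION%20SELECT%20pan%2C1%20FROM%20cards-- HTTP/1.1" 200 1536',
    '10.0.0.7 - - [12/Nov/2009:10:02:00 +0000] "GET /portal/cards?merchant=bob HTTP/1.1" 200 511',
]

# Crude, high-recall indicators for a first triage pass; tune before relying on them.
_SQLI_PATTERNS = re.compile(
    r"""('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*drop\b|sleep\s*\()""",
    re.IGNORECASE,
)


def flag_sqli_requests(log_lines: list) -> list:
    """Return (client_ip, decoded_query) for requests whose query string,
    after URL decoding, matches one of the injection patterns above."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        query = unquote_plus(path.partition("?")[2])
        if _SQLI_PATTERNS.search(query):
            hits.append((ip, query))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, injected    :", lookup_vulnerable(db, INJECTION))
    print("parameterized, injected :", lookup_parameterized(db, INJECTION))
    for ip, q in flag_sqli_requests(SAMPLE_LOG):
        print("flag", ip, q)
```

The vulnerable lookup hands back the whole table for the tautology payload; the parameterized one returns nothing for the same string because the quote never reaches the SQL parser. The log scan is deliberately simple: the point of the panel's "share what to look out for" advice is that even a pattern this blunt, run over access logs, catches the routine injection attempts that the article says account for a large share of real breaches.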

Carr said the payment systems industry is using recent breaches to rethink their attitudes about encryption. "If the data was encrypted right from the beginning -- right from the mag stripe data's entry into the network -- then the data that hackers get would be mostly useless," he said. "We have to find ways to perform a reverse Rumpelstiltskin. We need to spin valuable data into straw so that what they get is not something they can use."

Companies also should be prepared for the possibility that even their best defenses will be compromised, the experts said. "At Heartland, we built a transaction network that was completely separate from our corporate network," Carr said. "But we were breached from the corporate network. It took the hackers about six months to find a way to get into our payment network from our corporate network, but they found it."

Heartland met all of the PCI security compliance standards, but became the victim of a malware attack anyway, Carr observed. Once the attack was detected, the payment systems company hired three different forensics companies to investigate, but the malware was not discovered for more than three months, he said.

"The bad guys developed a custom injection that was targeted directly at us," Carr said. "That's something that's very difficult to detect."

And this sort of complexity and difficulty of detection is not unusual, Kaminsky said. "Digital forensics is much harder than crime forensics," he said. "When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
