Guest Blog // Selected Security Content Provided By Sophos
3/19/2012 08:51 AM
Dark Reading
Lessons From Heartland Breach In Keeping Sensitive Data From Bad Guys

Substituting the inevitability of compromise for the notion of hacker-proof invincibility empowers IT, changes outcomes, and gives rise to resilient infrastructures

As an industry we're (mostly) good, sometimes great, at finding ways to prevent data from leaving our networks without authorization. In fact, by now our collective arsenal of solutions comes in every flavor, evolution, and scale you can imagine.

Still, no matter what you're using today or plan to use tomorrow, the assumption is that you always have something (namely, data) the "bad guys" want. But what would it mean to you and your business if there simply wasn't any valuable data to steal, if you could perform the equivalent of data alchemy by leaving any would-be hackers lead instead of gold?

My inspiration for this post was a recent interview with Heartland Payment Systems' CTO, Kris Herrin. In the Q&A, Herrin not only provides a real-world glimpse into how the card-processing giant has recovered since its infamous 2008 breach of more than 100 million customer credit and debit cards, but he also serves up valuable, even revelatory insights on how to make sensitive customer data vanish even before it can be breached.

While he dismisses outright the label of advanced persistent threat (APT) for the attack on his network, at least in the charged sense the media intends, Herrin concedes that persistence was the quality that most defined that breach: "We know that the very first breach to our corporate network was December 2007. It was detected at the time, and we believed it was cleaned up, but it wasn't completely. It turned out to be much more persistent than anyone thought. They spent a lot of time avoiding detection and finding new ways to move around laterally and get into information."

Moreover, he believes that "advanced" is not even the key that picks the lock. It is, as Herrin suggests, "the resources, time, effort and energy that hackers are willing to spend to try to get to your data. They won't just try a few times, quit and give up. They'll spend months and years mapping information about the network, mining data, studying the personnel database, finding the right person to spearphish. So to me, APT refers to any hacker that will spend a lot of time, effort and energy finding weaknesses, and once they're in, they'll insert multiple hooks and multiple ways to get back in."

That all seems pretty straightforward and consistent with how we believe hackers behave. But it's how companies, moving forward, should approach data security -- changing OUR behavior and OUR mindset -- that really opens up alternative outcomes that favor us instead of the bad guys.

The first tenet in this behavioral shift is to substitute inevitability for the notion of invincibility. As Herrin boldly asserts, assume your systems are compromised. Let that reality sink in; when you really think about it as a CSO (or as one of the CSO's direct reports), it makes a lot of sense. If you believe you're invulnerable, then you are less likely to be sensitive to anomalies occurring on your network. In fact, you may dismiss any changes in network performance or database availability as coincidence. Besides, "No one's getting on your network without you knowing about it" has always been your mantra and, as far as you're concerned, nothing has ever happened, at least on your watch, to change that outlook. And, after all, what data could hackers possibly be interested in on your network? Your company is far too small and the information it holds is of limited value.

If, on the other hand, you believe you've already been compromised, then you'll be more likely to pay attention to changes on your network, overt or otherwise. If there's one attribute our industry needs more of, it's suspicion of behaviors on our networks that look, or simply feel, out of place. In fact, I'll go so far as to contend that it's this very desensitization, even outright neglect of IT security, that actually enables vulnerability.

The second tenet Herrin fosters -- and really the most provocative tine of his multipronged approach -- is to get rid of the data they're after. In Herrin and Heartland's case, of course, that means "replacing sensitive data with tokens, encrypted values or other enabling technologies. These approaches will protect against threats not only from APT but also consumerization of IT, people bringing in their own iPhones, data moving to the cloud or employees getting into social media."

Bridging the first and second tenets, Herrin urges a mindset that concedes that, no matter how good your security solution, you simply can't protect every mobile device or stop downloads from an app store. Instead, he suggests "focusing your limited resources on ensuring that valuable data is safely handled so you don't have to worry about it being lost."

Herrin's third tenet is closely related to his second. Not only get rid of select data, but get rid of data you don't need to be handling at all. Herrin places in this category things like Social Security numbers, which at one time were used to identify a customer, and, for merchants and call centers, the full credit card number, which he argues should today be routinely replaced by tokens.

By integrating all three tenets -- assume you're already compromised, remove sensitive as well as incidental or legacy data, and apply end-to-end encryption -- the customer's transaction with a merchant is shielded from being breached, and both the merchant's and the processor's risk is dramatically reduced.
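The second and third tenets in working form, as an added example that is not Heartland's or Sophos' code: a small tokenization vault that hands the merchant a random token plus the last four digits, a data-minimization step that drops fields nobody needs (the SSN once used as a customer ID), and a leak check that scans a dump of the merchant-side records the way an attacker who stole them would. The in-memory vault stands in for a separately scoped, HSM-backed PAN store; the service names in the detokenization allow-list, the field allow-list, and the sample records are constructed for the demo, and the card numbers are standard test numbers.

```python
# Added example (not Heartland's or Sophos' code): tokenization vault plus
# data-minimization and leak-check helpers. Names, the in-memory vault and
# the sample records are assumptions made for illustration.
import json
import re
import secrets

# Services allowed to turn a token back into a PAN (assumption for the demo).
AUTHORIZED_DETOKENIZERS = {"settlement-svc", "chargeback-svc"}

# Fields a merchant-side customer record is allowed to keep (assumption).
CUSTOMER_ALLOWLIST = {"customer_id", "name", "email", "card_token", "card_last4"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs; the only place a full PAN is stored.

    In production the PAN store sits in a separate, PCI-scoped system with
    keys in an HSM; here it is an in-memory dict so the example runs offline.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}      # repeat purchases on one card share a token
        self.audit = []              # every detokenize attempt, allowed or not

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid PAN")
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        while True:
            # Random hex groups, hyphen-separated, so a token never contains a
            # digit run long enough to be mistaken for (or used as) a PAN.
            token = f"tok-{secrets.token_hex(4)}-{secrets.token_hex(4)}-{digits[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, requester: str, purpose: str) -> str:
        """Reversal is rare, restricted and logged; the merchant app is never on the list."""
        allowed = requester in AUTHORIZED_DETOKENIZERS
        self.audit.append(("ok" if allowed else "denied", requester, purpose, token))
        if not allowed:
            raise PermissionError(f"{requester} may not detokenize")
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores: token and last four (carried in the token), never the PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "card_last4": token[-4:], "amount_cents": amount_cents}


def minimize(record: dict) -> dict:
    """Third tenet: keep only allow-listed fields, dropping e.g. SSN and raw PAN."""
    return {k: v for k, v in record.items() if k in CUSTOMER_ALLOWLIST}


def find_pans(text: str) -> list:
    """Luhn-valid 13-19 digit runs, single spaces between groups allowed."""
    found = []
    for m in re.finditer(r"(?<!\d)(?:\d ?){12,18}\d(?!\d)", text):
        digits = m.group().replace(" ", "")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def leak_check(records: list) -> list:
    """Scan a JSON dump of merchant-side records as an attacker who stole it would."""
    return find_pans(json.dumps(records))


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample data; the PANs are standard test numbers.
    orders = [merchant_record(vault, "4111 1111 1111 1111", 1999),
              merchant_record(vault, "5555555555554444", 4500)]
    customer = minimize({"customer_id": "c-1001", "name": "A. Customer",
                         "ssn": "123-45-6789", "pan": "4111111111111111",
                         "card_token": orders[0]["card_token"], "card_last4": "1111"})
    print("PANs in stolen merchant data:", leak_check(orders + [customer]))
    print(vault.detokenize(orders[0]["card_token"], "settlement-svc", "settle"))
```

The point of the leak check is the "lead instead of gold" test: a copy of the merchant's database yields tokens and last-four digits only, and because the tokens never carry a digit run of thirteen or more they are neither usable for a transaction nor mistaken for card numbers by a PCI discovery scan. Reversal happens only on a separate, audited path that the web application is not on. The vault itself remains in PCI scope, so it is the one system whose storage must be encrypted with keys that an attacker on the merchant's network cannot reach.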

Herrin also believes that this approach applies equally to individuals wanting to make payments through mobile devices: "If you encrypt the data as soon as the card is swiped, you don't have to worry about the device at all because the technology ensures it's encrypted before it gets to the device."

While not all of us support brick-and-mortar stores or online commerce, I think Herrin's experience, insights, and knowledge on protecting data by making it vanish have lessons for us all.

Granted, it's hard to think of the networks we maintain and the data we store as vulnerable to a host of malware that we believe our (generally up-to-date) patches and antivirus will surely sniff out and snuff out. But that clearly isn't always the case, and we need to adapt our thinking to fit the reality.

While the industry at large isn't subject to strict PCI DSS requirements the way merchants are, cloud computing, virtualization, and mobile devices have given us a wider, if not deeper, playing field. By encrypting all data at all times, both at rest and in flight (and, by the way, that requirement extends to data stored in the cloud), you put the sensitive data hackers are interested in out of their reach, with one caveat a practitioner should keep in mind: encryption only removes the data from an attacker who cannot also get the key. If the key material sits on the same host you have already assumed to be compromised, the attacker gets the plaintext along with the ciphertext, so keys belong in a separate and more tightly controlled domain. By removing legacy data from our networks entirely, it becomes easier to manage server load and network congestion, and you remove the temptation for users to dip into data they don't need. By enforcing encryption policies for Bring Your Own Device (BYOD) and for spontaneous, unauthorized use of cloud storage services like Dropbox, you effectively keep sensitive data private and shielded from anyone on your network who isn't already authorized to access it.

Interestingly, the confluence of these dynamics points in a familiar direction. As security professionals, we talk a lot in this industry about reducing the attack surface. As Herrin detailed, using the strategies in place since the 2008 "incident" -- getting rid of the data where it's not needed and taking the data out of [PCI] scope -- "you can get to a much, much smaller risk profile if you focus on the data." In this context I think we're both singing from the same songbook; in any case, the desired outcome is the same.

While it's not strictly a fourth tenet, I think Herrin's parting words offer an insight that readily applies to every industry continually subject to data breaches, namely the sharing of knowledge.

Offering a nod to the Payments Processing Information Sharing Council he helped form, which reports on phishing attempts and the techniques used to combat them, Herrin believes the Heartland breach -- in spite of its scope, effectiveness, and duration -- was in many ways monolithic, in that the definitive indicators of the malware did not change. To Herrin this suggested the hackers had a limited set of tools from which they did not vary. Sharing that knowledge candidly helps other companies identify and mitigate the same threats.

"Two years in, this is a phenomenal group that shares threat intelligence on a daily basis ... Now, when there's an incident, there are people to reach out to, both for help and to see if they're also seeing things. Tearing down the walls and barriers is a must. We can't be silenced -- the bad guys are talking to each other all day long."

When you put it that way -- that communication and collaboration are stronger than the most persistent malware -- it's a difficult argument to refute.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, Web threats, endpoint and data protection, mobile security, cloud computing, and data center virtualization.
