Commentary Sophos Security Insights
Lessons From Heartland Breach In Keeping Sensitive Data From Bad Guys
Replacing the notion of hacker-proof invincibility with inevitability empowers IT, changes outcomes, and gives rise to resilient infrastructures
As an industry we're (mostly) good, sometimes great, at finding ways to try and prevent unauthorized data from leaving our network. In fact, by now our collective arsenal of solutions comes in every flavor, evolution and scale you can imagine.
Still, no matter what you're using today or plan to use tomorrow, the assumption is that you always have something (e.g., data) the "bad guys" want. But what would it mean to you and your business if there simply wasn't any valuable data to steal, to essentially perform the equivalent of data alchemy by giving any would-be hackers lead instead of gold?
My inspiration for this post was a recent interview with Heartland Payment Systems' CTO, Kris Herrin. In the Q&A, Herrin not only provides a real-world glimpse into how the card-processing giant has recovered since its infamous 2008 breach of more than 100 million customer credit and debit cards, but he also serves up valuable, even revelatory insights on how to make sensitive customer data vanish even before it can be breached.
While dismissing outright the attack on his network as an advanced persistent threat (APT), at least in the charged way the media intends, Herrin concedes that persistence was the quality that most defined that breach: "We know that the very first breach to our corporate network was December 2007. It was detected at the time, and we believed it was cleaned up, but it wasn't completely. It turned out to be much more persistent than anyone thought. They spent a lot of time avoiding detection and finding new ways to move around laterally and get into information."
Moreover, he believes that "advanced" is not even the key that picks the lock. It is, as Herrin suggests, "the resources, time, effort and energy that hackers are willing to spend to try to get to your data. They won't just try a few times, quit and give up. They'll spend months and years mapping information about the network, mining data, studying the personnel database, finding the right person to spear-phish. So to me, APT refers to any hacker that will spend a lot of time, effort and energy finding weaknesses, and once they're in, they'll insert multiple hooks and multiple ways to get back in."
That all seems pretty straightforward and consistent with how we believe hackers behave. But it's how companies, moving forward, should approach data security -- changing OUR behavior and OUR mindset -- that really opens up alternative outcomes that favor us, instead of the bad guys.
The first tenet in this behavioral shift is to replace the notion of invincibility with inevitability. As Herrin boldly asserts, assume your systems are compromised. Let that reality sink in: when you really think about it as a CSO (or an immediate charge), it makes a lot of sense. If you believe you’re invulnerable, then you are less likely to be sensitive to anomalies occurring on your network. In fact, you may dismiss any changes in network performance or database availability as coincidence. Besides, "No one's getting on your network without you knowing about it" has always been your mantra and, as far as you’re concerned, nothing has ever happened, at least on your watch, to change that outlook. And, after all, what data could hackers possibly be interested in on your network? Your company is far too small and the information it holds is of limited value.
If, on the other hand, you believe you've already been compromised, then you'll be more likely to pay attention to changes on your network, overt or otherwise. If there's one attribute our industry needs more of, it's being suspicious of behaviors occurring on our networks that look or simply feel out of place. In fact, I'll go so far as to contend it’s this very desensitization, even outright IT security neglect, that actually enables vulnerability.
The second tenet Herrin fosters -- and really the most provocative tine of his multipronged approach -- is to get rid of the data they're after. In Herrin and Heartland's case, of course, that means "replacing sensitive data with tokens, encrypted values or other enabling technologies. These approaches will protect against threats not only from APT but also consumerization of IT, people bringing in their own iPhones, data moving to the cloud or employees getting into social media."
Bridging the first and second tenets, Herrin urges a mindset that concedes no matter how good your security solution, you simply can't protect all mobile devices or stop downloads from an app store. Instead, he suggests "focusing your limited resources on ensuring that valuable data is safely handled so you don’t have to worry about it being lost."
Herrin's third tenet is closely related to his second. Not only get rid of select data, but get rid of data you don't need to be handling. Herrin places in this category things like Social Security numbers, which at one time were used to identify a customer, and, for merchants and call centers, the full credit card number, which today he argues requires routine replacement by tokens.
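As an added illustration of the second and third tenets (not code from Heartland, Herrin or the original column): a sketch that finds full card numbers in free text such as call-center notes and swaps them for random tokens, so the stored record no longer holds anything worth stealing. The `TokenVault` class, the token format and the sample note are assumptions made for this example; the card number is a publicly known test value.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample: a public test card number plus an unrelated order number.
SAMPLE_NOTE = "Paid by phone with 4111 1111 1111 1111, order ref 1234567890123456."


def luhn_ok(digits):
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory stand-in for the one system allowed to hold PANs."""

    def __init__(self):
        self.pan_to_token = {}
        self.token_to_pan = {}

    def tokenize(self, pan):
        if pan not in self.pan_to_token:
            # Random, not derived from the PAN; last four kept for support staff.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            self.pan_to_token[pan] = token
            self.token_to_pan[token] = pan
        return self.pan_to_token[pan]

    def detokenize(self, token):
        return self.token_to_pan[token]


def scrub(text, vault):
    """Replace each Luhn-valid card number in free text with its vault token."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return vault.tokenize(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print(scrub(SAMPLE_NOTE, TokenVault()))
```

The Luhn check is what keeps the order number in the note untouched; only the vault, which in practice would sit with the processor rather than the merchant, can map a token back to a card number.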
By integrating all three tenets -- assume you're (already) compromised, remove sensitive as well as incidental or legacy data, and apply end-to-end encryption -- the customer's transaction with a merchant is shielded from being breached, and both the merchant's and the processor's risk is dramatically reduced.
Herrin also believes that this approach can be unilaterally applied for individuals wanting to make payments through mobile devices: "If you encrypt the data as soon as the card is swiped, you don't have to worry about the device at all because the technology ensures it's encrypted before it gets to the device."
While not all of us support brick-and-mortar stores or online commerce, I think Herrin's experience, insights, and knowledge on protecting data by making it vanish has lessons for us all.
Granted, it's hard to think of the networks we maintain and the data we store as vulnerable to a host of malware that we believe our (generally updated) patches and antivirus will certainly sniff (and virtually snuff) out. But that clearly isn't always the case, and we need to adapt our thinking accordingly to fit the reality.
While the industry at large isn’t subject to strict PCI-DSS regulation as merchants are, thanks to cloud computing, virtualization, and mobile devices, our playing field has a wider if not deeper breadth. By encrypting all data at all times, both at-rest and in-flight (and, by the way, that requirement extends to data stored in the cloud), you remove any sensitive data hackers could be interested in. By removing legacy data from our networks entirely, it becomes easier to manage server traffic and network congestion and avoid user temptation. By enforcing encryption policies associated with Bring Your Own Device (BYOD) and spontaneous (e.g., nonauthorized) use of cloud storage services like Dropbox, you effectively keep sensitive data private and shielded from anyone on your network who isn't already preauthorized to access it.
Interestingly, the confluence of these dynamics points in a familiar direction. As security professionals, we talk a lot in this industry about reducing the attack surface. As Herrin detailed, using strategies in place since the 2008 "incident" -- getting rid of the data where it's not needed and taking the data out of [PCI] scope -- "you can get to a much, much smaller risk profile if you focus on the data." Contextually I think in this case we're both singing from the same songbook. In any case, the desired outcome is the same.
While it's not strictly a fourth tenet, I think Herrin's parting words offer an insight that readily applies to all industries that are continually subject to data breaches: the sharing of knowledge.
Offering a nod to the Payments Processing Information Sharing Council he helped form, which reports on phishing attempts and techniques used to combat them, Herrin believes the Heartland breach -- in spite of its comprehensiveness, efficacy, and duration -- in many ways was monolithic in that the definitive indicators (of malware) did not change. For Herrin it suggested the hackers had a limited set of tools from which they did not vary. Sharing that knowledge candidly helps other companies identify and mitigate threats.
"Two years in, this is a phenomenal group that shares threat intelligence on a daily basis ... Now, when there's an incident, there are people to reach out to, both for help and to see if they're also seeing things. Tearing down the walls and barriers is a must. We can't be silenced -- the bad guys are talking to each other all day long."
When you put it that way, that communication and collaboration are stronger than the most persistent malware, it's a difficult argument to refute.
Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, Web threats, endpoint and data protection, mobile security, cloud computing, and data center virtualization.