Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel

Enterprises should rethink their approach to IT security, panelists say

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 2, 2009


WASHINGTON, D.C. -- Cyber Forensics: Digital CSI Event -- Here at the U.S. Spy Museum, breaches are taken seriously. And in a panel held here last night, four top security experts had some serious advice for enterprises and security professionals.

"Before Jan. 12, 2008, Heartland Payment Systems was not a very well-known company," said Robert Carr, chairman and CEO of Heartland, which revealed a breach of millions of credit card records on that date. "The future was looking good. But things changed very fast."

Carr and the other panelists warned attendees that breaches and compromises can happen quickly, without warning. "And once you've been hacked, you might as well paint a big red bull's-eye on your head because others will see that you have weaknesses, and they will come after you," said Jim Jaeger, director of cyber defense and forensics at General Dynamics Advanced Information Systems, which investigates major breaches and compromises at corporations and government agencies.

And if you're waiting for law enforcement to protect your company, you're making a mistake, said Dan Kaminsky, director of penetration testing at IOActive and one of the world's best-known ethical hackers. "There is a lot of money to be made [in cybercrime], and there are a lot of entrepreneurs out there, but we can't find them or bust them," he said. "Law is based on jurisdiction, and jurisdiction is based on geography. The Internet erases geographic boundaries. On the Internet, your next-door neighbor might be operating from half a world away."

If companies are going to defend themselves against the onslaught of attacks, panelists said, they need to change the way they approach the security problem. Carr observed that the Heartland breach -- which turned out to be one of some 300 compromises orchestrated by a single group of attackers -- might have been detected and stopped much earlier if companies and law enforcement agencies had shared the information they had about the SQL injection malware that was responsible for the leaks.

"After it happened, I contacted the other payment systems companies and offered to share the malware with them so that they would know what to look out for," Carr said. "That was the beginning of something. We're now sharing data between us, even though many of us are bitter competitors in the market. Some of them ran scans for the malware and found it on their systems. We've had the FBI come to us and share malware with us, as well. These are things that might never have happened a year ago."

And if cybercriminals are to be caught, companies must share what they know with law enforcement agencies, which are often the only ones that can follow the bad guys to where they live, experts said.

"The recent indictment of eight people -- several of them Estonian nationals -- is a good example," said John Woods, a partner at the law firm of Hunton & Williams, which does legal forensics in post-breach situations. "We've seen a sea change within the FBI and Secret Service recently: Previously, they wanted companies to give them data, but they wouldn't give any feedback themselves. That's beginning to change now."

Aside from changing their attitudes about information sharing, enterprises should also reconsider their attitudes about hacks and threats, the experts said. While security professionals often turn their heads to look at innovative and "cool" attacks, most breaches stem from exploitation of known vulnerabilities for which patches are available, Jaeger said.

"Over the last two years, about 40 percent of the cases we've investigated have involved SQL injection," Jaeger said. "These are known vulnerabilities, nothing particularly creative, but they are very, very effective."
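Jaeger's point is that SQL injection is a known, well-understood defect with a known fix: never let user input become SQL syntax. The following is an added illustration (not code from the panel, Heartland, or General Dynamics) that puts a string-concatenated login query next to its parameterized form and runs both against a constructed in-memory SQLite table, so the difference in behaviour on a malformed username is visible rather than asserted. The table, the sample user row, and the function names are all constructed for this example.

```python
import sqlite3


def setup_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample row; a real system would store a salted password hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """The 'known vulnerability': input is spliced into the SQL text.

    A quote character in `username` terminates the string literal, and whatever
    follows is parsed as SQL, so the password clause can be disabled entirely.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """The fix: placeholders keep input as data, never as SQL syntax.

    The driver sends the statement and the values separately, so a quote or a
    comment marker in the input is compared as literal characters and cannot
    change the shape of the query.
    """
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def compare(username, password_hash):
    """Return (vulnerable_result, parameterized_result) for one input pair."""
    conn = setup_db()
    return (
        login_vulnerable(conn, username, password_hash),
        login_parameterized(conn, username, password_hash),
    )


if __name__ == "__main__":
    # Legitimate credentials succeed under both implementations.
    print("valid login      :", compare("alice", "hash-of-alice-pw"))
    # A username containing a quote and a SQL comment marker: the concatenated
    # query drops its password check, the parameterized one simply finds no row.
    print("malformed username:", compare("alice' --", "anything"))
```

The detection angle follows from the same property: a parameterized statement's text never varies with input, so query logs from a properly written application contain a small, fixed set of statement shapes, and any query text that embeds user-supplied characters is itself the finding.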

Carr said the payment systems industry is using recent breaches to rethink their attitudes about encryption. "If the data was encrypted right from the beginning -- right from the mag stripe data's entry into the network -- then the data that hackers get would be mostly useless," he said. "We have to find ways to perform a reverse Rumpelstiltskin. We need to spin valuable data into straw so that what they get is not something they can use."

Companies also should be prepared for the possibility that even their best defenses will be compromised, the experts said. "At Heartland, we built a transaction network that was completely separate from our corporate network," Carr said. "But we were breached from the corporate network. It took the hackers about six months to find a way to get into our payment network from our corporate network, but they found it."

Heartland met all of the PCI security compliance standards, but became the victim of a malware attack anyway, Carr observed. Once the attack was detected, the payment systems company hired three different forensics companies to investigate, but the malware was not discovered for more than three months, he said.

"The bad guys developed a custom injection that was targeted directly at us," Carr said. "That's something that's very difficult to detect."

And this sort of complexity and difficulty of detection is not unusual, Kaminsky said. "Digital forensics is much harder than crime forensics," he said. "When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened."


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
