Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel

Enterprises should rethink their approach to IT security, panelists say

WASHINGTON, D.C. -- Cyber Forensics: Digital CSI Event -- Here at the U.S. Spy Museum, breaches are taken seriously. And in a panel held here last night, four top security experts had some serious advice for enterprises and security professionals.

"Before Jan. 12, 2008, Heartland Payment Systems was not a very well-known company," said Robert Carr, chairman and CEO of Heartland, which revealed a breach of millions of credit card records on that date. "The future was looking good. But things changed very fast."

Carr and the other panelists warned attendees that breaches and compromises can happen quickly, without warning. "And once you've been hacked, you might as well paint a big red bull's-eye on your head because others will see that you have weaknesses, and they will come after you," said Jim Jaeger, director of cyber defense and forensics at General Dynamics Advanced Information Systems, which investigates major breaches and compromises at corporations and government agencies.

And if you're waiting for law enforcement to protect your company, you're making a mistake, said Dan Kaminsky, director of penetration testing at IOActive and one of the world's best-known ethical hackers. "There is a lot of money to be made [in cybercrime], and there are a lot of entrepreneurs out there, but we can't find them or bust them," he said. "Law is based on jurisdiction, and jurisdiction is based on geography. The Internet erases geographic boundaries. On the Internet, your next-door neighbor might be operating from half a world away."

If companies are going to defend themselves against the onslaught of attacks, panelists said, they need to change the way they approach the security problem. Carr observed that the Heartland breach -- which turned out to be one of some 300 compromises orchestrated by a single group of attackers -- might have been detected and stopped much earlier if companies and law enforcement agencies had shared the information they had about the SQL injection malware that was responsible for the leaks.

"After it happened, I contacted the other payment systems companies and offered to share the malware with them so that they would know what to look out for," Carr said. "That was the beginning of something. We're now sharing data between us, even though many of us are bitter competitors in the market. Some of them ran scans for the malware and found it on their systems. We've had the FBI come to us and share malware with us, as well. These are things that might never have happened a year ago."

And if cybercriminals are to be caught, companies must share what they know with law enforcement agencies, which are often the only ones that can follow the bad guys to where they live, experts said.

"The recent indictment of eight people -- several of them Estonian nationals -- is a good example," said John Woods, a partner at the law firm of Hunton & Williams, which does legal forensics in post-breach situations. "We've seen a sea change within the FBI and Secret Service recently: Previously, they wanted companies to give them data, but they wouldn't give any feedback themselves. That's beginning to change now."

Aside from changing their attitudes about information sharing, enterprises should also reconsider their attitudes about hacks and threats, the experts said. While security professionals often turn their heads to look at innovative and "cool" attacks, most breaches stem from exploitation of known vulnerabilities for which patches are available, Jaeger said.

"Over the last two years, about 40 percent of the cases we've investigated have involved SQL injection," Jaeger said. "These are known vulnerabilities, nothing particularly creative, but they are very, very effective."

Carr said the payment systems industry is using recent breaches to rethink their attitudes about encryption. "If the data was encrypted right from the beginning -- right from the mag stripe data's entry into the network -- then the data that hackers get would be mostly useless," he said. "We have to find ways to perform a reverse Rumpelstiltskin. We need to spin valuable data into straw so that what they get is not something they can use."

Companies also should be prepared for the possibility that even their best defenses will be compromised, the experts said. "At Heartland, we built a transaction network that was completely separate from our corporate network," Carr said. "But we were breached from the corporate network. It took the hackers about six months to find a way to get into our payment network from our corporate network, but they found it."

Heartland met all of the PCI security compliance standards, but became the victim of a malware attack anyway, Carr observed. Once the attack was detected, the payment systems company hired three different forensics companies to investigate, but the malware was not discovered for more than three months, he said.

"The bad guys developed a custom injection that was targeted directly at us," Carr said. "That's something that's very difficult to detect."

And this sort of complexity and difficulty of detection is not unusual, Kaminsky said. "Digital forensics is much harder than crime forensics," he said. "When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
PUBLISHED: 2019-05-17
Typora (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...