

Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel

Enterprises should rethink their approach to IT security, panelists say

WASHINGTON, D.C. -- Cyber Forensics: Digital CSI Event -- Here at the U.S. Spy Museum, breaches are taken seriously. And in a panel held here last night, four top security experts had some serious advice for enterprises and security professionals.

"Before Jan. 12, 2008, Heartland Payment Systems was not a very well-known company," said Robert Carr, chairman and CEO of Heartland, which revealed a breach of millions of credit card records on that date. "The future was looking good. But things changed very fast."

Carr and the other panelists warned attendees that breaches and compromises can happen quickly, without warning. "And once you've been hacked, you might as well paint a big red bull's-eye on your head because others will see that you have weaknesses, and they will come after you," said Jim Jaeger, director of cyber defense and forensics at General Dynamics Advanced Information Systems, which investigates major breaches and compromises at corporations and government agencies.

And if you're waiting for law enforcement to protect your company, you're making a mistake, said Dan Kaminsky, director of penetration testing at IOActive and one of the world's best-known ethical hackers. "There is a lot of money to be made [in cybercrime], and there are a lot of entrepreneurs out there, but we can't find them or bust them," he said. "Law is based on jurisdiction, and jurisdiction is based on geography. The Internet erases geographic boundaries. On the Internet, your next-door neighbor might be operating from half a world away."

If companies are going to defend themselves against the onslaught of attacks, panelists said, they need to change the way they approach the security problem. Carr observed that the Heartland breach -- which turned out to be one of some 300 compromises orchestrated by a single group of attackers -- might have been detected and stopped much earlier if companies and law enforcement agencies had shared the information they had about the SQL injection malware that was responsible for the leaks.

"After it happened, I contacted the other payment systems companies and offered to share the malware with them so that they would know what to look out for," Carr said. "That was the beginning of something. We're now sharing data between us, even though many of us are bitter competitors in the market. Some of them ran scans for the malware and found it on their systems. We've had the FBI come to us and share malware with us, as well. These are things that might never have happened a year ago."

And if cybercriminals are to be caught, companies must share what they know with law enforcement agencies, which are often the only ones that can follow the bad guys to where they live, experts said.

"The recent indictment of eight people -- several of them Estonian nationals -- is a good example," said John Woods, a partner at the law firm of Hunton & Williams, which does legal forensics in post-breach situations. "We've seen a sea change within the FBI and Secret Service recently: Previously, they wanted companies to give them data, but they wouldn't give any feedback themselves. That's beginning to change now."

Aside from changing their attitudes about information sharing, enterprises should also reconsider their attitudes about hacks and threats, the experts said. While security professionals often turn their heads to look at innovative and "cool" attacks, most breaches stem from exploitation of known vulnerabilities for which patches are available, Jaeger said.

"Over the last two years, about 40 percent of the cases we've investigated have involved SQL injection," Jaeger said. "These are known vulnerabilities, nothing particularly creative, but they are very, very effective."

Carr said the payment systems industry is using recent breaches to rethink its attitude toward encryption. "If the data was encrypted right from the beginning -- right from the mag stripe data's entry into the network -- then the data that hackers get would be mostly useless," he said. "We have to find ways to perform a reverse Rumpelstiltskin. We need to spin valuable data into straw so that what they get is not something they can use."

Companies also should be prepared for the possibility that even their best defenses will be compromised, the experts said. "At Heartland, we built a transaction network that was completely separate from our corporate network," Carr said. "But we were breached from the corporate network. It took the hackers about six months to find a way to get into our payment network from our corporate network, but they found it."

Heartland met all of the PCI security compliance standards, but became the victim of a malware attack anyway, Carr observed. Once the attack was detected, the payment systems company hired three different forensics companies to investigate, but the malware was not discovered for more than three months, he said.

"The bad guys developed a custom injection that was targeted directly at us," Carr said. "That's something that's very difficult to detect."

And this sort of complexity and difficulty of detection is not unusual, Kaminsky said. "Digital forensics is much harder than crime forensics," he said. "When there's a murder, there's a body. There's evidence everywhere. In digital forensics, there's no body. You might not even know there has been a murder until months after it happened."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
