Security check – Heartland Payment Systems EASy Security Project: Part 2 -- Analysis of the Security Incident using COBIT (DS5: Ensure Systems Security)
5.1 Manage Security Measures
We think this breach would not have happened if the security measures had been designed with every aspect of the processing environment taken into consideration, and then constantly monitored and updated as needed. According to Brian Krebs of the Washington Post, the cause was “A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.” Had the security measures been managed properly and applied in the right areas (or all areas, for that matter), planting malicious code inside the organization's processing infrastructure would have been far harder, and its presence far more likely to be noticed. IT security should be managed so that security measures are in line with business requirements. An IT security plan should cover translating the risk assessment into controls, implementing those controls, monitoring the plan, and aligning it with all policies and procedures within the organization.
5.2 Identification and Authentication
If strong authentication methods are used and credentials are rotated regularly (usernames, passwords, authentication methods and the surrounding security settings reviewed on a schedule), it becomes harder for an outsider to pass as a regular user and reach internal operations. For administrative access to a payment processing network this means more than a password: a second factor, so that a captured or guessed password alone is not enough. Access to and use of IT computing and infrastructure resources should be restricted through strong identification, authentication and authorization mechanisms and techniques.
5.3 Security of Online Access to Data
This is probably the most important control for this incident. Not only does network access from internal operations need to be secured, but access from outside the company boundary as well. Intruders keep finding ways into an organization's network from outside, so the strongest available measures need to be in place to stop them, and the network needs to be monitored around the clock: traffic analyzed continuously, and any suspicious behaviour logged and investigated. The Washington Post, quoting Robert H.B. Baldwin Jr., Heartland's president and chief financial officer, reported: “Heartland was alerted in the late autumn to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.” In other words, the card brands' fraud monitoring noticed the problem before Heartland did; an intruder, whether inside or outside, should have been detected by Heartland itself.
5.4 User Account Management
Management and supervisors of Heartland's infrastructure teams should have established strict procedures for user account control. Formal procedures for requesting, establishing, issuing, suspending and closing employee user accounts ensure that every account is managed and keep intruders from hijacking stray accounts to steal data. Formal approvals need to be issued for all changes to user accounts, and any third-party access to internal accounts needs to be governed contractually. This protects the accounts of Heartland's employees.
5.5 Management Review of User Accounts
The attackers' initial entry point was a basic SQL injection flaw in a web application; from there they worked their way into the payment processing network where the sniffer was planted. This puts into question the control that confirms access rights. A review of user accounts and of the objects each is authorized to access might have alerted Heartland's security auditors early, when the injected SQL began reaching data and systems that the web application's database account should never have been able to touch. The absence of this control allowed the breach to go undetected until the card companies' fraud control processes noticed it much later and notified Heartland. Periodic comparison of resources with recorded accountability should be carried out to reduce the risk of fraud or of unauthorized alteration of software code or SQL.
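The SQL injection flaw named above is the kind of defect an account review catches only after the fact, but it is cheaply preventable at the code level. The following is an added example, not code from the Heartland report or from Heartland's systems: a merchant lookup run against an in-memory SQLite database, written once with the user's input spliced into the query text and once with it bound as a parameter. The table, its columns, the merchant rows and the injected input are all constructed for the example; the report does not say what the actual vulnerable query looked like.

```python
"""Added example (not from the Heartland report): a SQL query built by string
concatenation beside the parameterized form, run against an in-memory SQLite
database. Table, columns, rows and the injected input are all constructed."""
import sqlite3

# Constructed sample data for a web-facing "merchant lookup" that should only
# ever return the one row matching the name the user typed.
SAMPLE_MERCHANTS = [
    ("Acme Grocery", "MID-1001", "acct-ref-77a1"),
    ("Bay Diner", "MID-1002", "acct-ref-3f09"),
    ("Cedar Fuel", "MID-1003", "acct-ref-b2c4"),
    ("O'Neil Cafe", "MID-1004", "acct-ref-9d0e"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchant (name TEXT, merchant_id TEXT, account_ref TEXT)"
    )
    conn.executemany("INSERT INTO merchant VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flawed pattern: user input becomes part of the SQL text, so the input
    can change the structure of the query rather than just a value in it."""
    sql = (
        "SELECT name, merchant_id, account_ref FROM merchant WHERE name = '"
        + name + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The hardened pattern: the SQL text is fixed and the input is bound as a
    parameter, so whatever the user typed is compared as a literal string."""
    sql = "SELECT name, merchant_id, account_ref FROM merchant WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A classic tautology payload: closes the string literal the query opened and
# appends a condition that is true for every row.
INJECTED_NAME = "' OR '1'='1"


def vulnerable_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """A legitimate name containing a quote is enough to break the concatenated
    query; the property the attacker exploits also shows up as an ordinary bug."""
    try:
        lookup_vulnerable(conn, "O'Neil Cafe")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> dict:
    """Run both lookups with a normal name and with the injected input."""
    conn = setup_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "Bay Diner"),
        "normal_safe": lookup_safe(conn, "Bay Diner"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTED_NAME),
        "injected_safe": lookup_safe(conn, INJECTED_NAME),
        "apostrophe_safe": lookup_safe(conn, "O'Neil Cafe"),
        "apostrophe_breaks_vulnerable": vulnerable_breaks_on_apostrophe(conn),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The injected input returns every merchant's account reference from the concatenated query and nothing from the parameterized one, because the parameter is compared as a string that happens to contain quote characters. The same is true of any database driver: the fix is to keep query text constant and pass values separately, and to give the web application's database account no more rights than that lookup needs.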
5.6 User Control of User Accounts
If the attackers gained access to a user account with enough privilege to implant the malware that caused the breach, this control could have provided mechanisms to notify the user of abnormal activity or unusual timestamps on that account. That might have alerted the user the first time he or she logged in after the unusual activity occurred, starting a chain reaction of alerts to security, the third-party card companies and the authorities. Systematic controls on user activity, especially database activity, might have helped to mitigate this incident.
5.7 Security Surveillance
Security surveillance should be in place to recognize patterns based on historical data. The installation of the malicious code, and its consequences, should have been detected, the code removed, and the environment monitored afterwards to make sure it did not recur. Effective and efficient investigation of the breach did take place once it was known: Heartland called in the U.S. Secret Service and hired two breach forensics teams, which is when the malicious code surfaced. Heartland's IT security administration should have ensured that security activity was logged and that any indication of a security incident was reported.
5.9 Central Identification and Access Rights Management
Broad access to data, in this case sensitive card data, was possible. Controls that enforce access rights to data and establish ownership through a central identification process might have prevented the intruders from reaching this data. In this incident it was possible for intruders to access the system and implant code; with a central authorization routine in place, that might not have been possible. This control establishes the identity of systems and the ownership and management of data in a unique, central manner.
5.10 Violation and Security Activity Reports
System abuse and security violations cannot be allowed to go undetected, and security breaches cannot be allowed to continue for a prolonged period. Here the malicious code and the damage it caused went on for months: by Heartland's later account the data capture began in May 2008, and the malware was not found until January 2009. This should not have happened. The breach should have been detected and logged, security incidents reviewed, and exceptions followed up to find root causes. Appropriate reporting and escalation need to be in place so that a breach is detected early and followed up, ensuring no further damage is done and fixes are put in place to prevent recurrence.
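Sections 5.6, 5.7 and 5.10 all ask for the same mechanism: a baseline of normal account activity built from historical records, with deviations turned into report entries that someone follows up. The block below is an added example of that mechanism, not anything from Heartland's environment or from the report: it builds a per-user profile of login hours and source addresses from constructed history lines, then reviews a batch of constructed recent lines against it. The log format, account names, addresses and timestamps are invented for the example.

```python
"""Added example of the baseline-and-report mechanism sections 5.6, 5.7 and
5.10 call for. Not from the Heartland report; the log format, account names,
source addresses and timestamps are all constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed history: routine logins for two accounts over a few days.
HISTORY = """\
2008-10-06T09:02:11 user=j.ops src=10.20.4.15 action=login result=ok
2008-10-07T08:57:40 user=j.ops src=10.20.4.15 action=login result=ok
2008-10-08T09:10:03 user=j.ops src=10.20.4.16 action=login result=ok
2008-10-06T13:30:25 user=dbsvc src=10.20.9.7 action=login result=ok
2008-10-07T13:31:02 user=dbsvc src=10.20.9.7 action=login result=ok
2008-10-08T13:29:48 user=dbsvc src=10.20.9.7 action=login result=ok
"""

# Constructed recent activity to review against that baseline.
RECENT = """\
2008-11-03T09:05:12 user=j.ops src=10.20.4.15 action=login result=ok
2008-11-03T02:14:07 user=dbsvc src=10.20.9.7 action=login result=ok
2008-11-04T13:30:10 user=dbsvc src=172.16.50.2 action=login result=ok
2008-11-04T03:41:55 user=j.ops src=198.51.100.23 action=login result=fail
2008-11-04T03:42:03 user=j.ops src=198.51.100.23 action=login result=ok
"""


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baseline(log_text: str) -> dict:
    """Per user: the hours of day and source addresses seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set()})
    for line in log_text.splitlines():
        e = parse(line)
        if e["result"] == "ok":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["sources"].add(e["src"])
    return baseline


def hours_apart(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def review(log_text: str, baseline: dict, tolerance: int = 1) -> list:
    """Compare recent events with the baseline and return report entries.
    A login is flagged when its hour is more than `tolerance` hours from every
    hour previously seen for that user, when it comes from an address the user
    has never used, or when it failed: a failure followed by a success from a
    new address is the signature of a guessed or stolen credential."""
    alerts = []
    for line in log_text.splitlines():
        e = parse(line)
        profile = baseline.get(e["user"], {"hours": set(), "sources": set()})
        reasons = []
        if all(hours_apart(e["ts"].hour, h) > tolerance for h in profile["hours"]):
            reasons.append("unusual hour")
        if e["src"] not in profile["sources"]:
            reasons.append("new source address")
        if e["result"] != "ok":
            reasons.append("failed login")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"],
                           "src": e["src"], "reasons": reasons})
    return alerts


def demo() -> list:
    """Build the baseline from HISTORY and review RECENT against it."""
    return review(RECENT, build_baseline(HISTORY))


if __name__ == "__main__":
    for a in demo():
        print(f"{a['ts']} {a['user']} from {a['src']}: {', '.join(a['reasons'])}")
```

Run over the constructed input, the review flags the service account logging in at two in the morning, the same account appearing from an address it has never used, and a failed-then-successful login for the operations account at three in the morning from an outside address. A real deployment would feed such entries to the account owner (section 5.6) and to the security team's escalation path (section 5.10) rather than print them, and would build the baseline from weeks of records rather than a handful of lines.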
5.11 Incident Handling
Instead of merely meeting the PCI requirements, Heartland should have focused on implementing an end-to-end incident handling procedure, together with end-to-end security and encryption of all sensitive data, to ensure an appropriate, effective and timely response to incidents such as this one. Heartland claimed to meet and exceed all required PCI standards, spending considerable effort on producing reports and implementing to specification. The opportunity cost was less attention to end-to-end security, encryption, and immediate incident reporting, monitoring and procedures. The Heartland incident also showed that compliance with a standard such as PCI DSS says little unless that compliance is monitored continuously and incidents are responded to quickly: an assessment is a point-in-time snapshot, and an intrusion that begins after it, or a control that lapses after it, is not caught by the certificate.
5.12 Reaccreditation
The software that was planted went undetected for months. Reaccreditation means updating the formally approved security level and re-accepting the residual risk. Had the security levels and the accepted risk been revisited more often, Heartland might have been able to prevent this incident: re-evaluating security finds holes that were overlooked, and taking a fresh look at the environment might also have turned up the planted software before anyone else did.
5.14 Transaction Authorization
If stronger cryptographic techniques had been used to protect and verify transactions, the planted software might have been unable to record useful data, or unable to record anything intelligible at all. Proper authentication ensures that only the correct parties can access sensitive information, and cryptographic techniques give better assurance that a user's claimed identity is genuine. The planted software eavesdropped on transaction data after it had been authenticated, as it travelled in the clear across the processing network. With the card data encrypted end to end, what the software recorded would have been ciphertext, meaningless without the cryptographic key, and that key should never be present on the network segments the malware could reach.
5.15 Nonrepudiation
To make transactions as secure as possible, you need to ensure that, where appropriate, a transaction cannot be denied by either party: nonrepudiation of origin and of receipt, with proof of submission and proof of receipt. This is achieved with digital signatures; a hash on its own proves only that data was not altered, not who produced it, since anyone can compute a hash. The weak point of digital signatures is the private key: if it is not safeguarded by its owner it can fall into the wrong hands, and whoever holds it can produce signatures indistinguishable from the owner's, which is a major concern because the signature then no longer proves who acted.
5.16 Trusted Path
When handling card data you need to ensure that the sensitive data is exchanged only over a trusted path. At Heartland this trusted path was breached, which allowed the software to record the transactions being sent for processing. To keep the path from being breached, strong encryption needs to be used between users and systems, end to end, so that a compromised intermediate host sees only ciphertext. Heartland also needs to ensure that its trusted path cannot be spoofed or corrupted, which means authenticating both ends of the path, not just encrypting the link.
5.17 Protection of Security Functions
It is clear that Heartland's protection and security functions were breached by the data-stealing programs the thieves planted. Achieving end-to-end protection is challenging because of the many diverse endpoints in a transaction lifecycle (point-of-sale terminals, databases, mainframes and payment networks), all of which need to be protected from corruption. As Heartland itself put it when describing its End-to-End Encryption solution: “Key management is a critical aspect of all encryption systems and through our partnership with Thales we are able to enhance our End-to-End Encryption solution to protect key management functions and other cryptographic operations in a tamper resistant and security certified environment – an essential requirement in the payments market.”
5.18 Cryptographic Key Management
Voltage Security, whose technology Heartland adopted for its End-to-End Encryption solution, describes the integration as allowing customers to apply hardened data protection at virtually any point along the data path, helping to achieve the goal of end-to-end protection, and as reducing the time and complexity of deploying data protection while significantly limiting the scope of security audits, so that the burden of demonstrating regulatory and internal compliance is reduced. With this type of protection in place, the thieves would not have been able to read the data they captured. End-to-end encryption is increasingly the leading method of securing data throughout the payment stream and for enterprise security applications. For organizations subject to PCI DSS (the Payment Card Industry Data Security Standard), keeping the keys in hardware security modules (HSMs) further reduces the scope of PCI audits, because systems that only ever handle ciphertext and never hold a key can be argued out of scope.
5.19 Malicious Software Prevention, Detection and Correction
With its End-to-End Encryption programme, Heartland is raising the bar in retail payments security beyond existing security mandates, protecting cardholder data and sensitive authentication data throughout the payment process. Encryption does not stop malware from being planted, but it changes what malware on the processing network can achieve: a sniffer sitting between the terminal and the HSM that holds the keys captures only ciphertext. Heartland said of the deployment: “The Voltage solution integrated and just works, and in a matter of weeks rather than months, delivered the data protection and key management that Heartland needs to move the payments industry forward.”
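Sections 5.14 through 5.19 all rest on one claim: that a sniffer on the processing network captures only ciphertext when card data is encrypted at the terminal and decrypted only inside the processor's HSM, and that a signed transaction record cannot later be disowned. The block below is an added example of that claim, not Heartland's E3 code and not a Voltage or Thales product. It uses AES-GCM and Ed25519 from the third-party Python package cryptography as stand-ins for the actual E3 cipher suite and key management, which the report does not detail; the POS key is generated in software here, whereas in a real deployment it is injected into the terminal and held in the processor's HSM. The card number is the standard 4111 test value, the merchant and amounts are constructed, and the sniffer is reduced to a substring search for the card number.

```python
"""Added example: card data in the clear versus end-to-end encrypted, as seen
by a sniffer on the processing network, plus a signed transaction record.
Not Heartland's, Voltage's or Thales's code. AES-GCM and Ed25519 stand in for
the real E3 cipher suite; the POS key is generated in software for the demo.
Requires the third-party 'cryptography' package."""
import json
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

TEST_PAN = "4111111111111111"  # standard test card number, not a real account


def pos_send_plaintext(pan: str, amount_cents: int) -> bytes:
    """Pre-E3 situation: the authorization request carries the PAN in the clear."""
    return json.dumps({"pan": pan, "amount": amount_cents}).encode()


def pos_send_encrypted(pan: str, amount_cents: int, pos_key: bytes) -> bytes:
    """E3-style request: the PAN is sealed at the terminal under the POS key.
    The amount travels as authenticated associated data, so routing systems can
    read it but nobody can alter it without the HSM noticing."""
    nonce = os.urandom(12)  # AES-GCM needs a fresh nonce for every message
    header = json.dumps({"amount": amount_cents}, sort_keys=True).encode()
    sealed = AESGCM(pos_key).encrypt(nonce, pan.encode(), header)
    return json.dumps({"header": header.decode(), "nonce": nonce.hex(),
                       "sealed_pan": sealed.hex()}).encode()


def sniffer_finds_pan(captured: bytes, pan: str) -> bool:
    """What a memory-resident sniffer on the processing network effectively does:
    look for card-number-shaped data in passing traffic. Reduced to a substring check."""
    return pan.encode() in captured


def hsm_open(captured: bytes, pos_key: bytes) -> tuple:
    """Decryption happens only where the key lives: inside the processor's HSM.
    Raises InvalidTag if the ciphertext or the amount header was tampered with."""
    msg = json.loads(captured)
    header = msg["header"].encode()
    pan = AESGCM(pos_key).decrypt(
        bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["sealed_pan"]), header
    ).decode()
    return pan, json.loads(header)["amount"]


def hsm_rejects_altered_amount(captured: bytes, pos_key: bytes) -> bool:
    """Change the amount in transit and confirm the HSM refuses the message."""
    msg = json.loads(captured)
    msg["header"] = json.dumps({"amount": 1}, sort_keys=True)
    try:
        hsm_open(json.dumps(msg).encode(), pos_key)
        return False
    except InvalidTag:
        return True


def canonical(record: dict) -> bytes:
    """Signer and verifier must serialize the record identically."""
    return json.dumps(record, sort_keys=True).encode()


def sign_record(signing_key: Ed25519PrivateKey, record: dict) -> bytes:
    """Nonrepudiation of origin: the submitter signs with a private key only it
    holds. A bare hash would prove integrity, not who submitted the record."""
    return signing_key.sign(canonical(record))


def verify_record(public_key: Ed25519PublicKey, record: dict, signature: bytes) -> bool:
    """True only if the signature matches this exact record under this key."""
    try:
        public_key.verify(signature, canonical(record))
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    """Run the whole scenario and return the observable outcomes."""
    pos_key = AESGCM.generate_key(bit_length=256)
    clear = pos_send_plaintext(TEST_PAN, 4250)
    sealed = pos_send_encrypted(TEST_PAN, 4250, pos_key)
    merchant_key = Ed25519PrivateKey.generate()
    record = {"merchant": "MID-1001", "amount": 4250, "auth_code": "A1B2C3"}
    signature = sign_record(merchant_key, record)
    return {
        "sniffer_sees_pan_in_clear": sniffer_finds_pan(clear, TEST_PAN),
        "sniffer_sees_pan_in_e3": sniffer_finds_pan(sealed, TEST_PAN),
        "hsm_recovers": hsm_open(sealed, pos_key),
        "altered_amount_rejected": hsm_rejects_altered_amount(sealed, pos_key),
        "genuine_record_verifies": verify_record(merchant_key.public_key(), record, signature),
        "altered_record_verifies": verify_record(
            merchant_key.public_key(), dict(record, amount=425), signature),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sniffer finds the card number in the plaintext request and not in the sealed one, the HSM recovers it and rejects a message whose amount was altered in transit, and the merchant's signature verifies only over the record exactly as submitted. What the example cannot show is the part that makes the scheme hold up operationally, which is the key management the report's sections 5.17 and 5.18 stress: the POS key and the signing key have to be generated, stored and used inside tamper-resistant hardware, so that no host on the processing network ever has them to lose.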
5.20 Firewall Architectures and Connections with Public Networks
When Heartland was breached, its firewall architecture was obviously not where it should have been: the intrusion came in through a public-facing web application, and the attackers were then able to reach the payment processing network from it, which a properly segmented architecture, with the processing network isolated from the web tier and from the Internet, is meant to prevent. Heartland is now active in the standards community and in the PCI Security Standards Council. Voltage Security, for its part, maintains as a service to the industry and the general public the Voltage Data Breach Index and Map, which is continuously updated with global data breach information; Voltage has been issued several patents based on research in mathematics and cryptographic systems, and its customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government.
The organization must become, and remain, PCI DSS compliant. For merchants looking for a good place to start, four essential actions address the most common vulnerabilities found on networks today:
1. Do not allow unsecured access from the Internet or from wireless networks to your computers.
2. Block internal computers and data transfer protocols from reaching the Internet except for the sites and ports that business functions require, so that planted malware has no easy path for sending captured data out.
3. Make sure that any POS software that stores card data is secure, and store as little card data as possible.
4. Make sure that the level of security in place is verifiable, so that it can be demonstrated to an assessor and relied on when mounting a defense.