Security Check: Heartland Payment Systems EASy Security Project, Part 3: Synthesis Through Recommended Changes in Control Practice
Summary of Audit Objectives
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.5 Management Review of User Accounts
5.7 Security Surveillance
5.9 Central Identification and Access Rights Management
5.10 Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.1 Manage Security Measures
Control Objective: IT security should be managed such that security measures are in line with business requirements. This includes:
1) Translating risk assessment information into the IT security plans.
2) Implementing the IT security plan.
3) Updating the IT security plan to reflect changes in the IT configuration.
4) Assessing the impact of change requests on IT security.
5) Monitoring the implementation of the IT security plan.
6) Aligning IT security procedures with other policies and procedures.
Recommendation: The security breach at Heartland Payment Systems would not have happened if its security measures had been properly assessed, with all aspects of business and security risk taken into consideration when the company's security measures were created. Heartland needs to implement (or reorganize) its IT security measures to ensure proper protection for cardholder and company data. I recommend that Heartland hire a penetration testing organization for intrusion detection testing.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams, third-party auditing company
Procedures? Create a sufficient IT security plan to keep Heartland Payment Systems data safe.
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Cost of employee labor, cost of an auditor and penetration tester
5.2 Identification, Authentication and Access
Control Objective: The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources, and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).
Recommendation: We recommend that Heartland Payment Systems implement new identification, authorization, authentication, and access procedures to monitor the users that are traversing the Heartland network. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. (Payment Card Industry (PCI) Data Security Standard, 2010)
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implementation of a secure user authentication procedure
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Labor costs
5.3 Security of Online Access to Data
Control Objective: In an online IT environment, IT management should implement procedures, in line with the security policy, that provide access security control based on the individual's demonstrated need to view, add, change or delete data.
Recommendation: Heartland Payment Systems has a problem with online access to data: intruders from outside company boundaries were able to reach Heartland's internal operations. Heartland's response to its data breach rested on two pillars aimed at the merchant acquiring and processing side of the payment system: improve data sharing and better secure data, particularly data in transit (Cheney, 2010). I recommend that Heartland implement end-to-end encryption (to secure data in transit) and tokenization. Tokenization is a way for merchants to protect credit card information (Cheney, 2010). The process replaces card data after authorization with randomized numbers, which are useless to thieves. The real data (credit card information) is then deleted from the merchant's database (Metzger, 2010). End-to-end encryption is the process of encrypting a message (credit card data) from one end of the communication medium to the other.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implement end-to-end encryption between data links, and implement token technology.
Hardware? Existing hardware
Software? Tokenization software, encryption software (can be hardware based, using existing hardware equipment)
Telecommunications? None
Cost? Software cost, labor costs
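The tokenization flow described in the recommendation above, as an added example that is not Heartland's code or any vendor's product: a processor-side token vault hands the merchant a random token after authorization, and the merchant stores only the token. The class and function names, the keyed-hash index, and the sample card number (a standard test number) are assumptions made for illustration; the card-network authorization step is stubbed out.

```python
"""Tokenization demo (added example; not Heartland's or a vendor's code).

A token vault held by the processor maps a random token to the real card
number (PAN). The merchant keeps only the token, so a compromise of the
merchant database yields nothing a thief can use.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test, as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault. Tokens are random, so they carry no information
    about the PAN; the vault is the only place the mapping exists."""

    def __init__(self, lookup_key: bytes):
        self._token_to_pan = {}        # token -> PAN (the sensitive mapping)
        self._pan_index = {}           # HMAC(PAN) -> token, so a repeat card reuses its token
        self._lookup_key = lookup_key  # assumed to live in an HSM in production

    def _index_key(self, pan: str) -> str:
        # Keyed hash: the index cannot be brute-forced over the 16-digit space
        # by someone who steals the table but not the key.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index_key(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        while True:
            # Format-preserving token: random digits plus the real last four so
            # receipts still print "ending in 1111". Tokens are required to FAIL
            # the Luhn check so one can never be mistaken for a real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor may call this, e.g. when forwarding to the card network."""
        return self._token_to_pan[token]


class MerchantDatabase:
    """Merchant-side storage: after authorization only the token is kept."""

    def __init__(self):
        self.orders = []

    def record_sale(self, order_id: str, token: str, amount_cents: int) -> None:
        self.orders.append({"order_id": order_id, "card_token": token, "amount_cents": amount_cents})


def process_sale(vault: TokenVault, db: MerchantDatabase, order_id: str, pan: str, amount_cents: int) -> str:
    """Authorize (stubbed here, an assumption), tokenize, then persist only the token."""
    token = vault.tokenize(pan)
    db.record_sale(order_id, token, amount_cents)
    return token  # the PAN goes out of scope here and is never written by the merchant


def merchant_db_contains_pan(db: MerchantDatabase, pan: str) -> bool:
    """Audit helper: does any stored merchant field still hold the raw PAN?"""
    return any(pan in str(v) for row in db.orders for v in row.values())


if __name__ == "__main__":
    vault, db = TokenVault(secrets.token_bytes(32)), MerchantDatabase()
    tok = process_sale(vault, db, "order-1", "4111111111111111", 1999)  # constructed test PAN
    print("merchant stores:", db.orders)
    print("PAN present in merchant DB:", merchant_db_contains_pan(db, "4111111111111111"))
```

The Luhn-failing property of the token is worth keeping in any real implementation: it lets a data-loss scanner or a reviewer tell tokens from live card numbers at a glance.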
5.5 Management Review of User Accounts
Control Objective: Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be completed to help reduce the risk of errors, fraud, misuse or unauthorized alteration.
Recommendation: Evidence exists that it was possible for intruders to enter through servers and systems that were considered less critical. According to an article titled "Lessons from the Data Breach at Heartland": "Big companies have hundreds of these things, and they think they're not worth worrying about or they're managed by a third party," Tippett says. "Bad guys will go after anything they can knock over" (King, 2009).
Plan of Action:
People? Internal Risk Management and the business unit process owners
Procedures? Implement a daily audit control that compares user accounts and access logs on systems that hold data classified as sensitive. This includes read, write, and update functions. Only exceptions should be reported to Risk Management, who will in turn take action.
Hardware? Existing hardware
Software? Existing audit tools will be used, but a new report will need to be created.
Telecommunications? None
Cost? Small audit control enhancement: 40-80 hours at a resource loaded rate of $65 per hour
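One way to build the daily exception report the plan above calls for, as an added example that is not Heartland's audit tooling: the authorized-account list for each sensitive system is compared with the day's access log, and only the exceptions (accounts not on the list, or operations beyond what the account is allowed) are returned for Risk Management. The log format, host and account names, and the sample log lines are all constructed for this illustration.

```python
"""Daily access-audit control (added example; not Heartland's tooling).

Compares the authorized-account list for sensitive systems with the day's
access log and returns only exceptions. Log format and sample data are
constructed assumptions.
"""
import re
from dataclasses import dataclass

# Authorized accounts per sensitive system and the operations each may perform.
# (Constructed example data.)
AUTHORIZED = {
    "card-db-01": {
        "svc_auth":  {"read", "write"},
        "jsmith":    {"read"},
        "dba_mlee":  {"read", "write", "update"},
        "old_admin": {"read"},          # authorized but, as the log shows, never used
    },
}

# Assumed log line layout: "<timestamp> host=<h> user=<u> op=<read|write|update> obj=<o>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>read|write|update) obj=(?P<obj>\S+)$"
)

SAMPLE_LOG = [  # constructed sample log for one day
    "2010-12-10T02:15:01Z host=card-db-01 user=svc_auth op=read obj=txn_batch_4471",
    "2010-12-10T02:15:07Z host=card-db-01 user=jsmith op=write obj=cardholder",
    "2010-12-10T03:40:22Z host=card-db-01 user=tmp_acct9 op=read obj=cardholder",
    "2010-12-10T04:01:00Z host=web-01 user=tmp_acct9 op=read obj=index.html",
    "2010-12-10T04:05:00Z host=card-db-01 user=dba_mlee op=update obj=cardholder",
]


@dataclass(frozen=True)
class AccessException:
    ts: str
    host: str
    user: str
    op: str
    reason: str


def audit_access_log(lines, authorized=AUTHORIZED):
    """Return the exceptions Risk Management needs to see; silence is the normal case."""
    exceptions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            # An unparseable line is itself an exception: logging may be tampered with or broken.
            exceptions.append(AccessException("-", "-", "-", "-", f"unparseable log line: {line.strip()!r}"))
            continue
        host, user, op = m["host"], m["user"], m["op"]
        if host not in authorized:
            continue  # not classified as sensitive; outside this control's scope
        perms = authorized[host].get(user)
        if perms is None:
            exceptions.append(AccessException(m["ts"], host, user, op, "account not in authorized list"))
        elif op not in perms:
            exceptions.append(AccessException(m["ts"], host, user, op,
                                              f"operation not permitted (allowed: {sorted(perms)})"))
    return exceptions


def dormant_accounts(lines, authorized=AUTHORIZED):
    """Authorized accounts that never appear in the log: candidates for removal under least privilege."""
    seen = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            seen.add((m["host"], m["user"]))
    return sorted((h, u) for h, users in authorized.items() for u in users if (h, u) not in seen)


def format_report(exceptions, dormant):
    lines = [f"EXCEPTION {e.ts} {e.host} {e.user} {e.op}: {e.reason}" for e in exceptions]
    lines += [f"DORMANT {h} {u}: authorized but no activity in period" for h, u in dormant]
    return "\n".join(lines) if lines else "no exceptions"


if __name__ == "__main__":
    print(format_report(audit_access_log(SAMPLE_LOG), dormant_accounts(SAMPLE_LOG)))
```

Reporting only exceptions keeps the daily review short enough that it actually gets read, which is the point of the control; the dormant-account list feeds the periodic confirmation of access rights the control objective asks for.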
5.7 Security Surveillance
Control Objective: IT security administration should ensure that security activity is logged, and that any indication of an imminent security violation is reported immediately to all who may be concerned (internally and externally) and acted upon in a timely manner.
Recommendation: According to msnbc.com, "Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered 'malicious software' that compromised data in Heartland's network, it said" (Heartland Payment Systems Hacked-Technology & Science - Security, 2009). This indicates that Heartland's security surveillance was not adequate to detect the security breach at an earlier time. I recommend that Heartland upgrade its existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Upgrade existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network
Hardware? Existing hardware (possibly upgrade to better hardware)
Software? Existing software (possibly upgrade to better software)
Telecommunications? None
Cost? Cost of labor, and optional cost of hardware/software
5.9 Central Identification and Access Rights Management
Control Objective: Controls are in place to ensure that the identification and access rights of users, as well as the identity of system and data ownership, are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.
Recommendation: Evidence exists that it was possible for intruders to enter through corporate servers and plant the malware. Once they gained access to a corporate system, the hackers planted sophisticated packet-sniffing tools and other malware to detect and steal payment card data flowing over the victim companies' networks, according to court documents (Vijayan, 2009).
Plan of Action:
People? Risk Management, Security Management, and Network Server Team
Procedures? A server security standardization project should be planned and implemented.
Hardware? Existing
Software? Existing
Telecommunications? None
Cost? Small sized project (500-1000 hours, $25,000-$50,000)
5.10 Violation and Security Activity Reports
Control Objective: IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege or on a need-to-know basis.
Recommendation: We recommend that Heartland review and rewrite its procedures for completing violation and security activity reports so that they match the precautions taken to stop future security breaches. Heartland should establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations (Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures version 2.0, 2009).
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implement new violation and security activity reporting procedures to ensure proper escalation and logging of security incidents.
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Cost of labor
5.11 Incident Handling
Control Objective: Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.
Recommendation: As a result of this breach, incident handling should include prioritization. In future incidents, when outside forensics companies or other security/audit specialists are used, a classification of data and systems will determine the order of investigation based on criticality to the business. In late 2008, Heartland hired two forensics companies it hasn't identified. Both scoured the network, but it wasn't until Jan. 12 that one found strange-looking data coming from Heartland's system that let Heartland employees uncover the intrusion (King, 2009). Prioritization will allow focused network scans of the systems that hold sensitive data to be executed first.
Plan of Action:
People? IS Help Desk, Risk Management, Security Management, External consultant
Procedures? Internal procedure change across internal IS teams
Hardware? None
Software? None
Telecommunications? None
Cost? Small procedure enhancement: 20-40 hours at a resource loaded rate of $65 per hour
5.12 Reaccreditation
Control Objective: Management should ensure that reaccreditation of security (e.g., through "tiger teams") is periodically performed to update the formally approved security level and the acceptance of residual risk.
Recommendation: Heartland went through the reaccreditation process for Payment Card Industry Data Security Standard (PCI DSS) certification. However, Heartland's CEO said that PCI DSS was an insufficient protective measure and that the standard for security was much higher (McGlasson, 2009). Therefore Heartland knew that its approved security measures were subpar. What Heartland should have put in place was a team of people to examine its security measures. That team should have gone through each step of the payment procedure and found where the risks in that process lie. After the team completed the assessment, the security level should have been updated to the correct standard.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams, a team of people (e.g. "Tiger Teams") to assess the security measures
Procedures? Update the accepted security level
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Cost of employee labor, cost of Tiger Team
5.13 Counterparty Trust
Control Objective: Organizational policy should ensure that control practices are implemented to verify the authenticity of the counterparty providing electronic instructions or transactions. This can be implemented through trusted exchange of passwords, tokens or cryptographic keys.
Recommendation: Evidence suggests a potential weakness in the fact that data must be decrypted to move from Heartland's system to Visa and MasterCard, since the credit card companies accept only unencrypted data. Trusted exchange between parties is an obvious weakness: there is no telling whether that link (which might run over a telecom connection across 2,000 or so miles) can be breached. A project implementing E3, tokenization, and other methods that allow sensitive data to move through networks encrypted should be launched (Farrell, 2010).
Plan of Action:
People? Risk Management, Security Management, External consultant, Business Units, IS, Server Team
Procedures? Updated procedures will result from this project.
Hardware? Point of sale, and magnetic card reader
Software? Enhancement of software is likely.
Telecommunications? Recommendation
Cost? Medium sized project (1000-2000 hours, $50,000-$100,000). This does not include the cost to merchants for new point of sale terminals and card readers.
5.14 Transaction Authorization
Control Objective: Organizational policy should ensure that, where appropriate, controls are implemented to provide authenticity of transactions and establish the validity of a user's claimed identity to the system. This requires the use of cryptographic techniques for signing and verifying transactions.
Recommendation: The software that was planted could read and collect unencrypted data in motion (Higgins, 2009). Heartland needs to have in place a cryptographic technique so that each transaction is verified before the transaction begins. Heartland needs a policy in place so that the validity of a user's claimed identity can be established. It will need to update its hardware and software to allow cryptographic techniques to be used. It also needs to ensure that people in the company do not share their credentials with anyone else. It doesn't matter how good your encryption is if people in your company share credentials to access a higher security level than the one they are assigned.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Create a cryptographic technique so that each transaction is verified
Hardware? New hardware will need to be purchased if existing hardware does not support cryptographic techniques.
Software? New software will need to be purchased if existing software does not support cryptographic techniques.
Telecommunications? Telecommunications will need to be upgraded if they do not support cryptographic techniques.
Cost? Cost of employee labor, new hardware, software, and upgraded telecommunications
5.16 Trusted Path
Control Objective: Organizational policy should ensure that sensitive transaction data are exchanged only over a trusted path. Sensitive information includes security management information, sensitive transaction data, passwords and cryptographic keys. To achieve this, trusted channels may need to be established using encryption between users, between users and systems, and between systems.
Recommendation: A SQL injection was used to capture data as it was being processed (Cheney, 2010). This shows that Heartland did not have trusted channels established. Heartland needs a trusted path for its transactions covering user-to-user, user-to-system, and system-to-system communication. Heartland needs to put in place a procedure to ensure that sensitive information is sent only over a trusted path. This will require secure telecommunications for every step of the payment process from beginning to end, and updating hardware and software so that encryption techniques can be used.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Implementation of a trusted path for secure communications, including end-to-end protection of the payment process
Hardware? Upgraded hardware as needed to ensure a trusted path
Software? Upgraded software as needed to ensure a trusted path
Telecommunications? Telecommunications will need to be upgraded to secure every step of the payment process
Cost? Cost of upgraded telecommunications, upgraded hardware, upgraded software
5.17 Protection of Security Functions
Control Objective: Security-related hardware and software should at all times be protected against tampering and against disclosure of secret keys to maintain their integrity. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.
Recommendation: According to the report from Cheney, Heartland manages its data 24/7 and 7% of its information technology staff is focused specifically on security. However, Heartland needs to keep a low profile on its security design and not make it public to the whole company. The attackers gained access to the corporate network first and were able to perform many activities before gaining access to the processing network (Cheney, 2010). Heartland needs to keep its sensitive processing environment separate from the corporate network to ensure integrity. Heartland also needs to ensure that its software is protected against tampering.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Ensure that the security design is not available to the whole company and that its software and hardware are protected against tampering.
Hardware? Existing
Software? Existing
Telecommunications? Ensure that security communications are kept separate from the rest of the company.
Cost? Employee labor
5.18 Cryptographic Key Management
Control Objective: Management should define and implement procedures and protocols to be used for generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure. If a key is compromised, management should ensure that this information is propagated to any interested party through the use of certificate revocation lists or similar mechanisms.
Recommendation: The form of attack used in the breach had been available for a long period of time, but the breach did not occur until 2007 (Cheney, 2010). Heartland needs to ensure that cryptographic keys are not modified or disclosed. Heartland also needs to ensure that, if a key is compromised, the correct people are notified.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Ensure that cryptographic keys are not modified or disclosed, and ensure that if a key is compromised the information is communicated
Hardware? None
Software? Upgrade encryption software to include cryptographic key management
Telecommunications? Ensure that if a key is compromised it is communicated to the correct people
Cost? Upgraded software
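The two controls 5.14 (verify each transaction cryptographically) and 5.18 (generate, rotate and revoke keys, and propagate a compromise to verifiers) fit together in one added example, which is not Heartland's implementation or any vendor's product. A key manager issues keys with identifiers, rotates them, and publishes a revocation list; every transaction carries its key identifier and an HMAC tag, and the verifier rejects any tag made under an unknown or revoked key. HMAC is a symmetric message authentication code standing in for the signing scheme the control objective mentions; it assumes the key is shared securely with the verifier. Class names, the transaction fields and all sample values are constructed for illustration, and replay protection is left out.

```python
"""Transaction authentication with managed keys (added example for 5.14 and
5.18; not Heartland's code). All names and sample values are constructed.
"""
import hashlib
import hmac
import json
import secrets


class KeyManager:
    """Generates, rotates and revokes MAC keys; the revoked set is the
    'revocation list' that verifiers consult before trusting a tag."""

    def __init__(self):
        self._keys = {}        # key_id -> key bytes (would sit in an HSM in production)
        self._active = None    # key_id used for new transactions
        self.revoked = set()   # published to every interested party

    def generate(self):
        key_id = f"k{len(self._keys) + 1:04d}"
        self._keys[key_id] = secrets.token_bytes(32)   # fresh random 256-bit key
        self._active = key_id
        return key_id

    def rotate(self):
        """Start a new key; older keys stay valid for verification until revoked."""
        return self.generate()

    def revoke(self, key_id):
        """Compromise handling: refuse the key everywhere, and re-key if it was active."""
        self.revoked.add(key_id)
        if self._active == key_id:
            self.generate()

    def active_key_id(self):
        return self._active

    def key(self, key_id):
        if key_id in self.revoked:
            raise KeyError(f"{key_id} revoked")
        return self._keys[key_id]      # KeyError for unknown ids


def canonical(tx):
    """Deterministic byte encoding so sender and verifier MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(km, tx):
    """Attach key id and tag; the tag covers every field of the transaction."""
    key_id = km.active_key_id()
    tag = hmac.new(km.key(key_id), canonical(tx), hashlib.sha256).hexdigest()
    return {**tx, "key_id": key_id, "tag": tag}


def verify_transaction(km, signed):
    """Return (ok, reason). Checked in order: revocation list, key existence, tag."""
    body = {k: v for k, v in signed.items() if k not in ("key_id", "tag")}
    key_id = signed.get("key_id")
    if key_id in km.revoked:
        return False, "key revoked"
    try:
        key = km.key(key_id)
    except KeyError:
        return False, "unknown key"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("tag", "")):   # constant-time compare
        return False, "bad tag"
    return True, "ok"


if __name__ == "__main__":
    km = KeyManager()
    k1 = km.generate()
    tx = {"merchant_id": "M-0001", "amount_cents": 1999, "card_token": "5412000000001111",
          "nonce": secrets.token_hex(8)}          # constructed sample transaction
    s = sign_transaction(km, tx)
    print("genuine:", verify_transaction(km, s))
    print("tampered amount:", verify_transaction(km, dict(s, amount_cents=999999)))
    km.revoke(k1)                                  # simulate a reported compromise
    print("after revocation:", verify_transaction(km, s))
```

Rotation and revocation are deliberately different operations: rotation keeps old transactions verifiable, while revocation (the response to a compromise) invalidates everything under that key at once, which is exactly the propagation the control objective asks for.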
5.19 Malicious Software Prevention, Detection and Correction
Control Objective: Regarding malicious software, such as computer viruses or Trojan horses, management should establish a framework of adequate preventive, detective and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response and reporting.
Recommendation: The information targeted in the breach was "data in transit" rather than a stored database, which made it easier for the attackers to mask themselves from detection (Cheney, 2010). Heartland needs a malicious software prevention solution for data in motion. Heartland also needs detective and corrective control measures to protect its infrastructure. Heartland further needs to ensure that, if malicious software is detected, the correct people are notified and the occurrence is responded to.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Provide a software solution that ensures malicious software prevention and detection, including for data in motion.
Hardware? Existing
Software? Upgraded software that provides malicious software prevention and detection with support for data in motion
Telecommunications? None
Cost? New anti-malware software, implementation cost
5.20 Firewall Architectures and Connections with Public Networks
Control Objective: If a connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of service and unauthorized access to internal resources, and to control any application and infrastructure management flows in both directions.
Recommendation: Heartland's CEO knew that the company needed to move to a higher standard of security (McGlasson, 2009). Heartland needs firewalls in place to control application and infrastructure management flows in both directions. Heartland not only needs to ensure that its data is protected from the outside; it also needs to ensure that sensitive information on the inside cannot be sent out of the network.
Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Provide a firewall solution that ensures control of data flow in both directions
Hardware? Upgraded firewalls to control data flow in both directions
Software? None
Telecommunications? Ensure that communications are controlled in both directions
Cost? New firewalls
Summary of Recommendations
Organization and Management of Systems
New ID / Authentication Solution
Better Secure Data Practices
Increase of Security Surveillance
Encryption of Data
Creation of a Trusted Path to Move Data
"Data in Motion" Security Protection
Creation of Updated Firewall Rules
APA Sources
Heartland Payment Systems Hacked-Technology & Science - Security. (2009, January 20). Retrieved December 11, 2010, from msnbc.com: http://www.msnbc.msn.com/id/28758856/ns/technology_and_science-security/
In Re Heartland Payment Systems, Inc. Securities Litigation, Case 3:09-CV-01043-Aet-Tjb Document 25. (2009, December 7). New Jersey: United States District Court, District of New Jersey.
Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures Version 2.0. (2009, October). Retrieved December 11, 2010, from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Acohido, B. (2009, January 23). Hackers Breach Heartland Payment Credit Card System. Retrieved December 11, 2010, from USA Today: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
Albanesius, C. (2010, May). Inside the Biggest Online Theft Case. PC Magazine, 29(5).
Cheney, J. S. (2010, January). Heartland Payment Systems: Lessons Learned from a Data Breach. Retrieved December 11, 2010, from Federal Reserve Bank of Philadelphia: http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf
Cyprus, B. (2009, June). Wireless POS Makes Your Business More Efficient. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/Wireless_POS.pdf
Cyprus, B. (2010, January). Control Your Security, and PCI Will Follow: The four most vital actions restaurants can take to accelerate network and credit card data security. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/whitepaper2_control_your_security.pdf
Farrell, F. (2010, June 28). Once Hacked, Twice Paranoid. Forbes, 185(11), p. 50.
Higgins, K. (2009). Heartland CEO Provides More Details on Big Data Breach. Retrieved December 11, 2010, from http://www.darkreading.com/security/attacks-breaches/214600079/index.html
Howley, E. (2010, October). UNF Security Breach Affects More Than 100,000 IDs. Retrieved November 5, 2010, from First Coast News: http://www.firstcoastnews.com/news/topstories/news-article.aspx?storyid=171731&catid=3
Johnson, A. (2010, March). Guide for Security Configuration Management of Information Systems. Retrieved December 2010, from csrc.nist.gov: http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf
King, R. (2009, July 6). Lessons from the Data Breach at Heartland. Retrieved from Bloomberg Businessweek Special Report: http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm
Krebs, B. (2009, January 20). Payment Processor Breach May Be Largest Ever. Retrieved December 11, 2010, from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
McGlasson, L. (2009). Lawsuit: Heartland Knew Data Security Standards was 'Insufficient'. Retrieved December 11, 2010, from BankInfoSecurity: http://www.bankinfosecurity.com/articles.php?art_id=1834
Metzger, T. (2010, February 2). How Tokenization Works. Retrieved December 11, 2010, from Merchant Account Guide: The Merchant Account Experts: http://www.merchantaccountguide.com/merchant-account-news/how-tokenization-works.php
Our Technology. Payment & Transaction Processing for Merchant Accounts. (n.d.). Retrieved November 5, 2010, from Heartland Payment Systems: http://www.heartlandpaymentsystems.com/Technology/
UNF President's Office: Strategic Plan 2009-2014. (n.d.). Retrieved November 5, 2010, from University of North Florida: http://www.unf.edu/president/Strategic_Plan_2009-2014.aspx
Vijayan. (2009, August 17). U.S. Says SQL Injection Caused Major Breaches. Computerworld.