Security Check – Heartland Payment Systems
EASy Security Project: Part 3 -- Synthesis Through Recommended Changes in Control Practice

Summary of Audit Objectives
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.5 Management Review of User Accounts
5.7 Security Surveillance
5.9 Central Identification and Access Rights Management
5.10 Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
5.1 Manage Security Measures
Control Objective: IT security should be managed such that security measures are in line with business requirements. This includes:
1) Translating risk assessment information to the IT security plans.
2) Implementing the IT security plan.
3) Updating the IT security plan to reflect changes in the IT configuration.
4) Assessing the impact of change requests on IT security.
5) Monitoring the implementation of the IT security plan.
6) Aligning IT security procedures to other policies and procedures.

Recommendation:
The security breach at Heartland Payment Systems would not have happened if security measures had been correctly measured and all aspects of business and security risk had been taken into consideration while creating the security measures for the company. Heartland needs to implement (or reorganize) its IT security measures to ensure proper protection for cardholder and company data. I recommend that Heartland hire a penetration testing organization for intrusion detection testing.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams, third-party auditing company
Procedures? Create a sufficient IT security plan to keep Heartland Payment Systems data safe.
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Cost of employee labor, cost of an auditor and penetration tester
5.2 Identification, Authentication and Access
Control Objective: The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).

Recommendation:
We recommend that Heartland Payment Systems implement new identification, authorization, authentication, and access procedures to monitor the users that are traversing the Heartland network. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities (Payment Card Industry (PCI) Data Security Standard, 2010).

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implementation of a secure user authentication procedure
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Labor costs
5.3 Security of Online Access to Data
Control Objective: In an online IT environment, IT management should implement procedures in line with the security policy that provide access security control based on the individual's demonstrated need to view, add, change or delete data.

Recommendation:
Heartland Payment Systems has a problem with online access to data, or with intruders from outside of company boundaries being able to access Heartland's internal operations. Heartland's response to its data breach rested on two pillars aimed at the merchant acquiring and processing side of the payment system: improve data sharing and better secure data, particularly data in transit (Cheney, 2010). I recommend that Heartland implement end-to-end encryption (to secure data in transit) and tokenization. Tokenization is a way for merchants to protect credit card information (Cheney, 2010). The process replaces card data after authorization with randomized numbers, which are useless to thieves. The real data (credit card information) is then deleted from the merchant's database (Metzger, 2010). End-to-end encryption is the process of encrypting a message (credit card data) from one end of the communication medium to the other.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implement end-to-end encryption between data links, and implement token technology.
Hardware? Existing hardware
Software? Tokenization software, encryption software (can be hardware based by using existing hardware equipment)
Telecommunications? None
Cost? Software cost, labor costs
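To make the tokenization flow concrete, here is an added example (constructed for this write-up, not Heartland's or any vendor's implementation): a vault that hands the merchant a random, format-preserving token after authorization, so the merchant record never holds the primary account number (PAN). The `TokenVault`, `MerchantRecord` and `settle_transaction` names are assumptions; a real vault would be a separately secured system with its own access controls.

```python
"""Illustrative tokenization vault (constructed example). After authorization
the merchant keeps only a random token and the last four digits; the PAN lives
solely in the vault, which in practice is a separately secured component."""
import secrets
from dataclasses import dataclass
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used to validate card numbers before tokenizing."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant database stores after tokenization: no PAN at all."""
    token: str
    last4: str
    amount_cents: int


class TokenVault:
    """Maps random tokens to PANs. Only this component can detokenize."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def _new_token(self, last4: str) -> str:
        # 16-digit, format-preserving token: 12 random digits plus the real
        # last four so receipts can still show "**** 1111". Tokens that would
        # pass Luhn are discarded so a token can never be mistaken for a PAN,
        # and the token carries no information derived from the PAN itself.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + last4
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:        # same card -> same token, so the
            return self._pan_to_token[pan]   # merchant can do recurring billing
        token = self._new_token(pan[-4:])
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault's trust boundary."""
        return self._token_to_pan[token]


def settle_transaction(vault: TokenVault, pan: str, amount_cents: int) -> MerchantRecord:
    """Merchant-side flow: authorize with the PAN, then persist only the token."""
    token = vault.tokenize(pan)
    # The PAN goes no further; the record below is all the merchant keeps.
    return MerchantRecord(token=token, last4=pan[-4:], amount_cents=amount_cents)
```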
5.5 Management Review of User Accounts
Control Objective: Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be completed to help reduce the risk of errors, fraud, misuse or unauthorized alteration.

Recommendation:
Evidence exists that it was possible for intruders to enter through servers and systems that were considered less critical. According to an article titled Lessons from the Data Breach at Heartland, "Big companies have hundreds of these things, and they think they're not worth worrying about or they're managed by a third party," Tippett says. "Bad guys will go after anything they can knock over." (King, 2009)

Plan of Action:
People? Internal Risk Management and the business unit process owners
Procedures? Implement a daily audit control that compares user accounts and access logs on systems that have data classified as sensitive. This includes read, write, and update functions. Only exceptions should be reported to Risk Management, who will in turn take action.
Hardware? Existing hardware
Software? Existing audit tools will be used, but a new report will need to be created.
Telecommunications? None
Cost? Small audit control enhancement: 40-80 hours at a loaded resource rate of $65 per hour
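The daily exception report in the plan above, worked through as an added example (constructed here, not Heartland's audit tooling): access-log entries for sensitive systems are reconciled against account entitlements, and only what does not match goes to Risk Management. The log format, system names, accounts and entitlement data are all assumptions made up for the example.

```python
"""Daily exception report reconciling sensitive-system access logs against
account entitlements (constructed example). Entitlements record which
operations each account may perform on each system; any log entry on a
sensitive system that is not covered by them is an exception."""
import re
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed entitlement data: (system, account) -> operations granted.
ENTITLEMENTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("pay-db01", "jsmith"): frozenset({"read"}),
    ("pay-db01", "batch_svc"): frozenset({"read", "write", "update"}),
    ("pay-db01", "dba_lee"): frozenset({"read", "write", "update"}),
}
SENSITIVE_SYSTEMS: Set[str] = {"pay-db01"}  # systems holding sensitive data

# Constructed log excerpt in the form "<timestamp> <system> <account> <op> <object>".
SAMPLE_LOG = """\
2009-01-12T02:14:07Z pay-db01 batch_svc read cardholder_txn
2009-01-12T02:15:11Z pay-db01 jsmith read cardholder_txn
2009-01-12T02:16:40Z pay-db01 jsmith update cardholder_txn
2009-01-12T02:17:02Z pay-db01 tmp_admin read cardholder_txn
2009-01-12T02:18:30Z web-test03 tmp_admin write scratch
2009-01-12T02:19:55Z pay-db01 dba_lee write cardholder_txn
2009-01-12T02:20:13Z pay-db01 garbled
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (read|write|update) (\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, system, account, op, obj = m.groups()
    return {"ts": ts, "system": system, "account": account, "op": op, "object": obj}


def find_exceptions(log_text: str,
                    entitlements: Dict[Tuple[str, str], FrozenSet[str]],
                    sensitive: Set[str]) -> List[Dict[str, str]]:
    """Return only the entries Risk Management needs to see, each with a reason."""
    exceptions: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            # A line the control cannot read is itself reportable: it is a gap
            # in accountability on a sensitive system, not something to skip.
            exceptions.append({"line": raw, "reason": "unparseable log entry"})
            continue
        if entry["system"] not in sensitive:
            continue  # out of scope for this control
        granted = entitlements.get((entry["system"], entry["account"]))
        if granted is None:
            reason = "account has no entitlement on this system"
        elif entry["op"] not in granted:
            reason = f"operation '{entry['op']}' not granted (has: {sorted(granted)})"
        else:
            continue  # covered by an entitlement: not reported
        exceptions.append({**entry, "line": raw, "reason": reason})
    return exceptions


def daily_report(log_text: str = SAMPLE_LOG) -> List[str]:
    """One line per exception, ready to hand to Risk Management."""
    return [f"{e.get('ts', '-')} {e.get('system', '-')} {e.get('account', '-')}: {e['reason']}"
            for e in find_exceptions(log_text, ENTITLEMENTS, SENSITIVE_SYSTEMS)]


if __name__ == "__main__":
    for line in daily_report():
        print(line)
```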
5.7 Security Surveillance
Control Objective: IT security administration should ensure that security activity is logged, and any indication of imminent security violation is reported immediately to all who may be concerned (internally and externally) and acted upon in a timely manner.

Recommendation:
According to msnbc.com, "Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said" (Heartland Payment Systems Hacked-Technology & Science - Security, 2009). This shows that Heartland's security surveillance was not adequate to detect the security breach at an earlier time. I recommend that Heartland upgrade its existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Upgrade existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network
Hardware? Existing hardware (possibly upgrade to better hardware)
Software? Existing software (possibly upgrade to better software)
Telecommunications? None
Cost? Cost of labor, and optional cost of hardware/software
5.9 Central Identification and Access Rights Management
Control Objective: Controls are in place to ensure that the identification and access rights of users, as well as the identity of system and data ownership, are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.

Recommendation:
Evidence exists that it was possible for intruders to enter through corporate servers and plant the malware. Once they gained access to a corporate system, the hackers planted sophisticated packet-sniffing tools and other malware to detect and steal payment card data flowing over the victim companies' networks, according to court documents (Vijayan, 2009).

Plan of Action:
People? Risk Management, Security Management, and Network Server Team
Procedures? A server security standardization project should be planned and implemented.
Hardware? Existing
Software? Existing
Telecommunications? None
Cost? Small-sized project (500-1000 hours, $25,000-$50,000)
5.10 Violation and Security Activity Reports
Control Objective: IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege or on a need-to-know basis.

Recommendation:
We recommend that Heartland review and rewrite its procedures for completing violation and security activity reports to comply with precautions taken to stop future security breaches. Heartland should establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations (Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures version 2.0, 2009).

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implement new violation and security activity reporting procedures to ensure proper escalation and logging of security incidents.
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Cost of labor
5.11 Incident Handling
Control Objective: Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.

Recommendation:
As a result of this breach, incident handling should include prioritization. In future incidents, when outside forensics companies or other security/audit specialists are used, a classification of data and systems will determine the order of importance based on criticality to the business. In late 2008, Heartland hired two forensics companies it hasn't identified. Both scoured the network, but it wasn't until Jan. 12 that one found strange-looking data coming from Heartland's system that let Heartland employees uncover the intrusion (King, 2009). Prioritization will allow focused network scans of the systems that hold sensitive data to be executed first.

Plan of Action:
People? IS Help Desk, Risk Management, Security Management, external consultant
Procedures? Internal procedure change across internal IS teams
Hardware? None
Software? None
Telecommunications? None
Cost? Small procedure enhancement: 20-40 hours at a loaded resource rate of $65 per hour
5.12 Reaccreditation
Control Objective: Management should ensure that reaccreditation of security (e.g., through "tiger teams") is periodically performed to update the formally approved security level and the acceptance of residual risk.

Recommendation:
Heartland went through the reaccreditation process for Payment Card Industry Data Security Standard (PCI DSS) certification. However, Heartland's CEO said that PCI DSS was an insufficient protective measure and that the standard for security was much higher (McGlasson, 2009). Therefore Heartland knew that its approved security measures were subpar. What Heartland should have put in place was a team of people who looked at its security measures. That team should have gone through each step in the payment procedure and found where the risks in that process are. After the team completed the assessment, the security level should have been updated to the correct standard.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams, a team of people (e.g. "tiger teams") to assess the security measures
Procedures? Update the accepted security level
Hardware? Existing hardware
Software? Existing software
Telecommunications? None
Cost? Cost of employee labor, cost of tiger team
5.13 Counterparty Trust
Control Objective: Organizational policy should ensure that control practices are implemented to verify the authenticity of the counterparty providing electronic instructions or transactions. This can be implemented through trusted exchange of passwords, tokens or cryptographic keys.

Recommendation:
Evidence suggests a potential weakness in the fact that data must be decrypted to move from Heartland's system to Visa and MasterCard, as credit card companies accept only unencrypted data. Trusted exchange between parties is an obvious weakness; there is no telling whether that link (which might be over a telecom connection across 2,000 or so miles) can be breached. A project implementing E3, tokenization, and other methods that allow sensitive data to move through networks encrypted should be launched (Farrell, 2010).

Plan of Action:
People? Risk Management, Security Management, external consultant, business units, IS, Server Team
Procedures? Updated procedures will result from this project.
Hardware? Point of sale and magnetic card reader
Software? Enhancement of software is likely.
Telecommunications? Recommendation
Cost? Medium-sized project (1000-2000 hours, $50,000-$100,000). This does not include the cost to merchants for new point-of-sale terminals and card readers.
5.14 Transaction Authorization
Control Objective: Organizational policy should ensure that, where appropriate, controls are implemented to provide authenticity of transactions and establish the validity of a user's claimed identity to the system. This requires use of cryptographic techniques for signing and verifying transactions.

Recommendation:
The software that was planted could read and collect unencrypted data in motion (Higgins, 2009). Heartland needs to have in place a cryptographic technique so that each transaction is verified before the transaction begins. Heartland needs to have a policy in place so that the validity of a user's claimed identity can be established. It will need to update its hardware and software to allow cryptographic techniques to be used. It also needs to ensure that people in the company do not share their credentials with anyone else. It doesn't matter how good your encryption is if people in your company share credentials to access a higher security level than they are assigned.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Create a cryptographic technique so that each transaction is verified
Hardware? New hardware will need to be purchased if existing hardware does not support cryptographic techniques.
Software? New software will need to be purchased if existing software does not support cryptographic techniques.
Telecommunications? Telecommunications will need to be upgraded if it does not support cryptographic techniques.
Cost? Cost of employee labor, new hardware, software, and upgraded telecommunications
5.16 Trusted Path
Control Objective: Organizational policy should ensure that sensitive transaction data are exchanged only over a trusted path. Sensitive information includes security management information, sensitive transaction data, passwords and cryptographic keys. To achieve this, trusted channels may need to be established using encryption between users, between users and systems, and between systems.

Recommendation:
A SQL injection was used to capture data as it was being processed (Cheney, 2010). This shows that Heartland did not have trusted channels established. Heartland needs to have a trusted path for its transactions. The trusted path needs to include user-to-user communication, user-to-system communication, and system-to-system communication. Heartland needs to put in place a procedure to ensure that sensitive information is only sent over a trusted path. This will include secure telecommunications for every step in the payment process from beginning to end, and updating hardware and software to allow encryption techniques to be used.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Implementation of a trusted path for secure communications, including end-to-end protection of the payment process
Hardware? Upgraded hardware as needed to ensure a trusted path
Software? Upgraded software as needed to ensure a trusted path
Telecommunications? Telecommunications will need to be upgraded to secure every step of the payment process
Cost? Cost of upgraded telecommunications, upgraded hardware, upgraded software
5.17 Protection of Security Functions
Control Objective: Security-related hardware and software should at all times be protected against tampering and against disclosure of secret keys to maintain their integrity. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.

Recommendation:
According to the report from Cheney, Heartland monitors its data 24/7 and 7% of the information technology staff is focused specifically on security. However, Heartland needs to keep a low profile on its security design and not make it public to the whole company. The attackers gained access to the corporate network first and were able to perform many activities before gaining access to the processing network (Cheney, 2010). Heartland needs to keep its sensitive processing information separate from the corporate network to ensure integrity. Also, Heartland needs to ensure that its software is protected against tampering.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Ensure that the security design is not available to the whole company and that software and hardware are protected against tampering.
Hardware? Existing
Software? Existing
Telecommunications? Ensure that security communications are kept separate from the rest of the company.
Cost? Employee labor
5.18 Cryptographic Key Management
Control Objective: Management should define and implement procedures and protocols to be used for generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure. If a key is compromised, management should ensure that this information is propagated to any interested party through the use of certificate revocation lists or similar mechanisms.

Recommendation:
The form that was used in the breach was available for a long period of time, but the breach did not occur until 2007 (Cheney, 2010). Heartland needs to ensure that cryptographic keys are not modified or disclosed. Heartland also needs to ensure that if a key is compromised, the correct people are notified.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Ensure that cryptographic keys are not modified and not disclosed, and ensure that if a key is compromised the information is communicated
Hardware? None
Software? Upgrade encryption software to include cryptographic key management
Telecommunications? Ensure that if a key is compromised it is communicated to the correct people
Cost? Upgraded software
5.19 Malicious Software Prevention, Detection and Correction
Control Objective: Regarding malicious software, such as computer viruses or Trojan horses, management should establish a framework of adequate preventive, detective and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response and reporting.

Recommendation:
The information taken in the breach was "data in transit" rather than data from a stored database, which made it easier for the attackers to hide from detection (Cheney, 2010). Heartland needs to have a malicious software prevention solution for data in motion. Heartland also needs to have detective and corrective control measures to protect its infrastructure. Also, Heartland needs to ensure that if malicious software is detected, the correct people are notified and the occurrence is responded to.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Provide a software solution that ensures malicious software prevention and detection, including for data in motion.
Hardware? Existing
Software? Upgraded software that provides malicious software prevention and detection with support for data in motion
Telecommunications? None
Cost? New anti-malware software, implementation cost
5.20 Firewall Architectures and Connections with Public Networks
Control Objective: If connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of service, unauthorized access to the internal resources, and to control any application and infrastructure management flows in both directions.

Recommendation:
Heartland's CEO knew that the company needed to move to a higher standard for security (McGlasson, 2009). Heartland needs to have firewalls in place to ensure control of any application and infrastructure management flows in both directions. Heartland not only needs to ensure that its data is protected from the outside, but also that its sensitive information from the inside is not allowed to be sent outside the network.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure teams
Procedures? Provide a firewall solution that ensures control of data flow in both directions
Hardware? Upgraded firewalls to control data flow in both directions
Software? None
Telecommunications? Ensure that communications are controlled in both directions
Cost? New firewalls
Summary of Recommendations
Organization and Management of Systems
New ID / Authentication Solution
Better Secure Data Practices
Increase of Security Surveillance
Encryption of Data
Creation of a Trusted Path to Move Data
"Data in Motion" Security Protection
Creation of Updated Firewall Rules
APA Sources
Heartland Payment Systems Hacked-Technology & Science - Security. (2009, January 20). Retrieved December 11, 2010, from msnbc.com: http://www.msnbc.msn.com/id/28758856/ns/technology_and_science-security/

In Re Heartland Payment Systems, Inc. Securities Litigation, Case 3:09-CV-01043-Aet-Tjb, Document 25. (2009, December 7). New Jersey: United States District Court, District of New Jersey.

Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures Version 2.0. (2009, October). Retrieved December 11, 2010, from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Acohido, B. (2009, January 23). Hackers Breach Heartland Payment Credit Card System. Retrieved December 11, 2010, from USA Today: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

Albanesius, C. (2010, May). Inside the Biggest Online Theft Case. PC Magazine, 29(5).

Cheney, J. S. (2010, January). Heartland Payment Systems: Lessons Learned from a Data Breach. Retrieved December 11, 2010, from Federal Reserve Bank of Philadelphia: http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf

Cyprus, B. (2009, June). Wireless POS Makes Your Business More Efficient. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/Wireless_POS.pdf

Cyprus, B. (2010, January). Control Your Security, and PCI Will Follow: The four most vital actions restaurants can take to accelerate network and credit card data security. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/whitepaper2_control_your_security.pdf

Farrell, F. (2010, June 28). Once Hacked, Twice Paranoid. Forbes, 185(11), p. 50.

Higgins, K. (2009). Heartland CEO Provides More Details on Big Data Breach. Retrieved December 11, 2010, from http://www.darkreading.com/security/attacks-breaches/214600079/index.html

Howley, E. (2010, October). UNF Security Breach Affects More Than 100,000 IDs. Retrieved November 5, 2010, from First Coast News: http://www.firstcoastnews.com/news/topstories/news-article.aspx?storyid=171731&catid=3

Johnson, A. (2010, March). Guide for Security Configuration Management of Information Systems. Retrieved December 2010, from csrc.nist.gov: http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf

King, R. (2009, July 6). Lessons from the Data Breach at Heartland. Retrieved from Bloomberg Businessweek, Special Report: http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm

Krebs, B. (2009, January 20). Payment Processor Breach May Be Largest Ever. Retrieved December 11, 2010, from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html

McGlasson, L. (2009). Lawsuit: Heartland Knew Data Security Standards was 'Insufficient'. Retrieved December 11, 2010, from bankinfosecurity: http://www.bankinfosecurity.com/articles.php?art_id=1834

Metzger, T. (2010, February 2). How tokenization works. Retrieved December 11, 2010, from Merchant Account Guide: The Merchant Account Experts: http://www.merchantaccountguide.com/merchant-account-news/how-tokenization-works.php

Our Technology. Payment & Transaction Processing for Merchant Accounts. (n.d.). Retrieved November 5, 2010, from Heartland Payment Systems: http://www.heartlandpaymentsystems.com/Technology/

UNF President's Office: Strategic Plan 2009-2014. (n.d.). Retrieved November 5, 2010, from University of North Florida: http://www.unf.edu/president/Strategic_Plan_2009-2014.aspx

Vijayan, J. (2009, August 17). U.S. Says SQL Injection Caused Major Breaches. Computerworld.
Cloud Computing - Emerging Opportunities in the CA Profession
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
 

Viewers also liked

Four essentials for a healthy society
Four essentials for a healthy societyFour essentials for a healthy society
Four essentials for a healthy societyCharles Baker
 
UConn Construction
UConn ConstructionUConn Construction
UConn Constructiondaveyb12
 
Oilfield Pits & Arsenic Usage, Louisiana
Oilfield Pits & Arsenic Usage, LouisianaOilfield Pits & Arsenic Usage, Louisiana
Oilfield Pits & Arsenic Usage, Louisianalazalice
 
ProcureCrew Network - How it Works
ProcureCrew Network - How it WorksProcureCrew Network - How it Works
ProcureCrew Network - How it WorksProcure Crew
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3grimesjo
 
Multimedia assignment
Multimedia assignmentMultimedia assignment
Multimedia assignmentdaveyb12
 
Barrett oilfield arsenic-2015
Barrett oilfield arsenic-2015Barrett oilfield arsenic-2015
Barrett oilfield arsenic-2015lazalice
 
Recording formats and_editing_softwares
Recording formats and_editing_softwaresRecording formats and_editing_softwares
Recording formats and_editing_softwaresAzizur Rahman
 
Nette Framework 2 at WebExpo 2010
Nette Framework 2 at WebExpo 2010Nette Framework 2 at WebExpo 2010
Nette Framework 2 at WebExpo 2010David Grudl
 
Nette: jak rozbít atom?
Nette: jak rozbít atom?Nette: jak rozbít atom?
Nette: jak rozbít atom?David Grudl
 
Soft(ware) skills (konference Devel.cz, 2013)
Soft(ware) skills (konference Devel.cz, 2013)Soft(ware) skills (konference Devel.cz, 2013)
Soft(ware) skills (konference Devel.cz, 2013)David Grudl
 
WebExpo 2011: Novinky z konference BUILD
WebExpo 2011: Novinky z konference BUILDWebExpo 2011: Novinky z konference BUILD
WebExpo 2011: Novinky z konference BUILDDavid Grudl
 
10.000 followerů na Twitteru snadno a šupem
10.000 followerů na Twitteru snadno a šupem10.000 followerů na Twitteru snadno a šupem
10.000 followerů na Twitteru snadno a šupemDavid Grudl
 
jQuery: full frontal
jQuery: full frontaljQuery: full frontal
jQuery: full frontalDavid Grudl
 

Viewers also liked (17)

Four essentials for a healthy society
Four essentials for a healthy societyFour essentials for a healthy society
Four essentials for a healthy society
 
UConn Construction
UConn ConstructionUConn Construction
UConn Construction
 
Oilfield Pits & Arsenic Usage, Louisiana
Oilfield Pits & Arsenic Usage, LouisianaOilfield Pits & Arsenic Usage, Louisiana
Oilfield Pits & Arsenic Usage, Louisiana
 
ProcureCrew Network - How it Works
ProcureCrew Network - How it WorksProcureCrew Network - How it Works
ProcureCrew Network - How it Works
 
Nightmares
NightmaresNightmares
Nightmares
 
Heartlandpt3
Heartlandpt3Heartlandpt3
Heartlandpt3
 
Multimedia assignment
Multimedia assignmentMultimedia assignment
Multimedia assignment
 
Barrett oilfield arsenic-2015
Barrett oilfield arsenic-2015Barrett oilfield arsenic-2015
Barrett oilfield arsenic-2015
 
Recording formats and_editing_softwares
Recording formats and_editing_softwaresRecording formats and_editing_softwares
Recording formats and_editing_softwares
 
Nette Framework 2 at WebExpo 2010
Nette Framework 2 at WebExpo 2010Nette Framework 2 at WebExpo 2010
Nette Framework 2 at WebExpo 2010
 
Nette: jak rozbít atom?
Nette: jak rozbít atom?Nette: jak rozbít atom?
Nette: jak rozbít atom?
 
Soft(ware) skills (konference Devel.cz, 2013)
Soft(ware) skills (konference Devel.cz, 2013)Soft(ware) skills (konference Devel.cz, 2013)
Soft(ware) skills (konference Devel.cz, 2013)
 
WebExpo 2011: Novinky z konference BUILD
WebExpo 2011: Novinky z konference BUILDWebExpo 2011: Novinky z konference BUILD
WebExpo 2011: Novinky z konference BUILD
 
เล่ม3 เรื่อง 1 ความรู้เบื้องต้น 2
เล่ม3 เรื่อง 1 ความรู้เบื้องต้น 2เล่ม3 เรื่อง 1 ความรู้เบื้องต้น 2
เล่ม3 เรื่อง 1 ความรู้เบื้องต้น 2
 
10.000 followerů na Twitteru snadno a šupem
10.000 followerů na Twitteru snadno a šupem10.000 followerů na Twitteru snadno a šupem
10.000 followerů na Twitteru snadno a šupem
 
jQuery: full frontal
jQuery: full frontaljQuery: full frontal
jQuery: full frontal
 
jadoo k asraat
jadoo k asraatjadoo k asraat
jadoo k asraat
 

Similar to Heartlandpt3

INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMChristopher Nanchengwa
 
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWFREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWinfosec train
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iiiAshish Desai
 
Information systems and its components ii
Information systems and its components   iiInformation systems and its components   ii
Information systems and its components iiAshish Desai
 
Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lessonAnne ndolo
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIRJET Journal
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)Ahmed Banafa
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefVisal Thach
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDITRos Dina
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...
ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...
ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...PascalOtieno
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices FrameworkSujata Raskar
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Brianna Johnson
 
What is zero trust model of information security?
What is zero trust model of information security?What is zero trust model of information security?
What is zero trust model of information security?Ahmed Banafa
 

Similar to Heartlandpt3 (20)

INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
 
CISA (1).pdf
CISA (1).pdfCISA (1).pdf
CISA (1).pdf
 
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWFREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
 
Tft2 Task3 Essay
Tft2 Task3 EssayTft2 Task3 Essay
Tft2 Task3 Essay
 
Information systems and its components iii
Information systems and its components   iiiInformation systems and its components   iii
Information systems and its components iii
 
Information systems and its components ii
Information systems and its components   iiInformation systems and its components   ii
Information systems and its components ii
 
Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptx
 
Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lesson
 
Chapter 6
Chapter 6Chapter 6
Chapter 6
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data Mining
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-brief
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDIT
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...
ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...
ETHICS FRAUD AND INTERNAL CONTROL AND AUDITING COMPUTERIZED FINANCIAL SYSSTEM...
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices Framework
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
What is zero trust model of information security?
What is zero trust model of information security?What is zero trust model of information security?
What is zero trust model of information security?
 

Heartlandpt3

  • 4. 5.2 Identification and Authentication Access
    Control Objective: The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g. regular password changes).
    Recommendation: We recommend that Heartland Payment Systems implement new identification, authorization, authentication, and access procedures to monitor the users that are traversing the Heartland network. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities (Payment Card Industry (PCI) Data Security Standard, 2010).
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure teams
    Procedures? Implementation of a secure user authentication procedure
    Hardware? Existing hardware
    Software? Existing software
    Telecommunications? None
    Cost? Labor costs
  • 5. 5.3 Security of Online Access to Data
    Control Objective: In an online IT environment, IT management should implement procedures in line with the security policy that provide access security control based on the individual's demonstrated need to view, add, change or delete data.
    Recommendation: Heartland Payment Systems has a problem with online access to data, or with intruders from outside of company boundaries being able to access Heartland's internal operations. Heartland's response to its data breach rested on two pillars aimed at the merchant acquiring and processing side of the payment system: improve data sharing and better secure data, particularly data in transit (Cheney, 2010). I recommend Heartland implement end-to-end encryption (to secure data in transit) and tokenization. Tokenization is a way for merchants to protect credit card information (Cheney, 2010). The process replaces card data after authorization with randomized numbers, which are useless to thieves. The real data (credit card information) is then deleted from the merchant's database (Metzger, 2010). End-to-end encryption is the process of encrypting a message (credit card data) from one end of the communication media to the other.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure teams
    Procedures? Implement end-to-end encryption between data links, and implement token technology.
    Hardware? Existing hardware
    Software? Tokenization software, encryption software (can be hardware based by using existing hardware equipment)
    Telecommunications? None
    Cost? Software cost, labor costs
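The tokenization step described above, worked through as an added Python example (not code from the slides or from Heartland): a hypothetical vault that swaps a card number for a random token, keeps the only copy of the mapping, and lets the merchant store just the token. The card number, role names and vault design are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: holds the only copy of the PAN-to-token mapping.

    Merchants keep the token; only the processor role may reverse it.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        # Keyed hash of the PAN so repeat tokenization of the same card returns
        # the same token without keeping a plain-text PAN lookup table.
        self._index_key = secrets.token_bytes(32)
        self._pan_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token that keeps only the last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that could pass for a real card number (Luhn-valid)
            # or that are already in use, so a stolen token is never usable as a PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Recover the PAN; restricted to the processor that must forward it."""
        if role != "processor":
            raise PermissionError("only the processor role may detokenize")
        return self._token_to_pan[token]


def authorize_and_store(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Record the merchant keeps after authorization: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    # The PAN is not copied into the stored record; only the token survives.
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}
```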
  • 6. 5.5 Management Review of User Accounts
    Control Objective: Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be completed to help reduce the risk of errors, fraud, misuse or unauthorized alteration.
    Recommendation: Evidence exists that it was possible for intruders to enter through servers and systems that were considered less critical. According to an article titled "Lessons from the Data Breach at Heartland", "Big companies have hundreds of these things, and they think they're not worth worrying about or they're managed by a third party," Tippett says. "Bad guys will go after anything they can knock over" (King, 2009).
    Plan of Action:
    People? Internal Risk Management and the business unit process owners.
    Procedures? Implement a daily audit control that compares user accounts and access logs on systems that have data classified as sensitive. This includes read, write, and update functions. Only exceptions should be reported to Risk Management, who will in turn take action.
    Hardware? Existing hardware
    Software? Existing audit tools will be used, but a new report will need to be created.
    Telecommunications? None
    Cost? Small audit control enhancement: 40-80 hours, resource loaded rate of $65 per hour.
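The daily exception report proposed under 5.5, as an added Python example that is not part of the slides or of any Heartland tooling: it compares access-log lines from sensitive hosts against the account inventory and per-host entitlements (read, write, update) and emits only the exceptions. The host names, accounts, log format and log lines are all constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: hosts that hold data classified as sensitive.
SENSITIVE_HOSTS = {"db-card-01"}

# Constructed entitlements on sensitive hosts: account -> operations granted.
ENTITLEMENTS = {
    "db-card-01": {
        "app_auth": {"read", "write"},
        "dba_jsmith": {"read", "write", "update"},
    },
}

# Constructed list of accounts that HR/IS currently consider active.
ACTIVE_ACCOUNTS = {"app_auth", "dba_jsmith", "ops_tlee"}

# Constructed log format: "<timestamp> host=<h> user=<u> op=<read|write|update> obj=<o>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>read|write|update) obj=(?P<obj>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    host: str
    op: str
    reason: str


def audit_access(lines, entitlements=ENTITLEMENTS, active=ACTIVE_ACCOUNTS,
                 sensitive=SENSITIVE_HOSTS) -> list[Finding]:
    """Compare access-log lines with account entitlements; return exceptions only."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            # A line the review cannot read is itself an exception worth a look.
            findings.append(Finding(n, "?", "?", "?", "unparsable log line"))
            continue
        host, user, op = m["host"], m["user"], m["op"]
        if host not in sensitive:
            continue  # out of scope for the daily sensitive-data review
        if user not in active:
            findings.append(Finding(n, user, host, op, "access by inactive or unknown account"))
        elif user not in entitlements.get(host, {}):
            findings.append(Finding(n, user, host, op, "account has no entitlement on host"))
        elif op not in entitlements[host][user]:
            findings.append(Finding(n, user, host, op, f"operation '{op}' exceeds granted rights"))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    "2009-01-10T01:00:00Z host=db-card-01 user=app_auth op=read obj=card_txn",
    "2009-01-10T01:05:00Z host=db-card-01 user=app_auth op=update obj=card_txn",
    "2009-01-10T02:10:00Z host=db-card-01 user=svc_backup op=read obj=card_txn",
    "2009-01-10T02:15:00Z host=web-corp-02 user=ops_tlee op=write obj=www_root",
    "2009-01-10T02:20:00Z host=db-card-01 user=ops_tlee op=read obj=card_txn",
    "corrupt entry",
]


def daily_report(lines=SAMPLE_LOG) -> list[str]:
    """What Risk Management receives: one line per exception, nothing for clean access."""
    return [f"line {f.line_no}: {f.user}@{f.host} {f.op}: {f.reason}"
            for f in audit_access(lines)]
```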
  • 7. 5.7 Security Surveillance
    Control Objective: IT security administration should ensure that security activity is logged, and any indication of imminent security violation is reported immediately to all who may be concerned (internally and externally) and acted upon in a timely manner.
    Recommendation: According to msnbc.com, "Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said" (Heartland Payment Systems Hacked - Technology & Science - Security, 2009). This shows that Heartland's security surveillance was not adequate to detect the security breach at an earlier time. I recommend that Heartland upgrade their existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure teams
    Procedures? Upgrade existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network
    Hardware? Existing hardware (possibly upgrade to better hardware)
    Software? Existing software (possibly upgrade to better software)
    Telecommunications? None
    Cost? Cost of labor, and optional cost of hardware/software
  • 8. 5.9 Central Identification and Access Rights Management
    Control Objective: Controls are in place to ensure that the identification and access rights of users as well as the identity of system and data ownership are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.
    Recommendation: Evidence exists that it was possible for intruders to enter through corporate servers and plant the malware. Once they gained access to a corporate system, the hackers planted sophisticated packet-sniffing tools and other malware to detect and steal payment card data flowing over the victim companies' networks, according to court documents (Vijayan, 2009).
    Plan of Action:
    People? Risk Management, Security Management, and Network Server Team
    Procedures? A server security standardization project should be planned and implemented.
    Hardware? Existing
    Software? Existing
    Telecommunications? None
    Cost? Small-sized project (500-1000 hours, $25,000-$50,000)
  • 9. 5.10 Violation and Security Activity Reports
    Control Objective: IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. The logical access to the computer resources accountability information (security and other logs) should be granted based upon the principle of least privilege or on a need-to-know basis.
    Recommendation: We recommend that Heartland review and rewrite their procedures for completing violation and security activity reports to comply with precautions taken to stop future security breaches. Heartland should establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations (Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures version 2.0, 2009).
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure teams
    Procedures? Implement new violation and security activity reporting procedures to ensure proper escalation and logging of security incidents.
    Hardware? Existing hardware
    Software? Existing software
    Telecommunications? None
    Cost? Cost of labor
  • 10. 5.11 Incident Handling
    Control Objective: Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.
    Recommendation: As a result of this breach, incident handling should include prioritization. In future incidents where outside forensics companies or other security/audit specialists are used, the data/system classification will determine the order of importance based on criticality to the business. In late 2008, Heartland hired two forensics companies it hasn't identified. Both scoured the network, but it wasn't until Jan. 12 that one found strange-looking data coming from Heartland's system that let Heartland employees uncover the intrusion (King, 2009). Prioritization will allow focused network scans of the systems that hold sensitive data to be executed first.
    Plan of Action:
    People? IS Help Desk, Risk Management, Security Management, External consultant
    Procedures? Internal procedure change across internal IS teams
    Hardware? None
    Software? None
    Telecommunications? None
    Cost? Small procedure enhancement: 20-40 hours, resource loaded rate of $65 per hour.
  • 11. 5.12 Reaccreditation
    Control Objective: Management should ensure that reaccreditation of security (e.g., through "tiger teams") is periodically performed to update the formally approved security level and the acceptance of residual risk.
    Recommendation: Heartland went through the reaccreditation process for Payment Card Industry Data Security Standard (PCI DSS) certification. However, Heartland's CEO said that PCI DSS was an insufficient protective measure and that the standard for security was much higher (McGlasson, 2009). Therefore, Heartland knew that their approved security measures were subpar. What Heartland should have put in place was a team of people that looked at their security measures. That team should have gone through each step in their payment procedure and found where the risks are in that process. After the team had completed the assessment, the security level should have been updated to the correct standard.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure Teams, a team of people (e.g. "Tiger Teams") to assess the security measures
    Procedures? Update the accepted security level
    Hardware? Existing hardware
    Software? Existing software
    Telecommunications? None
    Cost? Cost of employee labor, cost of Tiger Team
  • 12. 5.13 Counterparty Trust
    Control Objective: Organizational policy should ensure that control practices are implemented to verify the authenticity of the counterparty providing electronic instructions or transactions. This can be implemented through trusted exchange of passwords, tokens or cryptographic keys.
    Recommendation: Evidence suggests a potential weakness in the fact that data must be decrypted to move from Heartland's system to Visa and MasterCard, as credit card companies accept only unencrypted data. Trusted exchange between parties is an obvious weakness; there's no telling whether that link (which might be over a telecom connection across 2,000 or so miles) can be breached. A project implementing E3, tokenization, and other methods that allow sensitive data to move through networks encrypted should be launched (Farrell, 2010).
    Plan of Action:
    People? Risk Management, Security Management, External consultant, Business Units, IS, Server Team
    Procedures? Updated procedures will result from this project.
    Hardware? Point of sale, and magnetic card reader
    Software? Enhancement of software is likely.
    Telecommunications? Recommendation
    Cost? Medium-sized project (1000-2000 hours, $50,000-$100,000). This does not include the cost to merchants for new point of sale and card readers.
  • 13. 5.14 Transaction Authorization
    Control Objective: Organizational policy should ensure that, where appropriate, controls are implemented to provide authenticity of transactions and establish the validity of a user's claimed identity to the system. This requires use of cryptographic techniques for signing and verifying transactions.
    Recommendation: The software that was planted could read and collect unencrypted data in motion (Higgins, 2009). Heartland needs to have in place a cryptographic technique so that each transaction is verified before the transaction begins. Heartland needs to have a policy in place so that the validity of a user's claimed identity can be established. They will need to update their hardware and software to allow cryptographic techniques to be used. They also need to ensure that people in the company do not share their credentials with anyone else. It doesn't matter how good your encryption is if people in your company share credentials to access a higher security level than they are assigned.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure teams
    Procedures? Create a cryptographic technique so that each transaction is verified
    Hardware? New hardware will need to be purchased if existing hardware does not support cryptographic techniques.
    Software? New software will need to be purchased if existing software does not support cryptographic techniques.
    Telecommunications? Telecommunications will need to be upgraded if they do not support cryptographic techniques.
    Cost? Cost of employee labor, new hardware, software, and upgraded telecommunications
  • 14. 5.16 Trusted Path
    Control Objective: Organizational policy should ensure that sensitive transaction data are exchanged only over a trusted path. Sensitive information includes security management information, sensitive transaction data, passwords and cryptographic keys. To achieve this, trusted channels may need to be established using encryption between users, between users and systems, and between systems.
    Recommendation: A SQL injection was used to capture data as it was being processed (Cheney, 2010). This shows that Heartland did not have trusted channels established. Heartland needs to have a trusted path for its transactions. The trusted path needs to include user-to-user communication, user-to-system communication, and system-to-system communication. Heartland needs to put in place a procedure to ensure that sensitive information is only sent over a trusted path. This will include secure telecommunications for every step in the payment process from beginning to end, and updating hardware and software to allow encryption techniques to be used.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure Teams
    Procedures? Implementation of a trusted path for secure communications including end-to-end protection of the payment process
    Hardware? Upgraded hardware as needed to ensure a trusted path
    Software? Upgraded software as needed to ensure a trusted path
    Telecommunications? Telecommunications will need to be upgraded to secure every step of the payment process
    Cost? Cost of upgraded telecommunications, upgraded hardware, upgraded software
  • 15. 5.17 Protection of Security Functions
    Control Objective: Security-related hardware and software should at all times be protected against tampering and against disclosure of secret keys to maintain their integrity. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.
    Recommendation: According to the report from Cheney, Heartland manages its data 24/7 and 7% of the information technology staff is focused specifically on security. However, Heartland needs to keep a low profile on their security design and not make it public to the whole company. The attackers gained access to the corporate network first and were able to perform many activities before gaining access to the processing network (Cheney, 2010). Heartland needs to keep their sensitive processing information separate from the corporate network to ensure integrity. Also, Heartland needs to ensure that their software is protected against tampering.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure Teams
    Procedures? Ensure that the security design is not available to the whole company and that its software and hardware are protected against tampering.
    Hardware? Existing
    Software? Existing
    Telecommunications? Ensure that security communications are kept separate from the rest of the company.
    Cost? Employee labor
  • 16. 5.18 Cryptographic Key Management
    Control Objective: Management should define and implement procedures and protocols to be used for generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure. If a key is compromised, management should ensure that this information is propagated to any interested party through the use of certificate revocation lists or similar mechanisms.
    Recommendation: The form that was used in the breach had been available for a long period of time, but the breach did not occur until 2007 (Cheney, 2010). Heartland needs to ensure that cryptographic keys are not modified or disclosed. Heartland also needs to ensure that if a key is compromised, the correct people are notified.
    Plan of Action:
    People? CIO, Director of IS, IS-Infrastructure Teams
    Procedures? Ensure that cryptographic keys are not modified and not disclosed, and ensure that if a key is compromised the information is communicated
    Hardware? None
    Software? Upgrade encryption software to include cryptographic key management
    Telecommunications? Ensure that if a key is compromised it is communicated to the correct people
    Cost? Upgraded software
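The transaction signing and verification called for under 5.14, together with the key generation, rotation and revocation called for under 5.18, sketched in one added Python example (stdlib only; not code from the slides or from Heartland). It assumes an HMAC shared-secret MAC as a stand-in for the public-key signature a production system would use, a simple revoked-key set as a stand-in for a certificate revocation list, and constructed key ids and transaction values.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


class KeyRing:
    """Hypothetical key store: generation, rotation and revocation of MAC keys."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._revoked: set[str] = set()   # stands in for a revocation list
        self.current: str | None = None

    def generate(self) -> str:
        """Create a fresh 256-bit key and make it the signing key for new transactions."""
        kid = secrets.token_hex(4)        # constructed key id format
        self._keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        """Mark a compromised key; verification must fail for anything it signed."""
        self._revoked.add(kid)
        if self.current == kid:
            self.current = None           # nobody may keep signing with it

    def key(self, kid: str) -> bytes:
        if kid in self._revoked:
            raise KeyError(f"key {kid} is revoked")
        return self._keys[kid]            # KeyError for an unknown kid


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(ring: KeyRing, tx: dict) -> dict:
    """Attach key id and MAC; the originator proves it holds the current key."""
    if ring.current is None:
        raise RuntimeError("no usable signing key; generate one first")
    key = ring.key(ring.current)
    mac = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
    return {**tx, "kid": ring.current, "mac": mac}


def verify_transaction(ring: KeyRing, signed: dict) -> bool:
    """Reject tampered fields, unknown keys and keys on the revocation list."""
    body = {k: v for k, v in signed.items() if k not in ("kid", "mac")}
    try:
        key = ring.key(signed["kid"])
    except KeyError:
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak the expected MAC.
    return hmac.compare_digest(expected, signed.get("mac", ""))
```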
5.19 Malicious Software Prevention, Detection and Correction
CONTROL OBJECTIVE- Regarding malicious software, such as computer viruses or Trojan horses, management should establish a framework of adequate preventive, detective and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response and reporting.

Recommendation: The information taken in the breach was captured as "data in transit" rather than from a stored database, which made it easier for the attackers to mask themselves from detection (Cheney, 2010). Heartland needs to have a malicious software prevention solution for data in motion. Heartland also needs to have detective and corrective control measures to protect its infrastructure. Heartland further needs to ensure that, if malicious software is detected, the correct people are notified and the occurrence is responded to.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Provide a software solution that ensures malicious software prevention and detection, including data in motion.
Hardware? Existing
Software? Upgraded software that provides malicious software prevention and detection with support for data in motion
Telecommunications? None
Cost? New malicious software protection, implementation cost
5.20 Firewall Architectures and Connections with Public Networks
CONTROL OBJECTIVE- If connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of services, unauthorized access to the internal resources and control any application and infrastructure management flows in both directions.

Recommendation: Heartland's CEO knew that they needed to move to a higher standard for security (McGlasson, 2009). Heartland needs to have firewalls in place to control any application and infrastructure management flows in both directions. Heartland not only needs to ensure that its data is protected from the outside, but also that sensitive information from the inside is not allowed to be sent outside the network.

Plan of Action:
People? CIO, Director of IS, IS-Infrastructure Teams
Procedures? Provide a firewall solution that ensures control of data flow in both directions
Hardware? Upgraded firewalls to control data flow in both directions.
Software? None
Telecommunications? Ensure that communications are controlled in both directions
Cost? New Firewalls
Summary of Recommendations
Organization and Management of Systems
New ID / Authentication Solution
Better Secure Data Practices
Increase of Security Surveillance
Encryption of Data
Creation of a Trusted Path to Move Data
"Data in Motion" Security Protection
Creation of Updated Firewall Rules
APA Sources
Heartland Payment Systems Hacked - Technology & Science - Security. (2009, January 20). Retrieved December 11, 2010, from msnbc.com: http://www.msnbc.msn.com/id/28758856/ns/technology_and_science-security/

In Re Heartland Payment Systems, Inc. Securities Litigation, Case 3:09-CV-01043-Aet-Tjb Document 25. (2009, December 7). New Jersey: UNITED STATES DISTRICT COURT - DISTRICT OF NEW JERSEY.

Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures Version 2.0. (2009, October). Retrieved December 11, 2010, from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Acohido, B. (2009, January 23). Hackers Breach Heartland Payment Credit Card System - USATODAY.com. Retrieved December 11, 2010, from USA Today: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
APA Sources (continued)
Albanesius, C. (2010, May). Inside the Biggest Online Theft Case. PC Magazine, 29(5).

Cheney, J. S. (2010, January). Heartland Payment Systems: Lessons Learned from a Data Breach. Retrieved December 11, 2010, from Federal Reserve Bank of Philadelphia: http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf

Cyprus, B. (2009, June). Wireless POS Makes Your Business More Efficient. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/Wireless_POS.pdf

Cyprus, B. (2010, January). Control Your Security, and PCI Will Follow: The four most vital actions restaurants can take to accelerate network and credit card data security. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/whitepaper2_control_your_security.pdf

Farrell, F. (2010, June 28). Once Hacked, Twice Paranoid. Forbes, 185(11), p. 50.
APA Sources (continued)
Higgins, K. (2009). Heartland CEO Provides More Details on Big Data Breach. Retrieved December 11, 2010, from http://www.darkreading.com/security/attacks-breaches/214600079/index.html

Howley, E. (2010, October). UNF Security Breach Affects More Than 100,000 IDs. Retrieved November 5, 2010, from Firstcoastnews: http://www.firstcoastnews.com/news/topstories/news-article.aspx?storyid=171731&catid=3

Johnson, A. (2010, March). Guide for Security Configuration Management of Information Systems. Retrieved December 2010, from csrc.nist.gov: http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf

King, R. (2009, July 6). Lessons from the Data Breach at Heartland. Retrieved from Bloomberg Businessweek - Special Report: http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm

Krebs, B. (2009, January 20). Payment Processor Breach May Be Largest Ever. Retrieved December 11, 2010, from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
APA Sources (continued)
McGlasson, L. (2009). Lawsuit: Heartland Knew Data Security Standards Were 'Insufficient'. Retrieved December 11, 2010, from bankinfosecurity: http://www.bankinfosecurity.com/articles.php?art_id=1834

Metzger, T. (2010, February 2). How Tokenization Works. Retrieved December 11, 2010, from Merchant Account Guide: The Merchant Account Experts: http://www.merchantaccountguide.com/merchant-account-news/how-tokenization-works.php

Our Technology. Payment & Transaction Processing for Merchant Accounts. (n.d.). Retrieved November 5, 2010, from Heartland Payment Systems: http://www.heartlandpaymentsystems.com/Technology/

UNF - President's Office - Strategic Plan 2009-2014. (n.d.). Retrieved November 5, 2010, from University of North Florida: http://www.unf.edu/president/Strategic_Plan_2009-2014.aspx

Vijayan. (2009, August 17). U.S. Says SQL Injection Caused Major Breaches. Computer World.