Tuesday, January 27, 2009

Data Breaches: Heartland Payment Systems ...Is There An End In Sight?


On January 20, 2009, Heartland Payment Systems (Princeton, NJ) reported what promises to be the largest data breach in history to date. For those of you who are not aware of Heartland Payment Systems or their core business, they are a payments processor. One might ask why this is important given that breaches and disclosures occur with an eerie frequency. I believe it's important for two reasons (though I am not limiting myself to these):


  1. The size of the breach, and its subsequent weight, warrant its being deemed and considered 'important', especially given the nature of the data and the business in which Heartland is involved

  2. The nature of the alleged perpetrators warrants its being deemed important, as this further underscores what many in the information security research community have been asserting for quite some time: that the motive for enterprise / system compromise has changed, and so too have the players involved (a 'global cyber fraud operation')

I am not surprised by the fact that the breach occurred. I am surprised that, in the age of regulation and compliance (especially in the financial industry), adequate measures were not taken to establish the risk posture before said breach occurred. It is, of course, speculation on our part to assume that said measures were not undertaken (PCI DSS 2.0 anyone?); however, in light of the breach the logical conclusion is that either the measures leveraged were insufficient (good enough security simply not being good enough) or that the level of sophistication associated with the exploit superseded the mitigating controls in place within the enterprise, be they located on the host or elsewhere on the network. Just who and what this 'global cyber fraud operation' is has yet to be determined and / or disclosed, but regardless of who they are it is important to note that their activity was not indiscriminate, and that their potential to profit from the compromise was worth the risk associated with their potential apprehension. Regardless of what occurred, the end result is that Heartland, a well respected entity in its industry, has reported a breach. According to Robert H.B. Baldwin Jr., Heartland's president and CFO, they believe the breach is contained and are co-operating with the US Secret Service and Department of Justice. Heartland asserts that no merchant data or cardholder Social Security Numbers, unencrypted personal identification numbers (PINs), addresses or telephone numbers were involved in the breach. This is a good thing; however, only time and due diligence (along with the contracted services of forensics experts) will tell the tale in the end. Additionally, it is assumed that none of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms were involved. Heartland immediately took a number of steps to further secure its systems.
In addition, Heartland will implement a next-generation program designed to flag network anomalies in real time and enable law enforcement to expeditiously apprehend cyber criminals.


Heartland's breach is of course not unique, but it should serve as a reminder that 'good enough' security is often simply not good enough, and that there is no substitute for a defense in depth strategy executed against a well articulated and exhaustively tested risk-based framework.

Monday, January 26, 2009

Housekeeping -- A Note From the Team


Apologies on behalf of the team here for the delays between posts. Much has been underway here at 'Not Another S3CUR1TY Blog', and much good is to come of it. Look for entries coming soon on profiteering from the threat landscape, the revolution of evolutionary ideas in malware, breaches and the lack of technological involvement needed to make them succeed, and a host of other compelling features, commentaries and yarns. Additionally, look for featured contributors and guest authors to come!

10 Tech People You Should Know -- Networkworld January 5, 2009

Earlier this month Network World posted a supplemental article titled “Ten Tech People You Should Know” -- http://www.networkworld.com/supp/2009/outlook/010509-tech-people-to-know.html?page=4

This list brought together an impressive group of industry leaders, shapers, dreamers and thinkers. It included:

John Chambers, CEO, Cisco Systems
Paul Maritz, CEO, VMware
Mike Neil, General Manager of virtualization strategy, Microsoft
Steven Sinofsky, Senior Vice President of the Windows and Windows Live engineering group, Microsoft
The Google triumvirate: Eric Schmidt, CEO; Larry Page, president of products; Sergey Brin, president of technology
John Lilly, CEO, Mozilla
Sheryl Sandberg, COO, Facebook
Joshua Corman, principal security strategist, IBM Internet Security Systems division
Amit Jasuja, vice president of product development for identity management, Oracle
Kenneth Brill, executive director, Uptime Institute

Some of these people are quite familiar, others less so, though no less important by virtue of their inclusion on this list. Josh Corman falls into this latter category. Many in the industry, and no doubt several reading this blog today, do not know who Josh is or why he’s on this list. I encourage them all to get to know Josh’s work and name, as they’ll be seeing more of both to come. I know Josh both personally and professionally. In fact, he’s not only my friend but a trusted confidant and sounding board for ideas. He’s dedicated, articulate, and sincere in his work and relationships. Josh and I first became acquainted while in the employ of Internet Security Systems (ISS), now IBM Internet Security Systems, where Josh still works. We quickly became friends and close colleagues, and I’m proud of his achievement, as I believe he’s worked diligently to arrive in this position. It’s an honor to be nominated and included amongst such names in the industry; it is, I imagine, both humbling and exhilarating. Josh and I spoke about his inclusion on the list, and I wanted to publicly give him the credit he deserves and say job well done. Josh, you deserve it and I couldn’t be happier for you! Keep up the good work; the industry needs more folks to take up the charge and challenge that which is considered the ‘standard’ in order to ensure that we faint not in our endeavors and struggles to secure ourselves and our futures. Kudos Josh!

For more on some of Josh’s work see the following link:

http://www.networkworld.com/news/2008/050108-interop-dirty-security-secrets.html

NEW BLOG!!!

We've changed the name of the blog! It's no longer Veritas et Aequitas; however, we still think that is a cool statement and may use it in some other capacity later. The spirit behind that name will live on here, but we felt it needed to go because:

  1. That name is too hard for people to remember
  2. It sounds like a religious blog
  3. It sort of sucks
  4. People don't speak Latin regularly anymore and if mistyped it takes you to a video game site

That said, the new name is 'Not Another S3CUR1TY Blog' and we dig it; we're hoping you do as well. The goal of this blog is to provide fresh insight into the information security, risk management and threat landscapes while ensuring the highest degree of integrity and professionalism. That doesn't mean there isn't room for humor and / or interesting observations, which your author(s) will no doubt interject from time to time. As this is the 'kick off' entry, and in the spirit of newness and a fresh start, we're keeping it short and sweet, with the intent being that we'll have lots to discuss and comment on in 2009 and beyond!