SecureWorks - On the Radar Newsletter - April 2008
Ask the Expert: Erik Petersen on PCI and the Hannaford Breach
Last month, the disclosure of a data breach at supermarket chain Hannaford Brothers made headlines throughout the security industry. So far, the breach has been linked to at least 2,000 known cases of credit card fraud. Erik Petersen, VP of Professional Services at SecureWorks, discusses the incident in the context of the Payment Card Industry Data Security Standard (PCI DSS).
Was Hannaford compliant with the PCI Data Security Standard when they were breached?
EP: According to their spokeswoman in this article, Hannaford was certified as being PCI compliant "as recently as February." Does that mean they were compliant when they were breached? No, it doesn't, and that's an important distinction that's been overlooked in many of the news reports you'll read about the incident. The attestation that companies receive after they successfully go through the PCI audit and certification process only validates their compliance at that point in time – it's a snapshot that says "Yes, you're compliant right now, at this moment." Two weeks from now, who knows? Business networks are dynamic. Your firewall admin could make an ill-conceived rule change that opens the floodgates five minutes after you pass your latest quarterly PCI scan. Are you still compliant then? Of course not.
If it turns out that Hannaford was compliant, what sort of impact will this have on the PCI Data Security Standards?
EP: If Hannaford was compliant at the time of the breach, I believe that the breach may indicate some kind of gap in the PCI standard. Perhaps this breach shows that a new control area needs to be added to PCI DSS. Ultimately, the card brands run a good compliance program, but PCI is just a standard – not a panacea that eliminates all security risk. PCI has resulted in better security for many merchants and service providers, but it isn't perfect and there will always be room to make it better. There will always be breaches of compliant organizations, no matter how the DSS is written. The PCI Security Standards Council has done a good job of improving the standard over time. They have a tough job. In the marketplace there's a bad tendency to equate being compliant to being absolutely secure, rather than reasonably secure. I think this is a side effect of standards in general, in that some people assume that if they're 100% compliant, they're going to be 100% secure, which isn't true by any means.
How does the Hannaford breach compare to the TJX breach?
EP: The TJX incident had a ripple effect and ended up costing a lot of money for the banks who had to reissue cards and clean up a lot of the mess. To avoid being sued by the issuing banks, TJX agreed with Visa to pay $40 million to cover some of the costs. Considering the TJX breach reportedly involved about 100 million card accounts and total cost estimates for reissuing cards can be up to $30 per card, $40 million seemed like a good bargain for TJX. And despite all of the news focus on the breach, TJX is still standing and people are still spending money at their stores.
It looks like Hannaford is going to be similar in that they're going to experience some initial losses and maybe some fines or lawsuits, while issuing banks will have to shoulder much of the cost to re-issue cards to the people who were affected. And just like TJX, people will continue to shop at Hannaford's grocery stores. It will be interesting to see what sort of fines or payments Hannaford will end up having to make to satisfy the card brands and issuing banks.
Will the PCI Safe Harbor provisions stand?
EP: The Safe Harbor provisions, which are part of Visa's Cardholder Information Security Program (CISP), could protect Hannaford from fines and some liability, but it depends on how the forensic investigation of the breach turns out. If they were really PCI compliant at the time of the breach – and that's a big "IF" – then our understanding of the Safe Harbor provisions suggests that there is some protection for Hannaford.
There's some debate about how much protection the Safe Harbor provisions would really provide in a situation like this. Safe Harbor is specific to Visa, so unless MasterCard, American Express and other card brands choose to honor the provision, Hannaford could face fines and penalties from them. Plus, Safe Harbor is technically subject to Visa's discretion. This means that even if Hannaford was PCI compliant at the time of the breach, there's no guarantee that Visa won't penalize them.
What should other merchants learn from the Hannaford breach?
EP: Based on the reports I've seen, which may or may not be accurate, nearly all of their stores' servers were infected with malware that sniffed unencrypted card numbers as they were coming from the POS systems. At this point, no one has reported how the malicious software got there in the first place.
I don't know anything about Hannaford's security infrastructure and the controls they may have had in place to protect against an attack like this. But I do believe that a well-managed defense-in-depth security program, with multiple layers of security controls like firewalls, intrusion detection and prevention systems, log monitoring, and antivirus in addition to sound policies and procedures should most likely have prevented the initial attack that installed the malware on the servers – or at least alerted Hannaford's security team that they had been infected so they could minimize the breach. End-to-end encryption also seems to be something that should have helped Hannaford avoid this breach based on the reports that have surfaced so far.
There's also the need for merchants to start looking harder at applications, particularly payment applications, and the Point of Sale (POS) systems that handle card data outside of the network. Many newer POS systems support end-to-end encryption, which might have prevented the malware in the Hannaford breach from being able to gather card numbers by sniffing network traffic. Hannaford would still have a problem on their hands with infected systems on their network, but at least the card data would be safe.
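The exposure Petersen describes, card numbers crossing the store network in the clear where a sniffer can read them, is something a merchant can check for on its own POS segment before an attacker does. The detector below is an added example, not SecureWorks code or anything from the Hannaford investigation: it scans a captured payload or log line for Luhn-valid PANs, reports them masked, and shows that the same message with the PAN field encrypted at the terminal produces no hit. The message layout, field names and samples are constructed.

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# as a cleartext PAN appears in a POS message or an application log line.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking for alert output: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> list:
    """Return masked PANs found in one unencrypted payload (for example a TCP
    segment captured on the POS segment, or a log line). Binary framing bytes
    are decoded as-is so an ASCII PAN field between them is still seen."""
    text = payload.decode("ascii", errors="replace")
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample messages; 4111111111111111 is a public test card number.
CLEARTEXT_MSG = b"\x02TXN|0042|PAN=4111111111111111|EXP=1209|AMT=001999\x03"
LOG_LINE = b"2008-03-01 12:00:01 auth 4111-1111-1111-1111 approved ref 1234567890123"
# The same message with the PAN field encrypted at the terminal (value is a placeholder).
E2EE_MSG = b"\x02TXN|0042|PAN=ENC:8f1c2e9a0b4d7e6f3a5c|EXP=1209|AMT=001999\x03"

if __name__ == "__main__":
    for name, sample in [("cleartext", CLEARTEXT_MSG), ("log", LOG_LINE), ("e2ee", E2EE_MSG)]:
        print(name, find_cleartext_pans(sample))
```

The 13-digit reference number in the log line is rejected by the Luhn check, which keeps the alert rate manageable on real traffic.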
Erik Petersen is SecureWorks' VP of Professional Services. Erik is a risk management and IT control expert. He has led teams and built professional consulting practices that specialize in applying sound risk management and information security best practices for organizations seeking to manage their business risks. He has over 18 years of experience in technology and security. Mr. Petersen has extensive experience in strategic consulting, compliance, technology integration and implementation, security architecture, and IT controls, and is the inventor on 3 patents pending. Mr. Petersen graduated magna cum laude from Brown University.
Jon Ramsey on RSA 2008
Last week I attended the RSA Conference, the largest information security conference in the world. Alan Turing was the conference mascot and the question "what would Turing do" was frequently asked. Turing was a brilliant computer scientist, considered the father of modern computing, who was capable of seeing the math in everything and envisioned an age when machines would be as intelligent as humans. He devised what is known as the Turing test, used to gauge the capabilities of artificial intelligence. We've all taken Turing tests; they're used to guarantee that a human is on the other end of an application or communication stream. For example, when you register for a Gmail account you see an image that is obfuscated in a way that only humans can decipher; this is called a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Therefore, if the text in the image is read and correctly entered, there must be a human on the other screen reading it. This is an example of a Turing test.
For more information: http://en.wikipedia.org/wiki/Captcha
The theme of the keynote presenters seemed to be a call for information-centric security. I think this is appropriate considering they were presenting at a conference hosted by a company that was founded by (and named after) cryptographers who invented the most widely used asymmetric encryption algorithm (RSA) today. Cryptography has always served the purpose of two of the three premises of the information security triad - confidentiality and integrity (the third being availability which, it could be argued, cryptography inhibits). The need to protect information should not obviate the need to continue to protect the infrastructure. We are dependent on the infrastructure for the storage and transit of information and need to protect it.
Compared to last year there appeared to be fewer Network Admission/Access Control (NAC) vendors, fewer Data Loss Prevention (DLP) vendors and fewer Network Behavior Analysis (NBA) vendors. The newest technology based on an old idea is application whitelisting. Application whitelisting changes the logic used by many endpoint security solutions which today allow everything and deny the known bad. Instead application whitelisting denies everything and allows the known good. In an age where more malware is created than legitimate software it makes sense to invert the logic.
Virtualization and its role in security was another theme of the conference, in particular virtualization enabling the consumerization of information technology. Gartner believes that as future generations enter the workforce they will expect a high level of access and functionality as part of their work computing environment. Virtualization on the desktop enables business to provide an image that executes in a virtualized desktop on a device that is administered by the users. Server virtualization was raised as a security concern, as the security of hypervisors has not yet been vetted by security researchers. Recently, a vulnerability was discovered that allowed a guest operating system to infect the host. Enterprises are rushing to virtualization by consolidating information assets on fewer pieces of hardware in order to reduce data center costs. The more pervasive a technology becomes, the larger a target it becomes to the criminal community. Virtualization will eventually be used by hackers to rootkit a machine by taking the running operating system and slipping it into a virtualized environment.
Jon Ramsey, SecureWorks' Chief Technology Officer, is an information security expert with policy-making responsibility at SecureWorks in Atlanta, GA. Ramsey has 10 years of hands-on experience at every level: system administrator, software engineer, analyst, security penetration specialist and senior engineer. Prior to joining SecureWorks, Ramsey worked for the Computer Emergency Response Team (CERT), Siemens, and the University of Pittsburgh. Ramsey earned a Master's degree in software engineering from Carnegie Mellon University and a BS in computer science from the University of Pittsburgh. He is a member of IEEE and the Association for Computing Machinery (ACM).
Web Search Index Poisoning
Description
In this architecture the attacker has established a set of compromised machines that host websites containing popular search words, links to one another and malicious code. When a user searches for a popular term via a search engine, the malicious website will be returned to the user high in the search results. The popular ranking is due to the large number of links on the site. Finally, the user clicks on the link and browses to the web site serving malicious code.

Objectives
To infect as many systems as possible with malicious code, which is often used to collect and transmit sensitive data (such as credit card numbers or account credentials) that can be used for financial gain.
Trust Model
Several trust relationships in this architecture are exploited. The search engine's indexer trusts that the sites it is indexing, which are actually hosted on the botnet, are not compromised and carry legitimate content. When users receive the search results, they trust that the search site would never send them a link to a malicious page, and/or that a page ranked so highly must be safe (because it is so popular, after all).
Strengths
Ability to detect: 4 of 5 (Easy to detect) This activity can be detected when the indexer analyzes the page; the indexer can also look for links to malware. It can also be detected when the user browses to the page hosted on the botnet or on some other server. The malware can be detected as it is being downloaded from the website, and again when it attempts to execute or when the browser compromise is attempted.
Ease: 4 of 5 (Hard to create) It is fairly costly for the attacker because many different web servers are required to get a high rating in web indexes.
Weaknesses
The biggest weakness in this architecture is the complexity of configuring the botnet. Furthermore, in order for this trick to work, it must be highly visible, which makes it very easy to detect. Additionally, many of the more popular search engines, such as Google, have recently begun "cracking down" on unscrupulous tactics designed to manipulate search results and page rankings by hackers and deceptive web marketers. This has made it more difficult for this sort of attack to be carried out as effectively.
Detection Points
This attack can be detected at the server, by checking the hosted pages for malicious code and for content that has changed; at the client, before the code is executed; or at some point in the network between the two.
Prevention Points
In order to protect the client, use a reverse proxy with URL content filtering to filter out known bad sites, and network intrusion prevention to filter malicious JavaScript and exploits aimed at the web browser and its helper applications.
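The server-side detection point above (malicious code on the pages, or pages that have changed) can be implemented as an integrity check of the served pages against the hashes recorded at deployment, combined with a scan of the hosts each page links or loads scripts from, which is also what an indexer checking for malware links would do. The script below is an added example and not part of the newsletter; the site, the allowlisted CDN host and the blocklisted host are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class RefExtractor(HTMLParser):
    """Collects the hosts named in script/iframe src and anchor href attributes."""
    WANTED = {"script": "src", "iframe": "src", "a": "href"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = urlparse(value or "").hostname if name == self.WANTED.get(tag) else None
            if host:  # relative links carry no host and are skipped
                self.hosts.add(host.lower())

def build_baseline(pages: dict) -> dict:
    """Hash every page as deployed; keep the result off the web server."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in pages.items()}

def audit(baseline: dict, served: dict, trusted: set, known_bad: set) -> list:
    """Return (path, finding) pairs for pages that changed or appeared, and for
    references to a blocklisted host or to a host outside the allowlist."""
    findings = []
    for path, body in served.items():
        if path not in baseline:
            findings.append((path, "new page not in deployment baseline"))
        elif hashlib.sha256(body).hexdigest() != baseline[path]:
            findings.append((path, "content differs from baseline"))
        parser = RefExtractor()
        parser.feed(body.decode("utf-8", errors="replace"))
        for host in sorted(parser.hosts):
            if host in known_bad:
                findings.append((path, "link to known-bad host " + host))
            elif host not in trusted:
                findings.append((path, "link to unlisted host " + host))
    return findings

# Constructed sample: the deployed site and the same site after an attacker appended
# a hidden iframe to one page; host names are placeholders, not real indicators.
DEPLOYED = {
    "/index.html": b"<html><body><a href='/about.html'>About</a>"
                   b"<script src='https://cdn.example.com/app.js'></script></body></html>",
    "/about.html": b"<html><body><p>About us</p></body></html>",
}
SERVED = dict(DEPLOYED)
SERVED["/index.html"] = DEPLOYED["/index.html"].replace(
    b"</body>", b"<iframe src='http://bad.example.net/x.html' width=0 height=0></iframe></body>")
```

Running `audit(build_baseline(DEPLOYED), SERVED, {"cdn.example.com"}, {"bad.example.net"})` reports the changed index page and its link to the blocklisted host, while the untouched about page produces nothing.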