Old 01-25-2009, 12:09 PM   #13
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
Hi, I do InfoSec for a living

Hello,

I can tell you that they wanted to bury this under the Obama-mania.

This is a big deal, and it is because EVERY major set of regulations mandates version checking and proper change management for critical systems.

In other words, PCI-DSS, HIPAA, and other regulations (specifically the DODi 8500.1 and DODi 8500.2 overarching IA ones for government systems, and the DNS, UNIX, and Active Directory STIGs for DOD systems) specify that:

1. Every piece of data coming into the network needs to be examined.
2. The integrity of the systems doing the processing needs to be checked using third-party tools such as Tripwire (7.5V works for Windows, Linux, and third-party platforms, and does send changes in real time). This extends to systems that are in any way, shape, or form involved in the processing of data, and many people do not understand that.
3. There needs to be multiple layers of protection at the host and network levels, using multiple layers of IDS/IPS systems, anti-virus (yes, these are available for Linux and UNIX), log analysis and correlation from multiple devices (again, if you cough up enough $$$ to IBM Global Services, Symantec, TriGeo, Quest or McAfee, they will provide you this), and the staff to handle this.
4. The staff to monitor and handle these logs, plus Job Rotation, is mandated by almost every major security best practice out there.
5. The fact that a third-party firm found this, rather than internal discovery, means that the internal staff which should have been checking this 24/7 didn't.
6. The fact that they didn't have a date as to when this was done shows that they weren't doing integrity checking on their critical systems.
7. The fact that they apparently aren't checking ports & protocols for incoming and outgoing traffic shows that they don't even know if the traffic is going to the Russian Business Network or not. This is really bad! If you're in this business, you know who your partners are, and you only allow the ones you need to do business with inside. Even then, you check every damn packet going in or out, and the integrity of the systems themselves. There's a reason why every major critical system whose security I am in charge of that has access to the outside world has IBM ISS, Tripwire, and a full Ports & Protocols workup for outgoing and incoming traffic done.
8. Don't even get me started on their apparent lack of ability to patch. Most of these breaches are caused by known public security holes that companies don't properly patch against, or assume that firewalls and NAT will protect against.
9. If the documentation for changes isn't there, they're dead. PCI-DSS mandates this too as part of the change management process.

If they processed Government payment cards in any way, shape, or form, it could be game over for them. GSA may see them for not following PCI-DSS regs, and put out a 2-sentence ruling that will kill their business.

I would not want to be Heartland Payment Systems now. I would want to be the competition or the third-party Audit Firm which will be brought in to remediate the situation (probably Deloitte).
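The integrity checking the post keeps coming back to (points 2 and 6) is worth seeing in miniature. The following is an added example, not code from the post or from Tripwire: a host file-integrity check that takes a MAC-protected baseline of a directory tree, re-checks it later and reports what was added, removed or modified, bracketing every change between two timestamps. The directory layout, file contents, intrusion scenario and the key name BASELINE_KEY are all constructed for the demo.

```python
"""Added example (not from the post, not Tripwire's code): minimal signed
file-integrity baseline and check. Sample tree and key are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
import time

# Assumption for the demo: the MAC key is held off-host (on the monitoring
# server), so an intruder who can rewrite files cannot also rewrite the baseline.
BASELINE_KEY = b"demo-key-kept-off-host"


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Hash, size and permission bits of every regular file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            files[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return {"taken_at": time.time(), "files": files}


def sign_baseline(snap):
    """Serialise the baseline and MAC it so baseline tampering is detectable."""
    body = json.dumps(snap, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()}


def load_baseline(signed):
    """Verify the MAC before trusting a stored baseline; refuse it otherwise."""
    expected = hmac.new(BASELINE_KEY, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("baseline integrity check failed: refusing to use it")
    return json.loads(signed["body"])


def check(root, signed_baseline):
    """Diff the tree against the baseline. Any change reported here happened
    between baseline_at and checked_at, which is exactly the date the post
    says the breached company could not produce."""
    old, new = load_baseline(signed_baseline), snapshot(root)
    old_f, new_f = old["files"], new["files"]
    return {
        "baseline_at": old["taken_at"],
        "checked_at": new["taken_at"],
        "added": sorted(set(new_f) - set(old_f)),
        "removed": sorted(set(old_f) - set(new_f)),
        "modified": sorted(p for p in set(old_f) & set(new_f) if old_f[p] != new_f[p]),
    }


def demo():
    """Constructed scenario: baseline a tree, then simulate an intrusion that
    edits a config, drops a binary and deletes a log."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var/log"))
    with open(os.path.join(root, "etc/app.conf"), "w") as f:
        f.write("listen=443\n")
    with open(os.path.join(root, "var/log/app.log"), "w") as f:
        f.write("started\n")
    baseline = sign_baseline(snapshot(root))
    with open(os.path.join(root, "etc/app.conf"), "a") as f:
        f.write("debug_dump=/tmp/cards\n")          # config tampered
    with open(os.path.join(root, "sniffer"), "wb") as f:
        f.write(b"\x7fELF...")                        # new binary dropped
    os.remove(os.path.join(root, "var/log/app.log"))  # evidence removed
    return check(root, baseline)


def demo_tampered_baseline():
    """An intruder who edits the stored baseline to hide a change is caught by the MAC."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "a"), "w") as f:
        f.write("x")
    signed = sign_baseline(snapshot(root))
    signed["body"] = signed["body"].replace(b'"size": 1', b'"size": 2')
    try:
        check(root, signed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the hashing itself: the baseline is MAC-keyed with a secret that is not on the monitored host, because a baseline the intruder can rewrite detects nothing; and the report carries both timestamps, because "what changed" is only half the answer an auditor or regulator wants, the other half being "when". A production tool would also exclude expected-volatile paths and ship results to a separate log system, as the post's point 3 demands.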