Wow! Another retail/credit card breach, potentially 100 million credit cards at risk, as reported here:
Heartland Payment Systems, a credit card processor, announced today, January 20th, that up to 100 million credit cards may have been disclosed in what is likely the largest data breach in history.


Until we know more, it probably isn't fair to discuss the PCI compliance angle. But what initially struck me about this is that the last few really big retail security breaches have all involved malware being planted in the retailer's or processor's network. This software, after capturing card data, has to send it somewhere, through some communications channel. To me the really obvious key questions are:

1) How did this software end up on the network?
2) How do we stop this from happening in the future?

The less obvious question is why didn't they spot this sooner? Presumably these attackers have to send the valuable data they are stealing out of the processor's network, else it is worthless. Richard Bejtlich wrote a terrific book, Extrusion Detection, that is a pretty thorough analysis of how to use Snort and other tools to look at outgoing (to the internet) data flows and spot anomalous behavior that is usually indicative of a security problem, whether involving people or technology. Sure, it would be better to figure out how to stop this stuff from getting onto one's network in the first place. But putting an extrusion detection capability in place as a tripwire would be of great benefit in limiting the scope and duration of attacks like this.
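One way to build the kind of outbound tripwire described above, as an added example (not code from this post or from Extrusion Detection): it aggregates constructed flow records leaving an assumed card-processing segment and flags outbound transfers to destinations that are not known settlement partners or that exceed a volume baseline. The address ranges, partner list, baseline and sample flows are all assumptions.

```python
"""Extrusion-detection tripwire over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict

# Assumed: the card-processing segment and the processor's own internal ranges.
CARD_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the only external endpoints card data should ever flow to (acquirers/banks).
KNOWN_PARTNERS = {"198.51.100.10", "198.51.100.11"}
# Assumed: per (host, destination, port) daily outbound byte baseline.
BASELINE_BYTES = 5_000_000

# Constructed NetFlow-style records: (src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("10.20.1.15", "198.51.100.10", 443, 2_000_000),   # normal settlement traffic
    ("10.20.1.15", "198.51.100.11", 443, 1_500_000),
    ("10.20.1.22", "203.0.113.77", 443, 48_000_000),   # unknown host, large upload
    ("10.20.1.22", "203.0.113.77", 443, 12_000_000),
    ("10.20.1.40", "10.20.2.5", 1433, 900_000_000),    # internal DB traffic, not outbound
    ("10.20.1.31", "192.0.2.200", 21, 300_000),        # small FTP session to unknown host
]

def is_outbound(src, dst):
    """True if the flow leaves the card segment for a non-internal address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in CARD_SEGMENT and not any(d in net for net in INTERNAL_NETS)

def find_suspicious(flows):
    """Aggregate outbound bytes per (src, dst, port); return sorted (src, dst, port, total, reasons)."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if is_outbound(src, dst):
            totals[(src, dst, port)] += nbytes
    findings = []
    for (src, dst, port), total in sorted(totals.items()):
        reasons = []
        if dst not in KNOWN_PARTNERS:
            reasons.append("destination not a known partner")
        if total > BASELINE_BYTES:
            reasons.append(f"{total} bytes exceeds baseline of {BASELINE_BYTES}")
        if reasons:
            findings.append((src, dst, port, total, reasons))
    return findings

if __name__ == "__main__":
    for src, dst, port, total, reasons in find_suspicious(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:{port} ({total} bytes): {'; '.join(reasons)}")
```

In practice the baseline would come from observed history per host rather than a constant, and the partner list from the processor's connectivity records.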

Jim