
Monday, December 21, 2009

2009: A look at the top security incidents of the year

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, CISSP, CISM, CISA, PCI QSA and Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, PCI QSA

When we look back on the past year, one thing is certain: breaches and security incidents just keep getting bigger.  Now that we’re at the end of 2009, we’ve come together to discuss the incidents in the security industry that stood out the most to us.  If you have others to add, just leave a comment below.

  1. Heartland Payment Systems, the sixth biggest payment processor, became the target of the largest-scale credit card security breach. This breach sits at number 1 on our list of top security impacts for the year.

The numbers are simply staggering – 130 million records were compromised.  Heartland has had more than 30 lawsuits filed against them as a result of the breach; and about 700 banks announced losses as well.

The good news, though, is that Heartland piloted their end-to-end encrypted solution for payment systems this year.  Heartland’s new tamper-resistant security module terminal is meant to stop hackers from sniffing data beginning at the point of sale until it reaches the end point at the payment processor. This proves that within every cloud there is a business opportunity.

  2. Cloud-based systems are growing, and organizations are increasingly interested in decreasing their own IT complexity and costs by using software, storage or services in the cloud. The cloud is increasingly in the news as Internet speeds increase and organizations look to the opportunity to reduce costs. The reality of securing infrastructure that you don’t own, which might be shared and is possibly located in a country with different laws and regulations, opens up a hitherto unimagined complexity.  Organizations such as the Cloud Security Alliance and the Jericho Forum are now at the forefront, promoting the use of best practices for providing security assurance within cloud computing.
  3. Albert Gonzalez was indicted for his role in the Heartland and Hannaford breaches.  Gonzalez and 10 others are allegedly responsible for the security breaches at TJX, OfficeMax, the Dave & Busters restaurant chain and other companies.

These hackers did not exactly use cutting-edge hacking techniques; the breaches were perpetrated by exploiting well-known vulnerabilities. The thefts occurred over a period of time using malware installed on the corporate network.

Speaking of oldies but goodies, SQL injection wins top place as the attack that has resulted in more compromised payment card data than any other. The struggle to bring some kind of order to applications and patching is continuous and ongoing.

  4. 2009 increasingly brings to mind spaghetti. Increasingly disparate networks with vanishing perimeters, and devices of unknown security plugging into the corporate network, create a complex mesh of dangerous security spaghetti.  We see an increasing use of network access control and encryption.

Contrary to what some security vendors claim, however, there is no instant fix.  The desire for functionality and cost reduction is currently outpacing security knowledge and processes. It is true that we can’t create a world without risk, but in an increasingly interconnected world the stakes are becoming higher.

Much of the computing infrastructure in place today is designed for functionality, on systems where no security was originally designed in.  Often, acceptable business risk is applied to the uncontrolled environment that most businesses function in, because the cost and complexities of securing infrastructures are regarded as outweighing the cost of doing business.

This is a questionable equation that companies are making and not one that the FTC agrees with.  The FTC has taken action by claiming that organizations have engaged in unfair practices in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and this was the action taken against TJX. In 2009 there has been an increasing number of regulations, including the groundbreaking Massachusetts law, Standards for The Protection of Personal Information of Residents of the Commonwealth. Government is attempting to legislate companies into understanding that accepting or processing personal information is a position of trust, and that it is never an acceptable risk to treat confidential data without securing it appropriately.

  5. No list of 2009 security incidents could be complete without giving bots a mention. Conficker was in the news in early 2009. Conficker has more than seven million computers now under its control—government, business and home computers in more than 200 countries, according to the New York Times.

Conficker downloads a virus that warns the computer user that their computer is infected by a harmful computer virus and requires the faux anti-virus software Spyware Protect 2009, which costs $49.95. The user’s credit card information is stolen and the new program goes on to perform more mischief on the user’s computer. No other bot achieved the notoriety that Conficker did, and the bot actually featured in the evening news. There are many other bots that are perhaps more damaging, such as Torpig, which is believed to be a “malware service” accessible to third parties for a fee, but the crown of notoriety remains with Conficker. Not bad for some malware that was exploiting a vulnerability that Microsoft released a patch for on October 23rd, 2008.

To paraphrase Bruce Schneier, once a security issue has hit the news it really isn’t worth worrying about. The biggest risks lie in the areas that have not been subject to the same level of scrutiny as the very public security breaches involving credit card data.

Will 2010 bring new types of security woes?

It is worth noting that Brazil’s power companies just got hit in November 2009, which cast the city into darkness for two days. The increasing IP enablement of critical networks is opening us up to new risks. These include the possibility of security vulnerabilities in computer networks that could allow passengers to access the plane’s control systems, and the ability to affect flight control systems, power, water and military systems. It is still the very, very early era of cyber terrorism.