Meet the Bloggers

Vaune Carr, Principal Consultant, BT Global Services

Rob Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

Jill Knesek, Chief Security Officer, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

Ben Rothke, Senior Security Consultant, BT Global Services

Pete Russo, Senior Marketing Manager, BT Global Services

Bruce Schneier, Chief Security Technology Officer, BT Global Services

Ray Stanton, Global Head of BT’s Business Continuity, Security & Governance Customer Capability Unit

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services


Posts tagged Heartland

Tuesday, June 8, 2010

What do you do when a security breach occurs?

By Pete Russo, Senior Marketing Manager, BT Global Services

Today I read an interesting article in Information Security Magazine that urges companies to share information when a security breach occurs.  As cybercriminals continue to become increasingly sophisticated, organizations have become more skittish about being forthright with information following a breach.  This not only ties the hands of companies that are working hard to fight cybercriminals; it also adds to the criminals’ arsenal.

To help convince your CEO and legal department not to cover up a breach but rather to work with law enforcement if a criminal act has occurred, Information Security Magazine offers the following three points:

1.  Reduced legal fees

It’s becoming increasingly clear that you can’t hide a significant data breach from law enforcement or the public; eventually they will find out.  And the more roadblocks you put up trying to cover up the breach, the more subpoenas you will have to fight, which only increases the resources, time and legal fees spent, resources that could instead be put toward catching those responsible for the attack.  In the credit card heists by hacker Albert Gonzalez that involved TJX and Heartland Payment Systems, organizations that spent resources to conceal their identity were eventually forced to reveal who they were when the case reached the criminal courts.  Trying to conceal the compromise likely ended up costing more in the end.

Instead of fighting to conceal your identity for as long as you can, consider how to get in front of a data breach by viewing law enforcement as a partner instead of an enemy.  It is a far better strategy to have your legal team prepped on how they can work with law enforcement, while putting measures in place that are sensitive to the needs of your business as you cooperate.

2. Lower forensic investigation costs

Because cybercrime gangs use the same tactics against multiple companies, law enforcement may already know more about how the attackers got into your system than the forensic team you bring in.  By cooperating, you can save time and resources right away and obtain valuable intelligence for your forensic team, so they know where to begin looking or how to adjust their tooling.  That information helps you strengthen your network or mitigate the problem faster.

3.  It’s the right thing to do

We all need to work together to fight organized cybercrime.  The longer an organization stays silent, the more time and opportunity the cybercriminals have to use the same tactics against another organization.  Not cooperating only increases their profit margin, which they re-invest to become better at attacking us.

Data breach victims not coming forward is akin to a neighborhood riddled with gang crime and no witnesses.  We end up watching helplessly as the community continues to be terrorized.  As we watch these hacking rings get into multiple systems, many feel the effect when one victim decides not to cooperate.  By not cooperating, you hurt the greater community.

Are there other points that you raise to your CEO when a breach occurs?  Please drop us a comment and let us know.

Thursday, April 1, 2010

Does the Punishment Fit the Crime? The Sentencing of Albert Gonzalez

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

Albert Gonzalez was sentenced on Thursday, March 25, to two concurrent 20-year sentences for the TJX and Dave & Buster’s attacks, and on Friday, March 26, to another 20 years (also concurrent) for the Heartland case.  The Federal Government’s recommendation to the two District Court judges was 25/20/25 years, respectively, so the judges clearly adhered closely to those suggestions.

The scale of Gonzalez’s crimes was certainly unprecedented, and given the magnitude of the crimes, the size of the damages, and the willful intent exhibited by Gonzalez and his associates, Federal sentencing guidelines would have tolerated a recommendation of life imprisonment.  Without the plea bargain, prosecutors likely would have pursued that kind of sentence.

The question, however, is not whether Gonzalez was sentenced appropriately, but whether the investigation and the subsequent trial and outcome will serve as a useful deterrent.  These crimes were unusual in the cyber-crime arena because they were often committed in person, close to the target stores (the TJX intrusions, for instance, began with wardriving of poorly secured store wireless networks), so they don’t really go to the heart of the major threat of cyber-crime: the ability to commit criminal acts from thousands of miles away, in a different country or jurisdiction.  And all signs continue to point to increasing connectivity between corporate networks, private MPLS or other WAN systems, and the internet.

Folks will continue to deploy wireless access points in default or minimally secured configurations, opening the front door to the corporate network as a result.  But we can’t simply blame bad wireless implementations for the losses suffered by Gonzalez’s victims, because there are plenty of other ingress points.

This case should serve as a wake-up call to anyone who operates a network in the public space: not that bad guys might get caught and jailed, but that there are lots more bad guys trying to get into your network next.  There is no excuse for not implementing sound security architecture and practices from the outset.  And the scale of losses suffered by TJX, Heartland and the rest illustrates the consequences of neglecting a sound defense.  These are not nice-to-have additions; they should be fundamental to the project, budgeted up front and planned for ongoing testing and enhancement.

Given the choice, I think Heartland would still have preferred not to lose $170M or suffer such damage to its brand, rather than see the perpetrator go to jail.

Friday, February 12, 2010

Are you driving yourself insane with compliance?

By Pete Russo, Senior Marketing Manager, BT Global Services

Is compliance enough to make your organization secure?  BT’s Jason Stradley recently wrote in CSO magazine about how companies confuse a completed compliance checklist with ironclad security.  As Stradley puts it, “… compliance is a poor excuse for security”:

Approaching this from the direction of building specific solutions or groups of solutions to answer each compliance requirement will ultimately lead to an overall security posture that is lacking basic elements and is inherently insecure.  Such an approach may create a security function that is more reactionary than it was prior to having the regulatory compliance variable factored into the mix.  This leads us to the undeniable realization that while a byproduct of security is compliance, the reverse couldn’t be further from the truth. Given that realization, hopefully we can all be somewhat in agreement that compliance is a poor excuse for security!

If you need evidence, look at the Heartland Payment Systems breach.  It taught us that compliance alone is not enough to stop an attack: Heartland had been assessed as compliant with the PCI DSS requirements, yet the company still suffered what was, at the time, the largest breach ever involving payment card data.

Clearly, compliance is not enough.  As more organizations accept this fact, we must look at how to build a comprehensive security program that is a strategic function of the organization.  Here is what Stradley recommended:

  • Develop a long-term plan or “road map” for information security within your organization and include provisions for the known compliance requirements
  • Work closely with your senior business executives as you create this “road map,” so that they understand where you are going and how it will affect their part of the operation, and so that those business leaders have an opportunity to give you better information to build it right the first time
  • Share the vision of your “road map” with your entire security organization and empower them as evangelists of that vision
  • To the extent that you are able, plan for potential future compliance requirements in your road map
  • Think of these potential new requirements as you build the various security capabilities within your organization.  Try to build in the ability to adapt to new or more stringent compliance requirements without major upheavals to the processes, procedures and controls currently in place

By following these recommended steps, your security team will become less reactionary and more proactive.  This will make your security program more valuable to the enterprise and a true strategic partner to the business.

Leave us a comment and let us know your thoughts.

Tuesday, January 26, 2010

Heartland Ruling Raises More Questions than it Answers

By Pete Russo, Senior Marketing Manager, BT Global Services

There was an interesting development last month in a New Jersey court in the case of Heartland and its 2007/2008 data breach.  Evan Schuman reported in a storefrontbacktalk.com article on the suit brought against the company, which alleged that its executives failed to provide sufficient protection of data and timely notification to those affected by the theft of credit card data.  Besides ruling on what it means for a company, in this case a payment processor, to have taken adequate precautions, the case is noteworthy because it was driven by Heartland’s shareholders, who bore the brunt of the 80% decline in the company’s stock price once the full extent of the breach was revealed.

Judge Thompson, who presided over the case and dismissed the lawsuit, ruled that “a retailer can say it has strong security without meaning that it is invulnerable to any attack,” and that “the fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”

With this ruling now standing as a precedent for future data breach cases, some questions follow:

  • What does it mean for a retailer to take computer security seriously?  Should Heartland have looked more closely at its entire system once the original payroll breach was discovered?
  • Does emerging state legislation, including Massachusetts 201 CMR 17.00, need to become more comprehensive and address shareholders as well?
  • Should companies be required to reveal all data breaches, and not just those involving consumers’ personal information?

Leave us a comment and let us know your thoughts.

Wednesday, June 10, 2009

Mass. 201 CMR 17 Compliance

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, CISSP, CISM, CISA, PCI QSA

Massachusetts has introduced a tough new data protection law designed to prevent security breaches and identity theft.  The state law is extremely interesting because it is the most comprehensive law yet on data protection, and it could well result in other states following suit, as happened with data breach disclosure laws.

The law sets standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.  This includes any business that handles Massachusetts residents’ sensitive data, regardless of where that business is located.

Introduction

Large-scale breaches have become increasingly common; the companies that have made the headlines include, to name a few, TJX, Heartland, Hannaford, DSW and Forever 21, and the list goes on.  The UK government lost the personal details of 25 million British people.  Massachusetts introduced 201 CMR 17.00 in what will undoubtedly turn out to be the first of many laws requiring organizations to put appropriate controls in place to prevent the loss of personal information.  201 CMR 17.00 defines personal information as:

A Massachusetts resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident:

  • Social Security number;
  • driver’s license number or state-issued identification card number; or
  • financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

Who Must Comply?

The scope includes every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information.

Breach Notification and Compliance Deadline

If an incident occurs, organizations are required to notify the Office of Consumer Affairs and Business Regulation (OCABR), the Attorney General and the affected parties.  The law also requires that a company reporting a breach provide details of the steps it has taken to prevent the breach from occurring again.

Every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before January 1, 2010.

Are you ready for 201 CMR 17.00?

The requirements of 201 CMR 17.00 are based on the need to protect personal data.  Organizations must develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing personal information, with controls in place that ensure security appropriate to the risk.  These are some of the questions that organizations need to ask:

  • Do you have a written information security program that encompasses protection of personal data?
  • Do you know where all your personal data is and have you segregated this information from less trusted network segments?
  • Do you have security monitoring?
  • Do you run vulnerability scans?
  • Do you encrypt sensitive data?
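The first two questions above only have answers if you can actually find the records that fall under the regulation’s definition.  The following Python script is an added example (it is not from this post, from BT, or from the text of 201 CMR 17.00): it applies the definition quoted above, a resident’s name combined with a Social Security number, a driver’s license number, or a financial account or card number, to plain-text records such as export files or log lines, so that in-scope data can be located before you decide where it must be segregated, monitored and encrypted.  The name pattern and the driver’s license format are simplifying assumptions, and the sample records are constructed for the example.  Card-number candidates are filtered with the Luhn check, which removes most of the false positives that a bare digit pattern produces.

```python
"""Locate records that meet the 201 CMR 17.00 definition of personal
information (name + SSN, driver's license number, or financial account/card
number).  Added example; the name and license patterns are assumptions."""
import re

# Assumption: a name is two capitalised words, or an initial plus a capitalised word.
# Real data needs a dictionary- or NER-based name matcher; this is deliberately simple.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.?) [A-Z][a-z]+\b")
# SSN in nnn-nn-nnnn form, excluding ranges the SSA never issues (000, 666, 900-999).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumption: a Massachusetts license number modelled as 'S' followed by 8 digits.
DL_RE = re.compile(r"\bS\d{8}\b")
# 13-19 digits, optionally separated by spaces or dashes (card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Return which qualifying data elements appear in the text."""
    found = {}
    if SSN_RE.search(text):
        found["ssn"] = True
    if DL_RE.search(text):
        found["driver_license"] = True
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"] = True
            break
    return found


def is_personal_information(record: str) -> bool:
    """True only when a name is paired with at least one qualifying element,
    which is what the regulation's definition requires."""
    return bool(NAME_RE.search(record)) and bool(find_identifiers(record))


def scan(records):
    """Return (index, sorted element names) for every in-scope record."""
    return [(i, sorted(find_identifiers(r)))
            for i, r in enumerate(records) if is_personal_information(r)]


# Constructed sample records; no real people or account numbers.
SAMPLE_RECORDS = [
    "Mary Smith, SSN 123-45-6789, hired 2008-03-01",            # name + SSN
    "J. Doe paid with card 4111 1111 1111 1111",                # name + Luhn-valid card
    "Ann Lee, reference 4111 1111 1111 1112",                   # name, but digits fail Luhn
    "Ann Lee, MA licence S12345678",                            # name + license number
    "Order 8841 shipped to Boston, MA 02110",                   # nothing in scope
    "SSN 234-56-7890 verified, no name on record",              # SSN alone is not in scope
]

if __name__ == "__main__":
    for idx, elements in scan(SAMPLE_RECORDS):
        print(f"record {idx}: personal information ({', '.join(elements)})")
```

Run it over a real export and the hits tell you which systems hold in-scope records; the deliberately strict pairing of a name with an identifier mirrors the definition, so an SSN or card number on its own is reported only if you relax `is_personal_information`, which you may well want to do for a PCI DSS scope review.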

How can BT help?

BT is one of the leading companies providing solutions in the data protection space.  BT’s world-leading professional services team can provide information and solutions that match the security requirements outlined in 201 CMR 17.00.  BT is recognized by the PCI Security Standards Council as a Qualified Security Assessor, which demonstrates a proven track record in auditing and providing solutions for organizations that need to protect personal information.
