Data Breach Directions: What to Do After an Attack
In 2009, Heartland Payment Systems announced that it had suffered a devastating breach: 134 million credit cards were exposed through SQL Injection attacks used to install spyware on Heartland’s data systems. The company processes payments for debit, prepaid and credit cards, as well as online payments, checks and payroll services.
At the time of the breach, Heartland processed 100 million payment card transactions per month for 175,000 merchants, ranging from small to midsized retailers.
According to news reports, Heartland’s computers that were used to process payment card transactions had been breached in 2008. The data compromised included all of the information required to produce counterfeit credit cards, including the data coded on the card’s magnetic strip.
“The breach was discovered after Visa and MasterCard notified Heartland of suspicious transactions from accounts it processed. Heartland found a spyware program planted by the hackers that stole the data over a period of several months in 2008,” reported a blog by Kevin Judge of Comodo. “In fact, the breach was a very slow moving event,” he said. “It started with an ‘SQL Injection’ attack in late 2007 that compromised their database. An SQL Injection appends additional database commands to code in Web scripts. Heartland determined that the code modified was in a Web login page that had been deployed eight years earlier, but this was the first time the vulnerability had been exploited. The hackers then spent eight months working to access the payment processing system while avoiding detection from several different antivirus systems used by Heartland. They eventually installed a type of spyware program called a ‘sniffer’,” Judge wrote, “that captured the card data as payments were processed. Sniffer programs are used to monitor network traffic for the purposes of analyzing and solving problems. Unfortunately, they can also be used to capture data for nefarious purposes. In this case the sniffer provided the thieves with the proverbial ‘keys to the Kingdom,’ that is all the data required to counterfeit cards.”
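The login-page injection Judge describes above, as an added example that is not from the article, from Heartland or from Comodo: a login check written the way many older web login pages were, beside the parameterized form that closes the hole. It uses an in-memory SQLite database and constructed sample data; the table, the user name and the plaintext password column are assumptions made to keep the demo short (a real system stores a salted password hash, never the password).

```python
import sqlite3


def make_db():
    """Constructed sample data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", "correct horse battery staple"))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The user-controlled strings are pasted into the SQL text, so a quote in
    # the input ends the string literal and whatever follows is parsed as SQL.
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the SQL text. The driver
    # never parses the input as SQL, so quotes and comment markers are inert.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    conn = make_db()
    attempts = [
        ("alice", "correct horse battery staple"),   # legitimate login
        ("alice' --", "anything"),                   # comments out the password check
        ("nobody' OR '1'='1", "nobody' OR '1'='1"),  # always-true WHERE clause
    ]
    for user, pw in attempts:
        print("%-22r vulnerable=%-5s parameterized=%s" % (
            user, login_vulnerable(conn, user, pw), login_parameterized(conn, user, pw)))
```

The second and third attempts log in through the concatenated query and are rejected by the parameterized one. SQLite’s `execute` refuses stacked statements, so this shows the WHERE clause being rewritten rather than extra commands being appended as in Judge’s description; whether a second statement can be appended depends on the database driver, which is one more reason not to rely on the driver and to parameterize every query.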
The fallout was severe. Heartland temporarily lost its compliance with the Payment Card Industry Data Security Standard (PCI DSS). (Card brands such as Visa require PCI DSS validation before a processor may handle their cards’ payments.) Financially, Heartland reportedly had to pay $145 million in compensation for fraudulent payments, according to Judge. In 2009 three men were indicted for the Heartland breach.
About nine months after the breach, John R. South joined Heartland Payment Systems as CSO, when it still was recovering from the incident. Previously, he had held information security leadership roles for a variety of companies including Convergys (Intervoice) and Alcatel-Lucent, where he spent several years in Antwerp and Paris leading Alcatel’s European information security operations.
As CSO of Heartland Payment Systems, South leads the company’s security and IT compliance programs which encompass the protection of sensitive data through risk and threat modeling and compliance with internal as well as industry and regulatory obligations.
South served on the Board of Directors of the Financial Services Information Sharing and Analysis Center (FS-ISAC), the primary industry forum for collaboration on critical security threats facing the financial services sector. He also recently served on the Board of Advisors of the Payment Card Industry Security Standards Council (PCI SSC) to help strengthen security standards and protect cardholder data against threats worldwide.
Outside of the corporate world, South is an Adjunct Professor at the University of Dallas where he teaches a course on the legal and compliance implications of security. He co-founded, with Dr. John Nugent, the university’s Information Assurance Program, which focuses on corporate security and risk management. The program has been designated a National Security Agency Center of Excellence since its inception.
Additionally, South has been an active participant with the United States Secret Service North Texas Electronic Crimes Task Force since its inception in 2003. He is also the founding president of the Federal Bureau of Investigation’s North Texas InfraGard Program, and is a member of the Information Systems Security Association and the Information Systems Audit and Control Association.
South has also been awarded the 2011 Information Security Executive (ISE) of Year Award for the Central United States and the ISE Central Executive of the Decade Award, both by The Executive Network, and was designated a 2012 Computerworld Premier 100 IT Leader. He holds the CISSP and CISA designations and is certified as an Information Technology Infrastructure Library (ITIL) Service Manager.
So clearly, he was qualified. Yet, some might question South taking on the CSO role at Heartland, especially so soon after the breach. Was it worth the risk? “Absolutely,” South says. “It was a challenge, for sure. But I knew some of the people who were working there to remediate the breach, and I had confidence in the CEO and the management, so I didn’t see it as a risk but more of an opportunity to do some good.”
By the time South joined Heartland, he said, most of the issues had been rectified. “The turnaround on it was intense; Heartland went from being delisted from the Visa website to relisted in six weeks, so it was a huge effort from a lot of people to remediate the issues that had existed to build a stronger and more robust system.”
With CEO Robert O. Carr, South has tried to make a positive out of the situation. Carr, for example, has been very public with Heartland’s story to encourage companies to share information about attacks and band together against cybercriminals. In addition to participating in media interviews, he co-founded an organization called the Payments Processor Information Sharing Council that encourages companies in the payments industry to share information.
Both then and now, South has focused his efforts on staying ahead of future breaches, employing security technology to do so and working to increase communication with industry colleagues.
His daily challenge, he says, is to continue to understand how breaches can happen. “We have to ensure that the application environment is secure,” he explains. “That includes understanding the issues that arise from being in an application-based environment, to being able to remediate the issues before they are put into production. We also have to secure coding practices and employees so that they are educated and don’t create the errors in an application-based environment, and ensure the architectures around the app are secure. Then we constantly test that process, including vulnerability testing and penetration testing.”
To accomplish all that, South says he needs security technology that allows for effective testing and that makes the problems in the environment visible. “We collect a lot of security data over the course of a day, so being able to effectively visualize where problems can occur needs to be solved. That makes us as proactive as possible; to mitigate events before they occur.”
“You also need a knowledgeable team that can look at the lifecycle of the data in your environment. Data comes in, it gets processed and stored, and throughout that lifecycle of data you have security obligations and teams that need to be in place. There are also other ‘blocking and tackling’ things like user access and physical security that also need to be attended to. Overall you have to step forward and look at potential problems and how they could occur if someone wanted to exploit your network.”
Another key part, he says, and one that he has brought to Heartland’s security strategy, is an intelligence gathering capability; to share and receive information on potential threats. “If I see a threat that hit a competitor of mine and we are sharing that information, the odds are that I can be proactive and block the indicators of that type of threat to hit us. That was the essence of what came out of Heartland breach. If we had seen that data ahead of time we might have been able to stop it. Today we can do that. And that’s become an effective tool. The capability is getting better and the private and public relationships are increasing, to where we can share data.”
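South’s point about blocking the indicators a peer has shared, as an added example that is not from the article or from Heartland: a small matcher that takes indicators received from sharing partners and runs them over local proxy, endpoint and DNS log lines, and also turns the same feed into per-type blocklists for enforcement. The indicator feed, the partner names, the sample hash and the log lines are all constructed for the example (reserved documentation addresses and reserved example domains), and the field names in the log lines are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ipv4", "domain" or "sha256"
    value: str
    source: str  # who shared it, so a hit can be traced back to its origin


# Constructed sample of what a sharing partner might send.
SAMPLE_HASH = hashlib.sha256(b"constructed sample of a sniffer binary").hexdigest()
SHARED_INDICATORS = [
    Indicator("ipv4", "203.0.113.45", "partner-A"),
    Indicator("domain", "update-check.example.net", "partner-A"),
    Indicator("sha256", SAMPLE_HASH, "partner-B"),
]

# Constructed local log lines (proxy, endpoint agent and DNS), not real telemetry.
LOG_LINES = [
    "2014-09-12T10:01:22Z proxy src=10.20.30.41 dst=203.0.113.45 host=cdn.update-check.example.net status=200",
    "2014-09-12T10:01:25Z proxy src=10.20.30.42 dst=198.51.100.7 host=www.example.com status=200",
    r"2014-09-12T10:02:03Z edr host=ws-17 event=process_create path=C:\Temp\svchost32.exe sha256=" + SAMPLE_HASH,
    "2014-09-12T10:02:10Z dns client=10.20.30.41 query=update-check.example.net answer=203.0.113.45",
    "2014-09-12T10:03:00Z dns client=10.20.30.43 query=mail.example.org answer=192.0.2.10",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_observables(line):
    """Pull every IP, host name and SHA-256 out of one log line."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def match_line(line, indicators):
    """Return the indicators that appear in the line. A shared domain also
    matches any of its subdomains, since attackers rotate host labels."""
    obs = extract_observables(line)
    hits = []
    for ind in indicators:
        if ind.kind == "domain":
            if any(d == ind.value or d.endswith("." + ind.value) for d in obs["domain"]):
                hits.append(ind)
        elif ind.value.lower() in obs[ind.kind]:
            hits.append(ind)
    return hits


def scan(lines, indicators):
    """(line number, line, hits) for every line that matches at least one indicator."""
    results = []
    for n, line in enumerate(lines):
        hits = match_line(line, indicators)
        if hits:
            results.append((n, line, hits))
    return results


def blocklist(indicators):
    """Group the feed by type so each value can go to the control that enforces
    it: IPs to the firewall, domains to the proxy or DNS resolver, hashes to
    the endpoint agent."""
    out = {}
    for ind in indicators:
        out.setdefault(ind.kind, set()).add(ind.value.lower())
    return out


if __name__ == "__main__":
    for n, line, hits in scan(LOG_LINES, SHARED_INDICATORS):
        print("line %d: %s" % (n, ", ".join("%s %s (from %s)" % (h.kind, h.value, h.source) for h in hits)))
        print("   ", line)
    print("blocklists:", {k: sorted(v) for k, v in blocklist(SHARED_INDICATORS).items()})
```

Three of the five constructed lines hit: the proxy and DNS lines match the shared address and domain (the proxy line through a subdomain), and the endpoint line matches the shared file hash. The same feed feeds the blocklists, which is the proactive blocking South describes.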
You’ve Been Breached. What Do You Do?
A recent survey by the Ponemon Institute showed the average cost of cybercrime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber-attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
Despite those costs, 2014 saw a number of expensive and brand-damaging data breaches, including:
- Target. In January 2014, Target announced an additional 70 million individuals’ contact information was taken during a December 2013 breach, in which 40 million customers’ credit and debit card information was stolen.
- Neiman Marcus. Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack.
- Michaels Stores. Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected.
- eBay. Cyberattacks in late February and early March led to the compromise of eBay employee log-ins, allowing access to the contact and log-in information for 233 million eBay customers.
- U.S. Investigations Services. The subcontractor for federal employee background checks suffered a data breach in August that led to the theft of employee personnel information.
- Community Health Systems. At Community Health Systems (CHS), the personal data of 4.5 million patients was compromised between April and June.
- Home Depot. Cyber criminals reportedly used malware to compromise the credit card information for 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian stores.
- Google. Allegedly, 5 million Gmail usernames and passwords were compromised.
- Apple iCloud. Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple user’s online data storage.
- Bartell Hotels. The information for up to 55,000 customers was reportedly stolen between February and May.
- U.S. Transportation Command contractors. A Senate report revealed that networks of the U.S. Transportation Command’s contractors were breached 50 times between June 2012 and May 2013. At least 20 of the breaches were attributed to attacks originating from China.
- J.P. Morgan Chase. An attack in June was reported in August, and the contact information for 6 million households and 7 million small businesses was compromised.
- Snapsave. Reportedly, the photos of 200,000 users were hacked from Snapsave, a third-party app for saving photos from Snapchat, an instant photo-sharing app.
Steve Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response, and a former Deputy Assistant Director of the FBI’s Cyber Division. He has advised companies on the correct way to respond to a cyber attack or data breach, and is also the Cyber Tactics columnist for Security magazine.
Security: Who is the first person that a CSO, security director or IT director should call when he/she discovers a security breach or hacking?
Steve Chabinsky: After the systems administrator and someone from IT security, next in line in my view, is the legal department. There are potential notification and compliance requirements including to your insurance company if you have cyber coverage, to customers and employees if there’s a data breach, and potentially even to regulators and shareholders. I’m also seeing outside counsel being brought in more often as the first external call, not only for their added subject matter expertise regarding legal obligations, but also to assert legal privileges during the hiring and direction of incident response firms. That may come as a surprise, that law firms increasingly are getting called before the outside forensic firms. If it doesn’t delay getting the right help, I view it as a good thing.
Security: How many people are brought in after the first calls?
Steve Chabinsky: Well, it’s very fact-specific depending on the initial assessment of what’s happened or what’s still happening. The main point I would get across is that dealing with a major hacking incident goes well beyond asking the techies to “just fix those computers and let’s get on with it!” The Incident Response Team eventually might include a company’s media and investor relations department, Human Resources and a growing list from the C-Suite. You definitely don’t call the CEO every time you find malware. But ultimately, the entire leadership team needs a game plan if the incident isn’t contained or the company’s potential exposure is growing.
Security: What evidence should be preserved? And how?
Steve Chabinsky: Most of the evidence will take the form of network logs. Incident response handlers will use dedicated equipment to copy, store and analyze that information. But it’s not a small, single file we’re talking about. It’s a huge amount of data coming from different sources. Computers are like social media junkies – they can keep track of everything they did, when they did it, with whom they did it and even tell you who they refused to do it with. But, it’s not easy to make sense of it all. NIST (National Institute of Standards and Technology) actually has a document that’s more than 70 pages long dedicated solely to Computer Security Log Handling. Unfortunately, I see a lot of companies getting this part wrong and not even logging information in the first place. That’s like having security cameras installed but not recording anything.
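One concrete piece of the “copy, store and analyze” step Chabinsky describes, as an added example that is not from the article, from Chabinsky or from CrowdStrike: collecting log files into an evidence directory with a hash manifest that records what was taken, from where, by whom and when, so that the copies can be shown later to be unchanged. The file names, the log contents and the collector name are constructed for the example; the manifest layout is an assumption, not any standard’s format.

```python
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and write manifest.json with
    original path, size, mtime, SHA-256, and who collected it and when."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for n, src in enumerate(sources):
        name = "%03d_%s" % (n, os.path.basename(src))
        dst = os.path.join(evidence_dir, name)
        shutil.copy2(src, dst)              # copy2 keeps the original mtime
        digest = sha256_file(src)
        if sha256_file(dst) != digest:      # the copy must match the original
            raise RuntimeError("copy of %s does not match source" % src)
        st = os.stat(src)
        entries.append({
            "evidence_name": name,
            "original_path": os.path.abspath(src),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": digest,
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "collection_host": socket.gethostname(),
        "entries": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every evidence copy and compare it with the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return {e["evidence_name"]:
            sha256_file(os.path.join(evidence_dir, e["evidence_name"])) == e["sha256"]
            for e in manifest["entries"]}


def demo():
    """Preserve two constructed log files, then show that a one-byte change to
    an evidence copy is caught. Returns the verify() results before and after."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    logs = {  # constructed log contents
        "auth.log": "Sep 12 10:01:22 ws-17 sshd[4111]: Accepted password for svc-batch from 10.20.30.41\n",
        "proxy.log": "2014-09-12T10:01:22Z src=10.20.30.41 dst=203.0.113.45 host=cdn.update-check.example.net\n",
    }
    sources = []
    for name, text in logs.items():
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)
    evidence_dir = os.path.join(work, "evidence")
    preserve(sources, evidence_dir, collector="ir-handler-1")
    before = verify(evidence_dir)
    with open(os.path.join(evidence_dir, "001_proxy.log"), "a") as f:
        f.write("x")                        # simulated tampering with one copy
    after = verify(evidence_dir)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest itself should then be signed or stored somewhere the compromised host cannot write to, and the same approach applies to disk and memory images; the point is that every copy has a recorded hash from the moment it was taken.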
Security: Are computers turned off or kept on?
Steve Chabinsky: Most incident response professionals recommend keeping computers plugged in and keeping them turned on unless files are being destroyed. The reason is that turning off a computer gets rid of volatile memory, and that information can help security experts better understand the intrusion and prevent it from happening again. An alternative to turning off a computer though is to scale back its connectivity. After a breach, it’s worth considering limiting Internet use and other network connections between computers.
Security: Do you keep employees at home, or keep them at work?
Steve Chabinsky: Keep them at work! The business has to continue to operate during an incident, and it’s our role as security professionals to make sure that happens. Fortunately, destructive attacks against a corporation’s entire infrastructure remain rare, so even during an investigation and remediation most employees will continue to have what they need to do their jobs or can be given what they need.
Security: When do you call the FBI or “cyber police?” What information do you need to give them?
Steve Chabinsky: The FBI is a good choice for major breaches. Unfortunately, they just don’t have the resources to help for smaller cases, and neither do any other law enforcement agencies. For smaller crimes, I would consider filing a complaint with the Internet Crime Complaint Center at www.ic3.gov, since they analyze and aggregate everything they get to identify major cases that will be investigated. Law enforcement isn’t concerned with how good or bad your network security was; they are looking for information about the bad guys, basically the logs we talked about earlier. But, that also means they won’t help you fix your system. They’re not locksmiths; they’re the cops. Still, they might have very specific information about the crime you’re seeing that can help you better protect against it from happening again, and they might even be able to stop the individual from doing more damage. Another thing I would add is that, especially in those cases where your company eventually is going to provide public notice of the intrusion, it’s really nice to be able to add that you did everything possible to mitigate the problem once you discovered it, including working with law enforcement.
Security: What should be communicated to employees and what should not?
Steve Chabinsky: It’s important to keep in mind that communications to the entire workforce likely will become public and, if that happens before the company has a good handle on the intrusion and how its systems were compromised, doing so could lead to further breaches and greater damage. So, I look at this as a need-to-know issue. If personally identifiable information was taken, employees may need to be notified, but there may be good reason to delay even that. If the media is tracking the story, employees will wonder how the intrusion impacts them and their jobs, so you will want to provide the workforce with appropriate assurances. But, if the only issue is that network connectivity may be lagging, I think for security reasons, the less said the better.
Security: What should be communicated to shareholders and what should not?
Steve Chabinsky: The SEC has a lot to say about this which they’ve posted on their website. Basically, according to the SEC, if it would be material to an investor, the event should be disclosed. However, there’s a fair amount of flexibility in how a company provides that information. For example, a company doesn’t have to release its vulnerability assessment around an incident and give a roadmap to hackers around the world. All of which brings me back to something I mentioned earlier, have you called your lawyer yet? That’s the better answer.
Security: What is the number one thing to prepare for when a hack takes place?
Steve Chabinsky: Be prepared to address cyber incidents as a multi-disciplinary problem, rather than merely a technical issue. In advance of a breach, there should be a list of people from different parts of the company who understand that they may be contacted depending on the nature of the incident, and who are available regardless of the time of day. Keeping in mind what we’re talking about, it’s a good idea to have a hard copy of that list, together with a more complete Incident Response Plan, both in the office and at home since computer access might be restricted. Also, in advance of a breach, companies should identify and retain outside law firms with specific competence in dealing with breaches, and should have no-cost agreements in place with network forensic firms so they can be engaged quickly. There’s no doubt that proper preparation can make the difference between having a manageable event on your hands rather than a spiraling crisis.