heartlandpt3
1. Security Check: Heartland Payment Systems
EASy Security Project: Part 3 -- Synthesis Through Recommended Changes in Control Practice
2. Summary of Audit Objectives
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.5 Management Review of User Accounts
5.7 Security Surveillance
5.9 Central Identification and Access Rights Management
5.10 Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public
Networks
3. 5.1 Manage Security Measures
Control Objective- IT security should be managed such that security
measures are in line with business requirements. This
includes:
1) Translating risk assessment information to the IT security
plans.
2) Implementing the IT security plan.
3) Updating the IT security plan to reflect changes in the IT
configuration.
4) Assessing the impact of change requests on IT security.
5) Monitoring the implementation of the IT security plan.
6) Aligning IT security procedures to other policies and
procedures.
Recommendation:
The security breach at Heartland Payment Systems could have been
prevented if security measures had been properly planned and if every
aspect of the business and its security risks had been taken into
consideration when those measures were designed. Heartland needs to
implement (or reorganize) its IT security measures to ensure proper
protection of cardholder and company data. I recommend that Heartland
engage an independent penetration testing firm to test both its
perimeter and its ability to detect an intrusion, and that the
findings be fed back into the IT security plan.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure teams, third-party
auditing company.
Procedures: Create a sufficient IT security plan to keep Heartland
Payment Systems data safe.
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Cost of employee labor, cost of an auditor and penetration
tester
4. 5.2 Identification, Authentication and Access
Control Objective- The logical access to and use of IT computing
resources should be restricted by the implementation of adequate
identification, authentication and authorization mechanisms,
linking users and resources with access rules. Such mechanisms
should prevent unauthorized personnel, dial-up connections and
other system (network) entry ports from accessing computer
resources and minimize the need for authorized users to use
multiple sign-ons. Procedures should also be in place to keep
authentication and access mechanisms effective (e.g. regular
password changes).
Recommendation:
We recommend that Heartland Payment Systems implement new
identification, authentication, authorization and access procedures
so that every user traversing the Heartland network is identified and
their access is recorded. To ensure critical data can only be accessed
by authorized personnel, systems and processes must be in place to
limit access based on need to know and according to job
responsibilities (Payment Card Industry (PCI) Data Security Standard,
2010). Where single sign-on is used to reduce the number of passwords
a user must manage, the central credential must be the strongest one,
since it now unlocks everything behind it.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure teams
Procedures: Implementation of a secure user authentication procedure
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Labor costs
5. 5.3 Security of Online Access to Data
Control Objective- In an online IT environment, IT management
should implement procedures in line with the security policy that
provides access security control based on the individuals
demonstrated need to view, add, change or delete data.
Recommendation:
Heartland Payment Systems' problem with online access to data was
that intruders from outside the company boundary were able to reach
Heartland's internal operations. Heartland's response to its data
breach rested on two pillars aimed at the merchant-acquiring and
processing side of the payment system: improve data sharing and
better secure data, particularly data in transit (Cheney, 2010). I
recommend that Heartland implement end-to-end encryption (to secure
data in transit) and tokenization. Tokenization is a way for
merchants to protect credit card information (Cheney, 2010): after
authorization, the card data is replaced with a randomly generated
token that is useless to thieves, and the real card data is deleted
from the merchant's database (Metzger, 2010). The token vault that
keeps the mapping back to the real card numbers then becomes the most
sensitive system in the environment and must be protected
accordingly. End-to-end encryption encrypts the message (the card
data) at one end of the communication path and keeps it encrypted
across every intermediate link until it reaches the other end.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure teams
Procedures: Implement end-to-end encryption between data links, and
implement token technology.
Hardware: Existing hardware
Software: Tokenization software, encryption software (can be
hardware-based using existing hardware equipment)
Telecommunications: None
Cost: Software cost, labor costs
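As an added example (not code from the deck, and not Heartland's E3 or any vendor product), the tokenization step described above, written so that the merchant keeps only a token and the vault keeps the card number sealed under a key only it holds. The vault, the "settlement" role check, the test card number and the HMAC-based sealing are assumptions for illustration; a production vault would use authenticated encryption with HSM-held keys in place of the HMAC construction here:

```python
# Added example, not from the original deck: a minimal tokenization
# vault of the kind described under 5.3.  The merchant stores only the
# token; the vault stores the PAN sealed under a key only it holds.
# Names, roles and the sealing construction are illustration only.
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Card-number check digit (Luhn); also used to keep tokens from passing as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds token -> PAN mappings; the only place a PAN exists after authorization."""

    def __init__(self, master_key: bytes) -> None:
        self._key = master_key                 # assumed to live in an HSM in production
        self._store: Dict[str, bytes] = {}     # token -> nonce || ciphertext || tag

    def _seal(self, pan: str) -> bytes:
        # Encrypt-then-MAC with HMAC-SHA256 as the PRF: a stand-in for AES-GCM.
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(pan.encode(), stream))
        tag = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob: bytes) -> str:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("vault record has been tampered with")
        stream = hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, stream)).decode()

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token that keeps only the last four digits."""
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must never pass as a card number: reject Luhn-valid draws.
            if token not in self._store and not luhn_valid(token):
                break
        self._store[token] = self._seal(pan)
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the settlement role may recover a PAN (assumed policy)."""
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        blob = self._store.get(token)
        if blob is None:
            raise KeyError("unknown token")
        return self._open(blob)


def merchant_checkout(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What the merchant keeps after authorization: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    record = merchant_checkout(vault, "4111111111111111")   # constructed test PAN
    print("merchant stores:", record)
    print("settlement recovers:", vault.detokenize(record["token"], "settlement"))
```

The two properties worth checking on any tokenization product are visible here: the token fails the Luhn check, so it cannot be mistaken for a card number or used at a terminal, and nothing outside the vault can turn it back into one.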
6. 5.5 Management Review of User Accounts
Control Objective- Management should have a control process in
place to review and confirm access rights periodically. Periodic
comparison of resources with recorded accountability should be
completed to help reduce the risk of errors, fraud, misuse or
unauthorized alteration.
Recommendation:
Evidence exists that it was possible for intruders to enter through
servers and systems that were considered less critical. According to
an article titled "Lessons from the Data Breach at Heartland": "Big
companies have hundreds of these things, and they think they're not
worth worrying about or they're managed by a third party," Tippett
says. "Bad guys will go after anything they can knock over" (King,
2009). A periodic review of the accounts and access rights on every
system, not only on those judged critical, is therefore the control
that addresses this finding.
Plan of Action:
People: Internal Risk Management and the business unit process
owners.
Procedures: Implement a daily audit control that compares user
accounts and access rights against the access logs on systems that
hold data classified as sensitive, covering read, write and update
operations. Only exceptions are reported to Risk Management, which in
turn takes action.
Hardware: Existing hardware
Software: Existing audit tools will be used, but a new report will
need to be created.
Telecommunications: None
Cost: Small audit control enhancement: 40-80 hours at a loaded
resource rate of $65 per hour.
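The daily audit control proposed above, as an added example that is not part of the original deck: a reconciliation that compares the recorded entitlements on a sensitive host with the accounts that exist on it and with what those accounts actually did, and emits only the exceptions. The hostname, the accounts, the log format and the log lines are constructed for the example; a real run would read them from the directory and the audit tool:

```python
# Added example, not from the original deck: the daily reconciliation
# proposed under 5.5, comparing who is entitled to what on a sensitive
# system against who actually did what, and reporting exceptions only.
# Hostnames, accounts, the log format and the log lines are constructed.
import re
from typing import Dict, List, Set, Tuple

# Recorded entitlements per sensitive host: account -> permitted operations.
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "card-db-01": {
        "svc_settle": {"read", "write", "update"},
        "jsmith": {"read"},
        "tjones": {"read", "update"},
    },
}

# Accounts that actually exist on each host (from the account directory).
ACCOUNTS: Dict[str, Set[str]] = {
    "card-db-01": {"svc_settle", "jsmith", "tjones", "bkwan"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) obj=(?P<obj>\S+)$"
)

# Constructed access log for one day.
SAMPLE_LOG = """\
2010-12-10T02:13:07 host=card-db-01 user=svc_settle op=read obj=auth_batch
2010-12-10T02:13:09 host=card-db-01 user=svc_settle op=write obj=auth_batch
2010-12-10T09:41:22 host=card-db-01 user=jsmith op=read obj=merchant_tbl
2010-12-10T09:42:01 host=card-db-01 user=jsmith op=update obj=merchant_tbl
2010-12-10T11:05:44 host=card-db-01 user=dev_tmp op=read obj=auth_batch
2010-12-10T23:59:10 host=card-db-01 user=tjones op=read obj=auth_batch
"""

Finding = Tuple[str, str, str, str]   # (host, account, kind, detail)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the key=value log lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def reconcile(events: List[Dict[str, str]],
              entitlements: Dict[str, Dict[str, Set[str]]],
              accounts: Dict[str, Set[str]]) -> List[Finding]:
    """Compare recorded rights with observed activity; return only deviations."""
    findings: List[Finding] = []
    for e in events:
        host, user, op = e["host"], e["user"], e["op"]
        rights = entitlements.get(host, {})
        if user not in accounts.get(host, set()):
            findings.append((host, user, "unknown_account",
                             f"{op} on {e['obj']} at {e['ts']} by an account not in the directory"))
        elif user not in rights:
            findings.append((host, user, "no_entitlement",
                             f"{op} on {e['obj']} at {e['ts']} without any recorded entitlement"))
        elif op not in rights[user]:
            findings.append((host, user, "op_not_entitled",
                             f"{op} on {e['obj']} at {e['ts']}; entitled only to {sorted(rights[user])}"))
    # Orphans: accounts that exist on the host but have no entitlement record.
    for host, existing in accounts.items():
        for acct in sorted(existing - set(entitlements.get(host, {}))):
            findings.append((host, acct, "orphan_account", "exists with no recorded entitlement"))
    return findings


def daily_report(log_text: str) -> List[Finding]:
    return reconcile(parse_log(log_text), ENTITLEMENTS, ACCOUNTS)


if __name__ == "__main__":
    for host, acct, kind, detail in daily_report(SAMPLE_LOG):
        print(f"EXCEPTION {kind:16} {host} {acct}: {detail}")
```

On the constructed day this reports three exceptions: an account that is active but absent from the directory, a read-only user performing an update, and an orphan account with no entitlement on record. The quiet rows (entitled activity) never reach Risk Management, which is what keeps a daily control readable.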
7. 5.7 Security Surveillance
Control Objective- IT security administration should ensure that
security activity is logged, and any indication of imminent
security violation is reported immediately to all who may be
concerned (internally and externally) and acted upon in a timely
manner.
Recommendation:
According to msnbc.com, Heartland said it was alerted by Visa and
MasterCard of unspecified suspicious activity surrounding processed
card transactions and enlisted the help of auditors to investigate.
The investigation last week uncovered "malicious software" that
compromised data in Heartland's network, it said (Heartland Payment
Systems Hacked-Technology & Science - Security, 2009). This shows that
Heartland's security surveillance was not adequate to detect the
breach earlier: the first indication came from the card brands, not
from Heartland's own monitoring. I recommend that Heartland upgrade
its existing network surveillance software and hardware and implement
new procedures for detecting malicious behavior on the Heartland
network, in particular for traffic leaving the processing
environment.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure teams
Procedures: Upgrade existing network surveillance software/hardware
and implement new procedures for detecting malicious behavior on the
Heartland network
Hardware: Existing hardware (possibly upgrade to better hardware)
Software: Existing software (possibly upgrade to better software)
Telecommunications: None
Cost: Cost of labor, and optional cost of hardware/software
8. 5.9 Central Identification and Access Rights Management
Control Objective- Controls are in place to ensure that the
identification and access rights of users as well as the identity
of system and data ownership are established and managed in a
unique and central manner to obtain consistency and efficiency of
global access control.
Recommendation:
Evidence exists that it was possible for intruders to enter through
corporate servers and plant the malware. Once they gained access to a
corporate system, the hackers planted sophisticated packet-sniffing
tools and other malware to detect and steal payment card data flowing
over the victim companies' networks, according to court documents
(Vijayan, 2009). Managing identities, access rights and system
ownership centrally, and building every server to one security
standard, reduces the number of inconsistently configured systems
through which such a foothold can be gained.
Plan of Action:
People: Risk Management, Security Management, and Network Server
Team
Procedures: A server security standardization project should be
planned and implemented.
Hardware: Existing
Software: Existing
Telecommunications: None
Cost: Small-sized project (500-1000 hours, $25,000-$50,000)
9. 5.10 Violation and Security Activity Reports
Control Objective: IT security administration should ensure that
violation and security activity is logged, reported, reviewed and
appropriately escalated on a regular basis to identify and resolve
incidents involving unauthorized activity. The logical access to
the computer resources accountability information (security and
other logs) should be granted based upon the principle of least
privilege or on a need-to-know basis.
Recommendation: We recommend that Heartland review and rewrite its
procedures for completing violation and security activity reports so
that they support the precautions taken to stop future security
breaches. Heartland should "establish, document, and distribute
security incident response and escalation procedures to ensure timely
and effective handling of all situations" (Payment Card Industry (PCI)
Data Security Standard Requirements and Security Assessment Procedures
Version 2.0, 2010). Access to the logs themselves should be limited to
the people who need them, so that an intruder who gains a foothold
cannot read or alter the record of his own activity.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure teams
Procedures: Implement new violation and security activity reporting
procedures to ensure proper escalation and logging of security
incidents.
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Cost of labor
10. 5.11 Incident Handling
Control Objective- Management should establish a computer security
incident handling capability to address security incidents by
providing a centralized platform with sufficient expertise and
equipped with rapid and secure communication facilities. Incident
management responsibilities and procedures should be established to
ensure an appropriate, effective and timely response to security
incidents
Recommendation:
As a result of this breach, incident handling should include
prioritization. In future incidents where outside forensics companies
or other security or audit specialists are used, a classification of
data and systems will determine the order of investigation based on
criticality to the business. In late 2008, Heartland hired two
forensics companies it has not identified; both scoured the network,
but it was not until January 12 that one found strange-looking data
coming from Heartland's system, which let Heartland employees uncover
the intrusion (King, 2009). Prioritization allows focused scans of the
systems that hold sensitive data to be executed first, rather than
sweeping the whole network at equal priority.
Plan of Action:
People: IS Help Desk, Risk Management, Security Management,
External consultant
Procedures: Internal procedure change across internal IS teams
Hardware: None
Software: None
Telecommunications: None
Cost: Small procedure enhancement: 20-40 hours at a loaded resource
rate of $65 per hour.
11. 5.12 Reaccreditation
Control Objective- Management should ensure that reaccreditation of
security (e.g., through tiger teams) is periodically performed to
update the formally approved security level and the acceptance of
residual risk.
Recommendation:
Heartland went through the reaccreditation process for Payment Card
Industry Data Security Standard (PCI DSS) certification. However,
Heartland's CEO said that PCI DSS was an insufficient protective
measure and that the appropriate standard for security was much
higher (McGlasson, 2009). Heartland therefore knew that its approved
security measures were subpar. What Heartland should have put in
place was a team that examined its security measures, walked through
each step of the payment process, and identified where the risks in
that process lay. Once the team had completed the assessment, the
accepted security level should have been updated to the correct
standard, and the residual risk formally re-accepted or reduced.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure Teams, a team of
people (e.g. tiger teams) to assess the security measures
Procedures: Update the accepted security level
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Cost of employee labor, cost of tiger team
12. 5.13 Counterparty Trust
Control Objective- Organizational policy should ensure that control
practices are implemented to verify the authenticity of the
counterparty providing electronic instructions or transactions.
This can be implemented through trusted exchange of passwords,
tokens or cryptographic keys.
Recommendation:
Evidence suggests a potential weakness in the fact that data must be
decrypted to move from Heartland's system to Visa and MasterCard,
because the card companies accept only unencrypted data (Farrell,
2010). The trusted exchange between parties is an obvious weak point:
there is no telling whether that link (which may run over a telecom
connection across 2,000 or so miles) can be breached. A project
implementing E3 (Heartland's end-to-end encryption), tokenization and
other methods that allow sensitive data to move through networks
encrypted should be launched (Farrell, 2010). Until the card networks
accept encrypted data, the point where it is decrypted for them should
be treated as part of the cardholder data environment and guarded
accordingly.
Plan of Action:
People: Risk Management, Security Management, External consultant,
Business Units, IS, Server Team
Procedures: Updated procedures will result from this project.
Hardware: Point of sale and magnetic card readers
Software: Enhancement of software is likely.
Telecommunications: Recommendations will result from this project.
Cost: Medium-sized project (1000-2000 hours, $50,000-$100,000). This
does not include the cost to merchants of new point-of-sale terminals
and card readers.
13. 5.14 Transaction Authorization
Control Objective- Organizational policy should ensure that, where
appropriate, controls are implemented to provide authenticity of
transactions and establish the validity of a user's claimed identity
to the system. This requires use of cryptographic techniques for
signing and verifying transactions.
Recommendation:
The software that was planted could read and collect unencrypted data
in motion (Higgins, 2009). Heartland needs a cryptographic technique
by which each transaction is verified before it is processed, so that
a transaction that has been altered or replayed in transit is
rejected rather than authorized. Heartland also needs a policy under
which the validity of a user's claimed identity can be established.
Hardware and software will need to be updated to allow these
cryptographic techniques to be used. Heartland must also ensure that
people in the company do not share their credentials with anyone
else: it does not matter how good the encryption is if employees
share credentials to reach a higher security level than they have
been assigned.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure teams
Procedures: Adopt a cryptographic technique by which each
transaction is verified
Hardware: New hardware will need to be purchased if existing
hardware does not support cryptographic techniques.
Software: New software will need to be purchased if existing
software does not support cryptographic techniques.
Telecommunications: Telecommunications will need to be upgraded if
they do not support cryptographic techniques.
Cost: Cost of employee labor, new hardware, software, and upgraded
telecommunications
14. 5.16 Trusted Path
Control Objective- Organizational policy should ensure that
sensitive transaction data are exchanged only over a trusted path.
Sensitive information includes security management information,
sensitive transaction data, passwords and cryptographic keys. To
achieve this, trusted channels may need to be established using
encryption between users, between users and systems, and between
systems.
Recommendation:
A SQL injection attack gave the intruders their initial foothold, and
the malware they then planted captured data in the clear as it was
being processed (Cheney, 2010). That the data could be read in
transit shows that Heartland did not have trusted channels
established. Heartland needs a trusted path for its transactions
covering user-to-user, user-to-system and system-to-system
communication, and a procedure to ensure that sensitive information
is only ever sent over that path. This means secure
telecommunications for every step in the payment process from
beginning to end, and updating hardware and software so that
encryption can be used at each step.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure Teams
Procedures: Implementation of a trusted path for secure
communications, including end-to-end protection of the payment
process
Hardware: Upgraded hardware as needed to ensure a trusted path
Software: Upgraded software as needed to ensure a trusted path
Telecommunications: Telecommunications will need to be upgraded to
secure every step of the payment process
Cost: Cost of upgraded telecommunications, upgraded hardware,
upgraded software
15. 5.17 Protection of Security Functions
Control Objective- Security-related hardware and software should at
all times be protected against tampering and against disclosure of
secret keys to maintain their integrity. In addition, organizations
should keep a low profile about their security design, but should
not base their security on the design being secret.
Recommendation:
According to Cheney's report, Heartland manages its data 24/7 and 7%
of its information technology staff is focused specifically on
security. However, Heartland needs to keep a low profile on its
security design and not make it known to the whole company. The
attackers gained access to the corporate network first and were able
to perform many activities before gaining access to the processing
network (Cheney, 2010). Heartland needs to keep its sensitive
processing systems separate from the corporate network to preserve
their integrity, and it needs to ensure that the software and
hardware that implement its security functions are protected against
tampering.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure Teams
Procedures: Ensure that the security design is not available to the
whole company and that security software and hardware are protected
against tampering.
Hardware: Existing
Software: Existing
Telecommunications: Ensure that security management traffic is kept
separate from the rest of the company network.
Cost: Employee labor
16. 5.18 Cryptographic Key Management
Control Objective- Management should define and implement
procedures and protocols to be used for generation, change,
revocation, destruction, distribution, certification, storage,
entry, use and archiving of cryptographic keys to ensure the
protection of keys against modification and unauthorized
disclosure. If a key is compromised, management should ensure that
this information is propagated to any interested party through the
use of certificate revocation lists or similar mechanisms.
Recommendation:
The vulnerable web form exploited in the breach had been in place for
a long time, but the intrusion did not begin until 2007 (Cheney,
2010). Heartland needs to ensure that cryptographic keys cannot be
modified or disclosed, which means defined procedures for how keys
are generated, distributed, stored, rotated and destroyed, with the
keys that protect card data held separately from the systems the
intruders reached. Heartland also needs to ensure that if a key is
compromised the correct people are notified and the key is revoked
everywhere it is trusted.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure Teams
Procedures: Ensure that cryptographic keys are not modified and not
disclosed, and ensure that if a key is compromised the information is
communicated
Hardware: None
Software: Upgrade encryption software to include cryptographic key
management
Telecommunications: Ensure that if a key is compromised it is
communicated to the correct people
Cost: Upgraded software
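As an added example that is not part of the original deck, the per-transaction verification called for under 5.14, with the counterparty key table of 5.13 and the key-compromise propagation of 5.18 folded into one exchange: the merchant side signs each transaction under a key id, and the processor side refuses anything that is unsigned, signed under a revoked or foreign key, altered, stale or replayed. Key ids, the message fields, the time window and HMAC-SHA256 are assumptions for illustration, not a card-network specification:

```python
# Added example, not from the original deck: per-transaction message
# authentication between a merchant system and the processor (5.14),
# with a counterparty key table (5.13) whose revocations are honoured
# by the verifier (5.18).  Key ids, message fields and HMAC-SHA256 are
# assumptions for illustration, not a card-network specification.
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set


class KeyRegistry:
    """Shared keys per counterparty, each under a key id; revoked ids are remembered."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._owner: Dict[str, str] = {}
        self._revoked: Set[str] = set()

    def issue(self, counterparty: str) -> str:
        kid = f"{counterparty}:{secrets.token_hex(4)}"
        self._keys[kid] = secrets.token_bytes(32)   # exchanged out of band in practice
        self._owner[kid] = counterparty
        return kid

    def key(self, kid: str) -> Optional[bytes]:
        return self._keys.get(kid)

    def owner(self, kid: str) -> Optional[str]:
        return self._owner.get(kid)

    def revoke(self, kid: str) -> None:
        """Propagating a compromise: every verifier consulting the registry now rejects kid."""
        self._revoked.add(kid)

    def is_revoked(self, kid: str) -> bool:
        return kid in self._revoked


def canonical(msg: Dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(reg: KeyRegistry, kid: str, txn: Dict, now: Optional[float] = None) -> Dict:
    """Merchant side: bind key id, nonce and timestamp into the signed message."""
    body = dict(txn, kid=kid, nonce=secrets.token_hex(8),
                ts=int(time.time() if now is None else now))
    tag = hmac.new(reg.key(kid), canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)


class Processor:
    """Processor side: nothing reaches authorization until verify() says 'accept'."""

    def __init__(self, reg: KeyRegistry, max_skew: int = 300) -> None:
        self.reg = reg
        self.max_skew = max_skew
        self._seen: Set[str] = set()   # accepted nonces (bounded by max_skew in practice)

    def verify(self, msg: Dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        body = dict(msg)
        tag = body.pop("mac", None)
        kid = body.get("kid")
        key = self.reg.key(kid) if kid else None
        if tag is None or key is None:
            return "reject: unsigned or unknown key"
        if self.reg.is_revoked(kid):
            return "reject: key revoked"
        if self.reg.owner(kid) != body.get("merchant"):
            return "reject: key does not belong to claimed merchant"
        expect = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            return "reject: bad signature"        # amount, token, anything altered in transit
        # Only authenticated messages may influence the replay state below.
        if abs(now - body["ts"]) > self.max_skew:
            return "reject: stale timestamp"
        if body["nonce"] in self._seen:
            return "reject: replay"
        self._seen.add(body["nonce"])
        return "accept"


if __name__ == "__main__":
    reg = KeyRegistry()
    kid = reg.issue("merchant-42")
    proc = Processor(reg)
    txn = {"merchant": "merchant-42", "amount_cents": 1999, "token": "8201445577881111"}
    msg = sign_transaction(reg, kid, txn)
    print(proc.verify(msg))                                  # accept
    print(proc.verify(msg))                                  # reject: replay
    print(proc.verify(dict(msg, amount_cents=1)))            # reject: bad signature
    reg.revoke(kid)
    print(proc.verify(sign_transaction(reg, kid, txn)))      # reject: key revoked
```

The order of checks is the design point: the signature is verified before the timestamp and nonce are consulted, so an unauthenticated sender cannot fill the replay table or probe the clock window, and the revocation check sits ahead of everything else so that a key reported compromised stops working the moment the registry is updated.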
17. 5.19 Malicious Software Prevention, Detection and
Correction
Control Objective- Regarding malicious software, such as computer
viruses or Trojan horses, management should establish a framework of
adequate preventive, detective and corrective control measures, and
occurrence response and reporting. Business and IT management
should ensure that procedures are established across the
organization to protect information systems and technology from
computer viruses. Procedures should incorporate virus protection,
detection, occurrence response and reporting.
Recommendation:
The attackers went after data in transit rather than a stored
database, which made it easier for them to hide from detection
(Cheney, 2010). Heartland needs malicious software prevention that
covers data in motion, not only files on disk: a sniffer that
captures card data off the wire leaves little on the host for a
conventional antivirus scan to find, so the detective control has to
watch the network traffic itself. Heartland also needs detective and
corrective control measures across its infrastructure, and must
ensure that when malicious software is detected the correct people
are notified and the occurrence is responded to.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure Teams
Procedures: Provide a software solution that ensures malicious
software prevention and detection, including for data in motion.
Hardware: Existing
Software: Upgraded software that provides malicious software
prevention and detection with support for data in motion
Telecommunications: None
Cost: New anti-malware software, implementation cost
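A detective control for card data in motion, as an added example that is not part of the original deck: it serves the "data in motion" point made under 5.19 and the surveillance gap described under 5.7, by inspecting payloads crossing a segment boundary for plaintext card numbers and raising the alert highest when the flow leaves the processing segment for the internet, which is the shape of the exfiltration the deck describes. The zones, destinations, payload samples, regular expression and severity rule are all constructed or assumed for the example:

```python
# Added example, not from the original deck: a detective control for
# card data in motion (5.19), which also closes part of the monitoring
# gap described under 5.7: inspect payloads leaving each network
# segment for plaintext card numbers.  Zones, destinations and the
# payload samples are constructed; the regex and severity rule are
# assumptions for illustration.
import re
from typing import Dict, List, Tuple

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit runs of card-number length that also pass Luhn; tokens and
    order numbers that fail the check digit are ignored."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep BIN and last four in the alert so the alert itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


Flow = Tuple[str, str, str, bytes]   # (src_zone, dst_zone, dst, payload)

# Constructed flows as a sensor at the segment boundary would see them.
SAMPLE_FLOWS: List[Flow] = [
    ("processing", "dmz", "10.30.0.2:443",
     b"\x16\x03\x03\x00\x45\x01\x00\x00\x41\x03\x03"),                       # TLS handshake, opaque
    ("processing", "internet", "203.0.113.7:80",
     b"POST /u HTTP/1.1\r\n\r\ntrack=%B4111111111111111^DOE/JOHN^1512101"),  # sniffer exfiltrating
    ("corporate", "internet", "198.51.100.9:25",
     b"Subject: invoice\r\n\r\ncard 4111-1111-1111-1111 for order 8834"),   # PAN in e-mail
    ("processing", "dmz", "10.30.0.2:443",
     b"token=8201445577881111&amount=1999"),                                 # token, not a PAN
]


def inspect(flows: List[Flow]) -> List[Dict[str, object]]:
    """Alert on every flow carrying a plaintext PAN; severity depends on where it is going."""
    alerts = []
    for src_zone, dst_zone, dst, payload in flows:
        pans = find_pans(payload.decode("latin-1"))
        if not pans:
            continue
        critical = src_zone == "processing" and dst_zone == "internet"
        alerts.append({
            "severity": "critical" if critical else "high",
            "src_zone": src_zone, "dst": dst,
            "count": len(pans), "masked": [mask(p) for p in pans],
        })
    return alerts


if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print(alert)
```

Two of the four constructed flows alert: the track data leaving the processing segment (critical) and the card number in the outbound e-mail (high). The TLS flow is opaque to the sensor, which is the point of the trusted-path controls, and the token flow is silent because a token that fails the check digit is not a card number.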
18. 5.20 Firewall Architectures and Connections with Public Networks
Control Objective- If connection to the Internet or other public
networks exists, adequate firewalls should be operative to protect
against denial of services, unauthorized access to the internal
resources and control any application and infrastructure management
flows in both directions.
Recommendation:
Heartland's CEO knew that the company needed to move to a higher
standard of security (McGlasson, 2009). Heartland needs firewalls in
place that control application and infrastructure management flows in
both directions. It is not enough to protect data from the outside;
Heartland must also ensure that sensitive information on the inside
cannot be sent out of the network, which in practice means a default
deny on outbound connections from the processing environment with
explicit exceptions for the card networks, and a separation between
the corporate and processing segments.
Plan of Action:
People: CIO, Director of IS, IS-Infrastructure Teams
Procedures: Provide a firewall solution that ensures control of data
flow in both directions
Hardware: Upgraded firewalls to control data flow in both
directions.
Software: None
Telecommunications: Ensure that communications are controlled in
both directions
Cost: New firewalls
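As an added example that is not part of the original deck, a rule evaluator for the bidirectional flow control recommended above and the corporate/processing separation recommended under 5.17. It evaluates a flow the way a zone-based firewall would: classify the endpoints into zones, then apply the first matching rule, with a default deny in both directions. The zones, addresses, ports and rules are assumptions for illustration, not Heartland's network; the first case in the demo is the planted sniffer trying to send captured data out:

```python
# Added example, not from the original deck: a rule evaluator for the
# bidirectional flow control of 5.20 and the corporate/processing
# separation of 5.17.  Zones, addresses, ports and rules are assumptions
# for illustration, not Heartland's network.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "processing": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),       # card-brand gateways live here
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]         # None matches any port
    action: str                     # "allow" or "deny"
    why: str
    src_host: Optional[str] = None  # pin a rule to one source address

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_port: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.dst_port in (None, dst_port)
                and self.src_host in (None, src_ip))


# First match wins; the explicit denies make the intended policy readable in the logs.
RULES: List[Rule] = [
    Rule("processing", "dmz", 443, "allow", "settlement to card-brand gateway"),
    Rule("dmz", "processing", 443, "allow", "gateway callbacks"),
    Rule("corporate", "processing", 22, "allow", "administration from jump host only",
         src_host="10.10.5.10"),
    Rule("corporate", "processing", None, "deny", "corporate may not reach processing"),
    Rule("processing", "corporate", None, "deny", "processing may not reach corporate"),
    Rule("processing", "internet", None, "deny", "no direct internet egress from processing"),
    Rule("internet", "processing", None, "deny", "no inbound to processing"),
    Rule("corporate", "internet", 443, "allow", "web via proxy"),
]
DEFAULT: Tuple[str, str] = ("deny", "default deny in both directions")


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Decide a flow the way the firewall would: zones first, then first matching rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, src_ip, dst_port):
            return rule.action, rule.why
    return DEFAULT


if __name__ == "__main__":
    cases = [
        ("10.20.3.7", "203.0.113.7", 80),     # planted sniffer trying to exfiltrate
        ("10.20.1.5", "10.30.0.2", 443),      # legitimate settlement traffic
        ("10.10.22.4", "10.20.1.5", 22),      # corporate workstation to processing
        ("10.10.5.10", "10.20.1.5", 22),      # jump host to processing
        ("198.51.100.4", "10.20.1.5", 443),   # internet to processing
    ]
    for src, dst, port in cases:
        print(f"{src} -> {dst}:{port} = {evaluate(src, dst, port)}")
```

The sniffer's outbound connection is denied by an explicit rule rather than by the default, so the denial is logged with a reason that a monitoring team can alert on; a default deny alone would have stopped the flow but left a far less useful record.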
19. Summary of Recommendations
Organization and Management of Systems
New ID / Authentication Solution
Better Secure Data Practices
Increase of Security Surveillance
Encryption of Data
Creation of a Trusted Path to Move Data
Data in Motion Security Protection
Creation of Updated Firewall Rules
20. APA Sources
Heartland Payment Systems hacked - Technology & Science - Security.
(2009, January 20). Retrieved December 11, 2010, from msnbc.com:
http://www.msnbc.msn.com/id/28758856/ns/technology_and_science-security/
In re Heartland Payment Systems, Inc. Securities Litigation, Case
3:09-CV-01043-AET-TJB, Document 25. (2009, December 7). United States
District Court, District of New Jersey.
Payment Card Industry (PCI) Data Security Standard Requirements and
Security Assessment Procedures Version 2.0. (2010, October). Retrieved
December 11, 2010, from PCI Security Standards Council:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Acohido, B. (2009, January 23). Hackers breach Heartland Payment
credit card system. Retrieved December 11, 2010, from USA Today:
http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
21. APA Sources (continued)
Albanesius, C. (2010, May). Inside the biggest online theft case. PC
Magazine, 29(5).
Cheney, J. S. (2010, January). Heartland Payment Systems: Lessons
learned from a data breach. Retrieved December 11, 2010, from Federal
Reserve Bank of Philadelphia:
http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf
Cyprus, B. (2009, June). Wireless POS makes your business more
efficient. Retrieved December 2010, from Vendor Safe Technologies:
http://www.vendorsafe.com/images/pdfs/Wireless_POS.pdf
Cyprus, B. (2010, January). Control your security, and PCI will
follow: The four most vital actions restaurants can take to accelerate
network and credit card data security. Retrieved December 2010, from
Vendor Safe Technologies:
http://www.vendorsafe.com/images/pdfs/whitepaper2_control_your_security.pdf
Farrell, F. (2010, June 28). Once hacked, twice paranoid. Forbes,
185(11), p. 50.
22. APA Sources (continued)
Higgins, K. (2009). Heartland CEO provides more details on big data
breach. Retrieved December 11, 2010, from Dark Reading:
http://www.darkreading.com/security/attacks-breaches/214600079/index.html
Howley, E. (2010, October). UNF security breach affects more than
100,000 IDs. Retrieved November 5, 2010, from First Coast News:
http://www.firstcoastnews.com/news/topstories/news-article.aspx?storyid=171731&catid=3
Johnson, A. (2010, March). Guide for security configuration
management of information systems (draft NIST SP 800-128). Retrieved
December 2010, from csrc.nist.gov:
http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf
King, R. (2009, July 6). Lessons from the data breach at Heartland.
Retrieved from Bloomberg BusinessWeek Special Report:
http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm
Krebs, B. (2009, January 20). Payment processor breach may be largest
ever. Retrieved December 11, 2010, from The Washington Post:
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
23. APA Sources (continued)
McGlasson, L. (2009). Lawsuit: Heartland knew data security standards
was 'insufficient'. Retrieved December 11, 2010, from
BankInfoSecurity: http://www.bankinfosecurity.com/articles.php?art_id=1834
Metzger, T. (2010, February 2). How tokenization works. Retrieved
December 11, 2010, from Merchant Account Guide: The Merchant Account
Experts:
http://www.merchantaccountguide.com/merchant-account-news/how-tokenization-works.php
Our technology: Payment & transaction processing for merchant
accounts. (n.d.). Retrieved November 5, 2010, from Heartland Payment
Systems: http://www.heartlandpaymentsystems.com/Technology/
UNF President's Office: Strategic Plan 2009-2014. (n.d.). Retrieved
November 5, 2010, from University of North Florida:
http://www.unf.edu/president/Strategic_Plan_2009-2014.aspx
Vijayan, J. (2009, August 17). U.S. says SQL injection caused major
breaches. Computerworld.