The Heartland Data Breach situation can teach us all a number of fundamental security lessons. The actual breach was in fact not a single event but a sustained set of intrusions starting back in 2006. In addition, the victims also included Hannaford Bros. and 7-Eleven.
Lesson #1: don’t just read the headlines, dig a little deeper.
The perpetrators prepared for these intrusions for a long time. They developed a set of malware programs and then ran a variety of third-party and public domain antivirus programs against the malware to ensure that it would not be detected by normal antiviral scanning activities.
Lesson #2: intruders are willing to expend as much effort as you do to achieve their goal.
Most of the intrusions were successful using relatively common attack techniques. To use a well-known analogy: if a robber can just open your front door because it’s not locked and you’re not home, there is no need to try to outsmart a sophisticated and monitored burglar alarm system next door. Sometimes a determined intruder wants to get into your house; most times, a burglar just wants to get into some house, and so picks the house that’s easiest to get into. On the Internet, it’s often the same thing.
Lesson #3: many intrusions are the result of finding the easiest opportunity.
Heartland had recently passed a PCI DSS assessment. As we all know, however, passing an assessment or audit, or even being deemed compliant, is not an end goal but a point-in-time evaluation. IT environments are constantly changing, and therefore there are always challenges in keeping your security stance stable.
Lesson #4: passing an audit probably means you’re safer, but it doesn’t mean you’re safe.
Everybody understands the importance of perimeter security. Unfortunately, it still raises the question: where does my network really start and end? The problem is that it is often difficult to know just who has access to your network and who doesn’t. In the Heartland et al. situation, the intruders found their way onto several networks and placed software that went undetected for months on end. Once the software was installed, they were on the “inside” and not subjected to the same controls one faces when trying to get to the inside.
Lesson #5: be just as concerned about what goes out of your network as what comes in.
All of these lessons point to fundamental security concepts: make sure you understand the details, accept that intruders will try just as hard as you, many intrusions are successful using simple exploits, passing an audit doesn’t guarantee your safety, and you should assume you don’t know who is on your network and protect resources accordingly.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.