More Details of Heartland's Breach Emerge

More details are now available as to how the breach at Heartland occurred, resulting in potentially the biggest breach ever, covering nearly 100m credit card transactions. Investigators discovered that a piece of malware was hidden in an unallocated portion of disk on one of the Heartland servers.

What puzzles me though is:

  • How did a user have the rights to install the malware on the system? Was it an administrator that was duped into loading the malware?
  • Why did the monitoring of the logs on the servers not detect any strange behaviour?
  • Where was the pilfered data being sent?  If it was external to Heartland's network, surely egress filtering or monitoring of outgoing traffic would have flagged the suspicious behaviour?
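As an added example, not code from the original post and nothing to do with Heartland's actual systems, here is the kind of egress check the third question above is asking about, in Python. It runs over a handful of constructed firewall log lines in a hypothetical format (timestamp, source, destination, destination port, bytes out) against a hypothetical allow-list of approved external destinations. Any connection from an internal host to an external address not on that list is flagged, and any internal host whose total outbound byte count to external addresses exceeds a threshold is flagged as a possible exfiltration channel.

```python
"""Egress monitoring over constructed firewall connection log lines.

Added example; the log format, networks and allow-list are assumptions.
"""
import ipaddress
from collections import defaultdict

# Hypothetical internal address space and approved external destinations
# (a settlement partner on 443). Everything else leaving the network is suspect.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APPROVED_EGRESS = {("192.0.2.50", 443)}

# Flag a host once it has pushed more than this many bytes to external addresses.
BYTES_THRESHOLD = 10 * 1024 * 1024

# Constructed sample log: "timestamp src dst dport bytes_out", one record per line.
# 10.20.5.11 talks to an internal database, the approved partner, and then
# pushes ~24 MB to an unapproved external host; 10.20.5.12 opens FTP outbound.
SAMPLE_LOG = """\
2009-01-20T02:10:05 10.20.5.11 10.20.9.40 1433 4120
2009-01-20T02:10:09 10.20.5.11 192.0.2.50 443 2200
2009-01-20T02:11:30 10.20.5.11 198.51.100.23 443 15728640
2009-01-20T02:12:02 10.20.5.11 198.51.100.23 443 9437184
2009-01-20T02:13:44 10.20.5.12 10.20.9.40 1433 3800
2009-01-20T02:14:10 10.20.5.12 203.0.113.9 21 512000
"""


def parse_line(line):
    """Split one log record into its fields; ports and byte counts become ints."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def parse_log(log_text):
    """Yield parsed records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def is_internal(ip):
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unapproved_egress(log_text, approved=APPROVED_EGRESS):
    """Return (ts, src, dst, dport) for every internal-to-external connection
    whose destination and port are not on the approved list."""
    hits = []
    for rec in parse_log(log_text):
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # inbound or purely internal traffic is out of scope here
        if (rec["dst"], rec["dport"]) not in approved:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits


def external_bytes_by_source(log_text):
    """Sum bytes sent to external addresses, per internal source host."""
    totals = defaultdict(int)
    for rec in parse_log(log_text):
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def hosts_over_threshold(log_text, threshold=BYTES_THRESHOLD):
    """Internal hosts whose external outbound volume exceeds the threshold."""
    totals = external_bytes_by_source(log_text)
    return sorted(host for host, total in totals.items() if total > threshold)


if __name__ == "__main__":
    for hit in find_unapproved_egress(SAMPLE_LOG):
        print("unapproved egress:", hit)
    for host in hosts_over_threshold(SAMPLE_LOG):
        print("outbound volume over threshold:", host)
```

The allow-list approach is deliberately strict: a payment server has a short, known list of places it should ever talk to, so anything else is worth an alert regardless of port. The byte-count check catches the case where the attacker tunnels over an approved port (443 here) to a destination that merely looks like normal web traffic.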

The CEO of Heartland has also said that if other payment processors who had previously suffered breaches had shared their experiences, then maybe Heartland would have been better prepared to prevent this type of attack.  It will be interesting to see if he lives up to his own statement and publishes details of this attack so others can learn from it.

Do take the time to read the article as it is a fascinating read into how the breach occurred.

Largest Breach Ever

Courtesy of Brian Krebs of the Washington Post it appears that the largest ever breach of credit card data may have occurred.  A payment processor in the United States, Heartland Payment Systems, discovered malware on their network that may have captured the credit and debit card details of over 100 million cards.  The data captured included names, credit and debit card numbers and expiration dates.

There are no details yet as to how the malware got onto their network, what type of malware it is or the type of systems infected.  Often when I do security assessments for clients I see strong malware controls on desktops and servers, but the network itself is one area that is often overlooked.  Routers, switches and other network components are often never looked at once they have been installed.  These devices are invariably not included in any vulnerability or patch management strategy and will probably not have been upgraded, reviewed or tested since they were installed.  This leaves a gaping hole in your security infrastructure, as once an attacker controls a router or switch they can see, and redirect, all the traffic that passes through it; only data encrypted end to end between the endpoints stays out of their reach.

Another item to consider is what monitoring was in place to detect any suspicious behaviour.  Again this is often something I find clients overlook as part of their information security infrastructure.  The article does explain that Heartland found the malware as the result of an investigation, so to be fair it is possible that their monitoring systems alerted them to some suspicious behaviour.  However, until more details are available we can only speculate.

No doubt questions will be asked as to whether or not Heartland was PCI compliant.  To me this is a non-issue.  If you have implemented a strong information security infrastructure then PCI compliance, or indeed any compliance, will practically be a side benefit.  As always I will repeat the mantra, just because you are compliant does NOT mean you are secure.

I await more details on this breach with interest.  As always we should use all of these breaches as an opportunity for ourselves to learn how better to protect our own networks and data.

Implementing ISO 27001 In A Windows Environment

One of the biggest projects I worked on last year was writing my first book.  The book is called “Implementing ISO 27001 in a Windows Environment“.  I wrote this book in response to the many questions clients have asked me on how best to put in place the various controls and goals outlined in the ISO 27001 Information Security Standard (formerly BS 7799).

Very often these people were IT Managers who were mandated by their senior management to implement the standard in order to assure the business that they were using recognised best practices to secure their information assets.

However these managers suddenly faced a number of major challenges:

  • They had to first become familiar with the ISO 27001 Information Security Standard and understand how it works.
  • Identify what controls were applicable to their organisation based on their risk assessment and resultant required controls.
  • How to ensure that the controls that required technical configuration were being properly implemented.
  • Last but not least how to do all the above in the most effective and cost efficient manner possible.

As someone who has a lot of experience with implementing the standard, and also a strong technical background, I decided to write this book to help address those issues.  I also decided to focus on how to leverage some of the existing Microsoft technology, such as Microsoft Windows Server 2008, Microsoft Windows Vista and various other Microsoft security tools, that most organisations already have deployed.

So last summer my journey as an author began.  It has been a long and at times challenging journey, but I am happy to say that it is coming to an end.

My book “Implementing ISO 27001 In a Windows Environment” will be published on February the 3rd 2009 and is now available for pre-order at the IT Governance website.   If you are considering rolling out ISO 27001 in your organisation, I would recommend that you purchase the book as it may save you a lot of time, money and frustration.

Irish Ways and Irish Laws

I am regularly asked by clients, training course attendees and contacts in non-Irish companies looking to expand into Ireland what the most relevant legislation relating to information security is for organisations in Ireland.  So here is my top list of legislation that you should be concerned about regarding information security and your business in Ireland.  I hasten to point out that I am no legal expert and that the information below is purely for guidance and should be verified with your own legal team.  If I have forgotten any items then please let me know:

The ones of concern to most companies would be the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003.  Under these an organisation is obliged to ensure the confidentiality of personal information of customers and staff.  This means ensuring that information is available only to those who need it and only for the purposes for which it was gathered.

So for example if you buy something from a shop and they ask for your mobile number to facilitate delivery, this is all they are allowed to use that data for.  If you then get an SMS message from them advertising new services they are in breach of the Data Protection Act and could face fines of up to €3,000 per message.

Similarly if your organisation was to misuse personal information in a similar manner you could face the same fines.  You can also face fines for not securing the information properly.  The Data Protection Commissioner has a good video on their site outlining the obligations.

You also need to be aware of the European Convention on Human Rights.

Under the above everyone has the right to privacy in all their communications.  This means that a company cannot simply read employees’ emails or monitor their phone calls or their Internet usage.  In order to do so you need to make staff aware of this monitoring in an Acceptable Usage Policy, so that they in effect waive this right.

The Employment Equality Act 1998 obliges you to provide a safe working environment for all without fear of discrimination.  An area that could be of issue is if a member of staff feels they are being sexually harassed due to the content other members of staff view on their computer.  It is important that all staff are aware of what they are and are not allowed to do when using organisational resources such as computers, and what type of behaviour is acceptable.  This would be outlined in an Acceptable Usage Policy.  Ideally this should then be managed and monitored to ensure people are not breaching the policy, and disciplinary action taken where appropriate.

The Copyright and Related Rights Act 2000.

Under this act any copyrighted material found on your systems could result in a prosecution against the directors of the company and NOT the individual who violated the agreement.  So if a member of staff copies the latest Spiderman movie onto their PC, it is the board of directors that could face prosecution and not the individual.

Finally you are also obliged to protect credit card data in accordance with the PCI DSS (Payment Card Industry Data Security Standard).  This is a standard produced by the credit card companies to ensure retailers secure credit card information belonging to customers.  If you are found to be in violation of this standard in a way that resulted in credit card information being compromised, the organisation may face increased credit card charges and possible fines, and may have sanctions such as annual third party audits enforced on it.

UPDATE – 22/05/08
For those of you based in the United States the following post on “10 ways you might be breaking the law with your computer” may be of interest.

Over 100 Computers Lost By Irish Government in 5 Years

The SiliconRepublic published a story highlighting how questioning from Ruairi Quinn, spokesperson on Education and Science for the Labour party, exposed that over 100 laptop and desktop computers, 14 Blackberry phones and 11 portable media devices were lost over the past 5 years.

While there are no details available as to whether or not any sensitive data was stored on these devices, it appears that many of the lost computers were not encrypted.  These findings, together with recent revelations of data breaches in Irish government departments and the loss of two CDs in the UK containing records of 25 million people, highlight the need for government agencies to take the security of personal information belonging to citizens seriously.

In the above cases it may be that the loss extends to just the value of the equipment.  However, given the nature of how data is passed around within organisations, both private and public, I suspect some of those lost devices contain very sensitive information relating either to the departments themselves, their staff or the citizens who entrusted their personal data to the care of the state.

People often forget that portable devices contain sensitive information in many formats: as documents, databases or spreadsheets containing data, within emails, or as attachments to emails that are held in the locally cached mail store on the device.  I hope that each department, whether affected by the above or not, will take heed of this story and take steps to ensure such leakages are prevented in the future.

I also suspect that the numbers uncovered by Mr. Quinn are well on the conservative side and it would be interesting to see how much data has been lost by staff using unofficial mobile equipment such as their own USB keys, laptops, portable storage devices and mobile phones.

While we mostly have a choice about which private organisations we share our information with, i.e. we can decide whether or not to do business with them, we often do not have the same flexibility with government departments.  That is why it is incumbent on government departments to ensure they maintain the highest standards with regards to data protection.

The fact that this information only came to light following questions raised in the Dáil by Mr. Quinn also highlights the need for more people to support our call for Data Breach Disclosure laws here in Ireland.

The next meeting of the ISSA on February 21st will be on Security Breach Reporting.  If you feel strongly about this issue, on either side, it would be great to have you there to share your thoughts.  If you cannot make it then please feel free to contribute here via the comments feature.

An Overview of Information Security Standards

Over the years numerous people have asked me various questions about Information Security standards.  In the main I get asked the same questions.  I thought it would be a good idea to try and summarise them here for others to benefit from. 

Can you explain what a security standard is?

A security standard is like any other standard within any other industry.  A standard is “a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition”. Further, according to ISO, standards “contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use”.

In essence a standard is a common set of rules, definitions and agreed “regulations” that all parties can refer to for common reference.  A standard would be a set of minimum requirements that an organisation must meet in order to claim to be compliant with the standard.

Why do we need standards?

Standards provide us with a common set of reference points to enable us to evaluate whether an organisation has processes, procedures and other controls in place that meet an agreed minimum requirement.  If an organisation is compliant/meets a certain standard then it gives third parties such as customers, suppliers and partners confidence in that organisation’s ability to deliver to that standard.  It can also provide an organisation with a competitive advantage over other organisations.  For example an organisation that is compliant with a security standard may have an advantage over a competitor who does not when customers are evaluating their products or services.

In other cases certain regulatory and legal requirements may specify certain standards that must be met.  For example if your company processes credit cards then you must be compliant with the PCI DSS (Payment Card Industry Data Security Standard).  This standard is specified by the major credit card companies such as VISA and Mastercard.  If you are not compliant with this standard then you can be fined, face higher processing charges, or indeed those credit card companies may refuse to do business with you.

In addition if you are meant to be compliant to a standard but are not and suffer a security breach then you could face potential law suits from those customers impacted by that breach.  TJX, the parent company of TK Maxx, suffered a security breach resulting in over 45 million credit card details being accessed by hackers.  TJX was meant to be PCI compliant but was not and is now facing lawsuits from impacted customers.

Standards can also help organisations meet regulatory requirements such as the Data Protection Act, SOX, HIPAA etc.  By using a standard to create a strong foundation for managing and securing your systems you will find it easier to meet existing and new regulatory requirements than an organisation that does not.

Can you tell me more about ISO 27001?

The following excerpt from a previous Blog post titled “Why use ISO 27001?” provides more details on ISO 27001:

ISO 27001 is a vendor and technology neutral internationally recognised standard which provides companies with a risk based approach to securing their information.  It provides organisations with independent third party verification that their Information Security Management System meets an internationally recognised standard.  This provides a company, and its customers and partners, with the confidence that they are managing their security in accordance with recognised and audited best practices.

However, in my opinion companies that have implemented an ISO 27001 based ISMS can demonstrate many efficiencies and other benefits such as:

Increased reliability and security of systems:
Security is often defined as protecting the Confidentiality, Integrity and Availability of an asset.  Using a standards based approach, which ensures that adequate controls, processes and procedures are in place, helps ensure that the above goals are met.  Meeting the CIA goals of security will in turn improve the reliability, availability and stability of systems.

Increased profits:
Having stable, secure and reliable systems ensures that interruptions to those systems are minimised thereby increasing their availability and productivity.  In addition to the above, a standards based approach to information security demonstrates to customers that the company can be trusted with their business.  This can increase profitability by retaining existing, and attracting new, customers.

Reduced Costs:
A standards based approach to information security ensures that all controls are measured and managed in a structured manner.  This ensures that processes and procedures are more streamlined and effective thus reducing costs.

Some companies have found they can better manage the tools they have in place by consolidating redundant systems or re-assigning other systems from assets with low risk to those with higher risk.

Compliance with legislation:
Having a structured Information Security Management System in place makes the task of compliance much easier.

Improved Management:
Knowing what is in place and how it should be managed and secured makes it easier to manage information resources within a company.

Improved Customer and Partner Relationships:
By demonstrating the company takes information security seriously, customers and trading partners can deal with the company confidently knowing that the company has taken an independently verifiable approach to information security risk management.

ISO 27001 can be implemented within an organisation as a framework to work against or indeed the organisation can seek to gain certification against the standard.

What kind of security standards are available?

There are numerous standards available.  These can be broken down into three main categories:

  • Business Standards
  • Product Standards
  • Individual Standards

On my Blog the post “List of Security Certifications”  outlines all the certifications that I am aware of within the information security industry.  As you can see they are many and varied.

You can be assessed and certified against any of the above to demonstrate that you meet the minimum requirements to satisfy the standard.  If you meet those requirements then you can be certified against that standard. 

So a business standard would apply to an organisation and state that it meets the requirements to satisfy the standard.  Product standards mean that when you purchase a product you know it has been independently assessed as being secure according to predefined criteria.  If you are hiring someone as a member of staff or as a consultant you can determine if they have the minimum knowledge that you require for that role by looking at the certifications they have earned.

The following post on my Blog gives some of my thoughts on certification schemes.

How can we obtain the standards?

In order to obtain a standard I suggest you:

  • Determine which one is suitable to you and/or your organisation or product.
  • Become familiar with that standard.  You can obtain a copy of that standard from the organisations who develop the standard or it may be available from other third parties.
  • Engage someone with knowledge of that standard, either in-house or an external consultant.
  • Determine what gaps currently exist within your organisation against the standard and develop a plan to address those gaps.
  • Engage with a certification body to achieve the standard.

Is there a difference between security standards?

Yes there are differences.  Some are more respected than others, some are more stringent than others.  This is especially so in the individual certifications/standards where some of them would be seen as entry level qualifications.

How do standards get implemented?

The normal process to meet a standard goes along the following lines:

Business

  • Implement the standard.
  • Engage a third party to audit you against the standard.
  • That third party determines if you meet the standard and whether or not you achieve certification against the standard.

Products

  • Select the standard you wish to achieve.
  • Submit your product to the company authorised to test your product against that standard.
  • Have your product tested and, if it passes, it will be certified (note that this can be a very costly exercise).

Individuals

  • Select the standard/certification you wish to achieve.
  • Study against the requirements.
  • Sit an exam
  • Pass the exam.  Some certifications require verifiable work experience in the field on top of passing the exams.

What does it cost to implement a standard?

That can depend.  In most cases the biggest cost is in the time and people involved in trying to get the standard.

Does it make a difference if you are a small business or large corporation when you put security standards in place?

It makes no difference.  The standards apply to all companies of all sizes.  In some cases it may be wise to implement a standard when the company is small so the standard is ingrained as part of the culture of the company.  Often big companies may also have to “re-educate” themselves in how to do things in accordance with the standard and break bad habits that may be in place already.

What happens if you don’t have security standards in place?

Not having security standards in place may have the following implications:

  • If you need to be compliant with certain standards, e.g. PCI DSS, then you may face financial penalties and also loss of business.
  • You may find it more difficult to meet new regulatory and legal requirements as you may have to “reinvent” the wheel for each of these requirements, whereas complying with a standard can give you a solid foundation to meet these new requirements.
  • You may lose business to competitors that are compliant with the standards as they may be viewed as being more reliable by potential customers.

Do all businesses need them?

It depends.  For example, if you operate in certain industries then you may need them, or if you process credit cards you need to be compliant with the PCI DSS standard.  In general though it would be viewed as good business practice for your company to be compliant with a security standard, similar to your company being compliant with the ISO 9000 series of quality standards.

What can potentially go wrong with your security standard?

The biggest problem is paying “lip service” to the standard.  This often happens if companies simply go for the standard for a marketing exercise or simply just to achieve the standard.  This then results in what I call “Tick List Security”. 

Tick List Security is where a company just implements security controls simply to meet a certain standard.  The company does not really care about being secure but simply wants to tick all the boxes on the requirements to meet the standard.  This can be a dangerous play as the organisation thinks they are secure but in reality they are not.

In my experience companies that go for standards for solid business reasons such as improving their processes, procedures and ultimately their security tend to be more successful and get more benefit from the exercise.

The other issue I often see is companies not maintaining the documentation and record keeping required by the standard.

How often do they have to be updated?

That depends on the standard and on your requirements.  If you achieve ISO 27001 certification you have a series of regular surveillance audits to ensure you are still compliant with the standard.  From time to time the bodies setting the standards may also update or change the standard to keep it in line with the modern environment.

Where can you find out more about security standards and how do you find the one which is right for your business?

Most of the standards are available from the bodies that determine them and in many cases there are third party websites available to provide more guidance and information.

What is involved in being audited against a standard?

Dr. Gary Hinson, founder of Global Security Week and owner of the NoticeBored Blog, has an excellent “Frequently Avoided Questions About IT Auditing” page on his website.  Gary does more justice to this than I possibly could.

I hope my above thoughts offer some insight into the world of information security standards.  I would be very interested to hear your own thoughts and experiences regarding standards.

How to get a free Risk Assessment

During last week’s COSAC conference I had an interesting discussion with one of the other delegates regarding the state of information security.  We lamented the fact that the various options tried by the industry to improve security have failed. 

Technology is failing us; as soon as we have a solution in place the bad guys bypass it.  Not to mention that most security software has its own vulnerabilities, as highlighted in my post “He who lives by the sword, dies by the sword” where I show that 144 vulnerabilities were reported in security software between 1st January and 1st June 2007.

Security Awareness initiatives have failed.  No matter how many times we tell people, they will still click on an attachment or a link in an email they were not expecting.

Compliance also seems to be failing us.  We hoped that compliance would improve security, but it seems the truth is that companies are more concerned with being compliant than with being secure.  So compliance seems to have given us checklist security, with the result that compliance does not equate to security.

It was then that I suggested insurance companies could improve computer security.  In the real world, a business very often cannot get insurance unless it complies with a list of security requirements imposed on it by its insurance company.  So companies end up installing alarm systems, sometimes with 24×7 monitoring, improved locks on their doors and windows, and fire detection and prevention systems.  Depending on the risk exposure facing the company they may also have to deploy additional security solutions such as CCTV, security guards etc. as stipulated by the insurance company.  In addition, all of these systems have to be certified to a certain industry standard, and installed and maintained by trained and qualified personnel.  So in the real world would companies go to this extent of investing in physical security?  I argue that no they wouldn’t!  They have to do so in order to get insurance, without which they probably could not do business.

With the increasing risk exposure companies face in cyber security, and the increasing financial risks posed by potential litigation, non-compliance with standards such as PCI DSS and loss of revenue due to breaches, how long will it be before the insurance industry gets a good handle on this aspect of business and starts offering insurance in this area?  Then how long will it be before a company wishing to conduct business online will only be able to do so after taking out a cyber insurance policy?  Which in turn will force these companies to implement security to protect their assets in accordance with the insurance company’s risk assessment.

Insurance companies have been assessing risks for decades and are experts in this area.  So if you want to get a free risk assessment simply ask an insurance company to quote you for cyber insurance and take the results of that assessment.  Of course you can only do this once.

Though as my colleague at COSAC did point out, insurance is where you get payment in the event of something that might happen, e.g. fire insurance, whereas assurance is where you get payment when something will happen, e.g. life assurance.  So given the state of our current information security landscape and where we expect at some stage to have a security incident, maybe we should look for cybersecurity assurance rather than cybersecurity insurance?

So do you think the introduction of cybersecurity insurance will help improve the state of information security or will it simply be another false hope?  Let me know what you think within the comments.

Presentations from GSW Seminar now Available

The seminar held in Dublin during Global Security Week based on the theme “Privacy in the 21st Century” was a resounding success.  We had excellent keynote speakers:

Tony Delaney, Assistant Commissioner, Office of the Data Protection Commissioner

Caspar Bowden, Chief Privacy Advisor EMEA, Microsoft.

The following are copies of the presentations in PDF format;

Seminar Introduction – Brian Honan (PDF, 353KB); the Pizza Privacy movie played during this talk is also available.

A Presentation on Data Protection – Office of the Data Protection Commissioner (PDF, 84KB) by Tony Delaney, Assistant Commissioner, Office of the Data Protection Commissioner, highlighted a lot of the items companies operating within Ireland need to consider with regards to Data Protection.  Tony showed a video, “My Data – Your Business?”, demonstrating the common mistakes companies make with regards to Data Protection.  The video is available at the Office of the Data Protection Commissioner’s website.  Alternatively you can get a copy of the video by writing to the Office of the Data Protection Commissioner or by emailing [email protected].

Privacy and the PCI DSS Data Standard – Mathieu Gorge (PDF, 5.5 MB)

Privacy and the ISO 27001 Information Security Standard – Brian Honan (PDF, 538KB)

The occasion was also used to call on the Irish Government to implement Data Security Breach Disclosure Laws in Ireland.

We would like to thank once again the speakers who contributed to the seminar and also to those who attended and took part in the panel discussion towards the end.

Call for Breach Disclosure Laws in Ireland

The Friday edition of the Irish Times dated the 31st of August 2007 contains an article in which Brian Honan, Senior Consultant for BH Consulting, states that at the forthcoming “Privacy in the 21st Century” seminar, which is part of Global Security Week, he will be calling on the Irish Government to look at implementing breach disclosure laws similar to those in place within certain states in the United States.  In the article Brian highlights that while we have very effective data protection laws in Ireland, there are no laws compelling organisations to inform clients if their data has been accessed as a result of a security breach.  The full article is available online on the Irish Times website (paid subscription required) and on TMCnet, and a summary is available on ElectricNews.Net (ENN).