Post Heartland breach analysis and PCI Compliance limitations
Posted on Wednesday, August 19, 2009
Eric Ogren, writing for SearchSecurity.com, and Evan Schuman and Fred Aun, writing for StorefrontBacktalk.com, have some insightful commentary on the tactics the hackers used to breach Heartland and how those tactics relate to the limitations of the current PCI Compliance standard.
I think the key takeaway here is that compliance does not necessarily equal security. Here are a few highlights from their articles:
Eric Ogren
1. The hackers ran their malware through 20 AV products to test detection avoidance. AV is very good at stopping known attacks of mass destruction, but is quite a bit less good about catching low profile designer attacks. Effective security should augment AV filters with technology that reflects control over the unique aspects of the organization's server and endpoint configurations. IT has choices here – application whitelisting on locked-down servers will prevent execution of unauthorized software, thin clients prevent attacks from persisting at endpoints, virtual desktops and servers give IT control over endpoint configurations and automated patching systems close windows of vulnerabilities. PCI should be more assertive in recognizing that signature-based schemes and reputation services will not catch low volume activity that is the trademark of malware designed to steal information.
2. It would be nice if PCI could have protected 7-Eleven and others from the same attack technique that befell TJX years earlier.
Evan Schuman and Fred Aun
1. One retail security expert, who has firsthand knowledge of defending against these defendants and who agreed to discuss the indictment if neither her name nor employer was identified, said much in the indictment points out inherent weaknesses in PCI. The back door approach used, a time-honored hacking technique for decades, is a red flag. “Being on the inside, these probably would have passed right through firewalls as the data would be travelling in the ‘safe’ direction. Also note that any gains a company would have from a password rotation scheme would be negated by the installation of a back door. My main point there is that password rotation schemes are not an effective defense, and shouldn’t be elevated to such by PCI or corporate ‘security policies.’ In any case, Hackers 2, PCI 0.”
2. The SQL injection tactic points out an especially significant PCI flaw, the expert said. “PCI doesn’t say boo about SQL injection attacks. It only says you must maintain secure systems and applications and review the applications annually. But reviews are ineffective on unknown bugs – they can only help recognize bugs the reviewer actually knows about.”
3. Another concern that she listed involved Heartland details. “The attackers installed sniffers to capture the traffic, they did not harvest data intentionally stored by Heartland on hard drives. PCI doesn’t say anything about encrypting data on private networks, only that you must protect stored cardholder data or encrypt data traveling over open, public networks. And the networks obviously have the business need-to-know, that’s what they do: carry data. That’s a three-point shot for the Hackers; Hackers 6, PCI 0.”
4. Yes, PCI compliance may have successfully defended Heartland against lesser attackers. But the bottom line is that Heartland could have been (and probably was) breached while being 100 percent PCI 1.1 compliant on all their points. The real observation here is that PCI DSS compliance was completely ineffective against these guys, no matter how the PCI guys spin it.
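The SQL injection point in item 2 above is the one control that is easy to show in code. The following is an added example, not code from either article or from Heartland: a constructed in-memory SQLite table, the "before" lookup that splices user data into the statement text, and the "after" lookup that binds the same data as a parameter, plus an allow-list check of the kind PCI DSS 6.5.2 asks for. Table, names and the allow-list pattern are all assumptions for the demo.

```python
import re
import sqlite3

# Assumed allow-list for merchant names; real formats depend on the application.
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def make_db():
    """Constructed in-memory table for the demo; not Heartland's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?)", [(1, "acme"), (2, "globex")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: user data becomes part of the SQL text and can change its meaning."""
    rows = conn.execute("SELECT name FROM merchants WHERE name = '" + name + "'")
    return [r[0] for r in rows]


def lookup_param(conn, name):
    """Hardened form: the driver binds name as a value; the query's meaning is fixed in advance."""
    rows = conn.execute("SELECT name FROM merchants WHERE name = ?", (name,))
    return [r[0] for r in rows]


def validate_name(name):
    """Input validation layer: reject anything outside the expected character set."""
    return NAME_RE.match(name) is not None


def demo():
    """Run both lookups on a benign name and on input carrying a quote and an OR clause."""
    conn = make_db()
    benign, hostile = "acme", "x' OR '1'='1"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),  # returns every row
        "param_benign": lookup_param(conn, benign),
        "param_hostile": lookup_param(conn, hostile),    # compared as a literal: no match
        "hostile_passes_allowlist": validate_name(hostile),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The parameterised lookup returns nothing for the hostile string because the whole value is compared as data; the allow-list rejects it before the query is ever built, which is the "validate input" half of the requirement.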


Comments
Peter, QSA said on Tuesday, December 08, 2009:
Good analysis of the threat vectors. Faulty conclusions. While the PCI DSS addresses these points across multiple requirements, I will below point to a few of the primary requirements which Heartland MUST have failed to maintain in order for the breach to occur.
"PCI should be more assertive in recognizing that signature-based schemes and reputation services will not catch low volume activity" - PCI DSS 11.5 should be detecting the introduction of new and changed files - "Verify the use of file-integrity monitoring products within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.
Examples of files that should be monitored:
- System executables
- Application executables
- Configuration and parameter files
- Centrally stored, historical or archived, log and audit files"
“Being on the inside, these probably would have passed right through firewalls as the data would be travelling in the ‘safe’ direction." - In addition to PCI DSS 1.1.5.a requiring limited access to the cardholder environment and all such access to be documented and reviewed for business justification, even an internal corporate environment is considered to be "remote access" to the cardholder environment as a result of network segmentation and as such requires compliance with PCI DSS 8.2 - "To verify that two-factor authentication is implemented for all remote network access, observe an employee (for example, an administrator) connecting remotely to the network and verify that both a password and an additional authentication item (for example, smart card, token, PIN) are required."
"PCI doesn’t say boo about SQL injection attacks." - Please refer to PCI DSS 6.3.1.1 - "Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.)" ...and PCI DSS 6.5.2 - "Injection flaws, particularly SQL injection (Validate input to verify user data cannot modify meaning of commands and queries.)"
"And the networks obviously have the business need-to-know" - Please see earlier response regarding remote access.
"But the bottom line is that Heartland could have been (and probably was) breached while being 100 percent PCI 1.1 compliant on all their points." - This is not true. Please refer to Chief Enterprise Risk Officer, Ellen Richey's quote of, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." This remains true today. It is the responsibility of the service provider or merchant to achieve, demonstrate, and maintain their compliance. When Heartland failed to maintain their compliance, it was removed from the list of compliant service providers, fined heavily, forensically investigated, remediated, and later revalidated to demonstrate compliance in order to be added to the compliant list once more.
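The file-integrity monitoring that the comment above cites (PCI DSS 11.5) is the control that would notice a low-volume custom binary that AV signatures miss. Below is an added example, not code from the post, the commenter or any FIM product: a baseline of SHA-256 digests over a directory tree, a comparison that reports added, changed and removed files, and a constructed scenario in a temporary directory where a new executable appears and a configuration file is edited. The file names and contents are invented for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of one file, read in chunks so large archived logs never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare(baseline, current):
    """Return (added, changed, removed) paths; any non-empty list is an alert to review."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, changed, removed


def demo():
    """Constructed scenario: baseline a small tree, then simulate an unauthorised change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "payment-svc").write_bytes(b"\x7fELF original service")
        (root / "etc" / "payment.conf").write_text("listen=10.0.0.5:8443\n")
        baseline = build_baseline(root)  # taken while the system is in its approved state
        # A new executable and an edited config: nothing a signature would match,
        # but both differ from the baseline and are reported on the next scan.
        (root / "bin" / "helper").write_bytes(b"\x7fELF unknown binary")
        (root / "etc" / "payment.conf").write_text("listen=0.0.0.0:8443\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A real deployment stores the baseline off-host or signed, re-scans on a schedule and routes the three lists to whoever performs the 11.5 review; this demo only shows the detection step.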
Joseph Forbin said on Friday, February 26, 2010:
This is a great breakdown of the breach. Thanks for the information, Bryan!
Passing the CNA Exam said on Saturday, May 29, 2010:
Great, I never knew this, thanks.