The Heartland debacle, take two
Thu, 2009-01-29 02:17 PM
Recently, the folks at Heartland Payment Systems announced a data breach. With their tagline being 'The Highest Standards. The Most Trusted Transactions,' I just had to laugh. Not because so many people had their card data stolen, but because we've seen this movie before (starring the likes of TJX Corp. and Hannaford Bros.) and we will see it again. Guaranteed.
Why? Because many organizations (dare I say most) continue to believe that compliance equals security. They figure if they are 'compliant' with a standard, their data is secure. Whether that standard is PCI or FISMA or any other, it's of no matter. These myopic organizations believe that once they get that little sticker, certificate or audit finding, they are done.
Well, they aren't. We live in a dynamic world, where the attackers are always coming up with new and innovative ways to separate you from your private data. Given how a regulation comes to be (drafting, comment periods, ratification, phase-in), it is by definition addressing the problems that were top-of-mind two years earlier.
For example, the PCI-DSS requirements were updated to version 1.2 back in October, and one of the big new requirements was to phase out the use of WEP (Wired Equivalent Privacy) in wireless networks: no new WEP deployments after March 2009, and existing ones gone by June 2010. The problem is WEP has been widely known as insecure for years; its RC4 key-scheduling weaknesses were published in 2001 and practical key-recovery attacks followed. In fact, investigators identified WEP as one of the contributing factors to the TJX breach, and thus the PCI Security Standards Council moved to eliminate it. Unfortunately, it was a few years too late.
So, if compliance does not equal security, what is a security professional to do? Focus on securing critical information, and focus on reacting faster, basically planning for a compromise by gathering data (via network and system monitoring) to pinpoint the attack and respond to it. Heartland could have used that advice, eh?
To get a bit more specific, a broad and aggressive monitoring program allows organizations to react faster to attacks. Heartland was probably only monitoring its security logs (as prescribed by PCI-DSS) and that allowed configuration changes (to install a network sniffer) and strange network flows (sending data from the compromised servers outside of the organization) to go unnoticed.
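As an added illustration of the two signals named above, and not code from this column or from eIQnetworks, the script below runs two simple detections over constructed sample data: a host interface entering promiscuous mode (the footprint of a freshly installed sniffer, which Linux reports through the kernel log) and an unusual volume of outbound traffic from an internal processing server to an external address. The syslog lines, flow records, subnet ranges, hostnames and byte threshold are all assumptions made up for the example.

```python
"""
Added example: two detections that a monitoring program broader than
"security logs only" would have in scope. Sample inputs are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Assumed address plan: card-processing servers live in this range, and
# anything outside these three blocks is treated as external.
PROCESSING_SERVERS = ip_network("10.20.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumed baseline: a processing server should never push more than this
# to a single external host in one reporting window. In practice, derive
# the figure from historical flow data rather than picking a constant.
EGRESS_BYTES_THRESHOLD = 50 * 1024 * 1024

# Linux writes this kernel message whenever an interface is switched into
# promiscuous mode, e.g. when tcpdump or a libpcap-based sniffer opens it.
PROMISC_RE = re.compile(r"device (?P<iface>\S+) entered promiscuous mode")


def promiscuous_events(syslog_lines):
    """Return (host, interface) for every promiscuous-mode transition seen."""
    hits = []
    for line in syslog_lines:
        m = PROMISC_RE.search(line)
        if m:
            # Classic syslog layout: 'Mon DD HH:MM:SS host tag: message'
            host = line.split()[3]
            hits.append((host, m.group("iface")))
    return hits


def is_external(addr):
    """True if the address is outside every assumed internal block."""
    a = ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)


def suspicious_egress(flows, threshold=EGRESS_BYTES_THRESHOLD):
    """Aggregate bytes per (processing server, external destination) over
    flow records of the form (src, dst, bytes) and return pairs that exceed
    the threshold. Internal-to-internal traffic and non-processing hosts
    are ignored so the result stays focused on the cardholder environment."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ip_address(src) in PROCESSING_SERVERS and is_external(dst):
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}


# Constructed sample data (hostnames, addresses and sizes are made up).
SAMPLE_SYSLOG = [
    "Jan 20 03:14:07 pay-srv-07 kernel: [9128.331] device eth0 entered promiscuous mode",
    "Jan 20 03:14:09 pay-srv-07 sshd[2210]: Accepted publickey for svc_batch from 10.20.9.2",
    "Jan 20 03:20:11 pay-srv-03 kernel: [8811.004] eth0: link up, 1000Mbps, full-duplex",
]

SAMPLE_FLOWS = [
    ("10.20.1.7", "203.0.113.9", 30_000_000),   # two large pushes to one
    ("10.20.1.7", "203.0.113.9", 40_000_000),   # external host: 70 MB total
    ("10.20.1.7", "10.20.5.3", 900_000_000),    # internal replication, ignored
    ("10.30.2.2", "203.0.113.9", 200_000_000),  # not a processing server, ignored
    ("10.20.1.9", "198.51.100.4", 5_000_000),   # external but under threshold
]

if __name__ == "__main__":
    for host, iface in promiscuous_events(SAMPLE_SYSLOG):
        print(f"ALERT sniffer footprint: {host} put {iface} into promiscuous mode")
    for (src, dst), total in suspicious_egress(SAMPLE_FLOWS).items():
        print(f"ALERT egress: {src} -> {dst} sent {total} bytes")
```

Neither rule is exotic; the point is that both signals live outside the "security log" bucket a PCI checklist asks you to review, and a program that only reads firewall denies and failed logins never gets to evaluate them.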
Heartland thought it was safe because they were PCI compliant, but the attackers knew that wasn't the case. And now, up to 100 million consumers will also learn that reality, the hard way.
Mike Rothman is senior VP, strategy, and chief marketing officer at eIQnetworks, a security and compliance management specialist. He can be reached at: mike.rothman@eIQnetworks.com