So here we are, just days into 2009, and one of my security predictions has already been fulfilled.
Back in November, Stephen Northcutt of the SANS Institute asked several of the senior faculty to provide security predictions for 2009. One of my predictions was that sometime in 2009 we would see a major breach of cardholder data (PCI data), larger than that of TJX. The second part of the prediction was that this compromise would occur at an organization that had been certified as fully compliant with the PCI DSS standard. We'll have to wait on count number two, but so far it's looking good.
Earlier today Heartland Payment Systems announced that they had experienced a major compromise as a result of an intrusion involving malware spread across their enterprise. For those affected, or possibly affected, Heartland has set up a website to release details of the incident.
Executives may wonder how malware such as this could go undetected in an enterprise, especially one that strives to be compliant with a security standard like PCI DSS. The easy answer is that antivirus software is woefully lacking when it comes to new and customized malware. We won't dig into this issue here, but in short, today's antivirus tools almost exclusively use signature matching rather than behavioral detection, so a sample that has been recompiled or otherwise altered for one target will never match a signature. The frightening thing is that, in my experience, most companies, when faced with indicators that there may be custom malware in the organization, prefer an easy and safer explanation to the scary but more likely explanation. For example, one client in 2008 who engaged us because they felt that they had been compromised (in fact, the FBI had told them that they were compromised) steadfastly preferred to imagine that SpySweeper was generating DNS lookups to known malware domains rather than face the truth that they were infected with customized malware that was completely undetected by their corporate solution.
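The contrast between a signature check and a behavioral indicator can be made concrete. The following is an added example, not code from the original post or from any of the organizations mentioned: it shows an exact-hash "signature" that is defeated by a single changed byte, and then triages BIND-style DNS query log lines against a blocklist of known malware domains, grouping the hits by the internal host that issued the query. The sample bytes, the domains under `badexample.test`, the host addresses and the log lines are all constructed for illustration.

```python
"""Signature matching versus a DNS behavioral indicator (added example).

All hashes, domains, addresses and log lines here are constructed; the
domain names are placeholders, not real malware infrastructure.
"""
import hashlib
import re
from collections import defaultdict

# Constructed "known bad" sample and the hash an AV signature database
# would carry for it.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed-dropper-v1 "
SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Constructed blocklist of malware C2 / dropper domains (placeholders).
MALWARE_DOMAINS = {"c2.badexample.test", "dropper.badexample.test"}

# BIND-style query log: "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def signature_match(sample: bytes) -> bool:
    """Exact-hash signature check: any byte change defeats it."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def domain_is_blocked(qname: str) -> bool:
    """True if qname, or any parent domain of it, is on the blocklist.

    Matching parents catches per-victim subdomains such as
    update.dropper.badexample.test without listing each one.
    """
    labels = qname.lower().rstrip(".").split(".")
    # Stop before the bare TLD so "test" alone is never checked.
    return any(".".join(labels[i:]) in MALWARE_DOMAINS
               for i in range(len(labels) - 1))


def find_suspect_hosts(log_lines):
    """Map each internal source host to the blocked names it queried, with counts.

    Unparseable lines are skipped; names are normalised to lower case with
    the trailing dot removed so repeated lookups aggregate correctly.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if domain_is_blocked(qname):
            hits[m["src"]][qname] += 1
    return {src: dict(names) for src, names in hits.items()}


# Constructed log lines: one host resolves a C2 name twice (once with odd
# casing and a trailing dot), another resolves a dropper subdomain, plus a
# benign lookup and a corrupt line.
SAMPLE_LOG = [
    "13-Jan-2009 10:02:11.123 client 10.0.5.23#51234: query: c2.badexample.test IN A",
    "13-Jan-2009 10:02:12.004 client 10.0.5.23#51240: query: www.example.com IN A",
    "13-Jan-2009 10:05:41.777 client 10.0.7.9#40001: query: update.dropper.badexample.test IN A",
    "13-Jan-2009 10:05:44.001 client 10.0.5.23#51299: query: C2.badexample.test. IN A",
    "corrupt line that does not parse",
]


if __name__ == "__main__":
    # The original sample matches; the same sample with one appended byte does not.
    print("signature hit on original:", signature_match(ORIGINAL_SAMPLE))
    print("signature hit on modified:", signature_match(ORIGINAL_SAMPLE + b"\x00"))
    # The behavioral indicator does not care what the binary looks like.
    for host, names in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host, "->", names)
```

The point of the second half is that the source address in the query log tells you which machine to pull for forensics, and the count tells you whether the lookup was a one-off or a beaconing pattern; a host that resolves a C2 name every few minutes is not being cleaned by the antivirus product, whatever that product reports.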
Back to the story at hand: executives also wonder how they can be compliant with PCI DSS, HIPAA, ISO 27000, etc. and yet still be compromised. After all, aren't these standards supposed to protect the organization? The short answer is that these standards and the compliance audits are just tools in the security equation. It is impossible to close every security window and remain in business, so something more fundamental than a checklist is necessary.
This is where a real culture of security and effective training of your technical and management staff come in. For instance, in the DEV 536 course that we wrote for SANS, we go above and beyond what the PCI DSS standard requires for secure coding to get at the real root of the security problems, especially when storing sensitive data. In the two-day AUD 521 course we teach you and your people what PCI DSS is really about and how to maintain compliance effectively while remaining very secure. Further, in our AUD 507 course we give you tools and techniques that auditors, system administrators, network administrators, compliance managers and security officers can use to create ongoing security through continual baseline auditing and enforcement of security settings within the enterprise.
When you're ready to get serious about securing your enterprise, whether you're trying to be compliant with a standard like PCI DSS, implement a standard like ISO 27000, or simply have excellent security and audit practice in your IT environment, come to one of our courses offered through SANS. If you want world-class security, you need world-class training.
This is just one of the many topics discussed and taught hands-on in David Hoelzer's class, "Advanced System & Network Auditing", available through The SANS Institute. David is a Senior Fellow with The SANS Institute and the principal examiner for Enclave Forensics. You can find a variety of topics on his blog.