How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Brian Blankenship
Operations Information Security Officer
Heartland Payment Systems


DESCRIPTION

Presented at InnoTech Dallas on May 17, 2012. All rights reserved.



Page 2: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Dump truck racing = InfoSec Career

Page 3: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Topics / Agenda

Heartland Payment Systems

– Who is Heartland Payment Systems?

– What Happened in the Heartland Breach?

– What Did We Do About It?

– What Are We Doing Now?

– Key Risk Mitigations

– Information Sharing – how it works

Is your company a target?

– Some current threats

– Breach Statistics

Information Security Perspective


Page 5: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs


Heartland – A Full Service Payments Processor

• Card Processing
  – Credit/debit/prepaid cards
  – Process over 10 million transactions a day
  – Process over 3.9 billion transactions annually
• Payroll Processing (PlusOne Payroll)
• Check Management (Check 21, ExpressFunds, StopLoss)
• Online Payment Processing
• MicroPayments – Vending, Laundry, Campus Solutions
• Gift Cards and Loyalty Processing
• Heartland Gives Back

Page 6: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Heartland – Our People

• HQ: Princeton, NJ
• IT: Plano, TX
  – 300 employees
• Servicing: Louisville, KY
  – 800 employees
• Heartland Cares Foundation

Page 7: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs


Heartland - 15 Years Ago ... and Today

                    1997 (1st Trans 6/15/97)    Today
Clients             2,350                       255,000
Employees           25                          3000+
Rank                #62 in US                   #5 processor in U.S.
Portfolio           $0.4 billion                $68 billion

Page 8: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Heartland - Financials

              2004      2005      2006      2007      2008
Net Revenue   137,796   186,486   245,652   294,771   383,708
Net Income    8,855     19,093    28,544    35,870    41,840
EPS           0.26      0.50      0.71      0.90      1.08

Page 9: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Heartland – EPS in 2009…

Heartland CEO’s granddaughter

Page 10: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs


Heartland – The Recovery

• 2009
  – Total Revenues $1,652 m (up 6.93%*)
  – Net Income -52 m (down 224%)
  – EPS -1.38 (down 223%)

• 2010
  – Total Revenues $1,864 m (up 12.8%)
  – Net Income 35 m (up 167%)
  – EPS 0.88 (up 163%)

• 2011
  – Total Revenues $1,996 m (up 7.1%)
  – Net Income 44 m (up 25.7%)
  – EPS 1.09 (up 23.9%)

*All percentages year-over-year


Page 12: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

The Threat

It’s all about the money ….

Page 13: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

What Happened? – The Penetration

Very Late 2007 – SQL Injection via a customer-facing web page in our corporate (non-payments) environment. Bad guys were in our corporate network.

Early 2008 – Hired largest approved QSA to perform penetration testing of corporate environment

Spring 2008 – CEO learned of Sniffer Attack on Hannaford’s, created a dedicated Chief Security Officer position and filled that position

April 30, 2008 – Passed 6th consecutive “Annual Review” by largest QSA

Very Late 2007 – Mid-May 2008 – Unknown period, but it is possible that bad guys were studying the corporate network

Mid-May 2008 – Penetration of our Payments Network

Page 14: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

What Happened? – The Investigation and The Announcement

Late October 2008 – Informed by a card brand that several issuers suspected a potential breach of one or more processors. We received sample fraud transactions to help us determine if there was a problem in our payments network. Many of these transactions never touched our payments network.

No evidence could be found of an intrusion despite vigorous efforts by HPS employees and then two forensics companies to find a problem.

January 9, 2009 – We were told by QIRA that “no problems were found” and that a final report reflecting that opinion would be forthcoming.

January 12, 2009 – January 20, 2009 – Learned of breach, notified card brands, notified law enforcement and made public announcement.

Page 15: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Why I came to Heartland…

• The way the breach was handled

• High degree of transparency

• Knew that security would be #1 priority

• Heartland was changing the perception of breaches, and how they should be handled


Page 17: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

PANIC

DENIAL

ANGER

BARGAINING

DEPRESSION

ACCEPTANCE

FIX THE PROBLEM

Page 18: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Vectors of Trust

• After any major incident, there are multiple vectors of trust that have to be rebuilt
  – Trust from your customers
  – Trust from your investors
  – Trust from your own employees
  – Trust from your competitors

• Heartland has worked hard to rebuild these

Page 19: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

The Real Response

1/20/09 - Call to arms of all Heartland employees to visit clients and talk to partners

HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22

HPY 4Q08 Earnings Call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement

3/14/09 – Delisted from Visa list of approved vendors

4/30/09 – Certified PCI compliant by VeriSign and reinstated on Visa list of approved vendors

5/11/12 – HPY Closed at $30.41


Page 21: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Industry Security Advancements

• Chip & PIN (EMV) – Helps authenticate the card

• Tokenization – Reduces risk of storing card data

• Both help, but don’t address data in transit

Page 22: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Heartland Approach to E3

E3 Security Model
• End to End Encryption
• Continuous protection of the confidentiality and integrity of transmitted information by encrypting at the origin and decrypting at the destination.

E3 Device Strategy
• Build devices that use Tamper Resistant Security Modules to encrypt payment data at the point of swipe or data entry.
• Collaborate with existing device vendors and encryption solution providers.

E3 Data Strategy
• Protect cardholder and merchant data wherever it resides on Heartland’s systems.
• Directly influence industry security standards and practices to strengthen data protection.
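The E3 model on this slide (encrypt at the origin, decrypt at the destination, confidentiality and integrity of the data in transit) in working form, as an added example that is not Heartland's E3 code and is not taken from the slides: a point-of-swipe Origin seals track data with AES-256-GCM, and a Destination opens it and refuses any envelope that was altered in transit or bound to a different merchant. The cipher choice, the key-identifier scheme, the merchant-id binding, the shared static key and the sample track string are all assumptions of this example; a real E3 device derives keys inside a tamper-resistant module, which is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what leaves the point of swipe: nonce, ciphertext and the id of
// the key that sealed it. Nothing in it is readable without that key.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Origin stands in for the E3 device: one sealing key, used before transmission.
type Origin struct {
	keyID string
	aead  cipher.AEAD
}

// Destination stands in for the processor's decryption point.
type Destination struct {
	keys map[string]cipher.AEAD
}

// newAEAD builds AES-256-GCM, an authenticated cipher giving confidentiality and
// integrity together (this example's choice; the slide names no algorithm).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewOrigin(keyID string, key []byte) (*Origin, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Origin{keyID: keyID, aead: aead}, nil
}

func NewDestination(keys map[string][]byte) (*Destination, error) {
	d := &Destination{keys: map[string]cipher.AEAD{}}
	for id, k := range keys {
		aead, err := newAEAD(k)
		if err != nil {
			return nil, err
		}
		d.keys[id] = aead
	}
	return d, nil
}

// Seal encrypts track data at the origin. The merchant id is bound as
// associated data, so an envelope replayed under a different merchant fails.
func (o *Origin) Seal(trackData []byte, merchantID string) (Envelope, error) {
	nonce := make([]byte, o.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := o.aead.Seal(nil, nonce, trackData, []byte(merchantID))
	return Envelope{KeyID: o.keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts at the destination and fails closed: any altered byte, or a
// mismatched merchant id, produces an error rather than data.
func (d *Destination) Open(env Envelope, merchantID string) ([]byte, error) {
	aead, ok := d.keys[env.KeyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(merchantID))
	if err != nil {
		return nil, errors.New("integrity check failed: envelope altered or wrong merchant")
	}
	return pt, nil
}

func main() {
	// Constructed sample: one 32-byte key shared by a device and the processor,
	// and a track-2 style string built on a standard test PAN.
	key := []byte("0123456789abcdef0123456789abcdef")
	origin, _ := NewOrigin("device-0001", key)
	dest, _ := NewDestination(map[string][]byte{"device-0001": key})
	env, _ := origin.Seal([]byte("4111111111111111=2512101"), "merchant-42")
	fmt.Printf("on the wire: %x (key %s)\n", env.Ciphertext, env.KeyID)
	if pt, err := dest.Open(env, "merchant-42"); err == nil {
		fmt.Println("destination recovered:", string(pt))
	}
	env.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	if _, err := dest.Open(env, "merchant-42"); err != nil {
		fmt.Println("tampered envelope rejected:", err)
	}
}
```

Everything between Seal and Open (the merchant's POS, the network, the processor's front end) sees only the envelope, which is the "data in transit" gap the previous slide says EMV and tokenization leave open; the authentication tag checked in Open is what turns a modified ciphertext into a refusal instead of corrupt card data.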

Page 23: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Merchant Bill of Rights, Sales Professional Bill of Rights, Durbin

http://www.spbor.com/
http://www.merchantbillofrights.org/
http://getyourdurbindollars.com/


Page 25: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Key Risk Mitigations

Data Loss Prevention

Network and Application Penetration Testing

Platform Security

Static and Dynamic Code Analysis


Page 27: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs


The New Paradigm

• During investigation of Heartland breach
  – Found other processors knew of the breach indicators
  – Several had seen or know about them
  – No one shared that information

• Started the PPISC (Payment Processors Information Sharing Council) in 2009

• Charter – bring processors to table to discuss threat indicators and tactics

• Avoid any discussion on business related topics to avoid anti-trust

• Everyone brings to table topics that they are seeing through their various intel sources (internal and external)

Page 28: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Intelligence Sharing – PPISC

Malware signatures currently being shared with input of Secret Service and other agencies

Participation in threat exercises (CAPP – Cyber Attack Against Payment Processes)

Page 29: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Changes in Breach Perceptions

• For Heartland, the impact was immediate and very high

• People have come to understand that any company can be breached

• Acceptance becoming the norm


Page 31: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Targeted Attacks

Is your company a target…?

Page 32: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
Page 33: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

SpyEye: targets financial institutions

northerntrust.com treasury.pncbank.com ssl.selectpayment.com svbconnect.com onlinebanking.banksterling.com texascapitalbank.com web-access.com nashvillecitizensbank.com singlepoint.usbank.com sso.unionbank.com commercial.wachovia.com wellsoffice.wellsfargo.com mandtbank.com online.corp.westpac.com paymentech.com appliedbank.com

heartlandmerchantcenter.com reporting.worldpay.us firstnational.com merchante-solutions.com portal.mercurypay.com 1fbusa.com logon.merrickbank.com mybmwcard.com gotomycard.com cardmemberservices.net nordstromcard.com statefarm.com tnbonlinebanking.com accountcentralonline.com chase.com wellsfargofinancialcards.com credit.compassbank.com rcam.target.com partnercardservices.com accessmycardonline.com creditcards.citi.com commercebank.com hsbccreditcard.com neteller.com mypremiercreditcard.com

penfed.org bankofamerica.com hsbc.com huntington.com usaa.com citibank.com paypal.com

Page 34: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs


Adversary Attributes

• Advanced
  – Well funded adversary
  – Advanced technical capabilities
  – Ability to identify zero-day exploits
  – Weaponize exploits
  – Trained professionals
  – Backing of nation state or organized crime

• Persistent
  – Sustained presence with target organization
  – Remains undetected
  – Takes the time needed to reach objective and exfiltrate information

• Threat
  – Covert theft or alteration of sensitive information
  – Political or military advantage
  – Strategic or tactical advantage
  – Economic advantage or financial gain

Page 35: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Can a system be completely secure?

“The only secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”

Gene Spafford – Purdue University

Page 36: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Getting in can be easy…

Page 37: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

The malware code was obfuscated:

Page 38: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Encoded: Zero AV Detection

Page 39: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Decoded: detected by 8 of 43 AV engines

Page 40: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Blackhole Exploitation Kit

Page 41: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Social Engineering:

• Manipulating people into performing actions or divulging confidential information

• Pretexting: creating an invented story to engage a target in a way that makes them more likely to divulge the desired information.

• Usually involves: sympathy, intimidation, flattery, or fear

• Most companies are vulnerable to SE

Page 42: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Example SE scenario…

What would you do if…
• Receive call from your Helpdesk
• Caller ID shows correct number
• Said there is suspicious activity coming from your computer, need you to run a scan by visiting the following URL.
• http://onlinesecurityscanner.com

Page 43: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Example SE scenario…

• After the scan runs, you are informed that your system checked out fine. Sorry for the inconvenience.

For more info on Social Engineering: http://social-engineer.org


Page 45: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Are attacks on the rise?

• Increased media coverage over the last year
  – Much like “shark attack” coverage

• New motivations
  – Political
  – Limelight / Ego
  – Embarrassment
  – Retaliation

Page 46: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Are attacks on the rise…???

The number of incidents reported has been increasing

• 2010 – 800 new compromise incidents

• 2004-09 - just over 900

source: 2011 Verizon DBIR

Page 47: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Records Compromised

• The total number of records compromised annually has declined

2011 – 4 million
2010 – 144 million
2009 – 361 million

source: 2011 Verizon DBIR

Page 48: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Who is behind data breaches?

• 92% - stemmed from external agents (+22%)

• 17% - implicated insiders (-31%)

• <1% - resulted from business partners (-10%)

source: 2011 Verizon DBIR

Page 49: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

How do breaches occur?

• 50% utilized some form of hacking (+10%)

• 49% incorporated malware (+11%)

• 29% involved physical attacks (+14%)

• 17% resulted from privilege misuse (-31%)

• 11% employed social tactics (-17%)

source: 2011 Verizon DBIR

Page 50: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

How do breaches occur?

83% of victims were targets of opportunity

92% of attacks were not highly difficult (+7%)

76% of all data was compromised from servers (-22%)

86% were discovered by a third party (+25%)

96% of breaches were avoidable through simple or intermediate controls

89% of victims subject to PCI-DSS had not achieved compliance (+10%)

source: 2011 Verizon DBIR

Page 51: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Where should mitigations be focused?

• Eliminate unnecessary data
• Ensure essential controls are met
• Check the above again
• Assess remote access services
• Test and review web applications
• Audit user accounts and monitor privileged activity
• Monitor and mine event logs
• Examine ATMs and other payment card input devices for tampering

source: 2011 Verizon DBIR
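The two monitoring items in the list above (audit user accounts and monitor privileged activity; monitor and mine event logs) as a worked example, added here and not taken from the slides or from the DBIR: a small reviewer runs over constructed, syslog-like login lines and flags privileged logins that happen off-hours or come from outside an expected internal address range, plus a burst of failed logins against one account. The log format, the account names, the 10.1. trusted prefix, the 07:00–19:00 working window and the failure threshold are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one parsed line of the constructed login log.
type AuthEvent struct {
	When    time.Time
	User    string
	SrcHost string
	Outcome string // "success" or "failure"
}

// Alert is one finding the review produces: which rule fired, on which line.
type Alert struct {
	Rule string
	Line string
}

// sampleLog is constructed for this example; the format is this example's
// own, not any product's.
var sampleLog = []string{
	"2012-05-14T09:02:11Z login user=jsmith src=10.1.4.22 result=success",
	"2012-05-14T23:41:05Z login user=svc_backup src=10.1.4.22 result=success",
	"2012-05-14T23:42:19Z login user=dbadmin src=203.0.113.7 result=success",
	"2012-05-15T08:15:00Z login user=dbadmin src=10.1.9.3 result=failure",
	"2012-05-15T08:15:04Z login user=dbadmin src=10.1.9.3 result=failure",
	"2012-05-15T08:15:09Z login user=dbadmin src=10.1.9.3 result=failure",
	"2012-05-15T08:15:12Z login user=dbadmin src=10.1.9.3 result=failure",
	"2012-05-15T10:30:45Z login user=jsmith src=10.1.4.22 result=success",
}

// privileged lists the (made-up) accounts whose logins are reviewed one by one.
var privileged = map[string]bool{"dbadmin": true, "svc_backup": true}

// trustedPrefix is the assumed internal range privileged logins should come from.
const trustedPrefix = "10.1."

// parseLine turns one log line into an AuthEvent. Malformed lines are reported
// as not-ok so the caller skips them instead of guessing at their contents.
func parseLine(line string) (AuthEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 || fields[1] != "login" {
		return AuthEvent{}, false
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuthEvent{}, false
	}
	ev := AuthEvent{When: when}
	for _, f := range fields[2:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "src":
			ev.SrcHost = kv[1]
		case "result":
			ev.Outcome = kv[1]
		}
	}
	return ev, ev.User != "" && ev.SrcHost != "" && ev.Outcome != ""
}

// Review applies three checks: privileged logins outside 07:00-19:00 UTC,
// privileged logins from outside the trusted range, and a burst of failed
// logins against one account (one alert when the count reaches the threshold).
func Review(lines []string, failThreshold int) []Alert {
	var alerts []Alert
	failures := map[string]int{}
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		if ev.Outcome == "failure" {
			failures[ev.User]++
			if failures[ev.User] == failThreshold {
				alerts = append(alerts, Alert{"failed-login-burst", line})
			}
			continue
		}
		if !privileged[ev.User] {
			continue
		}
		if h := ev.When.Hour(); h < 7 || h >= 19 {
			alerts = append(alerts, Alert{"privileged-off-hours", line})
		}
		if !strings.HasPrefix(ev.SrcHost, trustedPrefix) {
			alerts = append(alerts, Alert{"privileged-untrusted-source", line})
		}
	}
	return alerts
}

func main() {
	for _, a := range Review(sampleLog, 3) {
		fmt.Printf("%-28s %s\n", a.Rule, a.Line)
	}
}
```

On the sample log this yields four alerts: the service account logging in late at night, the database administrator logging in late at night and from a non-internal address, and the third consecutive failure against that same administrator account. Privileged-account activity is reviewed line by line precisely because, as the slide two pages back notes, most breaches are discovered by a third party; the point of mining logs is to be the first party to see these.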


Page 53: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Ever work with a security guy like this?

Page 54: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Information Security Balance

Purpose is to secure assets without adversely affecting business functions.

Ultimate Security

Needs of a Business

Page 55: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Information Security Balance – CIA Triad

Confidentiality

Integrity

Availability

Page 56: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Security Systems

Firewalls
IPS
FIM
Software Agents
Malware Appliances
Static/Dynamic Code Analyzers
Vulnerability Scanners
WAF
DLP
SIEM
Anti-Virus

Page 57: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

Security Systems

• Purchasing a “checklist” of security devices is not enough!

• You need skilled personnel to manage these devices.

• Most of these technologies require a large amount of time to manage effectively.

Page 58: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs


Summary

• Businesses can recover from a major breach
  – HPS has recovered and is growing
  – PCI Security Standards Council Board of Advisors
  – FS-ISAC Board of Directors

• Every company is a target, make yours a hard one
  – Assume you have been compromised
  – Focus on detection, data elimination

• Get involved
  – Information Sharing (FS-ISAC, PPISC, Infragard)
  – Local security chapters: ISSA, ISACA, OWASP

Page 59: How to Rebuild the Controls and Confidence after Data Exfiltration Occurs

[email protected]

Thank you!