The recent indictment of three people who hacked into Heartland Payment Systems Inc. has once again highlighted the need to keep a firm grip on where enterprise data is and what applications access it.
In the now well-known attack on the payment processing company, attackers used SQL injection to gain access to Heartland's servers. They then installed network sniffers, which captured card data used in financial transactions. The malware was able to avoid detection by different antivirus programs. It's thought that the malicious code captured card data when it was momentarily unencrypted during the transaction authorization process. The intrusion began in May 2008, shortly after the company passed as compliant with the PCI Data Security Standard (PCI DSS) requirements.
1. Map the network: Firstly, use a tool such as Nmap, the freely available scanner, to explore and map devices and applications running on the network. Scan results can then be compared against a known and accepted baseline. Scanning on a regular basis helps build a picture of what and who should and shouldn't be on the network. Anything that looks out of the ordinary can then be investigated further, focusing attention on potential trouble spots.
2. Monitor for anomalies: It is important to monitor what traffic is travelling in, across, and out of the network. To steal data remotely, hackers not only have to find it, but they also must be able to retrieve it. Network behavior analysis continuously monitors traffic and analyses it against a benchmark of normal traffic behavior. Again, abnormal behavior is a potential warning that something is amiss. After noticing abnormal charges linked to Heartland's payment systems, for example, it was Visa and MasterCard that alerted the company that it may have a problem. Intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewall logs also need regular analysis for signs of compromise, anomalies and suspicious activity.
3. Know where data resides: Data loss prevention technology, such as Symantec Corp.'s family of DLP products and McAfee Inc.'s DLP tools, can help ensure that an organization knows where credit card numbers and other critical data are stored and how that sensitive information is used. The technology can also monitor and prevent data from being copied to removable storage devices, which is a critical function in insider attacks.
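As an added example (not from the article), the baseline comparison described in step 1, carried out on Nmap's XML output (`nmap -oX`): the scan below is constructed, and the approved baseline is an assumption; hosts or open services that are not in the baseline are flagged for investigation, as are expected services that have disappeared.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (as written by nmap -oX); not a real scan.
SAMPLE_SCAN_XML = """
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed baseline: host -> set of (protocol, port) that are approved on the network.
BASELINE = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443), ("tcp", 8443)},
}

def parse_open_services(scan_xml):
    """Return {ip: {(proto, port), ...}} for every host reported as up."""
    services = {}
    for host in ET.fromstring(scan_xml).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        services[addr.get("addr")] = open_ports
    return services

def compare_to_baseline(scan_xml, baseline):
    """Diff a scan against the baseline; anything listed as new warrants a closer look."""
    observed = parse_open_services(scan_xml)
    report = {"new_hosts": set(), "new_services": set(), "missing_services": set()}
    for ip, ports in observed.items():
        if ip not in baseline:
            report["new_hosts"].add(ip)          # device that should not be on the network
            continue
        report["new_services"] |= {(ip, p, n) for p, n in ports - baseline[ip]}
    for ip, ports in baseline.items():          # approved service gone quiet is also a change
        report["missing_services"] |= {(ip, p, n) for p, n in ports - observed.get(ip, set())}
    return report
```

Run it against a real `nmap -oX` file on a schedule and keep the previous accepted scan as the baseline, so each run only surfaces what changed.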
Data compromise can mar the reputation of a company and is often much more costly than good security. Heartland's stock is still down since the attack was made public, and it is facing various lawsuits and fines. Not being able to keep track of data or the applications that are running on a network makes the enterprise vulnerable to a similar breach, one that can carry on unnoticed for far too long.
As a bare minimum, network administrators should make use of a tool such as Nmap in order to construct an inventory and baseline of what is allowed on the network. Also, with the explosion in communication channels and portable drives that the network has to support, a data loss prevention product is becoming essential to keep control over data usage. If your budget can stretch to a network behavior analysis tool, which will monitor traffic and detect anomalies, so much the better. Network behavior analysis is not an instant fix, and it's a technology that's still maturing. Attacks, however, no matter how sophisticated, are abnormal activity, and this type of detection is one of the best ways of uncovering a system compromise.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.