Friday, August 21, 2009

New Details, and Lessons, on Heartland Breach

Via -

Thanks to an anonymous reader, we may have some additional information on how the Heartland breach occurred. Keep in mind that this isn't fully validated information, but it does correlate with other information we've received, including public statements by Heartland officials.

On Monday we correlated the Heatland breach with a joint FBI/USSS bulletin that contained some in-depth details on the probable attack methodology. In public statements (and private rumors) it's come out that Heartland was likely breached via a regular corporate system, and that hole was then leveraged to cross over to the better-protected transaction network.

According to our source, this is exactly what happened. SQL injection was used to compromise a system outside the transaction processing network segment. They used that toehold to start compromising vulnerable systems, including workstations. One of these internal workstations was connected by VPN to the transaction processing datacenter, which allowed them access to the sensitive information. These details were provided in a private meeting held by Heartland in Florida to discuss the breach with other members of the payment industry.

As with the SQL injection itself, we've seen these kinds of VPN problems before. The first NAC products I ever saw were for remote access -- to help reduce the number of worms/viruses coming in from remote systems.

I'm not going to claim there's an easy fix (okay, there is, patch your friggin' systems), but here are the lessons we can learn from this breach:

  1. The PCI assessment likely focused on the transaction systems, network, and datacenter. With so many potential remote access paths, we can't rely on external hardening alone to prevent breaches. For the record, I also consider this one of the top SCADA problems.
  2. Patch and vulnerability management is key -- for the bad guys to exploit the VPN connected system, something had to be vulnerable (note -- the exception being social engineering a system 'owner' into installing the malware manually).
  3. We can't slack on vulnerability management -- time after time this turns out to be the way the bad guys take control once they've busted through the front door with SQL injection. You need an ongoing, continuous patch and vulnerability management program. This is in every freaking security checklist out there, and is more important than firewalls, application security, or pretty much anything else.
  4. The bad guys will take the time to map out your network. Once they start owning systems, unless your transaction processing is absolutely isolated, odds are they'll find a way to cross network lines.
  5. Don't assume non-sensitive systems aren't targets. Especially if they are externally accessible.

Okay -- when you get down to it, all five of those points are practically the same thing.

Here's what I'd recommend:

  1. Vulnerability scan everything. I mean everything, your entire public and private IP space.
  2. Focus on security patch management -- seriously, do we need any more evidence that this is the single most important IT security function?
  3. Minimize sensitive data use and use heavy egress filtering on the transaction network, including some form of DLP. Egress filter any remote access, since that basically blows holes through any perimeter you might think you have.
  4. Someone will SQL inject any public facing system, and some of the internal ones. You'd better be testing and securing any low-value, public facing system since the bad guys will use that to get inside and go after the high value ones. Vulnerability assessments are more than merely checking patch levels.

Patch management isn't new...and it is so critically important, yet many many companies still don't take it serious.

One of the factors that can greatly affect any patch management process is inventory control.

Inventory control is rarely talked about in the realm of patch management, but they go hand-in-hand.

After all, you can't patch what you don't see...

No comments:

Post a Comment