How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
1. How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
Brian Blankenship
Operations Information Security Officer
Heartland Payment Systems
3. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective
5. Heartland – A Full Service Payments Processor
• Card Processing
• Credit/debit/prepaid cards:
• Process over 10 million transactions a day
• Process over 3.9 billion transactions annually
• Payroll Processing (PlusOne Payroll)
• Check Management (Check 21, ExpressFunds, StopLoss)
• Online Payment Processing
• MicroPayments – Vending, Laundry, Campus Solutions
• Gift Cards and Loyalty Processing
• Heartland Gives Back
6. Heartland – Our People
• HQ: Princeton, NJ
• IT: Plano, TX (300 employees)
• Servicing: Louisville, KY (800 employees)
• Heartland Cares Foundation
7. Heartland - 15 Years Ago ... and Today
                 1997 (1st Trans 6/15/97)   Today
• Clients        2,350                      255,000
• Employees      25                         3000+
• U.S. rank      #62 in US                  #5 processor in U.S.
• Portfolio      $0.4 billion               $68 billion
8. Heartland - Financials (values read from the chart; $ thousands except EPS)
Year   Net Revenue   Net Income   EPS
2004   137,796       8,855        0.26
2005   186,486       19,093       0.50
2006   245,652       28,544       0.71
2007   294,771       35,870       0.90
2008   383,708       41,840       1.08
10. Heartland – The Recovery
• 2009
  – Total Revenues $1,652 m (up 6.93%*)
  – Net Income -52 m (down 224%)
  – EPS -1.38 (down 223%)
• 2010
  – Total Revenues $1,864 m (up 12.8%)
  – Net Income 35 m (up 167%)
  – EPS 0.88 (up 163%)
• 2011
  – Total Revenues $1,996 m (up 7.1%)
  – Net Income 44 m (up 25.7%)
  – EPS 1.09 (up 23.9%)
*All percentages year-over-year
11. Topics / Agenda: What Happened in the Heartland Breach?
13. What Happened? – The Penetration
Very Late 2007 – SQL injection via a customer-facing web page in our corporate (non-payments) environment. The bad guys were in our corporate network.
Early 2008 – Hired the largest approved QSA to perform penetration testing of the corporate environment.
Spring 2008 – CEO learned of the sniffer attack on Hannaford's; created a dedicated Chief Security Officer position and filled it.
April 30, 2008 – Passed the 6th consecutive "Annual Review" by the largest QSA.
Very Late 2007 – Mid-May 2008 – Unknown period, but it is possible that the bad guys were studying the corporate network the whole time.
Mid-May 2008 – Penetration of our payments network.
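The entry point on this slide was SQL injection in a customer-facing web page. As an added example (not Heartland's code and not the page that was actually attacked), the following Python/sqlite3 snippet shows the defect class beside its fix: a lookup whose query is built by string concatenation next to the same lookup with a bound parameter. The `merchants` table, its rows and the attacker string are constructed for the demonstration.

```python
"""Added example (not Heartland code): string-concatenated SQL beside its
parameterized replacement. Table, rows and attacker input are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # In-memory stand-in for a web application's customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO merchants VALUES (?, ?, ?)",
        [(1, "Corner Deli", "deli@example.com"),
         (2, "Main St Books", "books@example.com"),
         (3, "Campus Laundry", "laundry@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The attacker-controlled value is spliced into the SQL text, so a quote
    # character in it changes the structure of the statement, not just a value.
    sql = "SELECT id, name FROM merchants WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # The value travels as a bound parameter: the statement's shape is fixed
    # before the driver ever sees the input, so quotes are just data.
    sql = "SELECT id, name FROM merchants WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload. A real attacker would go on to UNION SELECT from
# other tables or, where the driver allows it, stack further statements.
INJECTION = "nobody@example.com' OR '1'='1"


def demo() -> dict:
    conn = build_db()
    honest = "deli@example.com"
    return {
        "honest_vuln": lookup_vulnerable(conn, honest),
        "honest_safe": lookup_parameterized(conn, honest),
        "attack_vuln": lookup_vulnerable(conn, INJECTION),    # every row leaks
        "attack_safe": lookup_parameterized(conn, INJECTION), # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Both functions behave identically on honest input, which is why this bug survives functional testing and a compliance review; only the attack input separates them. Escaping or "validating" the string is not the fix: binding the parameter is.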
14. What Happened? – The Investigation and The Announcement
Late October 2008 – Informed by a card brand that several issuers suspected a potential breach of one or more processors. We received sample fraud transactions to help us determine if there was a problem in our payments network. Many of these transactions never touched our payments network.
No evidence could be found of an intrusion despite vigorous efforts by HPS employees and then two forensics companies to find a problem.
January 9, 2009 – We were told by the QIRA that "no problems were found" and that a final report reflecting that opinion would be forthcoming.
January 12, 2009 – January 20, 2009 – Learned of the breach, notified the card brands, notified law enforcement and made a public announcement.
15. Why I came to Heartland…
• The way the breach was handled
• High degree of transparency
• Knew that security would be the #1 priority
• Heartland was changing the perception of breaches, and how they should be handled
16. Topics / Agenda: What Did We Do About It?
17. PANIC
DENIAL
ANGER
BARGAINING
DEPRESSION
ACCEPTANCE
FIX THE PROBLEM
18. Vectors of Trust
• After any major incident, there are multiple vectors of trust that have to be rebuilt
  – Trust from your customers
  – Trust from your investors
  – Trust from your own employees
  – Trust from your competitors
• Heartland has worked hard to rebuild these
19. The Real Response
1/20/09 – Call to arms of all Heartland employees to visit clients and talk to partners
HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22
HPY 4Q08 Earnings Call – HPY drops to $3.43 on March 12; a 77.6% drop since the breach announcement
3/14/09 – Delisted from the Visa list of approved vendors
4/30/09 – Certified PCI compliant by VeriSign and reinstated on the Visa list of approved vendors
5/11/12 – HPY closed at $30.41
20. Topics / Agenda: What Are We Doing Now?
21. Industry Security Advancements
• Chip & PIN (EMV)
  – Helps authenticate the card
• Tokenization
  – Reduces the risk of storing card data
• Both help, but neither addresses data in transit
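As an added example of the tokenization idea on this slide (not Heartland's product or any vendor's code), here is a minimal token vault in Python. The merchant keeps only the token and the last four digits; the PAN exists solely inside the vault on the processor side, so a merchant-side breach yields nothing that can be charged. The class and function names are assumptions for the demo, and the card numbers are the standard industry test values.

```python
"""Added example (not a Heartland or vendor product): a minimal token vault
showing what the merchant stores once PANs are tokenized. Test PANs only."""
import secrets


class TokenVault:
    """Holds the only copy of each PAN; lives with the processor, not the merchant."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}  # same card -> same token, so repeat customers still match

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Token = 'T' + random digits + the real last four. The random part comes
        # from a CSPRNG and has no mathematical link to the PAN (unlike a hash or a
        # reversible encoding), so the only way back is a lookup in this vault.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = "T" + body + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the processor's settlement path should ever call this.
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's own database stores for a sale: there is no PAN field."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


def contains_pan(record: dict, pan: str) -> bool:
    """Merchant-side sanity check: the PAN must not appear in anything stored."""
    return pan in repr(record)


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 12.50)
    print(rec, "exposes PAN:", contains_pan(rec, "4111111111111111"))
```

The 'T' prefix is deliberate: it keeps tokens from ever passing as card numbers in a DLP rule or a Luhn check, which is exactly the property the slide is after. Format-preserving tokens (all digits, same length) exist for legacy systems, but they make the "is this a real PAN?" question harder to answer from the data alone.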
22. Heartland Approach to E3
• End to End Encryption
E3 Security Model
• Continuous protection of the confidentiality and integrity of transmitted information by encrypting at the origin and decrypting at the destination.
E3 Device Strategy
• Build devices that use Tamper Resistant Security Modules to encrypt payment data at the point of swipe or data entry.
• Collaborate with existing device vendors and encryption solution providers.
E3 Data Strategy
• Protect cardholder and merchant data wherever it resides on Heartland's systems.
• Directly influence industry security standards and practices to strengthen data protection.
23. Merchant Bill of Rights,
Sales Professional Bill of Rights, Durbin
http://www.spbor.com/
http://www.merchantbillofrights.org/
http://getyourdurbindollars.com/
24. Topics / Agenda: Key Risk Mitigations
25. Key Risk Mitigations
Data Loss Prevention
Network and Application Penetration Testing
Platform Security
Static and Dynamic Code Analysis
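Data Loss Prevention heads the list above. As an added example (not Heartland's DLP product), here is the core of an outbound PAN rule in Python: find digit runs that look like card numbers, discard the ones that fail the Luhn check so order and ticket numbers do not trip the rule, and mask the survivors. The sample messages and the function names are constructed for the demo; the card numbers are the standard industry test values.

```python
"""Added example (not a Heartland DLP rule): find, Luhn-verify and redact
PANs in outbound text. All sample messages below are constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes (as on receipts).
# Lookarounds stop the rule matching the middle of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every PAN passes, most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    return [_strip(m.group(0)) for m in CANDIDATE.finditer(text)
            if luhn_ok(_strip(m.group(0)))]


def redact(text: str) -> str:
    """Mask all but the last four digits of each Luhn-valid candidate."""
    def mask(m):
        digits = _strip(m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # a ticket number, not a card: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text)


def scan(messages: list) -> list:
    """(index, pans) for every outbound message that would be blocked."""
    return [(i, find_pans(msg)) for i, msg in enumerate(messages) if find_pans(msg)]


# Constructed outbound messages: one false positive, two true positives, one clean.
SAMPLE_OUTBOUND = [
    "support ticket 1234567890123 opened by deli@example.com",   # 13 digits, fails Luhn
    "refund for card 4111 1111 1111 1111 amount 12.50",          # Visa test PAN
    "batch export: 5555555555554444,378282246310005",            # MC and Amex test PANs
    "tracking number 1Z999AA10123456784",                        # too short a digit run
]

if __name__ == "__main__":
    for idx, pans in scan(SAMPLE_OUTBOUND):
        print(f"BLOCK message {idx}: {pans} -> {redact(SAMPLE_OUTBOUND[idx])}")
```

Luhn filtering is what keeps the rule usable: without it, every 13-plus digit order number on an invoice becomes an alert. It does not catch PANs that were encoded, encrypted or split before exfiltration, which is the gap network and endpoint monitoring have to cover.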
26. Topics / Agenda: Information Sharing – how it works
27. The New Paradigm
• During the investigation of the Heartland breach we found that other processors knew of the breach indicators
  – Several had seen or knew about them
  – No one shared that information
• Started the PPISC (Payment Processors Information Sharing Council) in 2009
  – Charter: bring processors to the table to discuss threat indicators and tactics
  – Avoid any discussion of business-related topics, to stay clear of anti-trust issues
  – Everyone brings to the table what they are seeing through their various intel sources (internal and external)
28. Intelligence Sharing – PPISC
Malware signatures are currently being shared, with input from the Secret Service and other agencies
Participation in threat exercises (CAPP – Cyber Attack Against Payment Processes)
29. Changes in Breach Perceptions
• For Heartland, the impact was immediate and very high
• People have come to understand that any company can be breached
• Acceptance is becoming the norm
30. Topics / Agenda: Is your company a target? – Some current threats
34. Adversary Attributes
• Advanced
  – Well-funded adversary
  – Advanced technical capabilities
  – Ability to identify zero-day exploits
  – Weaponizes exploits
  – Trained professionals
  – Backing of a nation state or organized crime
• Persistent
  – Sustained presence within the target organization
  – Remains undetected
  – Takes the time needed to reach the objective and exfiltrate information
• Threat
  – Covert theft or alteration of sensitive information
  – Political or military advantage
  – Strategic or tactical advantage
  – Economic advantage or financial gain
35. Can a system be completely secure?
"The only secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts."
Gene Spafford – Purdue University
41. Social Engineering:
• Manipulating people into performing actions or divulging confidential information
• Pretexting: creating an invented story to engage a target in a way that makes them more likely to divulge the desired information.
• Usually involves: sympathy, intimidation, flattery, or fear
• Most companies are vulnerable to SE
42. Example SE scenario…
What would you do if…
• You receive a call from your Helpdesk
• Caller ID shows the correct number (caller ID is trivially spoofed, so it proves nothing about who is calling)
• The caller says there is suspicious activity coming from your computer and needs you to run a scan by visiting the following URL:
• http://onlinesecurityscanner.com
43. Example SE scenario…
• After the scan runs, you are informed that your system checked out fine. Sorry for the inconvenience.
For more info on Social Engineering: http://social-engineer.org
44. Topics / Agenda: Breach Statistics
45. Are attacks on the rise?
• Increased media coverage over the last year
– Much like “shark attack” coverage
• New motivations
– Political
– Limelight / Ego
– Embarrassment
– Retaliation
46. Are attacks on the rise…???
The number of incidents reported has been increasing
• 2010 – 800 new compromise incidents
• 2004-09 – just over 900
source: 2011 Verizon DBIR
47. Records Compromised
• The total number of records compromised annually has declined (figures by breach year; the 2011 DBIR covers the 2010 caseload)
2010 – 4 million
2009 – 144 million
2008 – 361 million
source: 2011 Verizon DBIR
48. Who is behind data breaches?
• 92% – stemmed from external agents (+22%)
• 17% – implicated insiders (-31%)
• <1% – resulted from business partners (-10%)
source: 2011 Verizon DBIR
49. How do breaches occur?
• 50% utilized some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% resulted from privilege misuse (-31%)
• 11% employed social tactics (-17%)
source: 2011 Verizon DBIR
50. How do breaches occur?
83% of victims were targets of opportunity
92% of attacks were not highly difficult (+7%)
76% of all data was compromised from servers (-22%)
86% were discovered by a third party (+25%)
96% of breaches were avoidable through simple or intermediate controls
89% of victims subject to PCI-DSS had not achieved compliance (+10%)
source: 2011 Verizon DBIR
51. Where should mitigations be focused?
Eliminate unnecessary data
Ensure essential controls are met
Check the above again
Assess remote access services
Test and review web applications
Audit user accounts and monitor privileged activity
Monitor and mine event logs
Examine ATMs and other payment card input devices for tampering
source: 2011 Verizon DBIR
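As an added example of the last two controls that are in reach of any shop, "audit user accounts and monitor privileged activity" and "monitor and mine event logs" (this code is not from the DBIR or from Heartland), the Python below mines sshd-style authentication logs for privileged logons into payment-zone hosts from corporate-zone addresses, i.e. the corporate-to-payments pivot in the breach timeline earlier in the deck. The network zones, host names, account names and every log line are constructed for the demo.

```python
"""Added example (not from the DBIR or Heartland): flag privileged logons onto
payments hosts that originate in the corporate zone. All data is constructed."""
import ipaddress
from collections import Counter

# Hypothetical addressing: corporate user segment vs. card-processing hosts.
CORP_ZONE = ipaddress.ip_network("10.10.0.0/16")
PAY_HOSTS = {"pay-db01", "pay-app02"}           # hosts inside the payments network
PRIVILEGED = {"root", "dbadmin", "svc_settle"}  # accounts whose use should be rare and reviewed

# Constructed sshd-style lines: "<ts> <host> sshd: Accepted <method> for <user> from <ip>"
SAMPLE_LOG = """\
2008-05-12T02:14:09 pay-db01 sshd: Accepted password for dbadmin from 10.10.4.23
2008-05-12T09:30:11 pay-db01 sshd: Accepted publickey for svc_settle from 10.50.1.7
2008-05-12T11:02:44 corp-web03 sshd: Accepted password for root from 10.10.8.9
2008-05-12T23:47:51 pay-app02 sshd: Accepted password for root from 10.10.4.23
2008-05-13T03:05:30 pay-app02 sshd: Failed password for root from 10.10.4.23
"""


def parse_accepted(line: str):
    """Return (ts, host, method, user, ip) for a successful logon line, else None."""
    parts = line.split()
    if len(parts) != 9 or parts[2] != "sshd:" or parts[3] != "Accepted":
        return None
    ts, host, _, _, method, _, user, _, ip = parts
    return ts, host, method, user, ipaddress.ip_address(ip)


def find_pivots(log_text: str) -> list:
    """Privileged logons onto a payments host whose source address is corporate."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue
        ts, host, method, user, ip = rec
        # Any one of these alone is normal; all three together is the pivot
        # a flat network lets an intruder make without tripping anything.
        if host in PAY_HOSTS and user in PRIVILEGED and ip in CORP_ZONE:
            hits.append((ts, host, user, str(ip)))
    return hits


def top_sources(hits: list) -> list:
    """Which corporate addresses are doing it; a repeat offender is the first lead."""
    return Counter(ip for _, _, _, ip in hits).most_common()


if __name__ == "__main__":
    found = find_pivots(SAMPLE_LOG)
    for hit in found:
        print("ALERT corp->payments privileged logon:", hit)
    print("sources:", top_sources(found))
```

The rule is deliberately narrow so it stays quiet on a normal day; the 02:14 and 23:47 hits from the same corporate address are the kind of thing the deck says nobody was looking at for months. In production the zone and privileged-account lists come from the CMDB and the directory, not from constants, and the logs must be shipped off-host before they can be tampered with.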
52. Topics / Agenda: Information Security Perspective
57. Security Systems
• Purchasing a "checklist" of security devices is not enough!
• You need skilled personnel to manage these devices.
• Most of these technologies require a large amount of time to manage effectively.
58. Summary
• Businesses can recover from a major breach
  – HPS has recovered and is growing
  – PCI Security Standards Council Board of Advisors
  – FS-ISAC Board of Directors
• Every company is a target; make yours a hard one
  – Assume you have been compromised
  – Focus on detection and data elimination
• Get involved
  – Information Sharing (FS-ISAC, PPISC, Infragard)
  – Local security chapters: ISSA, ISACA, OWASP