How to Prevent a Heartland-Style Data Breach
The United States Department of Justice announced today the arrest of Albert Gonzalez, a 28-year old Miami man, in the largest identity theft prosecution on record. Gonzalez is accused, along with two as-yet-unnamed Russian co-conspirators, of compromising more than 130 million credit and debit card accounts from a variety of targets including Heartland Payment Systems and 7-Eleven.
While the Department of Justice should be commended for the successful investigation and indictment of Gonzalez, the arrest will not ‘un-breach' accounts that are already compromised and available on the black market. In an ideal world the arrest would deter future identity theft, but it is unlikely. It is still an almost entirely anonymous crime capable of generating significant revenue and would-be ID thieves are more likely to just consider themselves smarter and better than Gonzalez. He made mistakes, but *they* won't get caught.
So, kudos to the Department of Justice, but you still need to watch your back and safeguard your networks and data from similar attacks. Here are three tips to help you protect your data and make sure you don't become the next Heartland Payment Systems.
1. Wireless security. Wireless networks exist in most businesses these days. The thing about wireless networks is that they let employees roam about and still stay connected to the network, but they also provide an opportunity for unauthorized users who are within range of the wireless access point to gain access as well. The data breaches at TJX and Lowes were both made possible through weak or non-existent wireless network security.
Wireless networks should be segregated from the primary network to provide an extra layer of protection. The wireless connection should be secured with WPA or WPA2 encryption at a minimum. It is even better if some other form of authentication is used to access the wireless network. There should also be a policy against setting up unauthorized wireless networks and period scanning to ensure rogue networks don't exist.
2. Compliance. By virtue of accepting, processing, transmitting, or storing credit card transaction data the organizations that were compromised in these attacks fall under the Payment Card Industry Data Security Standards (PCI DSS) requirements. PCI DSS was developed by the credit card industry to provide baseline security requirements for businesses that handle sensitive credit card information.
Many of the companies also fall under other compliance mandates such as Sarbanes-Oxley (SOX), or the Gramm-Leach-Bliley Act (GLBA). It is important for companies to respect the spirit as well as the letter of the compliance requirements. Keep in mind that completing a checklist or passing an audit are not the goals of compliance. The goal is to protect sensitive data and network resources. Doing the bare minimum to scrape by on a compliance audit may leave some weaknesses that could lead to data compromise which mars the reputation of the company and is often much more costly than compliance.
3. Diligence. This is the big one. Security is a 24/7/365 full-time job. Locking down the wireless network and developing a policy prohibiting rogue networks is great, but what if someone violates the policy and deploys a rogue wireless network next week? Passing a PCI DSS compliance audit is great, but employees come and go, computer systems are provisioned and decommissioned, and new technologies are introduced to the network. Just because the network was compliant at the time of the audit doesn't mean it will still be compliant a month later.
Attackers are constantly working to expose weaknesses in network defenses. Network and security administrators have to remain just as diligent at keeping up with attack techniques and countermeasures. More importantly, you have to monitor intrusion detection and prevention system activity, firewall logs, and other data to stay alert for signs of compromise or suspicious activity. The earlier you can identify and stop an attack, the less data will be compromised and the more you will be a hero instead of a zero.
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice and reviews on information security and unified communications technologies on his site at tonybradley.com.