Heartland Data Breach Underscores Security NecessityBy Charlene O'Hanlon | Posted 2009-01-22 Email Print
The Myths and Truths of Building a World-Class Cyber Defense REGISTER >
Many companies don't understand the true value of their data and networks to hackers and thieves. Following the compromise of 100 million credit card records, solution providers should double-check their clients' security posture.
The Jan. 20 announcement by Heartland Payment Systems that a security breach left more than 100 million accounts vulnerable underscores the value of a good security system and the opportunity for solution providers to keep their customers' data safe.
"[Security breaches] can and do happen to everyday companies," says Eric Greenberg, vice president of security and risk solutions for Integralis, a managed security services provider in Hartford, Conn. "The thing is these credit card processors have high-value data, and so most companies don't think their data is that valuable. But most companies also don't understand the risk and value of their data."
"This is a prime opportunity for solution providers," says Rob Fitzgerald, founder of the Lorenzi Group, a digital forensic solution provider based in Boston. "Many solution providers have said for years this is what's going to happen. The fact is, it will happen and will continue to happen."
The attack on Heartland, which allegedly was the result of software that had been surreptitiously installed on its systems, was first discovered in October 2008 but wasn't made public until Jan. 20. Heartland discovered the breach only after being alerted by Visa and MasterCard of suspicious activity processing credit card transactions.
"It is difficult to detect this type of attack when you're looking at millions of bits and packets," Greenberg says. "This is why it's so important to have security not just at the perimeter but also at the server level."
Looking for activity at the server level—called host-based intrusion protection and intrusion detection—can help a company analyze data streams at the source and search for unusual behaviors inside the system as well as files that have been tampered with, he says.
"Corporations must have strong rules and enforcement about what employees can install on a machine," he adds. "Most organization are loose—they're doing what they need to do to be in compliance, but the perspective of risk is growing and I would hope now [companies] are understanding that the risk is real."
As an MSSP, Integralis helps its customers understand what the financial risk is of having lax security measures. "This [breach] will cost Heartland enormous amounts of money to get past," Greenberg says. "The cost of preventative systems is typically less, but companies decide what their gamble is."
Fitzgerald notes that an educated employee base often can help stop security breaches at the source—and offering training is one way solution providers can get their foot in the door.
"VARs can go in and just offer employee education," Fitzgerald says. "It's the easiest, cheapest solution there is. They could be taught what should be and should not be done and what to do when they notice things happening that are different from the norm."
But, he says, sometimes the risk lies not with the employees, but with third parties that work with the company. "Many of these events have involved third-party vendors that have come in to work on the systems," Fitzgerald notes. "Who is auditing the policies for the third-party vendors? That is critical and it would be a great thing for a VAR to get involved in."
Companies also must understand how critical it is to have a holistic security solution and keep the components up to date, Fitzgerald says.
"It's a no-brainer for me, but there are plenty of companies who let their security software license lapse," he says. "If a client refuses or decides not to accept a security solution, if I were a VAR I'd request they sign off on a waiver saying they don't accept it and they understand the possible consequences of not having the solution.
"There are too many lawsuits flying around these days … I see them all going downward," he adds.
VARs also need to ensure that their own business is protected, he says.
"VARs themselves can get burned by unscrupulous employees," Fitzgerald says. "They need to run background checks and make sure their employees are on the up and up. The economy and the market [are] creating the perfect storm for more situations like these to happen."