Showing posts with label trust zones.

Tuesday, February 3, 2009

Heartland Breach

Summary:
  • Level 1 credit card processor fails to prevent data loss affecting hundreds of millions of transactions.
  • Attacker installed tools on Heartland server, inside the PCI trust path network
  • Tools “sniffed” transactions and sent data to system(s) outside North America
“Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month.”
- Banks, customers feel the fallout of the Heartland breach. 2/2/2009. Jaikumar Vijayan, Computerworld, Security.

Breach analysis:

Root cause includes but is not limited to the following:
  • Failure of host based intrusion prevention system (HIPS)
  • Failure of network based intrusion prevention systems (IDP)
  • Failure of configuration management to detect changes to host and network configuration
  • Failure of separation of duties and detection of abuse or escalation of privilege
  • Failure to segment the processor network and enforce a zone of trust

In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.

Solution:

Catbird directly addresses all of the above, except for HIPS. HIPS requires an agent on every end-point, which is not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense-in-depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management and virtual machine tracking technologies. These technologies include but are not limited to:
  • Policy and detection templates for IDP, to monitor and control network flows between zones and intra-machine flows inside a trust zone
  • Policy based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
  • Monitoring of virtual administrator activities and enforcement of dual controls for virtual machine connection to network zones
  • Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN or port group

In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.

Friday, June 13, 2008

PCI compliant but still hacked

The malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider, the letter states. Foreign crime rings have been blamed in a number of other payment card fraud cases.
Hannaford said in its letter that it was certified a year ago as meeting card security standards and was recertified on Feb. 27. Eleazer said that was the day Visa first notified Hannaford of unusual card activity and began its investigation. That the standards did not stop the thieves, she said, "speaks to the increasing sophistication of the criminal element that propagates these attacks."
It looks to me like Hannaford made the mistake of allowing "multi-level access" in a "single level" network. Servers that handle payment card data must be prevented from access to an unauthorized network or end-point.

These servers and the processors they communicate with should have been in a "PCI trust zone." All other systems would have been in an "untrusted zone." Then it would be a simple matter for an IDP/NAC appliance to detect and prevent this type of breach.
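As an added example (not Catbird's product and not code from either post), the zone policy described in both posts expressed as a check over flow records: hosts are classified into a PCI zone, a processor zone and an untrusted catch-all, and any flow leaving the PCI zone other than to the processor over TLS is reported, which is the shape of the offshore batch uploads both breaches involved. The addresses, ports and flow records are constructed assumptions, not values from the page.

```python
import ipaddress
from collections import namedtuple

# Zone definitions (constructed for this example; addresses are not from the page).
ZONES = {
    "pci":       [ipaddress.ip_network("10.10.0.0/24")],    # card-handling store servers
    "processor": [ipaddress.ip_network("203.0.113.0/24")],  # the payment processor's endpoints
}
# Anything not in a defined zone is "untrusted" (offshore hosts, office LAN, etc.).

# Flows the zone policy permits: (source zone, destination zone, destination port).
# Card data may leave the PCI zone only toward the processor over TLS.
ALLOWED = {("pci", "processor", 443)}

Flow = namedtuple("Flow", "src dst dport bytes_out")


def zone_of(addr):
    """Map an IP address to its trust zone; unknown addresses are untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "untrusted"


def check_flow(flow):
    """Return None if the flow is permitted, else a one-line violation description."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is not a segmentation violation
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    return (f"{src_zone}->{dst_zone} {flow.src}->{flow.dst}:{flow.dport} "
            f"({flow.bytes_out} bytes)")


def check_flows(flows):
    """Run the zone policy over a batch of flows and return the violations found."""
    return [v for v in (check_flow(f) for f in flows) if v]


# Constructed sample flow records, as a NetFlow/IDP appliance might export them.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "203.0.113.10", 443, 4096),     # authorization to the processor: allowed
    Flow("10.10.0.5", "10.10.0.7", 445, 1200),        # intra-PCI traffic: allowed by this policy
    Flow("10.10.0.5", "198.51.100.77", 443, 900000),  # batch upload to an offshore host: violation
    Flow("10.10.0.9", "203.0.113.10", 80, 300),       # processor over plain HTTP: violation
]

if __name__ == "__main__":
    for violation in check_flows(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```

In a real deployment the same check would run inline so the offending session is blocked, not only logged; the large byte count on the offshore flow is also the signal a volume threshold would catch.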