Showing posts with label external attacks. Show all posts

Wednesday, 21 January 2009

Billion Dollar Breach

The World’s First Billion Dollar Breach?

The Heartland breach could be ushering in the next wave of major criminal security breaches, targeting credit card processors, which handle a much higher volume of stored credit card data than traditional retailers. Although the company has not indicated exactly how many records have been compromised, and it may not know, Heartland has acknowledged processing 100 million credit card transactions each month, and other sources suggest that as many cards may be at risk.

The cost of replacing a credit card is around $15, apparently. So, the breach at Heartland could cost credit card issuers $1.5 billion in replacement costs alone – ignoring the impact of any fraudulent transactions. Even if a much smaller fraction of the processed records was affected, the cost will still run into hundreds of millions of dollars. To put the cost into context: this is TJX on steroids.

The question is: who will end up paying these clean-up costs? It seems unlikely that Heartland will carry them all, though the breach occurred on its watch. Initially, the credit card companies bear most of the cost, but they will undoubtedly seek to pass these fees on to insurers, merchants and consumers alike.

At least Heartland is seeking to shut the door after the horse has bolted – a well-trodden security path. They claim to be implementing “a next-generation program designed to flag network anomalies in real-time”, which is to be welcomed. Such behaviour-based approaches are essential to spot the kind of sophisticated exploits that so easily defeat discredited signature-based systems.


Wednesday, 17 December 2008

Hack chain, held together by database attacks, linked at each end

As the western world enters its festive season, the spirit of goodwill and peace to all men has most computer users lowering their guard. The rush to search the internet for gifts to buy, and the process of ordering online, has given those not winding down for Christmas (i.e. the attackers) a bumper harvest.

Following on from my previous post, we see Microsoft issuing advice on how to mitigate newly exploited vulnerabilities in its web browser, which forms one link in a chain of vulnerabilities. What is really neat is that each end of this exploit chain requires an attack on a database. Initially, malware is force-fed into websites using a SQL injection attack to poison the external database serving the website. Visitors to these sites unwittingly load the malware into their browser as it is served by the site. The malware then exploits the browser to masquerade as the computer user on the user’s own corporate network. Now the attacker is pretending to be an authorised user on the corporate network. The next part of the attack uses internal credentials to connect to an internal corporate database and then exploits vulnerabilities in the database to gain complete control of it. This includes stealing data and extending control over the network further.

Organisations’ internal databases are not well protected; they typically rely on the perimeter firewall to keep outsiders out. Given the chain of events that allows an external attacker to reach internal databases whilst appearing to be an insider, the perimeter firewall is totally ineffective. A database firewall is called for here. The best form of defence is to trust no database access – regardless of who makes it and from where. This requires building active control policies for database usage and enforcing them. At Secerno, the DataWall™ product-line achieves just this by utilising the SynoptiQ™ Engine.
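To make the "trust no database access, whatever its origin" policy concrete, here is an added example (not Secerno's code, and not how DataWall or SynoptiQ work) of the behaviour-based idea from both posts: a trusted baseline of the application's legitimate queries is reduced to structural shapes, and any later statement whose shape is not on that allow-list is flagged, even when it arrives over an authorised connection. The table names, queries and the `query_shape` normalisation are constructed for illustration.

```python
import re
from typing import List, Tuple

# Normalise a SQL statement to its structural "shape": string and numeric literals
# become placeholders, whitespace and case are canonicalised. Statements issued by
# the same application code therefore share one shape whatever values a user supplies.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")


def query_shape(sql: str) -> str:
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


class DatabasePolicy:
    """Allow-list of query shapes learnt from a trusted baseline; any other shape is an anomaly.
    The check deliberately ignores who the caller is: identity was already lost once the
    attacker masquerades as an insider, so only the behaviour of the statement is judged."""

    def __init__(self) -> None:
        self.allowed = set()

    def learn(self, baseline: List[str]) -> None:
        for sql in baseline:
            self.allowed.add(query_shape(sql))

    def check(self, sql: str) -> Tuple[bool, str]:
        shape = query_shape(sql)
        return shape in self.allowed, shape


def audit(policy: DatabasePolicy, queries: List[str]) -> List[Tuple[str, str]]:
    """Return the statements the policy would block, each with the shape that failed."""
    return [(sql, shape) for sql in queries for ok, shape in [policy.check(sql)] if not ok]


# Constructed baseline: statements the web application legitimately issues.
BASELINE = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE id = 1007",
    "UPDATE orders SET status = 'shipped' WHERE id = 9",
]

# Constructed traffic seen on an internal connection: one normal lookup, one lookup with a
# tautology appended (a classic injection symptom), and one query the application never issues.
SAMPLE = [
    "SELECT id, name FROM customers WHERE id = 77",
    "SELECT id, name FROM customers WHERE id = 77 OR 1=1",
    "SELECT name, card_number FROM customers",
]
```

Running `audit` over `SAMPLE` after `learn(BASELINE)` blocks the second and third statements and passes the first; no signature of any specific exploit is involved, only deviation from learnt behaviour.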

Break the chain of successful attacks! Proactively control and protect all your databases – from those on the inside – and those on the outside! It is no longer possible to safely discriminate who is who.