“I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” stated Robert O. Carr, founder, chairman and chief executive officer of Heartland Payment Systems, a large provider of credit and debit card payment processing and check management services based in New Jersey.
In a Networkworld.com article, “Debit-card processor claims data breach part of global fraud operation”, Ellen Messmer, senior editor at Networkworld.com, explains how Heartland was hit by a massive security breach that compromised customer card data as it crossed Heartland’s network.
Robert H.B. Baldwin Jr., Heartland’s president and CFO, said “About 100 million card transactions per month occur on the affected systems which provide processing to merchants and businesses.”
I’m sure several initial questions were asked like, “How did this happen?” “Why didn’t the firewall and IDS prevent this?” “Why didn’t antivirus pick this up?” “What security do we have?!!!” I wonder what the answers were. Crickets with the occasional whimper? “Yes, it is a problem and we are working on it…” , “I don’t know.”
Baldwin says the computer forensics investigation conducted by the company uncovered evidence of multiple instances of malicious software on the Heartland network, although he did not disclose the exact number of instances identified.
Heartland’s official press release contained a clue as to how the breach was carried out: “Cyber criminals [tend] to use the same or slightly modified techniques over and over again.”
So the picture that emerges is that a modified worm and/or trojan, built to slip past signature-based antivirus, was introduced to the network, either from the inside or through an exposed port. Once the right hosts or servers were infected, it was open season on credit card data collection.
In the last paragraph of the Networkworld article, Baldwin states that the company is taking steps to improve its network security by adding what it referred to as “a next-generation program designed to flag network anomalies in ‘real-time’ to better identify possible criminal activity,” but did not go into details.
In today’s world anybody can learn how to hack and how to create worms and viruses with a simple Google search, which increases both the number of people looking to steal information and the sophistication of what they can do. The malware itself changes from attack to attack, which is exactly why signature-based tools miss it. At the core, however, the symptoms and the network behavior of these attacks are very similar: hosts scanning for new victims, servers suddenly talking to places they never talked to before, and data leaving the network in volumes that do not match the host’s normal pattern. This is why real-time network traffic anomaly detection is a critical step in securing a network, and judging by Heartland’s published statements they seem to agree.
A tool that would likely have caught this kind of activity is the Netflow Behavior Analysis (NBA) module for the Scrutinizer Netflow Analyzer. It is a system designed to look for malicious traffic trends that fly under the radar of existing conventional countermeasures such as firewalls, IDS signatures and antivirus.
Scrutinizer NBA continually tallies and sizes up the conversations reported by all flow-exporting devices (routers, switches and probes) and helps identify:
• Zero-day worms, SYN Floods and DoS attacks
• ICMP Destination Unreachable
• Bleeding Edge Attacks
• Policy violations and internal misuse
• Poorly configured and unauthorized devices
• Unauthorized Application Deployments
• Suspicious NetBIOS-based services
• Excessive Multicast Traffic
• Unauthorized or incorrectly configured server activity
• P2P traffic, such as BitTorrent (even if encrypted)
• Root causes of network slowdowns
• Serious vs. trivial network incidents
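To make the idea concrete, here is a small Python script, added to this post as an illustration and not Plixer’s code or anything from Heartland’s investigation, that applies three of the behavioral checks from the list above to NetFlow-style records: fan-out scanning (the worm behavior described earlier), a fan-in SYN flood, and an internal host pushing far more data to the outside than its learned baseline (the pattern that card-data theft produces on the wire). The flow records, the “internal” address ranges, the per-host baselines and the thresholds are all constructed for the example.

```python
"""Flow-based behaviour analysis over NetFlow-style records (added example).

Not Plixer's code: a small illustration of the kind of behavioural checks a
NetFlow analyzer can run on exported flow records. Records, address ranges,
baselines and thresholds are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

TCP = 6
# Assumed "inside" address space for the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


class Flow(NamedTuple):
    """One unidirectional flow record, as a NetFlow v5/v9 exporter would summarise it."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    flags: str  # cumulative TCP flags seen on the flow, e.g. "S", "SA", "SPA"


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def fanout_scans(flows: List[Flow], min_targets: int = 20, syn_ratio: float = 0.8) -> List[Tuple[str, int, int]]:
    """Worm/scanner signature: one source contacts many distinct hosts on the same
    port, and most of those flows are lone SYNs that never became a conversation."""
    targets: Dict[Tuple[str, int], set] = defaultdict(set)
    total: Dict[Tuple[str, int], int] = defaultdict(int)
    half_open: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        if f.proto != TCP:
            continue
        key = (f.src, f.dport)
        targets[key].add(f.dst)
        total[key] += 1
        if f.flags == "S" and f.packets <= 2:
            half_open[key] += 1
    return sorted(
        (src, port, len(t)) for (src, port), t in targets.items()
        if len(t) >= min_targets and half_open[(src, port)] / total[(src, port)] >= syn_ratio
    )


def syn_floods(flows: List[Flow], min_sources: int = 50) -> List[Tuple[str, int, int]]:
    """Fan-in: many distinct sources send lone SYNs at a single host:port."""
    sources: Dict[Tuple[str, int], set] = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.flags == "S" and f.packets <= 2:
            sources[(f.dst, f.dport)].add(f.src)
    return sorted((dst, port, len(s)) for (dst, port), s in sources.items() if len(s) >= min_sources)


def outbound_volume_anomalies(flows: List[Flow], baseline: Dict[str, int], factor: float = 10.0) -> List[Tuple[str, int, int]]:
    """Exfiltration check: an internal host sends more bytes to external addresses in this
    window than `factor` times its baseline. A host with no baseline is flagged on any outbound
    traffic, since an unknown server talking to the internet is itself worth a look."""
    out: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src] += f.octets
    return sorted((host, total, baseline.get(host, 0)) for host, total in out.items()
                  if total > factor * baseline.get(host, 0))


def analyze(flows: List[Flow], baseline: Dict[str, int]) -> Dict[str, list]:
    """Run all three checks over one window of flow records."""
    return {
        "fanout_scans": fanout_scans(flows),
        "syn_floods": syn_floods(flows),
        "outbound_anomalies": outbound_volume_anomalies(flows, baseline),
    }


# Constructed sample: one five-minute window of flows, not real capture data.
SAMPLE_BASELINE = {"10.0.0.5": 200_000, "10.0.3.20": 500_000}  # typical outbound bytes per window


def sample_flows() -> List[Flow]:
    flows = [
        # Ordinary traffic: a workstation talking to an internal web server and an external site.
        Flow("10.0.0.5", "10.0.0.80", 51000, 443, TCP, 120, 80_000, "SPA"),
        Flow("10.0.0.5", "198.51.100.20", 51001, 443, TCP, 90, 120_000, "SPA"),
        # A processing server that normally sends ~500 KB/window suddenly ships 60 MB outside.
        Flow("10.0.3.20", "203.0.113.9", 40000, 443, TCP, 45_000, 60_000_000, "SPA"),
    ]
    # Infected host sweeping 10.0.2.0/24 on the SMB port: 40 lone SYNs, one per target.
    flows += [Flow("10.0.1.7", f"10.0.2.{i}", 40000 + i, 445, TCP, 1, 60, "S") for i in range(1, 41)]
    # 60 external sources each sending a single SYN at the web server: a SYN flood.
    flows += [Flow(f"192.0.2.{i}", "10.0.0.80", 1024 + i, 80, TCP, 1, 60, "S") for i in range(1, 61)]
    return flows


if __name__ == "__main__":
    for name, hits in analyze(sample_flows(), SAMPLE_BASELINE).items():
        print(name, hits)
```

None of the three checks knows anything about the malware involved: the scanner is spotted by its fan-out of unanswered SYNs, the flood by its fan-in, and the exfiltration by the server’s outbound byte count against its own history. That is the point of the argument above: the malware changes, the flow-level behavior does not, and a real deployment would feed the same logic from live exporters and tune the thresholds and baselines per network.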
What happened to Heartland is an example of why having a real-time network behavior analysis tool in place, like Plixer’s Netflow Behavior Analysis module, can be the key to avoiding catastrophic security breaches.
Plixer offers free evaluations of Scrutinizer and the Flow Analytics/NBA module, so there is no reason not to check it out if you don’t already have it.
Check out the Netflow Behavior Analysis Brochure on the Plixer website.
Good luck to Heartland and I hope they’re able to recover from this.