It’s one week later. With limited public announcements, what is this post going to tell you? Well, let’s start off by stating what it won’t tell you. You won’t find any gory details about the breach or the other parties involved. You won’t find anything here that cannot be deduced using public information sources. You won’t find anything here that has not been stated before.

So what use is it? How about we assemble some key points and do a little bit of analysis to understand how something like this can be prevented in your company.

According to the original press release, the investigation uncovered malicious software that compromised data as it crossed Heartland’s network. Before we start attacking PCI and saying that the standard should require encryption over every network, internal ones included, let’s look at what the standard already requires today that would have prevented exactly this.

To start, PCI Requirement 5.1.1 states:

Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

We don’t know what kind of malware this is, so we don’t know whether any anti-virus signatures exist for it; however, there are many types of software that detect or block malware without a signature. Application whitelisting, which only lets pre-approved executables run, is particularly useful here, and properly managed it could well have thwarted this breach.

Next, let’s have a look at PCI Requirement 6.1:

Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

Malware rarely finds its way onto a fully patched system on its own. The exceptions are a zero-day exploit, or an attacker who already holds administrative credentials for the machine in question (or a user who is tricked into running it, which is where the whitelisting above earns its keep). Zero-day exploits against machines behind firewalls are less likely than against internet-facing machines or workstations, simply because there is less exposed attack surface to aim at. Administrative credentials would be particularly crippling, but getting hold of them is harder; you would not typically see them used from outside the corporate network unless the attack targeted an individual or team inside the company. And because of PCI Requirement 2.1 (Always change vendor-supplied defaults before installing a system on the network), no default credentials should work.

OK… One more, and then I will stop (although you can keep going). PCI Requirement 11.5:

Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

This one is the key. Malware that writes or alters files on disk cannot go undetected on a system with proper file-integrity monitoring. Note I said PROPER, but let’s face it: even a BASH script that computes a SHA-1 hash of every file in a given tree will find malware when it compares those hashes against the previous run, provided the baseline it compares against lives somewhere the intruder cannot rewrite it.
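To make that concrete, here is the kind of script meant above, written for this post as an added example (it is not the author’s script, nor any vendor’s product): a few shell functions that snapshot a directory tree, diff it against a stored baseline, and report anything added, modified or removed. It assumes GNU coreutils and uses sha256sum rather than SHA-1; sha1sum would serve the same purpose for catching an unexpected change.

```shell
#!/usr/bin/env bash
# Minimal file-integrity monitor in the spirit of the "BASH script" above.
# Added example for this post, not the author's or any vendor's tooling.
# Assumes GNU coreutils (sha256sum, sort, awk); sha1sum would work the same
# way, SHA-256 is simply the safer default today.
set -eu

# fim_snapshot TREE
#   Print "hash  path" for every regular file under TREE, sorted by path.
fim_snapshot() {
  local tree="$1"
  find "$tree" -type f -exec sha256sum {} + | sort -k 2
}

# fim_compare BASELINE CURRENT
#   Diff two snapshots and print one line per ADDED / MODIFIED / REMOVED path.
#   The path is everything after the hash and the two-space separator, so
#   file names containing spaces survive.
fim_compare() {
  local baseline="$1" current="$2"
  awk -v base_file="$baseline" '
    { hash = $1; path = substr($0, length(hash) + 3) }
    FILENAME == base_file { base[path] = hash; next }
    {
      seen[path] = 1
      if (!(path in base))          print "ADDED    " path
      else if (base[path] != hash)  print "MODIFIED " path
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
  ' "$baseline" "$current" | sort
}

# fim_run TREE BASELINE
#   First run: write the baseline. Later runs: report drift and return 1 so a
#   cron job (or whatever scheduler you use) can alert on it. Keep BASELINE on
#   a volume the monitored host cannot write to, otherwise malware can simply
#   re-baseline itself.
fim_run() {
  local tree="$1" baseline="$2" current report
  current=$(mktemp)
  fim_snapshot "$tree" > "$current"
  if [ ! -f "$baseline" ]; then
    mv "$current" "$baseline"
    echo "baseline written: $baseline"
    return 0
  fi
  report=$(fim_compare "$baseline" "$current")
  rm -f "$current"
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  echo "no changes under $tree"
}

# Usage (paths are illustrative): ./fim.sh /etc /mnt/readonly/etc.baseline
if [ "$#" -gt 0 ]; then
  fim_run "$@"
fi
```

Three caveats make the difference between this and PROPER monitoring: the baseline and the script itself must live where an intruder on the box cannot alter them (a read-only mount, another host, or a signed copy), the check should run far more often than the weekly minimum the requirement allows, and a hash comparison only sees what touches disk, so it will not catch code that lives purely in memory. It also has to be scoped sensibly: monitor binaries, configuration and web content, and exclude paths that legitimately churn, or the alerts will be ignored.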

CEOs, keep reading. Your part is coming, but first I need to address the CISO that is screaming at me right now.

Yes Mr. CISO, you are well informed. A targeted attack can be pretty effective against the base controls I mention above. The reality is that targeted attacks don’t happen (in the US anyway) as much as you might think because the basic security principles mentioned above are simply not being followed. Why would a criminal invest countless hours and money creating a targeted attack when generic malware works just as well?

Mr. CISO, you should not give up. You need to understand the risks in your environment, and that starts with strategic things like governance, and tactical things like mapping out data flows. This also means that when you are ready to ask for funding to address a risk, you don’t tell the board that the world will end with EVERY SINGLE ITEM on your agenda. Pick something appropriate, and SELL IT.

I know, you hate salespeople. Face it, if you are going to be effective, you will become one.

Now, Mr. CEO. As the Chief chief, you are responsible for all the things that happen on your watch. If a data breach occurs, you can bet that your compensation will suffer, your employees will suffer (through layoffs and poor financial performance), and in some extreme cases you will find yourself reporting to outside legal counsel instead of the board (this happens more often than you think). I’m not saying you should throw all of the company’s money toward security, but you should be taking it seriously. Make your CISO (or CIO… and if that is the case, go get a CISO) do his research and justify his position. When he does, you should listen.

What can we all learn? Going through the motions of something like PCI without actually committing to it will land you in the “PCI Validated, but Compromised” bucket like so many before you. The Anti-PCI crowd comes in two flavors, the “It’s Too Damn Hard” flavor, and the “It Doesn’t Address X Issue” flavor. Both of those flavors have valid points, but they are sooo 2006. 2009 is the time to OWN your security, and PCI is a great place to start.

If you are shopping for the easiest pass, or looking for an assessor that will pass a halfway implemented control, you are asking for trouble. 2009 is yet another year to do more with less, but don’t skimp on something like this. A good assessor will provide you with the concrete evidence you require to secure funding and fix problems you have been sitting on for years. It’s time to take security and PCI seriously and get your program in place to maintain them every single day. Why? Because breaches put their victims at a competitive disadvantage to their peers, thus impacting their long-term outlook.

Need help on finding a place to start? Drop us a line! We can help!

This post originally appeared on
