SECURITY CHECK – HEARTLAND PAYMENT SYSTEMS: EASy Security Project, Part 3 -- Synthesis Through Recommended Changes in Control Practice
  • 1. Security Check: Heartland Payment Systems
    EASy Security Project, Part 3 -- Synthesis Through Recommended Changes in Control Practice

2. Summary of Audit Objectives
5.1 Manage Security Measures
5.2 Identification, Authentication and Access
5.3 Security of Online Access to Data
5.5 Management Review of User Accounts
5.7 Security Surveillance
5.9 Central Identification and Access Rights Management
5.10 Violation and Security Activity Reports
5.11 Incident Handling
5.12 Reaccreditation
5.13 Counterparty Trust
5.14 Transaction Authorization
5.16 Trusted Path
5.17 Protection of Security Functions
5.18 Cryptographic Key Management
5.19 Malicious Software Prevention, Detection and Correction
5.20 Firewall Architectures and Connections with Public Networks
3. 5.1 Manage Security Measures
Control Objective: IT security should be managed such that security measures are in line with business requirements. This includes:
1) Translating risk assessment information to the IT security plans.
2) Implementing the IT security plan.
3) Updating the IT security plan to reflect changes in the IT configuration.
4) Assessing the impact of change requests on IT security.
5) Monitoring the implementation of the IT security plan.
6) Aligning IT security procedures to other policies and procedures.

Recommendation:
The security breach at Heartland Payment Systems could have been prevented if its security measures had been correctly scoped, with every aspect of the business and its security risks considered when the measures were designed. Heartland needs to implement (or reorganize) its IT security measures to ensure proper protection of cardholder and company data. I recommend that Heartland engage an external penetration-testing firm to test its defenses and to confirm that its intrusion detection actually catches an attacker who has gained a foothold; the findings should feed back into the IT security plan rather than sit in a report.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams, third-party auditing company
Procedures: Create a sufficient IT security plan to keep Heartland Payment Systems data safe.
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Cost of employee labor, cost of an auditor and penetration tester
4. 5.2 Identification, Authentication and Access
Control Objective: The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes).

Recommendation:
We recommend that Heartland Payment Systems implement new identification, authentication, authorization and access procedures so that every user traversing the Heartland network is identified and every action can be attributed to a single account. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities (Payment Card Industry (PCI) Data Security Standard, 2010). Shared or generic accounts defeat this, since an action logged under a shared account cannot be tied to one person.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Implementation of a secure user authentication procedure
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Labor costs
5. 5.3 Security of Online Access to Data
Control Objective: In an online IT environment, IT management should implement procedures in line with the security policy that provide access security control based on the individual's demonstrated need to view, add, change or delete data.

Recommendation:
Heartland Payment Systems has a problem with online access to data: intruders from outside the company's boundaries were able to reach Heartland's internal operations. Heartland's response to its data breach rested on two pillars aimed at the merchant acquiring and processing side of the payment system: improve data sharing and better secure data, particularly data in transit (Cheney, 2010). I recommend that Heartland implement end-to-end encryption (to secure data in transit) and tokenization. Tokenization is a way for merchants to protect credit card information (Cheney, 2010). After authorization, the card number is replaced with a randomly generated token that is useless to thieves, because it is not derived from the card number and can only be mapped back by the token vault; the real card data is then deleted from the merchant's database (Metzger, 2010). End-to-end encryption encrypts the message (the card data) at the point where it is captured and keeps it encrypted across every hop of the communication path until it reaches the endpoint authorized to decrypt it, so a sniffer on an intermediate system sees only ciphertext.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Implement end-to-end encryption between data links, and implement token technology.
Hardware: Existing hardware
Software: Tokenization software, encryption software (can be hardware based using existing equipment)
Telecommunications: None
Cost: Software cost, labor costs
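The tokenization described above, as an added example that is not part of the original report or of any Heartland product: a minimal token vault in Python. The class and function names, the rule that tokens preserve length and the last four digits, the choice to make tokens fail the Luhn check so they can never pass for a live card number, and the single "settlement" caller allowed to detokenize are all assumptions made for this example; the card numbers used are standard test numbers, not real accounts.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test. Used to reject malformed PANs and, inverted,
    to guarantee a token can never be mistaken for a real card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place where PAN <-> token mappings exist (assumed design).

    Tokens are random, not derived from the PAN, so a stolen merchant
    database reveals nothing about the cards. Length and the last four
    digits are preserved so receipts and reports keep working.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:          # same card -> same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that passes Luhn, so a token
            # can never be confused with (or submitted as) a live PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the settlement process may recover a PAN (assumed policy)."""
        if caller != "settlement":
            raise PermissionError(f"{caller} may not detokenize")
        return self._token_to_pan[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps after authorization: a token, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def detokenize_allowed(vault: TokenVault, token: str, caller: str) -> bool:
    """True if the vault's policy lets this caller recover the PAN."""
    try:
        vault.detokenize(token, caller)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    v = TokenVault()
    rec = merchant_checkout(v, "4111111111111111", 1999)   # constructed test PAN
    print("merchant record:", rec)
    print("settlement lookup:", v.detokenize(rec["token"], "settlement"))
    print("marketing may detokenize:", detokenize_allowed(v, rec["token"], "marketing"))
```

The point to take from the example is where the risk moves: the merchant record carries only the token, and the vault becomes the single system that must be hardened, logged and kept off the corporate network.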
6. 5.5 Management Review of User Accounts
Control Objective: Management should have a control process in place to review and confirm access rights periodically. Periodic comparison of resources with recorded accountability should be completed to help reduce the risk of errors, fraud, misuse or unauthorized alteration.

Recommendation:
Evidence exists that it was possible for intruders to enter through servers and systems that were considered less critical. According to an article titled "Lessons from the Data Breach at Heartland": "Big companies have hundreds of these things, and they think they're not worth worrying about or they're managed by a third party," Tippett says. "Bad guys will go after anything they can knock over" (King, 2009). Account review must therefore cover those less critical systems as well, since a stale or over-privileged account on one of them is exactly what an intruder uses as a stepping stone.

Plan of Action:
People: Internal Risk Management and the business unit process owners
Procedures: Implement a daily audit control that compares user accounts and their approved entitlements against the access logs of systems holding data classified as sensitive, covering read, write and update operations. Only exceptions (access by unknown or terminated accounts, operations outside the granted rights, and dormant accounts) should be reported to Risk Management, who will in turn take action.
Hardware: Existing hardware
Software: Existing audit tools will be used, but a new report will need to be created.
Telecommunications: None
Cost: Small audit control enhancement: 40-80 hours at a resource-loaded rate of $65 per hour
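The exception-only daily review in the plan of action above, as an added example that is not part of the original report: it compares an entitlement list against one day of access-log lines for the systems classified sensitive and returns only the exceptions Risk Management needs to see. The key=value log format, the entitlement structure, the account and system names, the 90-day dormancy threshold and all sample data are constructed for this example.

```python
import re
from datetime import date, datetime
from typing import Dict, List

# Systems whose data is classified sensitive; only these are reviewed.
SENSITIVE_SYSTEMS = {"card_db", "settlement"}

# Constructed entitlement list: account status and approved operations per system.
ENTITLEMENTS: Dict[str, dict] = {
    "jsmith":    {"status": "active",     "grants": {"card_db": {"read", "update"}}},
    "abrown":    {"status": "active",     "grants": {"card_db": {"read"}}},
    "tlee":      {"status": "terminated", "grants": {"card_db": {"read", "write", "update"}}},
    "svc_batch": {"status": "active",     "grants": {"settlement": {"read", "write"}}},
    "rkim":      {"status": "active",     "grants": {"card_db": {"read"}}},
}

# Constructed access-log lines for one day.
SAMPLE_LOG = """
2010-12-10T01:02:03 system=card_db user=jsmith op=read status=ok
2010-12-10T01:05:00 system=card_db user=jsmith op=update status=ok
2010-12-10T02:14:05 system=card_db user=abrown op=write status=ok
2010-12-10T03:00:00 system=card_db user=tlee op=read status=ok
2010-12-10T03:30:00 system=settlement user=svc_batch op=write status=ok
2010-12-10T04:00:00 system=card_db user=ghost op=read status=ok
2010-12-10T04:10:00 system=hr_portal user=ghost op=read status=ok
2010-12-10T05:00:00 system=settlement user=jsmith op=read status=denied
"""

# Constructed record of when each account was last seen before today.
LAST_ACTIVITY: Dict[str, date] = {
    "jsmith": date(2010, 12, 9),
    "abrown": date(2010, 12, 9),
    "svc_batch": date(2010, 12, 9),
    "rkim": date(2010, 8, 15),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+system=(?P<system>\S+)\s+user=(?P<user>\S+)"
    r"\s+op=(?P<op>\S+)\s+status=(?P<status>\S+)$"
)


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            yield ev


def review(entitlements, log_text, last_activity, today, dormant_days=90) -> List[dict]:
    """Return only the exceptions: events that do not match an approved
    entitlement, plus entitled accounts that have gone dormant."""
    exceptions: List[dict] = []
    seen = dict(last_activity)

    def flag(kind, user, system, detail):
        exceptions.append({"kind": kind, "user": user, "system": system, "detail": detail})

    for ev in parse_log(log_text):
        user, system, op = ev["user"], ev["system"], ev["op"]
        if system not in SENSITIVE_SYSTEMS:
            continue
        seen[user] = max(seen.get(user, date.min), ev["ts"].date())
        acct = entitlements.get(user)
        # Denied attempts are reported too: a probe is itself an exception.
        detail = f"{op} ({ev['status']}) at {ev['ts'].isoformat()}"
        if acct is None:
            flag("unknown_account", user, system, detail)
        elif acct["status"] != "active":
            flag("inactive_account", user, system, detail)
        elif system not in acct["grants"]:
            flag("no_grant_on_system", user, system, detail)
        elif op not in acct["grants"][system]:
            flag("operation_not_granted", user, system, detail)

    # Entitled but unused accounts are the stale doors an intruder looks for.
    for user, acct in entitlements.items():
        if acct["status"] != "active" or not (set(acct["grants"]) & SENSITIVE_SYSTEMS):
            continue
        last = seen.get(user)
        if last is None or (today - last).days > dormant_days:
            flag("dormant_account", user, ",".join(sorted(acct["grants"])),
                 f"last seen {last.isoformat() if last else 'never'}")
    return exceptions


def run_daily_review() -> List[dict]:
    """Run the control over the constructed sample data for 2010-12-11."""
    return review(ENTITLEMENTS, SAMPLE_LOG, LAST_ACTIVITY, date(2010, 12, 11))


if __name__ == "__main__":
    for e in run_daily_review():
        print(f"{e['kind']:22} {e['user']:10} {e['system']:12} {e['detail']}")
```

Run against the sample day, the report lists five items and nothing else: a read-only user writing, a terminated account still logging in, an account that exists in no entitlement list, a denied probe of a system the user has no grant on, and one dormant account. The normal traffic of jsmith and svc_batch never reaches Risk Management, which is what keeps a daily control from being ignored.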
7. 5.7 Security Surveillance
Control Objective: IT security administration should ensure that security activity is logged, and any indication of imminent security violation is reported immediately to all who may be concerned (internally and externally) and acted upon in a timely manner.

Recommendation:
According to msnbc.com, Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said (Heartland Payment Systems Hacked-Technology & Science - Security, 2009). That the first indication came from the card brands rather than from Heartland's own monitoring shows that Heartland's security surveillance was not adequate to detect the breach earlier. I recommend that Heartland upgrade its existing network surveillance software and hardware and implement new procedures for detecting malicious behavior on the Heartland network, including a defined path for escalating an alert to people who can act on it.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Upgrade existing network surveillance software/hardware and implement new procedures for detecting malicious behavior on the Heartland network
Hardware: Existing hardware (possibly upgraded)
Software: Existing software (possibly upgraded)
Telecommunications: None
Cost: Cost of labor, and optional cost of hardware/software
8. 5.9 Central Identification and Access Rights Management
Control Objective: Controls are in place to ensure that the identification and access rights of users, as well as the identity of system and data ownership, are established and managed in a unique and central manner to obtain consistency and efficiency of global access control.

Recommendation:
Evidence exists that it was possible for intruders to enter through corporate servers and plant malware. Once they gained access to a corporate system, the hackers planted sophisticated packet-sniffing tools and other malware to detect and steal payment card data flowing over the victim companies' networks, according to court documents (Vijayan, 2009). Servers that are built and administered one at a time, each with its own local accounts and settings, are where such footholds go unnoticed. Heartland should manage server identities and access rights centrally and bring every server to a common, documented configuration standard, so that an account or service that does not belong stands out.

Plan of Action:
People: Risk Management, Security Management, and Network Server Team
Procedures: A server security standardization project should be planned and implemented.
Hardware: Existing
Software: Existing
Telecommunications: None
Cost: Small-sized project (500-1,000 hours, $25,000-$50,000)
9. 5.10 Violation and Security Activity Reports
Control Objective: IT security administration should ensure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Logical access to the computer resources' accountability information (security and other logs) should be granted based upon the principle of least privilege or on a need-to-know basis.

Recommendation:
We recommend that Heartland review and rewrite its procedures for completing violation and security activity reports so that they support the precautions taken to stop future security breaches. Heartland should "establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations" (Payment Card Industry (PCI) Data Security Standards Requirements and Security Assessment Procedures Version 2.0, 2009). Access to the logs themselves should be restricted, and they should be written to a system the monitored hosts cannot alter, so that an intruder who controls a server cannot also erase the record of what was done on it.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Implement new violation and security activity reporting procedures to ensure proper escalation and logging of security incidents.
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Cost of labor
10. 5.11 Incident Handling
Control Objective: Management should establish a computer security incident handling capability to address security incidents by providing a centralized platform with sufficient expertise and equipped with rapid and secure communication facilities. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and timely response to security incidents.

Recommendation:
As a result of this breach, incident handling should include prioritization. In late 2008, Heartland hired two forensics companies it hasn't identified. Both scoured the network, but it wasn't until Jan. 12 that one found strange-looking data coming from Heartland's system that let Heartland employees uncover the intrusion (King, 2009). In future incidents, when outside forensics companies or other security and audit specialists are engaged, a data and system classification should determine the order in which systems are examined, based on their criticality to the business. This allows focused network scans of the systems that hold sensitive data to be executed first, rather than scouring the whole network at once.

Plan of Action:
People: IS Help Desk, Risk Management, Security Management, external consultant
Procedures: Internal procedure change across internal IS teams
Hardware: None
Software: None
Telecommunications: None
Cost: Small procedure enhancement: 20-40 hours at a resource-loaded rate of $65 per hour
11. 5.12 Reaccreditation
Control Objective: Management should ensure that reaccreditation of security (e.g., through tiger teams) is periodically performed to update the formally approved security level and the acceptance of residual risk.

Recommendation:
Heartland went through the reaccreditation process for Payment Card Industry Data Security Standard (PCI DSS) certification. However, Heartland's CEO said that PCI DSS was an insufficient protective measure and that the standard for security should be much higher (McGlasson, 2009). Heartland therefore knew that its approved security measures were subpar, yet the accepted security level was never revised. What Heartland should have put in place was a team of people who examined its security measures directly. That team should have gone through each step in the payment process and found where the risks in that process lie; a compliance assessment confirms that required controls exist, not that they would stop an attack. After the team completed the assessment, the accepted security level should have been updated to the correct standard.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams, a team of people (e.g., tiger teams) to assess the security measures
Procedures: Update the accepted security level
Hardware: Existing hardware
Software: Existing software
Telecommunications: None
Cost: Cost of employee labor, cost of tiger team
12. 5.13 Counterparty Trust
Control Objective: Organizational policy should ensure that control practices are implemented to verify the authenticity of the counterparty providing electronic instructions or transactions. This can be implemented through trusted exchange of passwords, tokens or cryptographic keys.

Recommendation:
Evidence suggests a potential weakness in the fact that data must be decrypted to move from Heartland's system to Visa and MasterCard, because the card brands accept only unencrypted data. That hand-off between parties is an obvious weakness: there is no telling whether that link (which might run over a telecommunications connection spanning 2,000 or so miles) can be breached. A project implementing E3 end-to-end encryption, tokenization and other methods that allow sensitive data to move through networks encrypted should be launched (Farrell, 2010). Where a counterparty will only accept clear data, the link to it should at least be authenticated with keys exchanged out of band and carried over an encrypted channel, so that each side can verify who it is talking to.

Plan of Action:
People: Risk Management, Security Management, external consultant, business units, IS, Server Team
Procedures: Updated procedures will result from this project.
Hardware: Point-of-sale terminals and magnetic card readers
Software: Enhancement of software is likely.
Telecommunications: Changes recommended as part of this project
Cost: Medium-sized project (1,000-2,000 hours, $50,000-$100,000), not including the cost to merchants for new point-of-sale terminals and card readers
13. 5.14 Transaction Authorization
Control Objective: Organizational policy should ensure that, where appropriate, controls are implemented to provide authenticity of transactions and establish the validity of a user's claimed identity to the system. This requires use of cryptographic techniques for signing and verifying transactions.

Recommendation:
The software that was planted could read and collect unencrypted data in motion (Higgins, 2009). Heartland needs a cryptographic technique under which each transaction is signed by its originator and verified by the receiving system before it is processed, so that a transaction that has been altered in transit, injected or replayed is rejected. Heartland also needs a policy under which the validity of a user's claimed identity can be established. It will need to update its hardware and software to allow these cryptographic techniques to be used. Heartland must also ensure that people in the company do not share their credentials with anyone else: it does not matter how good the encryption is if employees share credentials to gain access at a higher security level than the one they are assigned.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Adopt a cryptographic technique under which each transaction is signed and verified
Hardware: New hardware will need to be purchased if existing hardware does not support cryptographic techniques.
Software: New software will need to be purchased if existing software does not support cryptographic techniques.
Telecommunications: Telecommunications will need to be upgraded if they do not support cryptographic techniques.
Cost: Cost of employee labor, new hardware, software and upgraded telecommunications
14. 5.16 Trusted Path
Control Objective: Organizational policy should ensure that sensitive transaction data are exchanged only over a trusted path. Sensitive information includes security management information, sensitive transaction data, passwords and cryptographic keys. To achieve this, trusted channels may need to be established using encryption between users, between users and systems, and between systems.

Recommendation:
A SQL injection attack gave the intruders their entry, and malware was then used to capture card data as it was being processed (Cheney, 2010). That the captured data was readable shows that Heartland did not have trusted channels established inside its own network. Heartland needs a trusted path for its transactions covering user-to-user, user-to-system and system-to-system communication, and a procedure to ensure that sensitive information is sent only over that path. This means secure communications for every step in the payment process from beginning to end, including the internal hops between processing systems, since the sniffer sat on Heartland's own network rather than on the public Internet. It will include updating hardware and software so that encryption can be used at each step.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Implementation of a trusted path for secure communications, including end-to-end protection of the payment process
Hardware: Upgraded hardware as needed to ensure a trusted path
Software: Upgraded software as needed to ensure a trusted path
Telecommunications: Telecommunications will need to be upgraded to secure every step of the payment process
Cost: Cost of upgraded telecommunications, hardware and software
15. 5.17 Protection of Security Functions
Control Objective: Security-related hardware and software should at all times be protected against tampering and against disclosure of secret keys to maintain their integrity. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.

Recommendation:
According to the report from Cheney, Heartland monitors its data 24/7 and 7% of its information technology staff is focused specifically on security. However, the attackers gained access to the corporate network first and were able to perform many activities before gaining access to the processing network (Cheney, 2010). Heartland needs to keep its sensitive processing environment separate from the corporate network, so that a compromise of an ordinary corporate host does not place an attacker next to the payment systems. Knowledge of the security design should be limited to the people who need it, without relying on that secrecy: the controls must hold even against an attacker who knows how they work. Heartland also needs to ensure that its security software and hardware are protected against tampering.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Ensure that the security design is shared only with those who need it and that security software and hardware are protected against tampering.
Hardware: Existing
Software: Existing
Telecommunications: Ensure that the processing network and security management traffic are kept separate from the rest of the company.
Cost: Employee labor
16. 5.18 Cryptographic Key Management
Control Objective: Management should define and implement procedures and protocols to be used for generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure. If a key is compromised, management should ensure that this information is propagated to any interested party through the use of certificate revocation lists or similar mechanisms.

Recommendation:
The vulnerable web form used to gain entry had existed for a long period of time, but it was not exploited until 2007 (Cheney, 2010). A weakness that sits unnoticed for years carries the same risk as a long-lived key: the longer a key stays in use, the more data it protects and the more likely it is to have been exposed without anyone noticing. Heartland needs to ensure that cryptographic keys are not modified or disclosed, that every key has an identifier and a defined lifetime so that it is rotated on schedule, and that if a key is compromised it is revoked, anything it protected is re-encrypted, and the correct people inside and outside the company are notified.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Ensure that cryptographic keys are not modified or disclosed, that keys are rotated on a defined schedule, and that if a key is compromised the information is communicated
Hardware: None
Software: Upgrade encryption software to include cryptographic key management
Telecommunications: Ensure that if a key is compromised the compromise is communicated to the correct people
Cost: Upgraded software
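The transaction signing recommended under 5.14, the counterparty verification under 5.13 and the key rotation and revocation required here under 5.18, as one added Python example that is not from the original report. Each transaction is authenticated with HMAC-SHA256 under a versioned key ring; the receiver verifies before processing and rejects tampering, replay, and anything signed under a revoked key. The KeyRing and Verifier classes, the message layout (key id, body, mac), the nonce-based replay check and the sample transaction are assumptions made for the example; a production system would keep the keys in an HSM and distribute them out of band, which this example does not attempt.

```python
import copy
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


class KeyRing:
    """Versioned MAC keys with an assumed lifecycle: active -> retired -> revoked.

    Only the newest key signs. Retired keys still verify, so in-flight
    transactions survive a scheduled rotation. A revoked key verifies
    nothing, so every message signed under a compromised key is refused.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, dict] = {}
        self._current: Optional[str] = None

    def generate(self) -> str:
        kid = f"k{len(self._keys) + 1:03d}"
        self._keys[kid] = {"key": secrets.token_bytes(32), "state": "active"}
        if self._current is not None:
            self._keys[self._current]["state"] = "retired"   # rotation
        self._current = kid
        return kid

    def revoke(self, kid: str) -> None:
        self._keys[kid]["state"] = "revoked"
        self._keys[kid]["key"] = b""           # destroy the material as well
        if kid == self._current:
            self._current = None

    def state(self, kid: str) -> str:
        return self._keys[kid]["state"]

    def signing_key(self) -> Tuple[str, bytes]:
        if self._current is None:
            raise RuntimeError("no active key; generate one before signing")
        return self._current, self._keys[self._current]["key"]

    def verifying_key(self, kid: str) -> Optional[bytes]:
        entry = self._keys.get(kid)
        if entry is None or entry["state"] == "revoked":
            return None
        return entry["key"]


def canonical(body: dict) -> bytes:
    """Stable serialization so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(ring: KeyRing, txn: dict) -> dict:
    """Originator side: add a fresh nonce, MAC the body under the current key."""
    kid, key = ring.signing_key()
    body = dict(txn, nonce=secrets.token_hex(16))
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"kid": kid, "body": body, "mac": mac}


class Verifier:
    """Receiver side: verify before the transaction is processed."""

    def __init__(self, ring: KeyRing) -> None:
        self.ring = ring
        self._seen_nonces = set()

    def verify(self, msg: dict) -> Tuple[bool, str]:
        key = self.ring.verifying_key(msg["kid"])
        if key is None:
            return False, "unknown or revoked key"
        expected = hmac.new(key, canonical(msg["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"              # altered in transit or forged
        nonce = msg["body"]["nonce"]
        if nonce in self._seen_nonces:
            return False, "replay"
        self._seen_nonces.add(nonce)
        return True, "ok"


def demo() -> Dict[str, object]:
    """Walk through sign, tamper, replay, rotate and revoke; return the outcomes."""
    ring = KeyRing()
    k1 = ring.generate()
    verifier = Verifier(ring)
    txn = {"merchant_id": "M123", "pan_token": "7403811937091111",   # constructed
           "amount_cents": 1999, "currency": "USD"}
    msg = sign_transaction(ring, txn)
    out: Dict[str, object] = {"genuine": verifier.verify(msg)}
    tampered = copy.deepcopy(msg)
    tampered["body"]["amount_cents"] = 199900
    out["tampered"] = verifier.verify(tampered)
    out["replayed"] = verifier.verify(msg)
    ring.generate()                                # scheduled rotation to k2
    out["k1_state_after_rotation"] = ring.state(k1)
    out["old_key_still_verifies"] = Verifier(ring).verify(msg)
    out["new_key_signs"] = verifier.verify(sign_transaction(ring, txn))
    ring.revoke(k1)                                # k1 reported compromised
    out["after_revocation"] = Verifier(ring).verify(msg)
    out["k2_unaffected"] = verifier.verify(sign_transaction(ring, txn))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Two design points matter for the controls above. The key id travels with the message, which is what lets a receiver honour a rotation (retired keys still verify) while refusing a revoked one; and the MAC only proves who sent the message and that it was not changed, it does not hide the card data, so it complements the encryption in 5.3 and 5.16 rather than replacing it.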
17. 5.19 Malicious Software Prevention, Detection and Correction
Control Objective: Regarding malicious software, such as computer viruses or Trojan horses, management should establish a framework of adequate preventive, detective and corrective control measures, and occurrence response and reporting. Business and IT management should ensure that procedures are established across the organization to protect information systems and technology from computer viruses. Procedures should incorporate virus protection, detection, occurrence response and reporting.

Recommendation:
The malware targeted data in transit rather than a stored database, which made it easier for the attackers to mask themselves from detection (Cheney, 2010). Signature-based antivirus aimed at stored files does not catch a purpose-built packet sniffer; Heartland needs detection for this class of malware on its processing hosts (unexpected processes, network interfaces placed in promiscuous mode, and outbound connections the hosts have no business making), together with preventive and corrective measures to protect its infrastructure. Heartland also needs to ensure that when malicious software is detected the correct people are notified and the occurrence is responded to.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Provide a software solution that ensures malicious software prevention and detection, including malware that captures data in motion.
Hardware: Existing
Software: Upgraded software that provides malicious software prevention and detection, including for malware that captures data in motion
Telecommunications: None
Cost: New anti-malware software, implementation cost
18. 5.20 Firewall Architectures and Connections with Public Networks
Control Objective: If connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of service, unauthorized access to the internal resources and control any application and infrastructure management flows in both directions.

Recommendation:
Heartland's CEO knew that the company needed to move to a higher standard for security (McGlasson, 2009). Heartland needs firewalls in place that control application and infrastructure management flows in both directions. Heartland not only needs to ensure that its data is protected from the outside; it also needs to ensure that sensitive information from the inside cannot be sent out of the network. The stolen card data had to leave Heartland's network to reach the attackers, so egress rules that allow processing systems to talk only to known counterparties, and that alert on anything else, are as important as the inbound rules.

Plan of Action:
People: CIO, Director of IS, IS Infrastructure teams
Procedures: Provide a firewall solution that ensures control of data flow in both directions
Hardware: Upgraded firewalls to control data flow in both directions
Software: None
Telecommunications: Ensure that communications are controlled in both directions
Cost: New firewalls
19. Summary of Recommendations
Organization and Management of Systems
New ID / Authentication Solution
Better Secure Data Practices
Increase of Security Surveillance
Encryption of Data
Creation of a Trusted Path to Move Data
Data in Motion Security Protection
Creation of Updated Firewall Rules
20. APA Sources
Heartland Payment Systems Hacked - Technology & Science - Security. (2009, January 20). Retrieved December 11, 2010, from msnbc.com: http://www.msnbc.msn.com/id/28758856/ns/technology_and_science-security/

In re Heartland Payment Systems, Inc. Securities Litigation, Case 3:09-cv-01043-AET-TJB, Document 25. (2009, December 7). United States District Court, District of New Jersey.

Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0. (2009, October). Retrieved December 11, 2010, from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Acohido, B. (2009, January 23). Hackers breach Heartland Payment credit card system. Retrieved December 11, 2010, from USA Today: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
21. APA Sources (continued)
Albanesius, C. (2010, May). Inside the biggest online theft case. PC Magazine, 29(5).

Cheney, J. S. (2010, January). Heartland Payment Systems: Lessons learned from a data breach. Retrieved December 11, 2010, from Federal Reserve Bank of Philadelphia: http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf

Cyprus, B. (2009, June). Wireless POS makes your business more efficient. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/Wireless_POS.pdf

Cyprus, B. (2010, January). Control your security, and PCI will follow: The four most vital actions restaurants can take to accelerate network and credit card data security. Retrieved December 2010, from Vendor Safe Technologies: http://www.vendorsafe.com/images/pdfs/whitepaper2_control_your_security.pdf

Farrell, F. (2010, June 28). Once hacked, twice paranoid. Forbes, 185(11), 50.
22. APA Sources (continued)
Higgins, K. (2009). Heartland CEO provides more details on big data breach. Retrieved December 11, 2010, from Dark Reading: http://www.darkreading.com/security/attacks-breaches/214600079/index.html

Howley, E. (2010, October). UNF security breach affects more than 100,000 IDs. Retrieved November 5, 2010, from First Coast News: http://www.firstcoastnews.com/news/topstories/news-article.aspx?storyid=171731&catid=3

Johnson, A. (2010, March). Guide for security configuration management of information systems (Draft NIST SP 800-128). Retrieved December 2010, from csrc.nist.gov: http://csrc.nist.gov/publications/drafts/800-128/draft_sp800-128-ipd.pdf

King, R. (2009, July 6). Lessons from the data breach at Heartland. Retrieved from Bloomberg Businessweek Special Report: http://www.businessweek.com/technology/content/jul2009/tc2009076_891369.htm

Krebs, B. (2009, January 20). Payment processor breach may be largest ever. Retrieved December 11, 2010, from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
23. APA Sources (continued)
McGlasson, L. (2009). Lawsuit: Heartland knew data security standard was 'insufficient'. Retrieved December 11, 2010, from BankInfoSecurity: http://www.bankinfosecurity.com/articles.php?art_id=1834

Metzger, T. (2010, February 2). How tokenization works. Retrieved December 11, 2010, from Merchant Account Guide: The Merchant Account Experts: http://www.merchantaccountguide.com/merchant-account-news/how-tokenization-works.php

Our technology: Payment & transaction processing for merchant accounts. (n.d.). Retrieved November 5, 2010, from Heartland Payment Systems: http://www.heartlandpaymentsystems.com/Technology/

UNF President's Office: Strategic Plan 2009-2014. (n.d.). Retrieved November 5, 2010, from University of North Florida: http://www.unf.edu/president/Strategic_Plan_2009-2014.aspx

Vijayan, J. (2009, August 17). U.S. says SQL injection caused major breaches. Computerworld.