I heard a talk by Heartland CEO Robert Carr at SRI in Menlo Park, CA. He laid out the timeline of the attacks on Heartland that resulted in their huge data breach:
- Sometime in 2007: A hacker executes a SQL injection attack on an externally accessible web page, installs sniffer software on a database server and begins to monitor traffic
- Early 2008: Pen test discovers the SQL injection vulnerability and mitigates it. However, the sniffer is not discovered.
- April 2008: Heartland passes its PCI audit
- May 2008: Hackers begin to steal credit card data
So what are the lessons here?
- Audits can give you a false sense of security. A manual audit won’t discover everything. Two separate audit activities (the pen test and PCI audit) were performed during the time Heartland was breached and neither discovered it fully.
- Passing an audit is not the same thing as compliance. As mentioned in an earlier post, PCI requires firewalls to be configured to prevent the kind of data exfiltration that occurred at Heartland. So even though Heartland passed its audit, it was not compliant with PCI.
Manual audits can never be more than a spot check on your security. By their nature, they only sample a small percentage of your infrastructure. Passing an audit shouldn’t make you feel secure. And when issues are found (like Heartland’s SQL injection vulnerability), you should wonder what else might be out there (like Heartland’s sniffer).
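One way to make the firewall lesson concrete is to look in your own logs for the traffic the rule is supposed to block, rather than trusting the audit result. This is an added example, not code from the original post or from Heartland: a Python script that reads constructed flow-log lines and flags any connection from the database segment to a destination outside an allow list. The network ranges, the log format and the sample flows are all assumptions.

```python
import ipaddress
import re

# Assumed (constructed): cardholder-data database servers live in 10.20.0.0/24.
DB_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
# Assumed (constructed): the only destinations a database server legitimately reaches.
ALLOWED_EGRESS = [
    ipaddress.ip_network("10.10.0.0/24"),  # application tier
    ipaddress.ip_network("10.30.0.5/32"),  # internal update mirror
]

# Assumed flow-log format (constructed): "<ts> <src>:<sport> -> <dst>:<dport> <bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

def parse_flow(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped, not silently trusted
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["dport"] = int(d["dport"])
    d["bytes"] = int(d["bytes"])
    return d

def find_unexpected_egress(lines, min_bytes=0):
    """Flows leaving the DB segment for a destination not on the allow list.
    The firewall should block these; if they appear, the control is not in place."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f["src"] not in DB_SEGMENT:
            continue  # not from a database server
        dst = f["dst"]
        if dst in DB_SEGMENT or any(dst in net for net in ALLOWED_EGRESS):
            continue  # internal or explicitly permitted destination
        if f["bytes"] >= min_bytes:
            findings.append((f["ts"], str(f["src"]), str(dst), f["dport"], f["bytes"]))
    return findings

# Constructed sample flows: routine traffic plus one large transfer to a public host.
SAMPLE_FLOWS = [
    "2008-05-01T02:10:00 10.20.0.7:51022 -> 10.10.0.3:8443 1820",
    "2008-05-01T02:11:00 10.20.0.7:51023 -> 10.30.0.5:443 5400",
    "2008-05-01T02:12:00 10.20.0.7:51024 -> 203.0.113.25:443 48211000",
    "2008-05-01T02:13:00 10.10.0.3:40000 -> 10.20.0.7:1433 900",
]
```

Running `find_unexpected_egress(SAMPLE_FLOWS)` returns only the third flow; a database server that the firewall rules say cannot reach the Internet has sent 48 MB to a public address, which is exactly the gap an audit that checks the rulebook but not the traffic would miss.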
