# Blog | Aeris Secure
https://aerissecure.com/blog/

The Aeris Secure blog provides insight on current topics in cyber security, risk management and compliance.

## Weekly Wrap Up | Oct 10, 2014
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2014-10-10, https://aerissecure.com/blog/weekly-wrap-up-oct-10-2014/

This week's wrap up includes information on failing incident response, an update on the Chase Bank data breach, the Jimmy John's data breach, and the Goodwill data breach.
### Schneier Says Incident Response is Failing
#### Key Details
- Hacking attacks are inevitable, so organizations need to move from protection and detection towards breach management
- Proper response can make the difference in surviving a breach
- "A sufficiently motivated, funded and skilled hacker will always get in"
- The '90s were about protection, the '00s about detection, and this decade is about response
- Security is a mix of people, processes, and technology
#### Lessons Learned
With most organizations not investing enough in protection and detection, it becomes more critical that they take response seriously. With the growing demand for skilled security professionals, and incident response being a highly specialized and technical niche in security, it might prove difficult to find qualified people when needed. It is crucial in this threat landscape of "when", not "if", you get breached that all organizations think about how to respond to a breach, have a plan, and practice the plan. Key to success is making sure those involved understand their role and can respond quickly.
#### News Stories
- [theregister.co.uk | 'A motivated, funded, skilled hacker will always get in' – Schneier](http://www.theregister.co.uk/2014/10/09/your_security_defences_are_going_to_fall_get_over_it_schneier/)
### Chase Breach Update
#### Key Details
- New York Times reports Chase breach also affected 9 other unnamed financial institutions.
- Chase breach impacted 76 million households and 7 million businesses.
- Breach exposed names, addresses, phone numbers, and emails. No evidence of compromised account numbers, passwords or social security numbers.
- The string of massive breaches has heightened expectations around cyber security.
#### Lessons Learned
Even though Chase is claiming no account information was compromised, the impact here is huge. The threat of a data breach isn't just an IT problem; it is a business problem and must be taken seriously at the executive level. Although the attack didn't compromise account data, it appears the attackers are now using the personal contact information to carry out phishing attacks to try to gain access to banking credentials. This should be a reminder to everyone that banks will never ask for sensitive information over email or text message.
#### News Stories
- [scmagazine.com | Report: After Chase disclosure, bank regulator rallies execs to shore up defenses](http://www.scmagazine.com/the-chase-data-breach-has-prompted-a-regulator-to-meet-with-chief-executives-of-regulated-firms/article/375675/)
### Signature Systems & Jimmy John's
#### Key Details
- Jimmy John's sandwich shop confirms data breach of more than 200 stores
- Attackers gained access to Jimmy John's POS system through Signature Systems' remote access support account
- Signature Systems announced that the breach extended to nearly 100 other stores, mainly small mom-and-pop restaurants
#### Lessons Learned
This is another story of a third-party service provider negatively impacting its clients. Based on the details known, it doesn't look like two-factor authentication was used, which is a PCI requirement. It is important for merchants to be aware of their PCI requirements and ensure their service providers are meeting them. The [SAQ Instructions and Guidelines document](https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf), provided by the PCI SSC, gives a good list of questions a merchant should ask when selecting a POS vendor and support team.
#### News Stories
- [krebsonsecurity.com](http://krebsonsecurity.com/2014/09/signature-systems-breach-expands/) | Signature Systems Breach Expands
- [pcisecuritystandards.org](https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf) | Self-Assessment Questionnaire Instructions and Guidelines
### Goodwill Data Breach
#### Key Details
- Breach came through third party C&K Systems
- C&K Systems' hosted managed services environment was targeted intermittently from Feb. 2013 to Aug. 2014
- Affected Goodwill stores in more than 20 states
- Affected at least two companies other than Goodwill
- Attack used a variant of infostealer.rawpos malware
- Similar but not directly related to the Neiman Marcus, Home Depot, P.F. Chang's, and Target breaches
#### Lessons Learned
This is another example of attackers taking the path of least resistance. All of these recent data breaches have one thing in common: third parties have been the attack vector. Rather than going after the stores themselves or constructing elaborate schemes to gain physical access to the POS, attackers are coming in through the service providers that are supposed to make life easier. This is another reason to make sure, even as a small business, that you have iron-clad, rock-solid service agreements with any third party you outsource a business function to. No matter how small it may seem at the time, a solid service agreement could save loads of money in the future.
#### News Stories
- [arstechnica.com](http://arstechnica.com/security/2014/09/credit-card-data-theft-hit-at-least-three-retailers-lasted-18-months) | Credit card data theft hit at least three retailers, lasted 18 months
## Weekly Wrap Up | Sept 12, 2014
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2014-09-16, https://aerissecure.com/blog/weekly-wrap-up-sept-12-2014/

This week's wrap up will provide key details of The Home Depot data breach, information on the Cyber Protection Brigade, and key details of the report discussing the vetting of cyber contractors.
### The Home Depot Confirms Data Breach
#### Key Details
- Data Breach Confirmed
- Investigating transactions from as early as April
- Home Depot reaffirms that no customers will be liable for fraudulent charges reported in a timely manner
- Home Depot stock is down 2.9% since first disclosing the possible breach
#### Lessons Learned
Following through on doing what's best for their customers, Home Depot has confirmed that there was indeed a data breach on their network. It wasn't much of a surprise for them to confirm the breach after they had already disclosed the possibility last week. Going one step further and doing the right thing with the confirmation is something many companies should take note of. Customer trust is not an easy thing to earn, and rightly so. I feel that their seemingly transparent way of handling this situation so far will go a long way in helping earn some of that trust back. Had they waited and tried to hide the breach, Home Depot would be much worse off than they are now.
#### News Stories
- [forbes.com](http://www.forbes.com/sites/maggiemcgrath/2014/09/08/home-depot-confirms-data-breach-investigating-transactions-from-april-onward/) | Home Depot Confirms Data Breach, Investigating Transactions From April Onward
### Cyber Protection Brigade
#### Key Details
- New cyber branch could be established as early as October
- First brigade of its kind
- It takes 3 years of training to qualify for the brigade
- Many of today's weapon systems are run by computers and can be popular targets for adversaries
#### Lessons Learned
In today's increasingly connected world it's only a matter of time before an attacker compromises a military network and gains access to weapons systems or other sensitive data. The fact that the military is possibly creating its own cyber branch further solidifies how real an attack vector networks and computer systems can be. The wars of tomorrow are well on their way to being fought completely in cyberspace, and it's important to remember that there is always collateral damage, and that collateral damage can easily be ill-prepared business owners or private users.
#### News Stories
- [army.mil](http://www.army.mil/article/133176/Army_standing_up_cyber_brigade__possible_cyber_branch/) | Army standing up cyber brigade, possible cyber branch
### Report: Agencies Aren't Properly Vetting All Cyber Contractors
#### Key Details
- More than 75% of the Transportation Department's information security workforce are contractors
- Some of them haven't even had background checks
- Similar situation occurred at the State Department
- In one instance a courier who delivered IRS documents had served 21 years in prison for arson, retaliation, and even attempted escape
#### Lessons Learned
This story goes to show how easy it is for upper-level management to get too far removed from everyday operations. Due to a lack of oversight, people didn't perform their jobs up to par and some tasks went undone. This is also a good example of how separation and rotation of duties proves to be a useful layer of security. Had they been rotating job duties, the people coming in would have had to review the policies and procedures for the new position and could have acted accordingly. It's true the new person could have missed the background checks too, but rotation of duties still adds another layer that must fail before something like this happens.
#### News Stories
- [nextgov.com](http://www.nextgov.com/cybersecurity/2014/09/agencies-contractor-employees-cyber-workforce/93620/?oref=ng-channelriver) | Report: Agencies Aren't Properly Vetting All Cyber Contractors
## Weekly Wrap Up | Sept 5, 2014
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2014-09-09, https://aerissecure.com/blog/weekly-wrap-up-sept-5-2014/

This week's wrap up will provide key details of a possible Home Depot breach and an update to the Chase Bank data breach.
### The Home Depot
#### Key Details
- No official confirmation of a data breach
- The Home Depot hired Symantec Corp. and Fishnet Security to investigate
- The Home Depot is fast tracking deployment of Chip-and-PIN cards to be complete by the end of 2014
- Customers will not be liable for fraudulent charges
- If the breach is confirmed, Home Depot will offer free identity protection services to affected customers
#### Lessons Learned
This is a prime example of how a data breach should be addressed. The Home Depot has done (so far) a phenomenal job of keeping the public, and more importantly its customers, informed, even though they haven't actually confirmed a breach yet. It also goes to show that the infamous Target breach isn't the last of its kind. On that note, companies like Target and more recently Home Depot have many more resources to work with in preventing these kinds of things from happening, so what is the small business owner supposed to do to protect themselves? This should further solidify that nobody is immune to breaches and everybody needs to take proper steps to make sure they don't become the next victim.
#### News Stories
- [Customer update on payment breach](https://corporate.homedepot.com/MediaCenter/Pages/Statement1.aspx)
- [Home Depot working 'around the clock' to find data breach CEO says](http://fortune.com/2014/09/04/home-depot-data-breach/)
- [What It Means For Home Depot If Data Breach Is Larger Than Target's](http://www.forbes.com/sites/samanthasharf/2014/09/03/what-it-means-for-home-depot-if-data-breach-is-larger-than-targets)
### Chase Bank
#### Key Details
- Unlike the Home Depot breach, this breach is confirmed
- Discovered weeks ago, but investigators are unsure if the hackers have been removed from the network
- Attackers entered through a vulnerable Linux server
- Possibly the same attackers as the Home Depot and infamous Target breaches
- Attacks may have originated from Russian soil
#### Lessons Learned
Some people may think: even with all their resources a major bank was still breached, so why should I even bother to protect my assets? That question simply boils down to what you would do if a catastrophic breach occurred. Chances are that if you don't take any steps to prevent and mitigate an attack, one will happen and you will not survive it. There are many simple steps that pretty much any company can take to help prevent attacks on their systems. Most of them involve educating employees, which can be much easier than one might think.
#### News Stories
- [JPMorgan Data Breach Traced Back To Russia, Which Calls Claim 'Nonsense'](http://www.ibtimes.com/jpmorgan-data-breach-traced-back-russia-which-calls-claim-nonsense-1678296)
- [JPMorgan's Stolen Data Rerouted To Russia](http://www.bidnessetc.com/25060-jpmorgans-stolen-data-rerouted-to-russia/2/)
- [hstoday.us](http://www.hstoday.us/briefings/daily-news-analysis/single-article/fbi-probes-possible-russian-cyber-attack-on-major-us-banks/c29aa362171639d8e1d31c962efedc2d.html) | FBI Probes Possible Russian Cyber Attack On Major US Banks
## Weekly Wrap Up | Aug 29, 2014
Garrett Stiles (https://aerissecure.com/blog/author/garrett/), 2014-08-30, https://aerissecure.com/blog/weekly-wrap-up-aug-29-2014/

This week has been a pretty eventful one in the world of information security. There have been quite a few news stories worth checking out. I thought I would post a summary of this week's news stories, and share my insights and lessons learned.
Enjoy the holiday weekend.
### Backoff Malware
#### Key Details
- Backoff malware targets Point-of-Sale systems to steal credit card data
- Method of entry is through remote access software (LogMeIn, Windows Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Pulseway, etc.)
- More than 1000 US businesses have been infected with malware targeting Point of Sale systems
- The Payment Card Industry Security Standards Council issues bulletin urging merchants to update antivirus, check system logs and update passwords as protection from Backoff
- US-CERT has posted an Advisory detailing the threat and business impact, as well as recommended solutions
#### Lessons Learned
A common method of entry across many of the recent breaches is remote access. It is the simple trade-off between convenience and security. From a business perspective, no one wants to be bothered with enabling service accounts every time there is an issue, or with jumping through the hoops of two-factor authentication. Things get even more complicated, and maybe impossible to implement, when small businesses rely heavily on third-party suppliers. It is critical to make sure that these third-party vendors properly protect the access channels they use and take the security of your business seriously. It is becoming more important to properly vet service providers to ensure they have the knowledge and experience to provide the services they offer. Don't rely on a POS tech support company to be an expert in security. It is also important to implement proper monitoring of remote access and throughout your network.
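One concrete form the remote-access monitoring recommended above can take (and the kind of check that would have surfaced misuse of a vendor's shared support account, as in the Signature Systems story) is a small policy check over RDP logon records. This is an added example, not code from the blog or any vendor; the log lines, host names, the `possupport` account, the allowlisted address and the maintenance window are all constructed assumptions.

```python
"""Flag policy-breaking remote-access logons to POS hosts (added example,
not the blog's code). Input is a constructed, simplified rendering of Windows
Security Event ID 4624 records; LogonType 10 is RemoteInteractive (RDP)."""
import re
from datetime import datetime, time

# Constructed sample log; hosts, accounts and addresses are hypothetical.
SAMPLE_LOG = """\
2014-08-28T02:13:07 EventID=4624 Host=POS-REG01 User=possupport LogonType=10 SrcIP=198.51.100.23
2014-08-28T14:05:41 EventID=4624 Host=POS-REG01 User=possupport LogonType=10 SrcIP=203.0.113.8
2014-08-28T15:12:09 EventID=4624 Host=POS-REG02 User=cashier3 LogonType=2 SrcIP=-
2014-08-28T23:47:55 EventID=4624 Host=POS-REG02 User=possupport LogonType=10 SrcIP=203.0.113.8
2014-08-29T10:30:00 EventID=4624 Host=BACKOFFICE User=manager LogonType=10 SrcIP=10.0.0.15
"""

# Assumed policy: the vendor's shared support account may only connect from its
# published address inside an agreed window; nobody else should RDP to a register.
VENDOR_ACCOUNTS = {"possupport"}
VENDOR_ALLOWLIST = {"203.0.113.8"}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))
REMOTE_LOGON_TYPES = {"10"}  # add "3" to also cover network logons

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) Host=(?P<host>\S+) User=(?P<user>\S+) "
    r"LogonType=(?P<ltype>\d+) SrcIP=(?P<src>\S+)"
)

def parse_line(line):
    """Return the fields of one record as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def flag_remote_logons(log_text):
    """Return (host, user, reason) for every remote logon that breaks policy."""
    findings = []
    start, end = MAINTENANCE_WINDOW
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["eid"] != "4624" or rec["ltype"] not in REMOTE_LOGON_TYPES:
            continue
        reasons = []
        if rec["user"] in VENDOR_ACCOUNTS:
            if rec["src"] not in VENDOR_ALLOWLIST:
                reasons.append("vendor account from non-allowlisted source " + rec["src"])
            if not start <= rec["ts"].time() <= end:
                reasons.append("vendor logon outside maintenance window")
        elif rec["host"].startswith("POS-"):
            reasons.append("non-vendor remote logon to POS host")
        findings.extend((rec["host"], rec["user"], r) for r in reasons)
    return findings
```

On the sample above this flags the 02:13 logon from an unknown address (twice: wrong source and outside the window) and the 23:47 logon from the vendor's own address, while the daytime vendor session and the manager's back-office session pass.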
#### News Stories
- [Point-of-Sale malware has now infected over 1,000 companies in US](http://arstechnica.com/security/2014/08/point-of-sale-malware-has-now-infected-over-1000-companies-in-us/)
- [Retailers warned to act now to protect against Backoff malware](http://www.computerworld.com/article/2599724/data-security/retailers-warned-to-act-now-to-protect-against-backoff-malware.html)
- [PCI SSC Bulletin on Malware Related to Recent Breach Incidents](https://www.pcisecuritystandards.org/pdfs/140827_PCI_SSC_Statement_on_Malware_Related_to_Recent_Breach_Incidents.pdf)
- [US-CERT.gov](https://www.us-cert.gov/ncas/alerts/TA14-212A) | Alert (TA14-212A) Backoff Point-of-Sale Malware
### Possible Dairy Queen Data Breach
#### Key Details
- Data breach is still unconfirmed
- Notification of the possible breach came from a credit union in the Midwest
- A common point of purchase was traced back to several Dairy Queen franchise locations in Florida, Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas
- This possible breach seems very similar to other recent confirmed and potential breaches involving the Backoff malware
#### Lessons Learned
Like the majority of discovered security breaches, the notice of this potential breach came from a third party. This points to a lack of vigilance and monitoring at small retailers and restaurants. The threat landscape these days is such that no business is too small to become a victim. Krebs also noted that Dairy Queen doesn't have a breach notification policy in place with its franchise operators. Businesses need to realize the impact a security breach can have on a company, both big and small. Large organizations might be able to absorb the financial blow, unlike small businesses, but the social and brand impact could hurt for a long time to come. Franchise organizations should look into supporting their franchisees not only with business operation policies and procedures, but with guidance for IT security and management as well.
#### News Stories
- [DQ Breach? HQ Says No, But Would it Know?](http://krebsonsecurity.com/2014/08/dq-breach-hq-says-no-but-would-it-know/)
- [Dairy Queen Investigates Possible Data Breach](http://nrn.com/technology/dairy-queen-investigates-possible-data-breach)
### Community Health Services Data Breach
#### Key Details
- Security breach affected 4.5 million patients
- Method of compromise was through OpenSSL "Heartbleed" vulnerability
- VPN credentials were exposed through vulnerability and allowed attackers remote access
- Heartbleed is still alive and well. Hundreds of thousands of corporate servers, routers and firewalls are still vulnerable to Heartbleed today
#### Lessons Learned
Incident response is crucial. There is a critical window between the release of a 0-day and when a vendor issues a patch for its systems and applications. During this time it is critical that an organization have proper monitoring in place as well as a capable incident response team able to react and implement compensating controls while waiting for a vendor patch to be released. A quick response to a vulnerability, especially one as impactful as Heartbleed, can make the difference in preventing a data breach like this one.
#### News Stories
- [CHS hacked via Heartbleed Vulnerability](https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec)
- [APT Gang Branches Out to Medical Espionage in Community Health Breach](http://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach)
- [Heartbleed Hack Still a Threat Six Months After Discovery](http://www.bloomberg.com/news/2014-08-27/heartbleed-hack-still-a-threat-six-months-after-discovery.html)