BLOG POST

This week has been a pretty eventful one in the world of information security. There have been quite a few news stories worth checking out. I thought I would post a summary of this weeks news stories, and share my insights and lessons learned.

Enjoy the holiday weekend.

Backoff Malware

Key Details

• Backoff malware targets Point-of-Sale systems to steal credit card data
• Method of entry is through remote access software (LogMeIn, Windows Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Pulseway, etc.)
• More than 1000 US businesses have been infected with malware targeting Point of Sale systems
• The Payment Card Industry Security Standards Council issues bulletin urging merchants to update antivirus, check system logs and update passwords as protection from Backoff
• US-CERT has posted an Advisory detailing the threat and business impact, as well as recommended solutions

Lessons Learned

A common method of entry between many of the recent breaches is remote access. It is the simple trade of of convenience and security. From a business perspective, no one wants to be bothered with enabling service accounts every time there is an issue, or jumping through the hoops two-factor authentication. Things get even more complicated, and maybe impossible to implement, when small businesses rely heavily on on third party suppliers. It is critical to make sure that these 3rd party vendors properly protect the access channels they use, and take the security of your business seriously. It is becoming more important to properly vet service providers to ensure they have the knowledge and experience to provide the services they offer. Don't rely on a POS tech support company to be an expert in security. It is also important to implement proper monitoring on remote access and throughout your network.

News Stories

• Point-of-Sale malware has now infected over 1,000 companies in US
• Retailers warned to act now to protect against Backoff malware
• PCI SSC Bulletin on Malware Related to Recent Breach Incidents
• Alert (TA14-212A) Backoff Point-of-Sale Malware

Possible Dairy Queen Data Breach

Key Details

• Data breach is still unconfirmed
• Notification of the possible breach came from a credit union in the Midwest
• A common point of purchase was traced back to several Dairy Queen franchise locations in Florida, Alabama, Indianan, Illinois, Kentucky, Ohio, Tennessee, and Texas
• This possible breach seems very similar to other recent confirmed and potential breaches involving the Backoff malware

Lessons Learned

Like the majority of discovered security breached, the notice of this potential breach came from a third party. This points to a lack of vigilance and monitoring in place at small retailers and restaurants. The threat landscape these days is such that no business is too small to become a victim. Krebs also noted that Dairy Queen doesn't have an breach notification policy in place with its franchise operators. Businesses need to realize the impact a security breach can have on a company, both big and small. Large organizations might be able to absorb the financial blow, unlike small businesses, but the the social and brand impact could hurt for a long time to come. Franchise organizations should look into supporting there franchisees not only with business operation policies and procedures, but guidance for IT security and management as well.

News Stories

• DQ Breach? HQ Says No, But Would it Know?
• DiaryQueen Investigates Possible

Community Health Services Data Breach

Key Details

• Security breach affected 4.5 million patients
• Method of compromise was through OpenSSL "Heartbleed" vulnerability
• VPN credentials were exposed through vulnerability and allowed attackers remote access
• Heartbleed is still alive and well. Hundreds of thousands of corporate servers, routers and firewalls are still vulnerable to Heartbleed today

Lessons Learned

Incident response is crucial. There is a critical window between the release of an 0-day and when a vendor issues a patch for its systems and applications. During this time it is critical that an organization have proper monitoring in place as well as a capable incident response team able to react and implement compensating controls while you wait for a vendor patch to be released. A quick response to vulnerability, especially ones as impactful as Heartbleed, can make the difference in a preventing a data breach like this one.

News Stories

• CHS hacked via Heartbleed Vulnerability
• APT Gang Branches Out to Medical Espionage in Community Health Breach
• Heartbleed Hack Still a threat Six Months After Discovery