This week's wrap up includes information on failing incident response, an update on the Chase Bank data breach, Jimmy Johns data breach, and the Good Will data breach.
Schneier Says Incident Response is Failing
- Hacking attacks are inevitable, so organizations need to move from protection and detection towards breach management
- Proper response can make the difference in surviving a breach
- "A sufficiently motivated, funded and skilled hacker will always get in"
- 90's were about protection, 00's about detection, and this decade is about response
- Security is a mix of people, processes, and technology
With most organizations not investing enough in protection and detection, it becomes more critical that they take response seriously. With the growing demand for skilled security professionals, and incident response being a highly specialized and technical niche in security, it might prove difficult to find people qualified when needed. It is crucial in this threat landscape of "When" not "If" you get breached that all organizations think about how to respond to a breach, have a plan, and practice the plan. Key to success is making sure those involved understand their role and can respond quickly.
Chase Breach Update
- New York Times reports Chase breach also affected 9 other unnamed financial institutions.
- Chase breach impacted 76 million households and 7 million businesses.
- Breach exposed names, addresses, phone numbers, and emails. No evidence of compromised account numbers, passwords or social security numbers.
- The string of massive breaches has heightened expectations around cyber security.
Even though Chase is claiming no account information was compromised, the impact here is huge. The threat of a data breach isn't just an IT problem, it is a business problem and must be taken seriously at the executive level. Even though the attack didn't compromise account data, it appears the attackers are now using the personal contact information to carry out phishing attacks to try an gain access to banking credentials. This should be a reminder to everyone that banks will never ask for sensitive information over email or text message.
Signature Systems & Jimmy John's
- Jimmy John's sandwhich shop confirms data breach of more then 200 stores
- Attackers gained access to Jimmy John's POS system through Signature Systems' remote access support account
- Signature Systems announced that the breach extended to nearly 100 other stores, mainly small mom-and-pop restaurants
This is another story of a 3rd party service provider negatively impacting is clients. Based on the details known it doesn't look like two-factor authentication was used, which is a PCI requirement. It is important for merchants to be aware of their PCI requirements and ensure their service providers are meeting them. The SAQ Instructions and Guidelines document, provided by the PCI SSC, provides a good list of questions a merchant should ask when selecting a POS vendor and support team.
- krebsonsecurity.com | Signature Systems Breach Expands
- pcisecuritystandards.org | Self-Assessment Questionnaire Instructions and Guidelines
Goodwill Data Breach
- Breach came through third party C&K Systems
- C&K System's hosted managed services environment was targeted intermittently from Feb. 2013 to Aug. 2014
- Affected Goodwill stores in more than 20 states
- Affected at least two companies other than Goodwill
- Attack used a variant of infostealer.rawpos malware
- Similar but not directly related to the Neiman Marcus, Home Depot, P.F. Chang's, and Target breaches
Another example of attackers going down the path of least resistance. All these recent data breaches have one thing in common. Third parties have been the attack vector. Rather than going after the stores themselves or constructing elaborate schemes to gain access the POS physically attackers are coming in through service providers that are supposed to make life easier. This is another reason to make sure even as a small business you have iron clad, rock solid service agreements with any third party you outsource any business function to. No matter how small it may seem at the time, a solid service agreement could save loads of money in the future.
arstechnica.com | Credit card data theft hit at least three retailers, lasted 18 months