BLOG POST

This week's wrap up includes information on failing incident response, an update on the Chase Bank data breach, Jimmy Johns data breach, and the Good Will data breach.

Schneier Says Incident Response is Failing

Key Details

• Hacking attacks are inevitable, so organizations need to move from protection and detection towards breach management
• Proper response can make the difference in surviving a breach
• "A sufficiently motivated, funded and skilled hacker will always get in"
• 90's were about protection, 00's about detection, and this decade is about response
• Security is a mix of people, processes, and technology

Lessons Learned

With most organizations not investing enough in protection and detection, it becomes more critical that they take response seriously. With the growing demand for skilled security professionals, and incident response being a highly specialized and technical niche in security, it might prove difficult to find people qualified when needed. It is crucial in this threat landscape of "When" not "If" you get breached that all organizations think about how to respond to a breach, have a plan, and practice the plan. Key to success is making sure those involved understand their role and can respond quickly.

News Stories

theregister.co.uk | 'A motivated, funded, skilled hacker will always get in' – Schneier

Chase Breach Update

Key Details

• New York Times reports Chase breach also affected 9 other unnamed financial institutions.
• Chase breach impacted 76 million households and 7 million businesses.
• Breach exposed names, addresses, phone numbers, and emails. No evidence of compromised account numbers, passwords or social security numbers.
• The string of massive breaches has heightened expectations around cyber security.

Lessons Learned

Even though Chase is claiming no account information was compromised, the impact here is huge. The threat of a data breach isn't just an IT problem, it is a business problem and must be taken seriously at the executive level. Even though the attack didn't compromise account data, it appears the attackers are now using the personal contact information to carry out phishing attacks to try an gain access to banking credentials. This should be a reminder to everyone that banks will never ask for sensitive information over email or text message.

News Stories

• scmagazine.com | Report: After Chase disclosure, bank regulator rallies execs to shore up defenses

Signature Systems & Jimmy John's

• Jimmy John's sandwhich shop confirms data breach of more then 200 stores
• Attackers gained access to Jimmy John's POS system through Signature Systems' remote access support account
• Signature Systems announced that the breach extended to nearly 100 other stores, mainly small mom-and-pop restaurants

Lessons Learned

This is another story of a 3rd party service provider negatively impacting is clients. Based on the details known it doesn't look like two-factor authentication was used, which is a PCI requirement. It is important for merchants to be aware of their PCI requirements and ensure their service providers are meeting them. The SAQ Instructions and Guidelines document, provided by the PCI SSC, provides a good list of questions a merchant should ask when selecting a POS vendor and support team.

News Stories

• krebsonsecurity.com | Signature Systems Breach Expands
• pcisecuritystandards.org | Self-Assessment Questionnaire Instructions and Guidelines

Goodwill Data Breach

Key Details

• Breach came through third party C&K Systems
• C&K System's hosted managed services environment was targeted intermittently from Feb. 2013 to Aug. 2014
• Affected Goodwill stores in more than 20 states
• Affected at least two companies other than Goodwill
• Attack used a variant of infostealer.rawpos malware
• Similar but not directly related to the Neiman Marcus, Home Depot, P.F. Chang's, and Target breaches

Lessons Learned

Another example of attackers going down the path of least resistance. All these recent data breaches have one thing in common. Third parties have been the attack vector. Rather than going after the stores themselves or constructing elaborate schemes to gain access the POS physically attackers are coming in through service providers that are supposed to make life easier. This is another reason to make sure even as a small business you have iron clad, rock solid service agreements with any third party you outsource any business function to. No matter how small it may seem at the time, a solid service agreement could save loads of money in the future.

News Stories

arstechnica.com | Credit card data theft hit at least three retailers, lasted 18 months