Sister CISA CISSP

Jan 27 2009   5:51PM GMT

More on the Heartland Breach

Arian Eigen Heald

Some interesting information is coming forward about the break in at Heartland Payment Systems. The Secret Service has identified an overseas suspect, according to StoreFront BackTalk.

What’s more interesting (to me, at least) is that the sniffer software installed on Heartland’s systems was already deactivated when it was found. This can mean any number of things: it might not have been the malware that accompanied the data theft, it might have been waiting to be re-activated, or it might have been turned off because the thieves knew they had been spotted.

From an audit perspective, this makes me return to the challenge of how we monitor changes to our systems. How do we know when something has been installed or deleted? There are a number of software packages that purport to be able to monitor and report on changes (Tripwire comes to mind), but as an engineer I know that changes happen on a server architecture all the time.
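As an added illustration of the change-monitoring question above (example code, not from the original post and not Tripwire's own logic): a minimal file-integrity baseline that hashes a directory tree, skips paths that legitimately change all the time (log files), and reports what was added, removed or modified between two snapshots. The directory layout and file contents are constructed inline for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, ignore=()):
    """Map relative path -> hash for every file under root, skipping ignore globs."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not any(rel.match(pat) for pat in ignore):
            baseline[rel.as_posix()] = hash_file(p)
    return baseline

def compare(old, new):
    """Diff two baselines; 'added' and 'modified' are the entries an auditor must explain."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }

def demo():
    """Constructed scenario: snapshot, simulate an install, a tamper, a delete and log growth, re-snapshot."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("bin", "etc", "logs"):
            (root / sub).mkdir()
        (root / "bin" / "service").write_bytes(b"original binary")
        (root / "etc" / "service.conf").write_text("port=443\n")
        (root / "logs" / "app.log").write_text("line 1\n")
        before = build_baseline(root, ignore=("logs/*",))
        (root / "bin" / "extra.so").write_bytes(b"unexpected new file")  # something installed
        (root / "bin" / "service").write_bytes(b"replaced binary")       # existing binary changed
        (root / "etc" / "service.conf").unlink()                         # something deleted
        with open(root / "logs" / "app.log", "a") as f:                  # routine churn, ignored
            f.write("line 2\n")
        return compare(before, build_baseline(root, ignore=("logs/*",)))

if __name__ == "__main__":
    print(demo())
```

The ignore list is what keeps this usable on a busy server: every path a change-management process expects to churn goes there, so what remains in the report is exactly the set of changes nobody filed a ticket for.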

Do we simply monitor traffic to and from the systems? I can’t imagine that this would be feasible with payment systems that have 100 million transactions a month, like Heartland.

Do we look for anomalies in the traffic? Even tougher and more CPU-intensive. We can watch outbound firewall traffic against block lists of known malware servers, but that list would change constantly.

Ideas? Suggestions? I’m shaking my head.
