Some interesting information is coming forward about the break-in at Heartland Payment Systems. The Secret Service has identified an overseas suspect, according to StoreFront BackTalk.
What’s more interesting (to me, at least) is that the sniffer software installed on Heartland’s systems was deactivated when it was found. This could mean any number of things: it might not have been the malware that accompanied the data theft, it might have been waiting to be re-activated, or it might have been turned off because the thieves knew they had been spotted.
From an audit perspective, this makes me return to the challenge of how we monitor changes to our systems. How do we know when something has been installed or deleted? There are a number of software packages that purport to be able to monitor and report on changes (Tripwire comes to mind), but as an engineer I know that changes happen on a server architecture all the time.
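To make the Tripwire-style approach concrete, here is an added example (my own illustration, not code from the original post or from any product): a minimal file-integrity baseline that hashes a tree, then reports what was added, removed or modified against that baseline. The directory layout and file contents are constructed for the demo.

```python
"""Baseline-and-diff file integrity check (illustrative, constructed data)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def diff_snapshots(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: a binary is dropped, a config edited, a log deleted."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("bin", "etc", "var"):
            os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, "etc", "app.conf"), "w") as fh:
            fh.write("listen=443\n")
        with open(os.path.join(root, "var", "audit.log"), "w") as fh:
            fh.write("startup ok\n")
        baseline = snapshot(root)  # taken while the system is known-good

        # Changes an auditor would want flagged (all constructed):
        with open(os.path.join(root, "bin", "svchelper"), "wb") as fh:
            fh.write(b"placeholder bytes standing in for an unknown binary")
        with open(os.path.join(root, "etc", "app.conf"), "a") as fh:
            fh.write("debug=1\n")
        os.remove(os.path.join(root, "var", "audit.log"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

A dormant binary is still a new file, so a baseline comparison flags it whether or not it is running; the hard part, as the post notes, is that legitimate deployments show up in the same report and the baseline itself has to be stored where an intruder cannot rewrite it.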
Do we simply monitor traffic to and from the systems? I can’t imagine that this would be feasible with payment systems that have 100 million transactions a month, like Heartland.
Do we look for anomalies in the traffic? Even tougher, and more CPU-intensive. We can watch outbound firewall traffic against block lists of known malware servers, but that list would change constantly.
Ideas? Suggestions? I’m shaking my head.