100% security doesn’t exist.
The frustrating truth is that almost every organisation will suffer a security breach at some point. Whether it is the defacement of a website, loss of data through a Trojan horse or the corruption of a system by a virus or worm, most companies will experience some form of data breach. This includes merchants who have diligently put measures in place to prevent fraud by implementing the correct security processes and procedures, enlisted specialist third-party anti-fraud services, adhered to appropriate industry initiatives such as 3D Secure and CV2, and complied with PCI DSS to protect their infrastructure against attack.
While all of these measures form part of a comprehensive security plan - and PCI DSS is a good basis on which to build resilience to a breach - there simply is no foolproof solution. The level of fraud is staggering and always changing in scope. In 2008, for example, 19% of organisations who were subject to a security breach were, in fact, PCI compliant. Many organisations never even realise they have been hacked. In 2008, 69% of credit card breaches were reported by third parties rather than by the breached organisation.
Hackers use freely available company data to target and ‘footprint’ an organisation in preparation for an attack. They are creative, innovative and above all persistent; intent on stealing data from whatever channel they can, be it customer data, credit card numbers or corporate documents. No matter how much an organisation tries to prevent and protect against a breach, the persistent hacker may find a hole that a systems administrator hasn’t plugged. Merchants should therefore be ready for the eventuality of a security breach with procedures in place to pursue and rapidly respond should an external or internal breach occur.
Prepared for action
Once a breach becomes apparent, merchants must immediately contain and limit the exposure of the breach to minimise data loss. If the merchant is PCI DSS compliant, they will have an incident response process in place which should be followed. If a merchant does not have an incident response process in place or is not PCI DSS compliant, they should engage the services of a forensic specialist to investigate the breach, determine the root cause and pursue the perpetrators.
Merchants also need to notify their acquiring bank as soon as possible; the bank may also request that they assign a Qualified Forensics Investigator (QFI), from a reputable fraud and payment security specialist like The Logic Group, to investigate the breach. The merchant can choose their own QFI from a list provided by VISA and/or MasterCard. Prompt action is critical when a breach occurs; if a merchant doesn’t already have relationships in place with a QFI, valuable time can be lost. In some instances it can take as long as three to four weeks to get the legal agreements in place (such as NDAs, a contract for forensic services, a pricing schedule etc). It therefore makes sense to already have a QFI assigned to the company. If the relationship already exists, the QFI can be integrated into a merchant’s incident response plan so that reaction to a breach is immediate.
Pre-arranged service contracts with QFIs are available, providing a 24 x 7 call-out service to deal with any security incident. Such contracts are similar to a gas boiler maintenance contract with an on-call emergency service and an annual inspection to assess risks and exposure from external and internal threats.
Within three days the merchant must also provide a Compromised Entity Details report to the card scheme(s).
Investigating a breach
A forensic investigator will follow a structured forensic methodology using different tools to analyse the compromised environment. An investigator will first work to isolate the area of compromise, both to limit further compromise and to maintain the integrity of the environment. This then allows them to conduct forensic tests to identify the method of compromise and, where possible, identify evidence to support finding the identity of the perpetrator. Most importantly, the investigator will know how to preserve, extract and analyse evidence in a manner that can stand up in a court of law and that complies with the requirements of the card schemes.
Many security breaches are via SQL injection. Typically this is where an e-commerce website has not been securely coded or hasn’t had the appropriate security penetration testing performed. This weakness allows a hacker to steal data directly from the customer database anonymously over the Internet. Many major high street brands have a significant online presence in, for example, the estate agent, holiday travel, car insurance, electrical gadgets, auction and book selling market sectors. In these markets insecure websites can potentially leak customer and financial data.
In the majority of cases the method, area of breach and data at risk can be identified. In cases where the compromised card numbers are known, they can be searched for using e-discovery tools.
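As an added illustration of that last step (example code, not from the original article or from The Logic Group): a minimal e-discovery pass that scans captured artefacts for candidate card numbers, drops look-alike digit strings with the Luhn check, and flags those appearing on a list of scheme-reported compromised PANs. The log lines, the compromised list and the `PAN_RE` pattern are constructed for this example; output is masked so the report itself does not become a store of cardholder data.

```python
import re
from dataclasses import dataclass

# Constructed sample: fragments of a web-server access log and an application
# dump, of the kind a forensic image of an e-commerce host might contain.
SAMPLE_ARTEFACT = """\
10.0.0.5 - - [12/Mar/2009:10:14:22 +0000] "GET /checkout?pan=4111111111111111&cvv=123 HTTP/1.1" 200 512
order_id=77812 card=5555-5555-5555-4444 exp=0311
order_id=77813 card=4012 8888 8888 1881 exp=1210
debug: session token 1234567890123456 issued
10.0.0.9 - - [12/Mar/2009:10:15:01 +0000] "GET /product?id=88213&ref=200903121015 HTTP/1.1" 200 9031
"""

# Constructed list of PANs the card scheme has reported as compromised.
KNOWN_COMPROMISED = {"4111111111111111", "4012888888881881"}

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass
class PanHit:
    line_no: int
    masked: str                 # first 6 and last 4 digits only
    known_compromised: bool

def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str, known: set) -> list:
    """Scan text line by line; return Luhn-valid PAN hits with masked values."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue        # session tokens, order ids and timestamps fall out here
            hits.append(PanHit(line_no, mask(digits), digits in known))
    return hits
```

Running `find_pans(SAMPLE_ARTEFACT, KNOWN_COMPROMISED)` yields three hits on lines 1 to 3, two of them on the compromised list; the 16-digit session token on line 4 fails Luhn and is excluded.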
QFIs can also use a Certified Ethical Hacker (CEH) to identify risks. Using the same tools as an unethical hacker, a CEH will have permission to test a live system with the full cooperation of the client in order to identify where there are weaknesses in the environment. The CEH will then write a report on the weaknesses found and provide recommendations for remediation.
The evidence captured during an investigation will be analysed, logged and securely stored in a forensics lab which employs specialist tools to ensure all data is protected during the investigation so that evidence cannot be tampered with.
Knowing what to do and taking quick action in the event of a breach is critical. Using the services of a QFI and establishing the relationship early on will help to ensure that a breach is identified and contained quickly. The resulting forensic analysis will also provide the best possible chance of pursuing the breach and shoring up an organisation’s defences to ensure a similar attack doesn’t happen again.
Security is not a quick fix. Organisations must evaluate and assess all parts of their business to identify the risks and potential for exposure. Comprehensive processes and procedures must be put in place to prevent breaches from happening in the first place, best-practice guidelines should be followed to protect an infrastructure from attack, including compliance with PCI DSS, and organisations should be ready to pursue a breach should it occur by rapidly responding in the event of a compromise. While fraudulent activity can never be avoided completely, this is an organisation’s best defence.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.