View “Lessons from the Heartland Data Breach” on Vimeo to hear from Robert O. Carr, speaking for the victim organization. Read his testimony before the United States Senate Committee on Homeland Security and Government Affairs. An apparently secure (even audited, pen tested and forensically examined) organization was breached. You can be PCI DSS compliant and still pay the penalties of a data breach.
My take-aways from the Heartland breach: a SQL injection vulnerability was discovered and then remediated, but too late; the damage was already done. Previously undetected malware was running on the system. Even though an intrusion was suspected, this malware escaped the auditors, the pen testers and (for a long time) the forensic examiners. In the end, the forensic examiners found the vital clue revealing that a security breach had occurred and was still occurring, and that the intrusion response procedure needed to be invoked.
Why so long? Undetected malware is not the sort of problem auditors look for. Pen testers would fail since the system had been hardened after the breach. A more efficient approach to the forensic examination would have been to keep a set of hash values of known-good files, compute the hash values of the current files, and inspect the files that do not match the “known good” list. See Simple Malware Discovery Measures for additional approaches.
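The known-good hash comparison described above, as an added example written for this post (not code from the original, from Heartland or from the forensic examiners). It builds a baseline of SHA-256 values for a file tree, then audits the live tree against that baseline and reports files that were modified, files that are not in the baseline at all, and files that have gone missing. The directory layout and file contents in `demo()` are constructed in a temporary directory purely to exercise the logic.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256.
    In practice the result is taken from a clean build or install and stored
    off the host, so an intruder cannot rewrite the list of "known good" files."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def audit(root: Path, known_good: dict) -> dict:
    """Compare the live tree against the known-good baseline.
    Returns the three kinds of mismatch an examiner would inspect first:
    modified (hash differs), unexpected (not in baseline), missing (gone)."""
    current = build_baseline(root)
    modified = sorted(p for p in current
                      if p in known_good and current[p] != known_good[p])
    unexpected = sorted(p for p in current if p not in known_good)
    missing = sorted(p for p in known_good if p not in current)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a replaced
    binary, a dropped file and a deleted config, and audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original application bytes")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")

        known_good = build_baseline(root)  # the "known good" list

        # Constructed post-intrusion changes (not real artefacts):
        (root / "bin" / "app").write_bytes(b"original application bytes plus extra")
        (root / "bin" / "helper").write_bytes(b"file that was never in the baseline")
        (root / "etc" / "app.conf").unlink()

        return audit(root, known_good)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats worth keeping in mind when using this on a real host: the baseline must come from a trusted source and be stored where the compromised system cannot alter it, and a hash comparison only covers files on disk, so malware that lives only in memory or in a legitimately writable data area still needs the other discovery measures the post refers to.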
The Hannaford Brothers breach is also attributed to undetected malware.
My theory is that malware never (or perhaps rarely) travels alone: previously undetected malware is always (or perhaps usually) accompanied by detected malware. Relying on anti-virus software to detect all malware is false confidence. Investigating detected malware yields information you want to use, and that information may point to previously undetected malware or to where the malware is coming from. Was there detected malware accompanying the undetected malware in the Heartland breach?
I do agree that encryption of data is an additional defense, an additional preventive measure. There is also a need for readily available detective measures: reliable mechanisms to confirm or deny an incident quickly.
See also: Online Trust Alliance (OTA) 2011 Data Breach & Loss Incident Readiness Guide