07-29-13 | Blog Post
Recently, Nasdaq.com reported on hackers that gained access to more than a dozen major global payment processor, retailer and financial institutions’ systems, including NASDAQ (trading platform unaffected), 7-Eleven, JC Penney, Heartland Payment Systems, Visa Jordan, Global Payment, JetBlue, Dow Jones and others.
In a press release from last week, a federal indictment announced that five men in Russia were charged with conspiring in the international hacking scheme which resulted in 160 million credit card numbers stolen. Issued by the U.S. Attorney’s Office, District of New Jersey, the scheme was described as the largest ever prosecuted in the United States.
So how did they do it? Justice.gov reports initial entry was gained using an SQL injection – SQL (Structured Query Language) is a programming language often used to manage databases. After finding vulnerabilities in SQL databases, the hackers would infiltrate the computer network and then use malware to create a backdoor that would maintain unauthorized access to the network. In some cases, their malware was on several companies’ servers for over a year.
After they stole credit card numbers and other personal data, they sold it to resellers worldwide through online forums or direct.
How did they get away with it undetected? The hackers used anonymous web hosting services provided by another conspirator that didn’t keep records of their activities or report to law enforcement. The hackers also communicated only through private/encrypted channels, and they were able to disable security settings on their targeted companies to keep from logging their actions on their networks.
How much was lost? About $300 million reported by the financial institutions, credit card companies and consumers.
As U.S. Attorney Paul J. Fishman stated in the press release, “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful.”
How can you protect your company against these types of attacks and decrease your risk of suffering from business loss? A web application firewall (WAF) can help protect your networks and servers more than a traditional IPS/IDS (Intrusion Protection/Detection System) by having the capability of detecting and preventing SQL injections.
For companies that need to meet PCI DSS compliance (Payment Card Industry Data Security Standards), including those that were affected by this breach, requirement 6.6 states you must install a WAF in front of public-facing web applications to detect and prevent web-based attacks.
The same goes for healthcare organizations that need to meet HIPAA compliance – technical safeguards dictate they must implement technical security measures to guard against unauthorized access to ePHI (electronic protected health information) being transmitted over an electronic communications network.
For more information about other ways to secure your servers against a data breach, read about our Technical Security services.
Or, if you’re confused about how to meet technical security requirements of PCI DSS, read our PCI Compliant Hosting white paper. It discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing, and vendor selection criteria.
Related Articles:
Encrypting Backup Data for HIPAA and PCI Compliance
Stored data is a top target by hackers, especially the type of data that can be used for fraud and medical identity theft – within the healthcare industry in particular, encrypting stored data to meet HIPAA compliance is one way … Continue reading →
A Quick Tech Tutorial: Daily Log Review for PCI Compliance
A daily log review can detect patterns of normal use and provide insight into any abnormalities in the system network and servers instead of auditing devices after an event occurs. With consistent monitoring and analysis, data breaches can be pinpointed … Continue reading →
Offsite Backup and IT Disaster Recovery for PCI DSS Compliance
For companies that deal with credit cardholder data, including e-commerce, retail, franchise, etc., the Payment Card Industry Data Security Standards (PCI DSS) are the official security guidelines set by the major credit card brands. Of the 12 PCI DSS requirements … Continue reading →
References:
Five Indicted in New Jersey for Largest Known Data Breach Conspiracy
PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)
DOJ Charges Five Hackers in Data Breach Scheme