Feedback Friday: 56 Million Payment Cards Compromised in Home Depot Breach - Industry Reactions

Home Depot Confirming Data Breach

Home Depot has confirmed that it has suffered a data breach in which credit and debit cards used at stores across the United States and Canada have been compromised. The company estimates that a total of 56 million customer payment cards had been exposed between April and September 2014.

The investigation is ongoing, but the retailer says the attackers used a unique, custom-built piece of malware to evade detection. There's no evidence that debit card PINs have been compromised, and stores in Mexico or customers who shopped online are not affected by the breach, Home Depot said.

The company is confident that the malware has been eliminated from all infected terminals and that the method of entry used by the attackers has been closed off. To prevent future incidents, Home Depot has implemented encryption mechanisms to protect payment data, and it plans on deploying chip and PIN technology to all of its United States stores by the end of the year.

Feedback Friday

What types of security solutions should have been used by Home Depot? What are best practices for avoiding such incidents? What steps should the retail industry take? These are just some of the questions answered by members of the security industry.

And the Feedback Begins...

Joshua C. Douglas, Chief Technology Officer, Raytheon Cyber Products:

"With the rise in POS compromises across the industry, one has to wonder, is there a deeper problem at hand, and are the POS systems the problem themselves? One, maybe two, affected commerce companies could be coincidental; but having the likes of these multiple, major retail organizations breached seems to point back to a larger problem. These systems need to contain tamper-resistant active threat monitoring, as well as the manufacturers being looked at for breaches, themselves."

Rahul Kashyap, Chief Security Architect and Head of Research at Bromium:

"It's disconcerting to note that retailer breaches are quickly becoming habitual headlines. The impact is millions of innocent end users at risk. Notably, it's reported that the recent Home Depot breach used repurposed POS malware that was used in prior breaches. Retailers and all other commerce platforms are the ultimate levelers that 'flatten' the Internet population.

From a sophisticated security-savvy professional to the not-so-savvy grandmom, we all end up visiting these shops and are equally vulnerable. This is a loud wake-up call to the on-the-ground realities of cyber security and unfortunately, we don't see any signs of an end to this - yet."

Eric Ouellet, Vice President of Strategy at Bay Dynamics:

"The reality is that, as long as organizations continue to look at IT security with an individual security solution silo view, data breaches like Home Depot's will continue to occur. In fact, when you look at large organizations like Home Depot and Target, the breaches did not occur due to a lack of security tools investment, but rather the breadcrumbs left behind point to three key factors:

1. Each of the security solutions on their own produces an unprecedented amount of event data that typically overwhelms even the largest of security teams, and so it is practically impossible to find the most important needles in the haystacks in any reasonable amount of time.

2. Each security solution operates on its own, meaning there is no stitching of information between systems and as a result you have dozens of individual haystacks that you need to look at each and every day.

3. Any attempts at stitching information between haystacks of data are typically a manual process that is supported with some technologies like SIEM or other case management tools that are ill-suited for this task.

This approach is flawed, and proof of it is demonstrated time and time again with each breach that occurs. What you need is not only a federated view of all the security solutions but a way to identify all the individual needles in each of the haystacks and then a way to find the common thread that links individual needles together across all of the security solutions. What might appear as noise in one security solution might in fact be an important breadcrumb that tips the importance of an event in another. The use of federated user behavior analytics is the only way to find that common story line and elevate individual actions above the overall noise."

Chris Morales, practice manager at security testing and analysis firm NSS Labs:

"[The Home Depot attack] looks to be the exact same as the previous round of retail industry attacks using the BlackPOS point of sale malware specifically targeted at the retail industry. I'm not surprised this has occurred and I am sure we will hear quite a few more in the near future.

What I don't understand is why the retail industry has not taken action against an obvious targeted attack that has caused so much damage elsewhere. How is it that large retailers like Home Depot didn't assume the breach before they had to be told about it by an outside source? Has the retail industry done nothing since last winter? Every company in the retail industry should be performing a thorough investigation of their POS network with the assumption they have already been compromised."

Matthew Alderman, Vice President of Strategy, Tenable Network Security:

"Proper security of credit card data requires not just compliance but basic security hygiene, including continuous detection and response capabilities to investigate and mitigate malicious activity. Is the industry implementing the proper capabilities to effectively manage 'security' or are they viewing this as a 'compliance' activity?

Annual reports on compliance, quarterly scanning and 'security' point solutions may meet the 'compliance' requirements of the Data Security Standard, but they're not effective in maintaining the 'security' of credit card data. These breaches are just a reminder that we need to properly secure our environments, not just comply with the requirements."

Tom Keigher, Senior Penetration Tester and Security Researcher, Foreground Security:

"Facts in the investigation will unfold and change rapidly, but some things about the retail breaches remain fairly similar. For starters, the malware used in the Target and Home Depot breaches appears to be related. This is not surprising, as the tools needed to perpetrate things like this are readily available in some of the Internet's darker corners for black market prices.

Currently, Home Depot's breach looks to have a similarly vulnerable point of entry: an aging operating system on their point-of-sale systems. In fact, the Windows-based OS may even be the same one Target's POS systems used. The solution is over a decade old, and many weaknesses in it would be trivial to exploit.

I believe the heart of the issue is two-fold, and likely to lead to many more breaches down the road. Firstly, there is a terrible notion of security products among technical and non-technical business folks alike: It's the idea that we can address modern threats by buying a bunch of new firewalls or a new anti-virus package, back the truck up to the loading dock, and drop it all in place to call that risk 'mitigated.' Surely Home Depot could update their POS systems to a more current OS, but that is just one small part of the picture.

I say this problem is two-fold because none of those security products are worth a thing to an organization's security posture unless they have really talented and experienced folks operating them. The problem is that those are in short supply these days. I think companies know they need exceptional people. The bad guys are clever and they don't play by a rule book. That isn't a secret at all. The trouble is that finding people to outthink them can be hard or even impossible. We need to start looking at cybersecurity holistically: the people and the tools need to be tailored to the network and the environment they are intended to protect."

Dan Waddell, Director of Government Affairs, (ISC)2:

"Home Depot and other online retailers should augment their alerting service by adding an option to notify users every time a transaction is made on their account. This would help consumers learn about fraudulent charges more quickly, while also saving retailers the hassle of remediating additional fraudulent charges."

Patrick Thomas, security consultant at Neohapsis:

"Historically, when organizations learn of their own compromise by reports from unrelated third parties it means that the intrusion has been ongoing for months. (See Verizon Data Breach Investigation Report, 2013, Fig 45)

While traditional emphasis on breach prevention remains important, mature organizations are also placing significant resources into defense-in-depth approaches that frustrate attackers' ability to move around the network to exfiltrate data. Each time an attacker is forced to do something unusual to overcome these internal defenses, it provides an additional opportunity for monitoring systems to identify the intrusion.

There's little that consumers can do directly to protect themselves from these sorts of compromises. Certainly all consumers should keep a close eye on their credit card statements and credit report, but they can also vote with their dollars and reward companies that publicly demonstrate a commitment to security."

Steve Hultquist, chief evangelist for RedSeal Networks:

"Retail breaches continue to demonstrate the sophistication of the attackers and the reward they receive being worth the investment they make in their attacks. These investments mean that enterprises must likewise increase their defensive investments, especially in the analysis of potential attack vectors. Simply reacting while attacks are in progress is insufficient. Each enterprise must know its network security architecture and have automated analysis to ensure that the entire end-to-end network complies with its policies. Not doing so is effectively agreeing to be attacked in unknown ways and having to deal with the impacts of a breach."

Daniel Ingevaldson, CTO of Easy Solutions:

"With the latest retail breach at Home Depot, attention has again turned to credit card black markets, the clearinghouses that sell these stolen cards to the highest bidder. These are no fly-by-night operations. In fact, the largest of these markets have some sophisticated features that any e-commerce site would tout, including integrated Bitcoin funding, good customer support and good commerce features.

It appears this new batch of cards is selling for $50-100 each, though we believe those prices are likely to come down faster than in the past, as the window of opportunity to profit from stolen cards has shrunk. This has happened because financial institutions have become smarter about dealing with these attacks.

For example, black market sites used to allow you to 'test' a stolen card, charging a small amount on it before committing to purchase, in order to prove it was a valid card. Since the Target breach, banks have improved their detection methods to look for these kinds of charges (as an indication of likely potential new fraud), so these sites no longer offer this service.

In addition, more banks are monitoring the black markets themselves, either on their own or through services like Easy Solutions provides, as an early warning system for stolen cards."
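The card-"testing" pattern Ingevaldson describes, seen from the issuing bank's side, is detectable in the authorization stream. The following is an added example (not Easy Solutions' or any bank's code): it runs two heuristics over a constructed set of authorizations, flagging cards where a micro-charge is quickly followed by a much larger purchase elsewhere, and merchants that put tiny charges on many distinct cards in a short window. The thresholds (2 USD, time windows, 50x ratio, three cards) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations (not real data): (card_id, time, amount_usd, merchant).
AUTHS = [
    ("card-A", "2014-09-20 10:00", 1.00, "webshop-1"),
    ("card-A", "2014-09-20 10:25", 480.00, "electronics-9"),
    ("card-B", "2014-09-20 10:02", 0.50, "webshop-1"),
    ("card-B", "2014-09-20 11:40", 320.00, "jewelry-3"),
    ("card-C", "2014-09-20 10:03", 1.25, "webshop-1"),
    ("card-D", "2014-09-20 09:00", 4.50, "coffee-7"),   # ordinary small purchases
    ("card-D", "2014-09-20 09:05", 12.00, "coffee-7"),
    ("card-E", "2014-09-20 12:00", 1.00, "parking-2"),  # lone micro-charge, benign
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def cards_with_test_charge(auths, small=2.00, window=timedelta(hours=2), ratio=50):
    """Cards with a micro-authorization followed, within `window`, by a charge at a
    different merchant at least `ratio` times larger (assumed thresholds)."""
    by_card = defaultdict(list)
    for card, ts, amt, merchant in auths:
        by_card[card].append((parse(ts), amt, merchant))
    flagged = set()
    for card, rows in by_card.items():
        rows.sort()
        for i, (t1, a1, m1) in enumerate(rows):
            if a1 > small:
                continue
            for t2, a2, m2 in rows[i + 1:]:
                if t2 - t1 > window:
                    break
                if m2 != m1 and a2 >= ratio * a1:
                    flagged.add(card)
                    break
    return flagged

def merchants_with_micro_bursts(auths, small=2.00, min_cards=3, window=timedelta(hours=1)):
    """Merchants charging <= `small` to at least `min_cards` distinct cards within `window`."""
    by_merchant = defaultdict(list)
    for card, ts, amt, merchant in auths:
        if amt <= small:
            by_merchant[merchant].append((parse(ts), card))
    flagged = set()
    for merchant, rows in by_merchant.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            cards = {c for t, c in rows[i:] if t - t0 <= window}
            if len(cards) >= min_cards:
                flagged.add(merchant)
                break
    return flagged
```

Either hit on its own is only a lead for review; in practice the two signals would be correlated with the merchant's history and the cardholder's normal spending before any card is reissued.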

Lucas Zaichkowsky, Enterprise Defense Architect at AccessData:

"These attacks are conducted remotely. It's not as though there's a self-replicating virus or drive-by download malware causing these breaches. These attacks are conducted remotely by human attackers. They gain an initial entry point to pretty much any system. The most common method is to find a vulnerable web server. Once there, they focus on mapping out the internal network and steal user accounts they can leverage to move around in disguise.

They'll specifically figure out who has access to the card data environment, then target those accounts and relay through the same hop points used by administrators to get to the better protected card data environment. Their presence isn't obvious since they're accessing the environment just as the real administrator would. Once there, they'll manually place newly created variants of specialized card-data-stealing malware, thereby evading anti-malware protection. Next-generation malware detection appliances observing Internet traffic will be completely blind to this since it's being delivered through encrypted command and control channels.

POS networks are complex with multiple systems handling credit card data in the clear. There are also systems in that network necessary for functions other than processing credit cards such as inventory management. Any system or user that has access to the POS network is a likely target for exploitation and account hijacking. Once inside the POS network, attackers have multiple choices for pilfering card data as it passes through, many of which involve no malware whatsoever."

Tom Cross, director of security research at Lancope:

"These retail compromises can have a direct financial impact on consumers. Some banks issue credit cards that are directly tied to consumer checking accounts. Fraudulent charges made on these cards are immediately deducted from the consumer's bank balance, and the consumer may have to wait for a fraud investigation to complete before they can recover their money. With so many large retail organizations getting compromised, I strongly recommend that consumers avoid using cards that are tied directly to their checking accounts.

However, no one wants to go through the hassle of having their card replaced because it was compromised, even if they won't be held responsible for the charges. Therefore, these compromises do have a reputational impact on financial institutions - some consumers will avoid doing business in stores if they fear that their card may be compromised. Other retailers who have been impacted in this string of attacks have faced significant costs associated with cleanup and lost sales."

Until Next Friday...Have a Great Weekend!

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.