DPI Scrambles After Credit-Card Theft
By Larry Dignan | Posted 2003-03-06
"Security by obscurity" didn't work for one credit card processor: An "unauthorized outside party" ran off with credit card data anyway.
'Security by Obscurity'
According to Caston, DPI probably benefited from "security by obscurity" until now. After the attack, it's likely to have a bull's-eye on its network not long after the feds clear out.
The plans—or lack of them—that DPI had in place ahead of the attack will go a long way to determining how quickly it'll recover. Executives need to prepare for a hack and map out plans and procedures before it even happens.
"Having a plan in these situations makes all the difference," says Infidel's Bace. "It helps to think these things out before you're in a crisis."
The intrusion plan should include creating an emergency response team, either in-house or contracted out; clarifying who makes which decisions during an incident; and weighing response options for various attack scenarios ahead of time.
Bace also tells clients to take a "footprint" of their systems with file-integrity software from a vendor such as Tripwire. Taken during normal operation, this footprint of the network and its applications serves as a baseline for when things go awry; ultimately, the snapshot lets the response team see exactly what an attacker changed.
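What such a footprint looks like in practice, as an added example rather than code from the article or from Tripwire: the script below hashes every regular file under a directory, writes the result out as a baseline, and later diffs a fresh snapshot against it so that added, removed and modified files stand out. The directory tree, the file names such as bin/cardproc and the simulated intrusion changes are all constructed for the demonstration.

```python
"""Added example of a Tripwire-style file-integrity baseline.

Illustrative code, not the article's and not Tripwire's. It records a
SHA-256 digest, size and permission bits for every regular file under a
directory, saves that as the baseline, and later diffs a fresh snapshot
against it. The demo() tree and the simulated intrusion are constructed
so the script runs offline.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (relative path) under root to its digest, size and mode."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            entries[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return entries


def save_baseline(entries, path):
    with open(path, "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of paths added, removed or modified since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def write(path, data):
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Baseline a constructed tree, simulate an intrusion, and report the diff."""
    root = tempfile.mkdtemp(prefix="fim_root_")
    store = tempfile.mkdtemp(prefix="fim_store_")  # baseline lives outside the monitored tree
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        write(os.path.join(root, "bin", "cardproc"), b"\x7fELF original processor binary")
        write(os.path.join(root, "etc", "cardproc.conf"), "db_host=10.0.0.5\n")
        write(os.path.join(root, "etc", "motd"), "welcome\n")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        # Constructed post-intrusion changes: a trojaned binary of the SAME size
        # (only the digest catches it), a dropped backdoor, and a deleted file.
        write(os.path.join(root, "bin", "cardproc"), b"\x7fELF trojaned processor binary")
        write(os.path.join(root, "bin", "sshd_helper"), b"#!/bin/sh\n# backdoor\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(load_baseline(baseline_file), snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the baseline has to live somewhere the attacker cannot reach (offline media or a separate host, which is why Tripwire keeps its database signed), and the comparison must run from a clean copy of the tool, since a compromised host can lie about its own files.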
With the planning in place, analysts say responding to an intrusion is much like putting out a fire or working in an emergency room: analyze the problem, contain it with a short-term fix, eradicate the attacker's access and anything left behind, and then put a permanent fix in place.
The main goal after an attack is to fix the problem and keep the business running, says Brady. That means cutting over to your disaster recovery plan or "cold" backups—offline mirror systems—to keep operations going.
But beware some short-term fixes. One big mistake is to patch the hole and move on—you could be sealing in malicious code. "Simply patching a system after it's hacked is analogous to letting a burglar in your house and then locking the door—if he's in, he's in," says Caston.
Consultants say the response depends on the situation. Typical first responses include disconnecting a compromised system from the network and changing passwords.
Even those steps, however, can be complicated without forensic analysis done either in-house or through security consultants. "Unless you have absolute knowledge of how a hacker got in, you have to analyze everything on the network," says Caston.
More complications can arise when law enforcement is involved. In the DPI case, conflicts could emerge because investigators' need to preserve evidence can hold back the company's efforts to resume business.
"Law enforcement has specific procedures and rules of custody and they are picky about sharing information," says Bace. "But they are getting better at collecting data in a way that doesn't affect operations."
After the immediate crisis passes, business leaders may choose to rejigger network architecture to prevent future attacks. Rubin suggests installing "honey pots"—repositories of fake data—to throw hackers off the trail, reconfiguring firewalls and separating databases that hold key information.
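One concrete form of the "fake data" Rubin describes, as an added example that is not from the article: decoy card records seeded into the database. The numbers are generated to pass the Luhn check so they look genuine to an intruder, but they are never issued to a customer, so any appearance of one in an export log or outbound mail is itself the alarm. This goes a step beyond the text, which proposes fake data only as a diversion; the 999999 prefix, the log layout and the mail address are assumptions, and the log lines are constructed.

```python
"""Added example: decoy card records as honey tokens.

Illustrative code, not from the article. Decoy numbers are generated to pass
the Luhn check so they look genuine, planted in the card table alongside real
rows, and then searched for in logs and outbound traffic. A decoy is never
issued to a customer, so any sighting is a high-confidence signal that card
data was read and moved. The 999999 prefix, log layout and addresses are
assumptions; the log lines are constructed.
"""
import random
import re


def luhn_check_digit(partial):
    """Check digit that makes partial + digit Luhn-valid.

    The rightmost digit of partial sits immediately left of the check digit,
    so it is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Standard Luhn (mod 10) validation of a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_decoys(count, prefix="999999", seed=1):
    """Return sorted Luhn-valid 16-digit decoy PANs sharing an assumed unassigned prefix.

    The fixed seed keeps this example reproducible; generate production decoys
    with the secrets module and keep the list where the application cannot read it.
    """
    rng = random.Random(seed)
    decoys = set()
    while len(decoys) < count:
        body = prefix + "".join(rng.choice("0123456789") for _ in range(15 - len(prefix)))
        decoys.add(body + luhn_check_digit(body))
    return sorted(decoys)


# 16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def scan_for_decoys(lines, decoys):
    """Return (line_number, decoy) for every decoy PAN found, separators stripped."""
    decoy_set = set(decoys)
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if pan in decoy_set:
                hits.append((n, pan))
    return hits


DECOYS = make_decoys(3)

# Constructed log lines. 4111111111111111 is a well-known test number standing in for a real card.
SAMPLE_LOG = [
    "2003-03-05 02:14:07 app=cardproc action=settle pan=4111111111111111 amount=19.95",
    "2003-03-05 02:31:44 app=export action=bulk_dump rows=50000 first_pan=" + DECOYS[0],
    "2003-03-05 02:31:50 app=export action=bulk_dump rows=50000 first_pan=4222222222222",
    "2003-03-05 03:02:11 smtp to=drop@example.net body=" + " ".join(
        DECOYS[2][i:i + 4] for i in range(0, 16, 4)),
]


if __name__ == "__main__":
    for n, pan in scan_for_decoys(SAMPLE_LOG, DECOYS):
        print(f"ALERT line {n}: decoy {pan} observed")
```

The decoys only work if their list is kept out of the application's reach and rotated once a responder has used one in an investigation; the same scanner can run over outbound SMTP and proxy logs, which is where exfiltrated data tends to surface first.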
Once a company is confident its network is ready for business, executives have to go out and mend some fences. The attack on DPI resulted in added expense for other companies in the credit-card food chain.
PNC Bank, based in Pittsburgh, decided to replace 10,000 active cards to allay customer worries, says PNC spokesman Brian Goerke.
Goerke wouldn't reveal how much the new cards cost PNC, but Gartner estimates replacement cards run $35 each.
"If you're smart and you make it, you come back up in a different environment," says Bace. "Then you need to talk about what steps you took to make damn sure this doesn't happen again."