Wednesday, February 4, 2009

SRA Data Breach Analysis

If you've been reading breach notifications lately, you'll have seen that SRA International announced it suffered a data breach.

{ Links }
Read carefully, and there is a consistent theme in every one of those links: "SRA recently discovered a virus... that was not detected by its antivirus". Let's focus on that for a minute. While Mr. Ralph DeFrangesco of ITBusinessEdge seems to surmise that SRA Intl's antivirus systems were simply out-of-date, I will offer an alternative, albeit more sinister, explanation. My explanation requires a dig back into the news releases from Heartland Payment Systems (HPS) and the hoopla surrounding that incident. Both of these, if read carefully, point to a piece of malware that infiltrated otherwise healthy, reasonably well-maintained networks. Now, while I've been known to poke the occasional fun at "compliant" companies which suddenly become compromised, I'd like to take a step back and address this from the more sinister angle I mentioned.

What if... just what if these "malware/viruses" which were placed inside these companies weren't run-of-the-mill worms/malware/viruses? What if, and this sounds more logical, these were custom-created malware with the intended purpose of infiltrating these companies and executing data breaches? Doesn't that sound more logical, given all we know, Mr. DeFrangesco? Doesn't that more easily explain how this malware could have slipped past antivirus systems? When's the last time your anti-virus caught an "0day" exploit? I'm going to guess never... and I'll stake my hard-earned reputation on that.

What we have here, folks, is a case of bad economic times breeding ugly things. These companies could have been compliant with everything known to man, had up-to-date anti-virus software on all desktops, servers and network wires, and they still would have succumbed to these pieces of malware. Why? Signature-based antivirus is fundamentally flawed, period: a control that can only stop an attacker after that attacker's tools have already been identified is nearly useless against something written once, for one target.

What I suspect is going on here, and will be happening more and more in the coming year, is that someone was commissioned to write a piece of malware which would exploit a vector specific to HPS or SRA, compromise the system and collect the data the attacker wanted. This malware would go largely undetected (there are no signatures for custom malware until a sample has been captured and analyzed), and would only be caught under extraordinary circumstances, or with dumb luck.
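To make the signature argument concrete, here is an added example (it is not code from the original post, and nothing in it is real malware): a toy hash-and-pattern scanner in the style of a signature-based antivirus, run against a constructed "widely seen" sample and against a "custom" variant that does exactly the same thing but has been re-packed so its bytes have never been seen before. The fake header, the payload string, the one-byte XOR "packer" and the 16-byte pattern rule are all constructed for illustration.

```python
import hashlib
import re

# Constructed, harmless stand-ins for executables (not real malware): a fake
# header, a fake "payload" command string, and a one-byte XOR "packer" that
# plays the role of recompiling or repacking a tool for a specific target.
STUB = b"MZ\x90\x00"
PAYLOAD = b"CONNECT 198.51.100.7:443; EXFIL track2.dat"


def pack(payload: bytes, key: int) -> bytes:
    """Return STUB + key byte + payload XORed with key (key 0 = plaintext)."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """Reverse pack(); used only to show the variants behave identically."""
    key = sample[len(STUB)]
    return bytes(b ^ key for b in sample[len(STUB) + 1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Hash plus byte-pattern matching: the detection model the post argues
    custom malware slips past, because it only flags what has already been
    captured, analysed and added to the database."""

    def __init__(self) -> None:
        self.hashes: set[str] = set()
        self.patterns: list[bytes] = []

    def add_sample(self, data: bytes) -> None:
        """Vendor receives a sample: record its hash and a 16-byte pattern
        taken from its body (a naive stand-in for a real signature)."""
        self.hashes.add(sha256(data))
        body = data[len(STUB) + 1:]
        self.patterns.append(re.escape(body[:16]))

    def scan(self, data: bytes) -> bool:
        if sha256(data) in self.hashes:
            return True
        return any(re.search(p, data) for p in self.patterns)


def demo() -> dict[str, bool]:
    """Walk the post's scenario and return each scan verdict by name."""
    scanner = SignatureScanner()
    known = pack(PAYLOAD, 0x00)      # the widely seen, signatured sample
    scanner.add_sample(known)
    custom = pack(PAYLOAD, 0x5A)     # same behaviour, bytes never seen before
    rekeyed = pack(PAYLOAD, 0xA7)    # the attacker's next build
    assert unpack(known) == unpack(custom) == unpack(rekeyed) == PAYLOAD

    results = {"known": scanner.scan(known),           # True
               "custom_before": scanner.scan(custom)}  # False: no signature yet
    scanner.add_sample(custom)                         # someone finally captures it
    results["custom_after"] = scanner.scan(custom)     # True, but only now
    results["rekeyed"] = scanner.scan(rekeyed)         # False again
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:14s} detected={hit}")
```

The `add_sample(custom)` step is the "only after they've been identified" moment: the vendor catches up to one build, and the very next build with a different key is invisible again, while its unpacked behaviour has not changed at all.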

So you see... HPS, SRA, and the soon-to-be countless others are going to fall victim like dominoes, one right after the other, and there is [almost] nothing any of them can do about it. The only effective measures against hard times and organized crime (which is what I surmise these cases clearly reek of) are a good, effectively implemented least-privilege policy, well-educated staff, and risk-based mitigation.

You heard it here first... this is just the beginning.

4 comments:

Tom Mahoney said...

You said, "What I suspect is going on here, and will be happening more and more in the coming year - is that someone was commissioned to write a piece of malware which would attack a vector specific to HPS, or SRA... exploit the system and collect the data the attacker wanted."

Frankly, in the case of Heartland, I can't imagine anyone thinking it was anything but that. Viruses, Trojans, and the like don't zoom into the heart of the operating system and siphon off months worth of credit card data at the only place in the process where the data isn't encrypted.

Tom Mahoney, Director
Merchant911.org

Andy Bochman said...

Fully agree. IMHO virus/anti-virus in this case is a PR red herring. SRA and its gov agency clients just got owned... and not necessarily because SRA was particularly lax in its security controls. Quite to the contrary: 99% of large orgs have substantial vulnerabilities in their software systems and only a few are taking definitive action. The rest hope to get through with fingers crossed and compliance programs that are of questionable efficacy. Another wake-up call.

Rafal said...

@Tom Mahoney - Yahtzee! All this talk of "we had a virus" is crap. I've never heard of a run-of-the-mill virus that knows exactly where to attack, and exactly what to siphon off... the next question is logically - was it an inside job? My guess is that this is much like the cases where a disgruntled employee plants a trojan, then reaps the benefits. OR... it could be the classic case of an under-paid employee being approached in the company lot, after hours, and offered money to "run this file"...

At any rate I can't imagine this subsiding... more to come.

Rafal said...

@Andy - happens every day, as "risk equations" are biased towards the business side... especially in such an atrophied economy.
