Don’t sweat the small stuff… but, there isn’t any small stuff.

There has been much discussion in the security world about the timing of Heartland’s announcement of the breach (waiting until Inauguration Day to disclose that millions of transactions had been compromised) and about the overall sense that “spin” has been the primary objective of Heartland’s handling of the situation to date. Worse yet is Heartland’s pointing to shortcomings of the Payment Card Industry Data Security Standard as the scapegoat for its own lack of security. Don’t get me wrong; the PCI DSS is more like The Great Oz’s proclamations than sound security doctrine, but the information that has been disclosed about how the attacks were perpetrated indicates that end-to-end encryption mandated through the DSS would not have made up for the lack of a secure environment at Heartland. Heartland’s own press releases admit that the breach was perpetrated through malware that had made it past their firewalls, namely a keylogger and network sniffing software.

How could one assume that an environment insecure enough to allow keyloggers and sniffers to be deployed and accessed remotely could be trusted to manage encryption key administration? A keylogger on an administrator’s workstation captures the very passphrases and credentials that protect the keys, and a sniffer sees card data wherever it is handled in the clear, so encryption added on top of such an environment protects little.

Herein lies the crux of a security mindset (and allow me to butcher a bit of pop psychology): Don’t sweat the small stuff… but, there isn’t any small stuff. Not in securing your enterprise there isn’t. There are lesser risks, but there are very few, if any, no-risk areas when you look critically at securing the confidentiality, integrity, and availability of the information and systems within your financial institution. The desire to tackle the “big things” first is understandable, and as a means of triaging areas of risk it is completely appropriate. However, the “small things” must not be forgotten.

Had someone asked Heartland about its security practices before the breach, it is easy to imagine that the answer to most risks would have been something akin to “… we have a firewall and we passed a PCI audit”; neither of which would have fully addressed the threats that were exploited in this breach, threats that were probably dismissed as “small stuff” or improbable. The way an organization handles the “small things” is often more revealing of its security mindset than the way it handles the “big things.” This is one of the reasons our controls reviews are so granular here at The Garland Group.