By this point in time we've all heard that CardSystems in Tucson, which is responsible for some 15 billion in payments, had a security breach. CardSystems states there was a lapse that allowed the installation of a rogue computer program, and this is what caused the damage. We know what they did wrong: they forgot to pay attention to security. Let's analyze this piece by piece.
CardSystems was only the payment processor; in this role they are required to process payments in a timely fashion and not to retain the card data. This was their first mistake. They held this data in a file they claim was kept for research into failed transactions. What kind of baloney is that? A system that processes large volumes of payments should have appropriate logs to determine failures. If your system is failing, use those logs or some debug output to determine the faults, not an archive of reprocessable data sets that you know should not be retained. Who thought that was a good idea?
Lapse? Perhaps they mean they were not keeping their systems up to date. This lapse led to the installation of rogue software that sent out the data they had retained without authorization. Regardless of your platform, why were the security updates that prevent this type of activity not installed? Why wasn't the system secured by some other means, such as firewalls or hardening of the system itself, to prevent this?
Don't tell me it's not possible, even on Windows. If these guys are using Linux, how the hell did this happen? Answer: uneducated administrators; it's not the wand, it's the magician. If these guys are on Windows, how did this happen? Answer: uneducated administrators; it's not the wand, it's the magician. No firewall/IDS/IPS, forgotten updates, failure to harden the system and possibly sloppy code. These types of failures will break any platform.
Now you have a rogue program on the system sending data off to someplace. Didn't this anomalous traffic alert anyone? Why wasn't this system, which processes financial transactions, restricted to communicating only with other financial institutions? Who in their right mind leaves a financial computer system this open?
It's important that the systems processing the data are secure, but their networks need to be secure too. This means both inbound and outbound traffic, all traffic. There is hardware and software available from multiple vendors to perform these functions; why was none of it in place?
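As an added illustration (not code from the original post or from Edoceo), here is the kind of egress audit the paragraphs above are asking for: a payment host is given a short allow-list of financial peers, and every outbound flow to anything else, or any bulk transfer even to an allowed peer, is flagged. The peer addresses, the flow-log format and the byte threshold are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed egress policy for a hypothetical payment-processing host:
# the only peers it should ever talk to are the card networks and
# acquiring banks it settles with. Addresses are documentation ranges.
ALLOWED_EGRESS = [
    (ip_network("203.0.113.0/24"), 443),    # hypothetical card-network gateway
    (ip_network("198.51.100.10/32"), 8443), # hypothetical acquiring-bank API
]
# A single flow pushing more than this many bytes out is suspicious even
# to an allowed peer: a bulk dump looks nothing like a transaction.
BULK_THRESHOLD_BYTES = 5 * 1024 * 1024

def egress_allowed(dst, port):
    """True only if dst:port matches an allow-listed financial peer."""
    d = ip_address(dst)
    return any(d in net and port == p for net, p in ALLOWED_EGRESS)

def parse_flow(line):
    # Constructed flow-log format: ts src dst dport proto bytes_out
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def audit_flows(lines):
    """Return (reason, flow) for every outbound flow that violates policy."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if not egress_allowed(f["dst"], f["dport"]):
            findings.append(("unexpected destination", f))
        elif f["bytes"] > BULK_THRESHOLD_BYTES:
            findings.append(("bulk transfer to allowed peer", f))
    return findings

# Constructed sample flows: two normal authorizations, one dump to an
# unknown host, and one oversized push to an otherwise-allowed peer.
SAMPLE_FLOWS = """\
2005-06-17T02:11:05 10.0.5.20 203.0.113.7 443 tcp 1840
2005-06-17T02:11:09 10.0.5.20 198.51.100.10 8443 tcp 2210
2005-06-17T02:14:31 10.0.5.20 192.0.2.99 21 tcp 61234567
2005-06-17T02:20:02 10.0.5.20 203.0.113.7 443 tcp 9400000
""".splitlines()

if __name__ == "__main__":
    for reason, f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['bytes']}B : {reason}")
```

The same allow-list is what a default-deny outbound firewall rule set would encode; the audit is there to catch whatever slips past it or was never configured.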
This whole fiasco could have been avoided with simple steps: harden the computer system and software, and secure the traffic. Simple! In our financial processing software Arca we've done this; there are a million reasons to and zero reasons not to. That's not bragging, that's doing the job right: if you provide financial software or services, they must be as secure as technology will permit.
If you need help with hardening your software, we can help. If you need to find a different provider of services, we can help. This type of issue should not be tolerated. With Edoceo's technology it won't even exist.
exit(0);