Warning: Data breach ahead
By Grant Buckler
Dave Tyson found out about the computer security breach at Framingham, Mass.-based TJX Companies Inc. the hard way. One day when he tried to use his credit card, it wouldn’t work.
Like many other consumers, Tyson had automatic payments on his card
that suddenly weren’t happening. Ultimately the card had to be
replaced. All this came about after TJX — operator of Winners and
HomeSense stores — announced in January that unidentified intruders had
gained access to customer credit card numbers stored in its computer
systems, exposing consumers to the risk of fraud and identity theft.
It later emerged that intruders first gained access to TJX’s computer
systems as early as mid-2005, and that store transactions from all of
2003, the first half of 2004 and May to December of 2006 had been
TJX has issued statements saying it is working
with credit-card issuers and security contractors, but has not said how
the breach happened and did not return calls from Canadian Security
It’s not the only company to suffer such an
intrusion. A recent survey conducted by a privacy and information
management research firm for Dallas law firm Scott & Scott LLP
found that more than 85 per cent of organizations surveyed had had a
While Tyson suffered the same sort of inconvenience
from the TJX breach as many others, his 20-plus years of experience in
security — he is currently senior security manager for the City of
Vancouver — gives him a different perspective.
Tyson suspects —
and other experts agree — that if the intruders were from outside the
company, they likely gained access through a poorly secured web
“Security is a weakest-link discipline,” Tyson
says, and with many organizations focusing on securing the perimeters
of their networks but paying less attention to the online applications
that provide the outside world with legitimate access to data on those
networks, those applications are often the weakest link.
per cent of new attacks now exploit software vulnerabilities, and most
of the IT security dollars are spent bolstering the security on the
perimeter of the network,” says Brian O’Higgins, chief technology
officer at Third Brigade Inc., an Ottawa-based intrusion prevention
There are a number of ways web applications
can be compromised, some of them disturbingly simple. One example
security specialists like to give is SQL injection.
Structured Query Language (SQL) is a venerable and widely used language
for requesting information from databases. A SQL query might ask for the
names, credit card numbers and expiry dates of, say, all the customers
in Toronto. That query should come from inside the organization. But in
some cases, an outsider who knows SQL can type a fragment of such a
query into a website, in the field where a customer is supposed to type
a password, say. If the web application builds its database query by
pasting that text straight into the SQL statement, the database cannot
tell the customer’s data from the attacker’s commands: it runs them as
part of the query, without considering where they came from.
Of course an application shouldn’t do this. It should validate data as
it is input and reject commands entered in the data fields of a web
page; better still, it should pass user input to the database through
parameterized queries, which send the values separately from the
statement so that they are never interpreted as SQL at all. But the
programmers who write applications aren’t necessarily security experts.
The trick of injecting commands is “one that people have known about
for a couple of years, so they’re getting fixed,” O’Higgins adds — “but
there’s always the next one.”
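The string-pasting mistake described above, set beside its corrected form, as an added example written for this page rather than code from the article or from any company it names. It uses Python’s built-in sqlite3 module and a constructed two-table database; the table and column names, the user accounts and the card numbers are invented for illustration. The two password-field inputs show both outcomes the text warns about: logging in without a valid password, and pulling another table’s card numbers out through the login form.

```python
import sqlite3
from typing import List

# Constructed sample data, not from the article: an in-memory SQLite database
# standing in for the kind of customer table the article describes. Passwords
# are stored in clear only to keep the demonstration short; a real system
# would store salted hashes.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE customers "
                 "(name TEXT, city TEXT, card_number TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)",
                     [("A. Smith", "Toronto", "4111111111111111", "12/09"),
                      ("B. Jones", "Vancouver", "5500000000000004", "03/08")])
    return conn


def login_vulnerable(conn: sqlite3.Connection,
                     username: str, password: str) -> List[str]:
    """Builds the statement by pasting the form fields into the SQL text.

    The database receives one string and cannot tell which parts came from
    the programmer and which from the password field, so a quote character
    typed by the user ends the literal and whatever follows runs as SQL.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection,
                        username: str, password: str) -> List[str]:
    """Same query with bound parameters.

    The statement text is fixed; the driver hands the two values to the
    database separately, so quotes in the input are ordinary characters and
    can never change the shape of the query.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two inputs an outsider might type into the password field (constructed).
# Closes the string literal and tacks on a condition that is always true.
BYPASS_PASSWORD = "' OR '1'='1"
# Turns the login query into a second query that reads another table; the
# application's own trailing quote closes the 'Toronto' literal.
EXFIL_PASSWORD = ("x' UNION SELECT card_number FROM customers "
                  "WHERE city = 'Toronto")


def demo() -> dict:
    """Runs both inputs against both implementations and returns the rows."""
    conn = build_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "anyone", BYPASS_PASSWORD),
        "vulnerable_exfil": login_vulnerable(conn, "anyone", EXFIL_PASSWORD),
        "parameterized_bypass": login_parameterized(conn, "anyone", BYPASS_PASSWORD),
        "parameterized_exfil": login_parameterized(conn, "anyone", EXFIL_PASSWORD),
        "parameterized_real": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every user for the bypass input and a Toronto card number for the UNION input; the parameterized version returns nothing for either and still authenticates a genuine password. Input validation remains worthwhile as a second layer, but it is the binding of parameters, not the rejection of suspicious characters, that removes the class of bug.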
Is this what happened at
TJX? We don’t know. But computer security experts agree that the
security of web applications often doesn’t get the attention it should.
That’s the bad news; the good news is that they also have a concrete
suggestion as to what to do about it.
Two major credit-card
issuers, Visa and MasterCard, created the first version of the Payment
Card Industry Data Security Standard — a framework of technical
requirements and testing procedures to ensure that credit-card
information is handled safely. Three other card issuers joined with
Visa and MasterCard early this year to create the Payment Card Industry
Security Standards Council, which has updated the initial standard and
will maintain it in future. (The standard and other information about
the council can be found on the council’s web site at
Any organization that handles
credit-card data is expected to comply with the standards, says Bob
Russo, general manager of the PCI Security Standards Council, and it
includes provisions to address insecure applications, which he agrees
are a prime target for intruders.
The TJX breach could also have
been the work of an insider — someone who worked for the company, with
legitimate access to its systems and possibly inside knowledge about
security provisions. “An insider issue is the most common type of
problem in criminal acts,” says Dave Morrow, chief security and privacy
officer at computer services firm Electronic Data Systems Corp. of
Plano, Tex., “and insiders have a built-in advantage because they know
the controls, they know the weaknesses and they operate in the
environment every day.”
The best defence against inside jobs is
strong security policies, adds Dave Woelfle, chief architect for global
sales support at EDS Canada. “A lot of organizations need to move to a
model where you only get access by permissions … really limit access
to only those who need it, as much as you can.”
Organizations should also separate controls so that no one individual
can do anything that might compromise data without the co-operation of
someone else. Rigorous audits can also help catch insider breaches
faster, Morrow says.
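One way to implement the permissions-only access and separation of controls Woelfle describes, as an added example written for this page rather than anything from EDS or from the PCI standard. The roles, permission names and user accounts are invented for illustration. The point it shows is that exporting card data needs two different people even when one person holds both permissions, and that every decision, allowed or denied, lands in an audit trail of the kind Morrow’s auditors would read.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example policy, not from the article: each role gets only the
# permissions its job needs (least privilege). Exporting card data is split
# into a request permission and an approve permission so that no single
# action completes it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "cashier":  {"card:charge"},
    "analyst":  {"card:read-masked"},
    "dba":      {"card:export:request"},
    "security": {"card:export:request", "card:export:approve"},
}


@dataclass
class ExportRequest:
    request_id: int
    requester: str
    approver: Optional[str] = None


@dataclass
class AccessControl:
    roles: Dict[str, str]                      # user -> single role
    audit: List[str] = field(default_factory=list)
    requests: Dict[int, ExportRequest] = field(default_factory=dict)
    next_id: int = 1

    def allowed(self, user: str, permission: str) -> bool:
        """Default deny: a user holds a permission only through their role.
        Every check is logged, whether it succeeds or not."""
        role = self.roles.get(user)
        ok = role is not None and permission in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(f"{'ALLOW' if ok else 'DENY'} user={user} perm={permission}")
        return ok

    def request_export(self, user: str) -> Optional[int]:
        """Raise an export request; returns its id, or None if not permitted."""
        if not self.allowed(user, "card:export:request"):
            return None
        rid = self.next_id
        self.next_id += 1
        self.requests[rid] = ExportRequest(rid, user)
        self.audit.append(f"REQUEST id={rid} by={user}")
        return rid

    def approve_export(self, user: str, rid: int) -> bool:
        """Two-person rule: the approver must hold the approve permission and
        must not be the person who raised the request. A request can be
        approved only once."""
        req = self.requests.get(rid)
        if req is None or req.approver is not None:
            return False
        if not self.allowed(user, "card:export:approve"):
            return False
        if user == req.requester:
            self.audit.append(f"DENY self-approval id={rid} user={user}")
            return False
        req.approver = user
        self.audit.append(f"APPROVE id={rid} by={user}")
        return True

    def export_allowed(self, rid: int) -> bool:
        """The export itself proceeds only for a request with a distinct approver."""
        req = self.requests.get(rid)
        return req is not None and req.approver is not None


if __name__ == "__main__":
    ac = AccessControl(roles={"alice": "dba", "bob": "security",
                              "carol": "cashier", "erin": "security"})
    rid = ac.request_export("alice")
    print("cashier approves:", ac.approve_export("carol", rid))   # False
    print("security approves:", ac.approve_export("bob", rid))    # True
    own = ac.request_export("bob")
    print("self-approval:", ac.approve_export("bob", own))        # False
    print("\n".join(ac.audit))
```

The audit list is deliberately append-only from the caller’s point of view; in a real deployment it would be written to a log the requesters and approvers cannot edit, otherwise the insider advantage Morrow describes reappears at the logging layer.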
Provisions to guard against insider breaches are also
included in the PCI standards, Russo says. They include requirements
like strong passwords and access logs.
No security standard is
a guarantee against problems, but O’Higgins thinks any company adhering
to the PCI standards should be relatively safe from intrusions for a
while at least.
Intrusions into a company’s computer
systems are not the only concern, though, as another bad-news security
story that made the headlines early this year showed. Canadian Imperial
Bank of Commerce revealed in January that a disk containing a backup
file was lost in transit between Montreal and Toronto just before
Christmas. The file contained information on about 470,000 clients of
CIBC subsidiary Talvest Mutual Funds.
There has been no
indication that the lost data fell into malicious hands or was used in
any way that could hurt the customers concerned — at least not so far.
Morrow doesn’t think the incident is particularly unusual. “There were
incidents in the industry for years and years where tapes didn’t show
up, or disk drives or CDs got lost in the mail or whatever,” he says,
“but people just didn’t pay that much attention to it.” Stricter
legislation requiring companies to notify customers when such security
breaches occur means the public hears about more of them now, Morrow
says.
The best defence against the loss of physical media
containing data — whether it’s a disk, a tape, a laptop or even a
personal digital assistant or smart phone — is encryption. EDS encrypts
all data before it leaves a client site, says Woelfle.
It’s a good idea, says Simon Hunt, chief technology officer at SafeBoot N.V.,
a supplier of encryption and other security technology — but too few
are acting on it. “About two per cent of the corporate-owned devices
that should be encrypted actually are encrypted,” Hunt says.
It’s not that encryption is expensive, nor does encryption make life
difficult for users. Where the extra work comes is in planning how
encryption will be implemented — a process that can be fairly long and
arduous. However, having to admit to an intrusion into your systems is
bad for business.
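What “encrypt it before it leaves the site” looks like in code, as an added example written for this page rather than EDS’s or SafeBoot’s software. It assumes the Python `cryptography` package is installed and uses AES-GCM; the backup records, the label and the sealed-file layout (a marker, a random nonce, then ciphertext with its tag) are constructed for illustration. Because the key stays in a key store at the originating site, a disk lost in transit shows nothing to whoever finds it, and the authentication tag means a tampered or mislabelled copy is refused rather than quietly restored.

```python
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"BKUP1"     # marker identifying the sealed-file format (constructed)
NONCE_LEN = 12       # 96-bit nonce, the standard size for AES-GCM
TAG_LEN = 16         # AES-GCM appends a 128-bit authentication tag

# Constructed sample backup; not real client data.
SAMPLE_BACKUP = (b"client_id=1001,name=A. Smith,account=12345678\n"
                 b"client_id=1002,name=B. Jones,account=87654321\n")


def generate_key() -> bytes:
    """256-bit AES key. It stays in the key store at the originating site;
    only the sealed file travels on the disk or tape."""
    return AESGCM.generate_key(bit_length=256)


def seal_backup(key: bytes, plaintext: bytes, label: str) -> bytes:
    """AES-GCM gives confidentiality and an integrity tag in one operation.

    The label (say, which client and which backup run) is bound as
    associated data: it is not encrypted, but decryption fails if it does
    not match, so a sealed file cannot be presented under another label.
    A fresh random nonce per file keeps key reuse across backups safe.
    """
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, label.encode())
    return MAGIC + nonce + ciphertext


def open_backup(key: bytes, blob: bytes, label: str) -> Optional[bytes]:
    """Returns the plaintext, or None if the key, label or contents do not
    match. Wrong key, wrong label and any modified byte all fail the same
    way: nothing is returned, not even partially decrypted data."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = blob[len(MAGIC) + NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, label.encode())
    except InvalidTag:
        return None


def leaks(blob: bytes, needle: bytes) -> bool:
    """What someone who finds the media can do without the key: search it
    for a value they already know, such as an account number."""
    return needle in blob


if __name__ == "__main__":
    key = generate_key()
    label = "client-backup-2006-12"
    sealed = seal_backup(key, SAMPLE_BACKUP, label)
    print("account number visible on media:", leaks(sealed, b"12345678"))
    print("opens with wrong key:",
          open_backup(generate_key(), sealed, label) is not None)
    print("opens with right key:",
          open_backup(key, sealed, label) == SAMPLE_BACKUP)
```

The part the article calls long and arduous is not in this block: deciding where the key lives, who can fetch it, how it is rotated and how a restore at the far end obtains it without the key riding along on the same courier as the disk. The code only shows that once those decisions are made, the encryption step itself is cheap.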
And customers as well as investors get
skittish about such incidents. Take Dave Tyson, who says he will be
discouraging his family from shopping at Winners “for some time”.
“Business in general has failed to convince customers that security is a large enough priority,” he says.