02 April 2008
Hannaford card data breach was a vulnerability problem
The recent Hannaford supermarket data breach in the US, in which up to 4.2 million customers card details appear to have been downloaded, was almost certainly the result of malware.
According to Brian Chess, chief scientist at application vulnerability specialist Fortify, the uniformity of the breach suggests that attackers took advantage of a software weakness.
“The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all the servers and used malware to exploit the weakness,” he says.
“My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all the machines,” he adds.
“We see many organisations that are much more lax about internal systems,” explains Chess. “What’s interesting about this case is that newswire reports suggest the store chain was fully PCI compliant … but PCI takes a relaxed attitude towards internal machines.”
Which is why, says Chess, Fortify has now launched Business Software Assurance (BSA), based on its new Fortify 360, essentially a blueprint for minimising risks associated with software exploits. What’s interesting is that it works at the most fundamental level –software itself – being based on the premise that enterprise security must come from within.
Roger Thornton, Fortify’s CTO, believes it’s about changing the mindset around security. “Businesses today are built and operated by software that houses intellectual property, business processes and trade secrets that are vital to the health of an enterprise,” he says. “Unfortunately, most of this software is developed to be open and functional, or was developed pre-Internet, and is therefore not necessarily secure.
“This creates a significant vulnerability at the company’s core. Business Software Assurance teaches organisations to address potential weaknesses in their everyday operations before they become exploitable.”
And that’s not just about ensuring good perimeter-based protection, or using application security tools, such as penetration testing. John Jack, Fortify’s CEO, says: “The security tools out there today, be they firewalls or Pen testing, provide an incomplete solution.
“We continue to watch hackers find and exploit vulnerabilities at some of the world’s biggest corporations and most highly-trafficked websites. Today’s data predators are sophisticated and organised, and they have found ways to attack you at your weakest point – your software.”
Fortify 360 is a suite of integrated solutions for identifying, prioritising and fixing security vulnerabilities in software, while also managing the business of ensuring application security.
It uses what the company describes as patented capabilities to identify the location of vulnerabilities at every phase of development. Once identified, it also provides the means to manage the processes around repairing the problems invariably uncovered, as well as providing a centralised dashboard for management and reporting.
This material is protected by Findlay Media copyright
One-off usage is permitted but bulk copying is not.
For multiple copies contact the sales team.