02 April 2008

Hannaford card data breach was a vulnerability problem

The recent Hannaford supermarket data breach in the US, in which up to 4.2 million customers' card details appear to have been downloaded, was almost certainly the result of malware.

According to Brian Chess, chief scientist at application vulnerability specialist Fortify, the uniformity of the breach suggests that attackers took advantage of a software weakness.

“The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all the servers and used malware to exploit the weakness,” he says.

“My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers, then figured out that there was a vulnerability on some piece of code running on all the machines,” he adds.

“We see many organisations that are much more lax about internal systems,” explains Chess. “What’s interesting about this case is that newswire reports suggest the store chain was fully PCI compliant … but PCI takes a relaxed attitude towards internal machines.”

Which is why, says Chess, Fortify has now launched Business Software Assurance (BSA), based on its new Fortify 360, essentially a blueprint for minimising risks associated with software exploits. What’s interesting is that it works at the most fundamental level – software itself – being based on the premise that enterprise security must come from within.

Roger Thornton, Fortify’s CTO, believes it’s about changing the mindset around security. “Businesses today are built and operated by software that houses intellectual property, business processes and trade secrets that are vital to the health of an enterprise,” he says. “Unfortunately, most of this software is developed to be open and functional, or was developed pre-Internet, and is therefore not necessarily secure.

“This creates a significant vulnerability at the company’s core. Business Software Assurance teaches organisations to address potential weaknesses in their everyday operations before they become exploitable.”

And that’s not just about ensuring good perimeter-based protection, or using application security tools, such as penetration testing. John Jack, Fortify’s CEO, says: “The security tools out there today, be they firewalls or Pen testing, provide an incomplete solution.

“We continue to watch hackers find and exploit vulnerabilities at some of the world’s biggest corporations and most highly-trafficked websites. Today’s data predators are sophisticated and organised, and they have found ways to attack you at your weakest point – your software.”

Fortify 360 is a suite of integrated solutions for identifying, prioritising and fixing security vulnerabilities in software, while also managing the business of ensuring application security.

It uses what the company describes as patented capabilities to identify the location of vulnerabilities at every phase of development. Once identified, it also provides the means to manage the processes around repairing the problems invariably uncovered, as well as providing a centralised dashboard for management and reporting.

Brian Tinham

Supporting Information

Fortify Software

