This blog is part of a weekly review of scenarios from Verizon’s Data Breach Digest.
In this case study, Verizon describes a failure of supply-chain security in which a cyber insurance carrier noticed an unusual pattern of payment card fraud originating from one of its customers – an oil and gas company that operated a number of petrol stations in the US.
Four petrol stations were found to be showing the same fraud pattern, but although systems were openly accessible from the Internet, network and endpoint forensics determined that there was no evidence of an external source of point-of-sale (POS) intrusion. All connections via these systems could be accounted for, and there was no evidence that card skimmers had been used at cash registers or at the pumps. Clearly, something else was happening. But what?
Verizon worked with the police and the oil and gas company to install evidence traps that included keystroke logging, file integrity monitoring with alerting, and playback recording of remote sessions. An alarm was tripped within days.
Verizon found that the vendor contracted for IT and POS support had connected via Remote Desktop over a virtual private network (VPN) to the payment processing server. The person at the other end of the session checked that there were no other active logins, then set the system clock forward by two years and copied cleartext authorisation requests from each fuel pump – including magnetic stripe sequences, which could be used to commit payment card fraud – before setting the clock back to the correct date and time. The next night – a Saturday – another alert was tripped when a similar intrusion occurred. The police were informed, and paid a visit to the vendor’s support centre.
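The clock trick only works if investigators trust the timestamps more than the order in which records were written. As an added example (not code from Verizon, the blog, or the companies involved), the script below walks a constructed audit log in write order and flags the forward jump, every action taken under the false clock, and the backward jump that restores real time; the log format, field names and the one-hour skew threshold are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): one vendor RDP session that moves the
# clock two years ahead, reads and copies files, then restores the correct time.
# Fields: write-order sequence | system timestamp at write | action | user | host
SAMPLE_LOG = """\
1|2016-03-12 22:01:10|rdp_logon|vendor-support|pos-processing-01
2|2016-03-12 22:01:45|list_sessions|vendor-support|pos-processing-01
3|2018-03-12 22:02:03|file_read|vendor-support|pos-processing-01
4|2018-03-12 22:05:40|file_copy|vendor-support|pos-processing-01
5|2016-03-12 22:06:12|rdp_logoff|vendor-support|pos-processing-01
"""

# Assumed threshold: a larger forward gap between consecutive records is treated as a clock change.
MAX_FORWARD_SKEW = timedelta(hours=1)


def parse_record(line):
    seq, ts, action, user, host = line.split("|")
    return {"seq": int(seq), "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "action": action, "user": user, "host": host}


def find_clock_tampering(log_text, max_forward_skew=MAX_FORWARD_SKEW):
    """Walk the log in write order; flag clock jumps and every action taken while skewed.

    The write order (sequence number) is the trustworthy ordering; the timestamp is under
    the control of whoever can change the system clock. Returns one finding per flagged
    record, with the time delta from the previous record.
    """
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    findings, skewed = [], False
    for prev, cur in zip(records, records[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_forward_skew:          # clock moved forward (here: two years)
            skewed, kind = True, "clock_forward"
        elif delta < timedelta(0):            # clock moved back: real time restored
            skewed, kind = False, "clock_backward"
        elif skewed:                          # action performed under the false clock
            kind = "event_during_skew"
        else:
            continue
        findings.append({"kind": kind, "seq": cur["seq"], "action": cur["action"],
                         "user": cur["user"], "host": cur["host"], "delta": delta})
    return findings


if __name__ == "__main__":
    for f in find_clock_tampering(SAMPLE_LOG):
        print(f"{f['kind']:18} seq={f['seq']} action={f['action']} user={f['user']} delta={f['delta']}")
```

The same pass is what a file integrity monitor with alerting gives you in real time: the `file_copy` under the false clock is the event to alert on, and the sequence number ties it back to the remote session regardless of what the timestamp says.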
As it was a Saturday night, there was only one car parked at the office – indicating that a particular member of the helpdesk team was responsible. They popped in for a chat with him.
It transpired that this individual deliberately sought late-night weekend shifts when he’d be the only person on call. He would then connect to customer systems and steal cardholder data, mistakenly believing that he’d be less likely to be caught, and that changing the time on the system would cover his tracks. He was wrong.
As Vormetric’s Insider Threat Report 2015 rightly pointed out, with more and more external suppliers being granted privileged access to client systems, the insider threat no longer applies only to your own staff – your entire supply chain is a potential threat to your security. This is why you need to ensure that your system is secure at all points. If you gather, process or store payment card data, you’ll be obliged to do so by the PCI DSS.
Supply-chain security is a tenet of the international standard for information security, ISO 27001. Once you have achieved certification to the Standard, you can insist that your suppliers do as well. An ISO 27001-compliant information security management system helps protect your valuable data at all points.