AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Encryption Could Have Prevented Heartland Payment Systems Problems?

  • Inactive sniffers
  • Call for end-to-end encryption
  • Heartland is PCI-DSS compliant

One week after Heartland Payment Systems announced what could be the biggest data breach ever, more details are emerging that may lower the chances of it eclipsing TJX.  In related news, Heartland is also calling for end-to-end encryption to prevent similar breaches in the future.  No doubt, this is a company that believes in the power of data encryption.

Inactive Malware - But Inactive Since When?

A spokesperson for Heartland has told Digital Transactions News that the malware program at the root of all the hubbub was "inactive."  That's right folks, the sniffer program that was supposed to have recorded and stolen millions of credit card numbers was not active.

Or rather, it was not active when they found it this January.  While there is no concrete evidence of when it may have been installed, investigators think the sniffer may have been planted as far back as May.  Heartland was alerted about suspicious activity in late October.  Obviously, they don't know when the sniffer was deactivated.

It's pretty clear, though, that it was active at some point.  Otherwise, Heartland wouldn't have been aware of the breach at all: it was MasterCard and Visa that alerted them to the "suspicious activity."

CEO Calls For End-To-End Encryption

Heartland is PCI-DSS compliant.  Of course, there's plenty of criticism that PCI is a little too subjective, but being in compliance usually means a company has at least the bare minimum in terms of data security.  If you'll recall, TJX was not compliant at the time of its breach announcement.

The problem with security policies and standards like PCI is that, ultimately, they're guidelines.  Why?  Because they're usually the minimum set of instructions one has to follow.  Potentially, one could do more--much more--to increase data security.

For example, Heartland could have had end-to-end encryption in place.  Current PCI standards don't require it: PCI DSS calls for cardholder data to be encrypted when it is stored and when it crosses open, public networks, but not while it travels across the processor's own internal network, which is exactly where a sniffer sits.  Heartland fell through that gap. (On the other hand, one could argue that Heartland was a victim of not enough network monitoring.  If the hacker hadn't had access to their network in the first place, end-to-end encryption would be a moot point.)  The CEO of Heartland Payments is calling for industry-wide use of end-to-end encryption.  If the industry doesn't follow, well, at least Heartland will have it: they're already working on something.

Encryption: Gives You Security, Takes A Little Of Your Time

The problem with encryption--if you can call it a problem; I'd just call it "normal" and "obvious"--is that encryption takes time.  How much time?  It depends on the algorithm and the key size: stronger settings generally cost more CPU to encrypt the data, decrypt it, and read it, although for modern symmetric ciphers the penalty is modest (AES-256 runs 14 rounds where AES-128 runs 10, so it is not twice as slow).  And the stronger the encryption, the harder the data is to recover without the key.

Makes sense, right?  What provides more security, a door with one lock or with three locks?  Which door takes longer to lock and unlock?  More security means more time spent on trying to access what's behind that security.

Depending on the application, it may mean less than an extra second, or more than an hour.  It also depends on how much you have to encrypt: one page of text encrypted with AlertBoot's file encryption takes less time to encrypt and decrypt than three pages of text.  Nobody notices, though, because on a modern computer either one takes a blink of an eye.

So, if it's so quick, why doesn't PCI-DSS require end-to-end encryption?  After all, we're talking about a couple of lines of data per transaction.

I don't know why PCI-DSS opted not to require end-to-end encryption.  I suspect it's because it slows down business overall.  With millions of transactions a day, shaving one second off each one translates into plenty of saved time.  You may not notice it yourself at the supermarket counter--after all, what's one second out of your 24 hours?--but the company certainly notices the cascading effect of that extra second per customer.
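To put a number on "a blink of an eye," here is an added example (written for this page, not code from AlertBoot or Heartland) that seals a single card-swipe-sized record with AES-GCM under a 128-bit and a 256-bit key, measures the cost of one encrypt-plus-decrypt round trip, and scales it to a processor's daily volume.  The record is a constructed Track 2-style string using the well-known test PAN, the keys are random, and the ten-million-transaction daily volume is a hypothetical figure for illustration.  Go's standard library carries AES and GCM, so nothing beyond the toolchain is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// sampleRecord is a constructed Track 2-style string of roughly the size a
// POS terminal sends toward the processor per swipe. It is test data built
// around the classic 4111... test PAN, not a real card.
const sampleRecord = ";4111111111111111=2512101123456789?"

// newAEAD builds an AES-GCM AEAD. A 16-byte key selects AES-128, a 32-byte
// key selects AES-256; any other length is rejected by aes.NewCipher.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals one record under key and returns nonce||ciphertext||tag.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce ends up in front.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord. GCM verifies the tag, so a modified
// ciphertext or a wrong key yields an error rather than garbage plaintext.
func decryptRecord(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// perRecordCost encrypts and decrypts record `iterations` times and returns
// the mean wall-clock cost of one round trip, key schedule included.
func perRecordCost(key, record []byte, iterations int) (time.Duration, error) {
	if iterations <= 0 {
		return 0, errors.New("iterations must be positive")
	}
	start := time.Now()
	for i := 0; i < iterations; i++ {
		sealed, err := encryptRecord(key, record)
		if err != nil {
			return 0, err
		}
		if _, err := decryptRecord(key, sealed); err != nil {
			return 0, err
		}
	}
	return time.Since(start) / time.Duration(iterations), nil
}

func main() {
	key128 := make([]byte, 16)
	key256 := make([]byte, 32)
	if _, err := rand.Read(key128); err != nil {
		panic(err)
	}
	if _, err := rand.Read(key256); err != nil {
		panic(err)
	}
	record := []byte(sampleRecord)
	const iterations = 200_000
	c128, err := perRecordCost(key128, record, iterations)
	if err != nil {
		panic(err)
	}
	c256, err := perRecordCost(key256, record, iterations)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-128-GCM: %v per record (encrypt+decrypt)\n", c128)
	fmt.Printf("AES-256-GCM: %v per record (encrypt+decrypt)\n", c256)
	fmt.Printf("AES-256 relative to AES-128: %.2fx\n", float64(c256)/float64(c128))
	// Hypothetical daily volume of ten million transactions, for scale only.
	fmt.Printf("ten million records at AES-256: %v of CPU time\n", c256*10_000_000)
}
```

On a machine with AES hardware instructions both figures land in the low microseconds and the 256-bit key costs only a fraction more than the 128-bit one, which is the point of the paragraph above: the per-swipe cost is invisible to the shopper, and it is the multiplication across millions of transactions, plus the key management around it, that a processor actually budgets for.  The numbers here cover CPU time only; a real deployment also pays for getting keys to terminals and back, which this example does not model.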

Related Articles:
http://www.digitaltransactions.net/newsstory.cfm?newsid=2068
http://www.smartbrief.com/news/aicpait/storyDetails.jsp?issueid=8695A856-38F8-4106-941A-131F38430F4D&copyid=5CA7F860-ED98-4035-9F04-A69D6A29FEB4


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.