Trustwave Card Compromise Investigation - Bank Paying
IR-BankPayFrn

Made by Trustwave
Trustwave is the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world. Trustwave has helped thousands of organizations — ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets.



Code: IR-BankPayFrn
Trustwave Card Compromise Investigation - Bank Paying
Price: £200.00 ex VAT (£240.00 inc VAT)

Description

Compromised! Now What?

Learning your sensitive data has been compromised, and that you are required to undergo an investigation, can be a worrying and potentially complicated experience. Perhaps your credit card processing bank has contacted you, indicating that you need an investigation. Or you have detected an intrusion within your processing environment and need to understand the extent of the compromise. No matter how you found out, Trustwave is here to help.

Trustwave’s SpiderLabs Expertise and Experience

SpiderLabs is the advanced security team within Trustwave focused on incident response and application security testing. SpiderLabs has performed hundreds of incident response investigations, thousands of penetration tests, and hundreds of application security tests. With more than seven years of service, Trustwave’s SpiderLabs is uniquely positioned to help many organizations respond to and resolve a variety of security incidents. Our QIRAs are experienced security professionals, with career experience ranging from corporate information security and security research to federal and local law enforcement. Trustwave’s SpiderLabs is a member of FIRST, the global Forum for Incident Response and Security Teams. FIRST is the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to respond to security incidents more effectively, both reactively and proactively.

How the Bank Knew

If your bank has contacted you, it’s likely you have been flagged as what is called a Common Point of Purchase (CPP). This means that a certain percentage of credit cards that have experienced fraudulent activity have been processed through your payment environment. When a CPP Report is issued from the Payment Brands (i.e., Visa Inc., MasterCard Worldwide, American Express, Discover Network and JCB), it is sent to your processing bank, who then contacts you. Regardless of how the breach occurred, you are now required to enlist a Qualified Incident Response Assessor (QIRA) to identify the details of the breach and the necessary remediation activities. What follows is an explanation of the investigative process and what you can expect.

The Investigative Process

It is in your best interest to cooperate fully with the investigation and move through this process in a timely manner. The reasons for doing so include:
• If there has been a breach, you need to immediately contain the damage and limit exposure (see “How to Contain Damage and Limit Exposure”). Allowing an additional one or two days, weeks or months could prove to be very costly. You may damage your reputation and you could potentially be responsible for fraudulent charges.
• Fines or penalties are passed down at some point. Hindering efforts to contain the compromise will not help you, and may cause fines to increase.
• If an intrusion took place, you want to preserve the evidence as soon as possible. As the computer system continues to operate, valuable evidence is likely being destroyed or tainted. Being able to quickly pinpoint a defined window of intrusion is in your best interest.

Choosing Trustwave

If Trustwave has been selected as your incident response service provider, the process will begin with a signed Statement of Work. A QIRA will then be assigned to the case and will contact you, usually the same day the case is assigned. The assigned QIRA will guide you through this process, working to ensure the experience is as painless as possible. Trustwave QIRAs don’t just perform investigations; they act as your advisor. QIRAs are also often able to assist in communicating with the bank, card brands or acquirer. Once a QIRA has been assigned to your case, they will contact you to ask questions about the case, answer any questions you may have and identify an acceptable time for an on-site visit.

Understanding the Relationships: In this whole process, it’s important to be aware of how all of the relationships work to understand issues such as liability and responsibility. Let’s look at your relationship with your bank: you have a contract with them, not Visa and MasterCard. Your bank has a direct relationship with Visa and MasterCard, not you. This makes the bank responsible for ensuring you are compliant with PCI DSS, not Visa or MasterCard. Discover and American Express are different, and you probably have a direct relationship with them since they act as both the processor and the card brand. In this situation, you would need to report compliance directly to them.

On-site Investigation

Trustwave is required by the card brands to be on-site within five business days from the time we are assigned the case, regardless of where you are located. Once on-site, the QIRA will meet with you to discuss the case further, addressing any concerns and questions. Understanding that the compromise is a sensitive topic, the QIRA will not share any information with anyone while on-site. QIRAs also attempt to blend in with regards to attire. Should an employee ask what we are doing, a typical response would be, “Just working on the computers.” QIRAs will need physical access to the suspect systems and will require administrator user names and passwords. Once access is provided, little ongoing effort may be required on your part. In a more complex network environment, the QIRA might request that one of your IT personnel be on-site to ensure everything is properly identified and adequate access to the required systems is gained.

The Real Work Begins

The QIRA will review your environment, perform live analysis and create copies of the hard drives of systems that are suspect. Systems are most often copied live, meaning you don’t have any downtime, and Trustwave QIRAs understand the need for business to continue normally. If downtime is required for some reason, it will be scheduled at a time that would least impact your business, regardless of the time of day.

How Long Will You be On-site?

There are many factors impacting how long a QIRA will be on-site. The age of the systems, hard drive size and number of systems all play an important role in determining time on-site. For a small retail environment, Trustwave’s QIRA may be on-site for the length of a typical workday. During this time we will make every effort to keep your business running normally.

Live Analysis

While on-site, the QIRA performs a live analysis; this could include but is not limited to memory, malware, timeline, file and log analysis. As a result of this analysis, the QIRA will likely have a sound theory about what happened before they leave your business. If the appropriate contact or manager is on-site, these findings will be conveyed. Before the on-site is completed, the QIRA will make you a copy of the evidence acquired. This copy is for your records in the event that any legal or law enforcement actions take place.

Initial Remediation

Once the system’s hard drives have been imaged, you can begin your remediation, as well as start to correct outstanding security deficiencies. In most situations, there are many security deficiencies that need to be corrected, and being well organized will help you as you complete this process. You should generate a list or spreadsheet of all deficiencies and provide a date when each deficiency was corrected or a target completion date. It is helpful to provide your bank with a weekly status report until all deficiencies are remediated, and this remediation status document will aid this effort (see the “Remediation” section on the next page for more on how this document can help).

Off-site Investigation

When the on-site investigation has been completed, your QIRA will head back to a Trustwave SpiderLabs facility, where they will have access to state-of-the-art hardware and software tools to complete the investigation. At the SpiderLabs facility, your QIRA will back up the evidence and work from a copy of the evidence. The original evidence will then be stored securely in a fireproof vault with secure access controls in place. All Trustwave SpiderLabs team members are certified Qualified Security Assessors (QSAs) and are required to follow strict QIRA guidelines (Visa provides detailed requirements in “What to do if compromised,” available online as a PDF: http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf). As a requirement, a preliminary report is to be issued no more than five days from the time we arrive at our facility. Preliminary reports may be six or more pages in length, but may vary according to the depth of the breach. The contents of the report include what the QIRA currently knows about the case and a suspected cause summary. However, this information could change as the investigation continues.

The Final Report

The final report contains all findings of the investigation; at this point, the active investigative portion of the case is considered closed. Final reports are issued about two weeks from the issuance of the preliminary report, although the scope of the investigation can affect delivery times. Final reports vary in length; a final report for a small single site, such as a restaurant, may be between 20 and 35 pages. The report will include:
• System and network deficiencies
• Findings
• Timeframe of exposures
• Windows of intrusion
• Number of cards at risk
• Outstanding security remediation efforts

All of this information is required by your bank and the card brands.

Are the Perpetrators Ever Apprehended?

Yes. At your request, Trustwave will reach out to the appropriate authorities. We commonly work with police, the FBI and local law enforcement. When actionable intelligence is gathered during the investigation, the involvement of law enforcement can assist with apprehending the individuals responsible for the breach.

How to Contain Damage and Limit Exposure
• Do not access or alter compromised system(s)
• Do not log on this system or change passwords
• Do not turn the compromised system off; isolate the compromised system from the network
• Preserve logs
• Log all actions taken
• For a wireless network, change the Service Set Identifier (SSID) on the wireless access point (WAP) and other systems that may be using this connection (with the exception of any systems believed to be compromised)
• Be on high alert and monitor traffic on all systems with cardholder data

Who Receives Reports?
As a QIRA, Trustwave SpiderLabs is required to release all reports to all parties involved; typically the reports are issued at the same time to you, your bank and all affected card brand organizations. In summary, the investigation will result in two formal reports, a preliminary report and a final report.

The Final Call
Once the final report is issued, your bank will schedule a final call. This conference call includes all parties involved: you, your bank, the QIRA and the affected card brands. This gives all parties a chance to ask questions about the final report and to understand the status on outstanding remediation efforts.
Final calls are typically scheduled to take place within a week or two from the issuance of the final report. The bank sends out potential dates and times with the goal of attaining 100% attendance. Once attendance is attained, a conference call number and code will be e-mailed to you. Prompt attendance is critical; the review of the report cannot begin until all parties are present.


Life After the Final Call

At this point, your contact to obtain additional information should be your bank. By now you should have already provided your bank with the status of outstanding remediation. Each bank is different, but they typically like to see weekly remediation status. The bank’s goal is to ensure you are compliant with the PCI DSS as quickly as possible. You don’t want to be fined for not performing the required remediation.


Remediation
Being compliant with PCI DSS requirements is a continuous process and requires due diligence.


Tracking Remediation Status
Prior to the final call, you should create a remediation status document that includes a remediation plan and timeline. A good place to start is the list of common security deficiencies on the next page. It provides a high-level overview of the PCI DSS requirements and common areas of compromise. The remediation status document should contain the deficiency, completion status and projected completion date. It’s good to start on this as early as possible so you can track what’s being done and when. Some items are easy to correct and could happen right away, and some items might need more planning and take some time. Also, as part of our investigation services, Trustwave provides you with 12 months of TrustKeeper access. TrustKeeper is an on-demand, Web-based compliance and vulnerability management tool. Enrolled businesses use TrustKeeper to access reports to support compliance and remediation activity.


Reporting to Your Bank
Your bank is going to want to see the remediation status document to ensure compliance, probably on a weekly basis. We strongly recommend providing it to them prior to the final call; not only does it show you are being proactive, but it also helps the bank appear informed to the card brands. Additionally, it provides us the ability to say an aggressive remediation plan is underway and we don’t have to go over all points on the final call, since both the bank and the card brands already have the plan.


Additional Documents Your Bank May Request
Subsequent to the closing of this investigation, your merchant bank will most likely request the submission of several completed documents in order to satisfy PCI DSS compliance requirements:
• Passing TrustKeeper Vulnerability Scan Report
• Completed Self-Assessment Questionnaire (SAQ)
• Completed Attestation of Compliance (AOC)


In order to complete the first two documents, it is important that you register and log in to the TrustKeeper Web portal: https://www.trustkeeper.net. Instructions have previously been e-mailed to you. Once you have established access, you will be able to schedule an external vulnerability scan of your environment and complete the Self-Assessment Questionnaire (SAQ). The Passing TrustKeeper Vulnerability Scan Report and SAQ can then be downloaded and supplied to your bank. The Attestation of Compliance (AOC) document must be downloaded from a separate Web site: https://www.pcisecuritystandards.org/saq/index.shtml.

Conclusion
By now you should have a good idea of what to expect during the investigation and remediation process. You will receive or be responsible for several items, including:
• Copy of evidence acquired
• Preliminary Report
• Remediation Status Document
• Final Report
• Final Call
• Passing TrustKeeper Vulnerability Scan Report
• Completed Self-Assessment Questionnaire (SAQ)
• Completed Attestation of Compliance (AOC)


The Final Call Process

Final calls typically last between 30 and 45 minutes and will follow these steps:
1. You should dial in 5 minutes early.
2. Your bank will take roll call once everyone has arrived.
3. Your bank then will hand the call over to the QIRA.
4. The QIRA will review highlights of the report.
5. The QIRA will ask you for a status on outstanding remediation efforts. If you have submitted the remediation status document to your bank prior to the final call, you won’t have to answer as many questions on the call; we can simply say there is a comprehensive remediation plan and completion dates in place. If you haven’t sent a remediation status document, we have to go through all of the remediation items in the report, the status of each item and proposed completion dates.
6. The call will end with a request for questions. If you have any questions, you should ask your QIRA prior to the final call. If you have questions with regards to fines or penalties, this is not the forum; this should be done on a separate call with your bank.


About Fines
We do not speak in absolutes in regards to fines. Fines may be levied 30 to 90 days after the close of investigation; this information is typically NOT shared with Trustwave. There are two types of fines: noncompliance and fraud recovery. For more information on fines, please contact your bank.


Continuous PCI DSS Compliance

The PCI DSS requirements can be a little overwhelming, and chances are you might not fully understand some of the requirements. Don’t worry, you’re not alone. Your first step in becoming compliant should be identifying the person who’s going to head up this process. This person should be someone with some technical skills who understands or can interpret the PCI DSS guidelines. If you use an outside IT service provider, do not assume they know what PCI DSS is or that they have built your payment environment around PCI DSS guidelines. In a majority of our cases, it’s all too common to hear: “But I pay them to handle my network and security.” Please be aware that outsourced IT service providers also need to be PCI DSS compliant; it’s required! They should be able to supply you with documentation to support this. If you need assistance in becoming PCI DSS compliant, Trustwave does offer a variety of services that will aid in the process to help ensure full and continuous compliance.


Common Security Deficiencies


In looking at the different ways that restricted cardholder data is acquired, there are two primary types of compromises:

Stored Data: Once a system is compromised and the intruder realizes that it’s a payment environment, the first thing they do is look for stored data. Some older non-compliant payment applications actually stored the credit card information locally in the database. This makes it particularly easy for someone to walk away with tens of thousands of credit card numbers very quickly.

Data in Transit: This is when data is traveling from point A to point B; we’ll look at several methods of compromise:
• A network ‘sniffer’: malware that captures card data while it traverses the network.
• Keylogger: malware that captures keystrokes. It is normally found on POS terminals, since card swipers interface just like keyboards. When a card is swiped, the full magnetic stripe (track data) is captured in transit and stored.
• Memory parser: a more recent type of malware, typically found on the processing server or POS terminal. When a card is first accepted (swiped) or processed (accepted by the processing server) it is not encrypted in memory; it’s vulnerable. This type of software dumps parts of memory (processes) to disk and parses them for card data. This is a very effective method of extracting card data even from a PA-DSS validated payment application.

Some people are probably asking themselves right now, “So if a memory dumper is just as effective against a validated payment application, how am I supposed to protect myself?” This is why the Payment Card Industry Data Security Standard (PCI DSS) isn’t just about the storage of restricted cardholder data; it encompasses all security measures in general.


Top 10 Vulnerabilities Leading to Compromise

1. Remote Access Applications: Accessing computers remotely can save time and money, but can be very risky if not implemented securely. Limiting access by both location and time can help mitigate external attacks.
2. Passwords: Weak passwords are easily detectable by hackers. PCI DSS requires passwords to be at least seven characters with at least one upper-case character, one lower-case character and one special character.
3. Firewalls: Firewalls serve as filters for network traffic; without them, intruders can easily access your network.
4. Encryption: Not all devices apply appropriate encryption, especially older point-of-sale (POS) systems and other devices.
5. Improper Network Segmentation: You want the least number of systems connected to the payment environment, so that if a non-payment related system (let’s say accounting) is compromised, the compromise does not spread to the payment environment.
6. Weak or Default User Names and Passwords: It is very common for service providers to leave the default user name and password. Having accounts like “user:user” or “admin:admin” leaves you susceptible to intrusion.
7. No Anti-virus: Not updating the signatures is as bad as not having any anti-virus at all.
8. Surfing the Web: Many environments are not properly segmented or allow web surfing on terminals. There should not be any untrusted network connections to the payment processing environment. Surfers often pick up viruses or backdoor Trojans that directly lead to the compromise.
9. Leaving Remote Access Ports Open: Leaving pcAnywhere or VNC ports open and having the software always listening is an open invitation to an attacker. These applications can often be brute-forced, i.e., a program tries a large number of passwords until the right one is found.
10. Not Updating Windows: If you don’t keep the operating system current, intruders could use known Windows vulnerabilities to gain remote access.


Useful Links
American Express: https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=home&merch_van=datasecurity
Discover: http://www.discovernetwork.com/fraudsecurity/disc.html
JCB: https://www.jcb-global.com/english/pci/index.html
MasterCard: http://www.mastercard.com/us/merchant/pdf/Security_Rules_Merchant_10_17_08.pdf
PCI Security Standards Council: https://www.pcisecuritystandards.org/
Visa: http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html, http://www.visaeurope.com/aboutvisa/security/ais/incaseofcompromise.jsp
