Data Security Alert: Network Vulnerabilities for Financial Institutions

Visa's Fraud Investigations and Incident Management group has released a data security alert for financial institutions. It cautions that attackers are targeting web-facing systems that may be vulnerable to breach, in order to steal cardholder information and introduce malicious software (malware) into internal networks. Visa has documented the following activity in successful penetration incidents:

  • Establishing continuous remote access to the internal network through a 'back door'
  • Compromising internal systems passwords using a password-cracking system
  • Mapping the internal network infrastructure

They make the following recommendations to guard against these threats:

  • Failure to use a Network-Based Intrusion Detection System -  Network-based intrusion detection systems (NIDS) monitor network traffic to distinguish normal activity from abnormal or suspicious activity that may indicate an attack. Early detection of a network compromise is difficult without adequate network monitoring and intrusion detection capability. Risk Impact: Without the means to detect suspicious network events, a compromise can remain undetected. Risk Mitigation: In conjunction with full compliance with the Payment Card Industry Data Security Standard (PCI DSS) and a robust security monitoring strategy, deploying NIDS lets suspicious events be detected early enough to investigate and contain them. Suspicious events that may be symptoms of a successful compromise include:
      • Unexpected outbound transmission of sensitive data
      • Network connections originating from internal critical systems that would not normally communicate outside the network, including connections to untrusted networks and the Internet
  • Failure to utilize a Host-Based Intrusion Detection System -  Host-based intrusion detection systems (HIDS) monitor the behavior of individual hosts to distinguish normal activity from abnormal or suspicious activity. A key function of HIDS is to detect activity caused by malware, packet sniffers or rootkits by monitoring the host's own processes and its incoming and outgoing connections, checking the integrity of critical system files and directories, and watching for suspicious processes and executables. HIDS can also monitor the use of system accounts with elevated or administrative privilege; unexpected use of such accounts is often a sign of a larger compromise. Risk Impact: Without the means to detect suspicious events on a host or changes to critical files, unauthorized access by a user or by malware can remain undetected. Risk Mitigation: Implement HIDS on critical systems, particularly those in the flow of payment card data, to monitor for suspicious or anomalous events.
  • Improperly segmented network environment -  Payment card account information can be compromised at financial institutions or merchant locations that lack proper network segmentation between the systems that handle card data and the rest of the network. For more information, please refer to the October 31, 2006, Visa Data Security Brief, Improperly Segmented Network Environment, available online.
  • Poorly configured ingress and egress firewall rules -  Firewall ingress (inbound) and egress (outbound) rules that are misconfigured or left at their default configurations are a significant vulnerability; permissive egress rules in particular are what let a compromised internal system reach an attacker's infrastructure or send data out. For more information on ingress and egress firewall rule misconfiguration, please refer to the Visa Business Review article (Issue No. 070911), Visa Identifies Top Network Vulnerabilities to Promote Data Security Awareness, available at https://www.us.visaonline.com.
  • SQL injection -  A review of recent data security breaches suggests that Structured Query Language (SQL) injection attacks on e-commerce Web sites and Web-based applications that manage card accounts (e.g., PIN updates, monetary additions, account holder updates) have become more prevalent. SQL injection is possible whenever an application builds a SQL statement by concatenating untrusted input into the query text; the alert attributes the attacks primarily to applications that lack input validation checks, unpatched Web servers and poorly configured Web and database servers. Parameterized queries (prepared statements) remove the root cause, while input validation, patching and least-privilege database accounts limit what an attacker can do with any injection that remains. These attacks pose serious additional risks to cardholder data stored or transmitted within systems and networks connected to the affected environment.
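
The two suspicious events listed under the NIDS recommendation, and the egress side of the firewall bullet, come down to one question: which internal hosts are talking to the outside, and how much are they sending? The following Python script is added here as an illustration and is not taken from the Visa alert or from Braintree. It runs that check over a handful of constructed flow records. The internal address ranges, the critical-host inventory, the egress allowlist, the byte threshold and the log format are all assumptions made for the example; a real deployment would take them from the asset inventory, the firewall policy and the sensor's export format.

```python
"""Flag outbound flows that a NIDS (or flow-log review) should raise.

Added example for this post, not code from the Visa alert or from Braintree.
Host inventory, egress allowlist, threshold and log format are all assumed.
"""
import ipaddress
from collections import defaultdict

# Assumed: the organisation's internal address space (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed inventory: systems in the card-data flow that should never initiate
# connections outside the internal network (e.g. card database, PIN service).
CRITICAL_HOSTS = {"10.10.1.20", "10.10.1.21"}

# Assumed egress policy: the only (destination, port) pairs a critical host may
# reach directly, e.g. the payment processor's gateway.
EGRESS_ALLOWLIST = {("203.0.113.10", 443)}

# Assumed threshold for "unexpected outbound transmission", bytes per source host.
OUTBOUND_BYTES_THRESHOLD = 5_000_000

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto,bytes_out
FLOW_LOG = """\
10.10.1.20,51000,10.10.1.5,1433,tcp,120000
10.10.1.21,51234,203.0.113.10,443,tcp,80000
10.10.2.30,52000,198.51.100.50,443,tcp,20000
10.10.1.20,53333,198.51.100.77,443,tcp,6200000
10.10.1.21,53444,198.51.100.78,22,tcp,1500
"""


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed CSV flow format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def find_suspicious_flows(flows):
    """Return (reason, detail) pairs for the two symptoms the alert lists.

    1. A critical host initiating a connection to an external destination that
       is not on the egress allowlist (any port, any protocol).
    2. Any internal host whose total bytes sent to external destinations
       exceeds the threshold (the 'unexpected outbound transmission' case).
    """
    alerts = []
    egress_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        egress_bytes[f["src"]] += f["bytes"]
        if f["src"] in CRITICAL_HOSTS and (f["dst"], f["dport"]) not in EGRESS_ALLOWLIST:
            alerts.append(("critical host initiated external connection", f))
    for src, total in egress_bytes.items():
        if total > OUTBOUND_BYTES_THRESHOLD:
            alerts.append(("unexpected outbound volume", {"src": src, "bytes": total}))
    return alerts


if __name__ == "__main__":
    for reason, detail in find_suspicious_flows(parse_flows(FLOW_LOG)):
        print(f"{reason}: {detail}")
```

On the constructed records the script raises three alerts: the card database reaching an unlisted address on 443, the PIN service opening an SSH session to the outside, and the card database's 6.2 MB outbound total. The workstation's ordinary HTTPS session produces nothing, and the PIN service's allowlisted connection to the processor gateway produces nothing. Any hit in the first category is actionable on its own: a system in the card-data flow has no business opening a connection to an unlisted external address, whatever the port. The volume rule is a blunt instrument that needs a per-host baseline; it is here to show that the check the alert describes is a sum over flows, not a per-packet signature.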

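The PIN-update case the alert mentions is a good place to see why concatenation, rather than a missing input check, is the root cause of SQL injection. The following Python program is an added example, not code from Visa or Braintree. It uses an in-memory SQLite database with a constructed accounts table; the account identifiers and PINs are made up. The same payload is run against a handler that concatenates and against one that parameterizes.

```python
"""SQL injection in a card-account PIN update: concatenated vs parameterized.

Added example for this post, not code from the Visa alert or from Braintree.
The schema, account identifiers and PINs are constructed; the database is an
in-memory SQLite instance so the example runs offline.
"""
import sqlite3


def make_db():
    """Constructed accounts table with three made-up account identifiers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_id TEXT PRIMARY KEY, pin TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("4111-0001", "1234"), ("4111-0002", "5678"), ("4111-0003", "9012")],
    )
    conn.commit()
    return conn


def update_pin_vulnerable(conn, account_id, new_pin):
    """The pattern the alert warns about: user input spliced into the statement text.

    Whatever the caller supplies as account_id becomes part of the WHERE
    clause, so a quote in the input rewrites the condition itself.
    """
    sql = "UPDATE accounts SET pin = '%s' WHERE account_id = '%s'" % (new_pin, account_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed


def update_pin_safe(conn, account_id, new_pin):
    """Parameterized statement plus an input check.

    The driver sends the two values separately from the statement text, so
    they can only ever be compared or stored, never parsed as SQL. The PIN
    format check is defence in depth, not the thing that stops the injection.
    """
    if not (new_pin.isdigit() and len(new_pin) == 4):
        raise ValueError("PIN must be exactly four digits")
    cur = conn.execute(
        "UPDATE accounts SET pin = ? WHERE account_id = ?", (new_pin, account_id)
    )
    conn.commit()
    return cur.rowcount


def current_pins(conn):
    """Snapshot of account_id -> pin, used to show what each handler did."""
    return dict(conn.execute("SELECT account_id, pin FROM accounts ORDER BY account_id"))


# A payload that closes the string literal and makes the WHERE clause always true.
INJECTED_ACCOUNT_ID = "4111-0001' OR '1'='1"


if __name__ == "__main__":
    vulnerable = make_db()
    n = update_pin_vulnerable(vulnerable, INJECTED_ACCOUNT_ID, "0000")
    print("vulnerable handler changed", n, "rows:", current_pins(vulnerable))

    safe = make_db()
    n = update_pin_safe(safe, INJECTED_ACCOUNT_ID, "0000")
    print("parameterized handler changed", n, "rows:", current_pins(safe))
```

Run as-is, the vulnerable handler reports three changed rows: every cardholder now has PIN 0000, from a request that named a single account. The parameterized handler reports zero, because it looked for an account whose identifier is literally the payload string. The input-validation point in the alert still matters, but in a different role: with parameterization, validation enforces the PIN's format and the account's business rules; without it, validation is the only barrier, and one missed character class undoes it.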
***
Braintree