Case Studies and Examples of IT Security Policy Framework Approaches

The case studies in this section reflect actual risks that were exploited in the real world. Each case study examines potential causes. By examining these incidents in the context of security policies, you can identify how they might have been avoided.

The case studies examined in this section include:

  • Private sector—Relates to leveraging PCI DSS to prevent credit card data being stolen
  • Public sector—Relates to a breach by an NSA contractor that leaked details on the U.S. intelligence Internet surveillance program
  • Critical infrastructure—Relates to an energy company using COBIT to better control technology growth and business risks
  • Private sector—Relates to an e-commerce example, eBay

Private Sector Case Study

A franchisee of a national hamburger chain in the southern United States was notified by Visa U.S.A., Inc. and the U.S. Secret Service of the theft of credit card information in August 2008. The franchisee had a chain of eight stores with annual revenue of $2 million.

The chain focused on the technology of its point-of-sale (POS) system. The POS system was provided by a leading vendor and allowed for centralized financial and operating reporting. It used a secure high-speed Internet connection for credit card processing. The company determined that neither the POS nor the credit card authorization connection was the source of the breach. Although the POS was infected, the source of the breach was the network. Each of the franchisee’s stores provided an Internet hotspot to its customers. It was determined that this Wi-Fi hotspot was the source of the breach. Although considerable care was given to the POS and the credit card authorization process, the Wi-Fi hotspot allowed access to these systems. The probable cause of the breach was malware installed on the POS system through the Wi-Fi hotspot. The malware collected the credit card information, which was later retrieved by the thief.

This was a PCI DSS framework violation. The PCI DSS framework consists of over 200 requirements that outline the proper handling of credit card information. It was clear that insufficient attention was given to the network to ensure it met PCI DSS requirements. For discussion purposes, the focus is on the network. The PCI DSS outlines other standards that may have been violated related to the hardening of the POS server itself. The following four PCI DSS network requirements appear to have been violated:

  • Network segregation
  • Penetration testing
  • Monitoring
  • Virus scanning

PCI DSS requires that network segments handling credit card data be segmented from other networks. It was unclear whether there was a complete absence of segmentation or whether weak segmentation had been breached. PCI DSS outlines the standards to ensure segmentation is effective. If the networks had been segmented, this breach would not have occurred.

PCI DSS requires that all public-facing networks be penetration tested. This type of testing would have provided a second opportunity to prevent the breach. It would have uncovered weaknesses such as a Wi-Fi hotspot that allowed the public to reach back-end networks.

PCI also requires a certain level of monitoring. Given the size of the organization, monitoring might have been in the form of alerts or logs reviewed at the end of the day. Monitoring could include both network and host-based intrusion detection. Monitoring may have detected the network breach. Monitoring may also have detected the malware on the POS system. Both types of monitoring would have provided opportunities to prevent the breach.

PCI also requires virus protection. It was unclear if this type of scanning was on the POS system. If it was not, that would have been a PCI DSS violation. Such scanning provides one more opportunity to detect the malware. Early detection would have prevented the breach.

The PCI DSS requirements are specific and adopt many of the best practices from other frameworks such as ISO. The approach is to prevent a breach from occurring. Early detection of a breach can prevent or minimize card losses. For example, early detection of the malware in this case study would have prevented card information from being stolen. Some malware takes time to collect the card information, which must then be retrieved. Quick reaction to a breach is an opportunity to remove the malware before any data can be retrieved.

Public Sector Case Study

Another older story, but one that is still quite relevant, is that of Edward Snowden. In May 2013, Edward Snowden, a National Security Agency (NSA) contractor, met a journalist and leaked thousands of documents detailing how the United States conducts intelligence surveillance across the Internet. In June 2013, the U.S. Department of Justice charged Snowden with espionage. Not long afterward, Snowden left the United States and finally sought refuge in Russia. The Russian government denied any involvement in Snowden’s actions but did grant him asylum.

Although this story reads like a spy novel, it raises a number of information security policy questions. For this discussion, it is not important whether Snowden was a traitor, a spy, or a whistleblower. The issue here is the security policies and controls that allowed a part-time NSA contractor to gain unauthorized access to highly sensitive material. This is particularly important because in April 2014, the Department of Defense announced adoption of the NIST standards. Would the Snowden breach have been prevented if the NIST standards had been adopted earlier?

Given the secret nature of the NSA, the full details of how this breach of sensitive data occurred may never come out. However, reports indicate that Snowden worked part time for an American consulting company that did work for the NSA in Hawaii. There he gained access to thousands of documents that detailed how the U.S. government works with telecommunication companies and other governments to capture and analyze traffic over the Internet. The details of the scope and nature of this global surveillance program were not publicly known and were considered secret.

It’s clear from the reporting that Snowden had excessive access; that is to say, he was granted access beyond the requirements of his job. Additionally, reports indicated that he used other people’s usernames and passwords. He obtained these IDs through social engineering. Finally, consider the way in which he accessed and captured the information. Some reports indicate he used inexpensive and widely available software to electronically crawl through the agency’s networks. There are also indications that he removed the information on a USB memory stick.

It is noteworthy that there have been two additional data breaches at the NSA since Snowden, both from insiders. Harold Martin III was indicted in 2017 and accused of taking home thousands of pages of classified documents. In March 2019, Mr. Martin pled guilty and was sentenced to 9 years in prison followed by 3 years of probation. Also in 2017, Reality Winner, an NSA contractor, leaked information about an investigation into Russian interference to newspapers. She pled guilty in 2018 and received a 5-year sentence. What these two cases illustrate is that the agency had not made sufficient corrections since the 2013 Edward Snowden case. Any organization must take a frank and honest look at its security failures. That is the most effective way to learn from those mistakes. Failure to do so can lead to the same security breaches being repeated in the future.

FYI

Social engineering refers to the use of human interactions to gain access. Typically, it means using what amounts to sales techniques to trick an individual into granting access to something you should not have. For example, you might ask to borrow someone’s keycard to use the restroom but instead use the keycard to access the data center. Or perhaps you might ask for someone’s ID and password to fix his or her computer, and then later use those credentials to access customer information. Or, an outside attacker can use persuasion to convince someone to violate some aspect of security policy.

There were clear NIST framework violations in the Edward Snowden case. For purposes of this discussion, the focus is on the network and social engineering. NIST publications outline other standards that were violated, such as effective security management and oversight.

The following four NIST framework network policies were clearly violated:

  • Sharing of passwords
  • Excessive access
  • Penetration testing
  • Monitoring

It’s never a good idea to share passwords. This would be a clear violation of security policy, especially by anyone handling classified data. Additionally, the level of access must be considered a policy violation. Any security framework generally prohibits granting access not related to the individual’s job function. It’s clear from the volume of material involved in the Snowden affair, and its classified nature, that the access he was granted was excessive for the role he performed.

The NIST framework also outlines the guidance on penetration testing. Penetration testing, if done by a competent penetration tester, can be an effective way to measure compliance with security policies. This type of testing and assessment would provide another opportunity to correct the network control deficiencies prior to a breach.

The NIST framework outlines the requirements for effective network monitoring. They require logs to be reviewed in a timely manner. Log reviews are a detective control and are essential in identifying potential hackers. Keep in mind that Snowden scanned the internal network for months while downloading vast amounts of data. Hackers tend to probe a network for weaknesses prior to a breach. Assume that some of the links the web crawler attempted to access resulted in an access violation. These violations would have been an indicator of a potential breach in progress. This type of monitoring would have provided another opportunity to correct the network control deficiencies and identify Snowden as an internal hacker.

Finally, consider the lack of controls that allowed Snowden to remove so many documents on a USB memory stick. This unusual activity could have been prevented or, at a minimum, detected, given the volume of material extracted—especially given that many organizations have in place additional controls to monitor contractor activities.

Some of the specifics of the Snowden breach may never be known to the public. Nonetheless, a security policy framework must be a comprehensive way of looking at information risks and ensuring there are layers of controls to prevent data breaches. This case is typical of a breach occurring over many months, indicating the breakdown of multiple controls. It represents both a lack of effective security policies and lost opportunities to detect a breach over several months.

E-Commerce Case Study

In March 2014, eBay noticed an unexpected database session on its servers. The session was scanning password files. Later, eBay disclosed that users’ credentials for 145 million users had been compromised. This is a substantial issue for a company whose entire business model is based on e-commerce. According to eBay, the data stolen did not include credit card information.

The company discovered the breach by first noticing several anomalies on the corporate network. The investigation discovered that the attackers had used employees’ passwords to gain initial access to the network. Analysis of the attack indicates attackers may have been in the network for two months or more before a breach was detected. Analysts have speculated that the entire attack may have started with spear phishing campaigns to get employees’ credentials.

There are policies that would have, if implemented and adhered to, either prevented this breach or mitigated it substantially:

  • Two-factor authentication could have prevented this breach. Even if an attacker obtains a user’s password, two-factor authentication would prevent the attacker from gaining access.
  • More robust monitoring and alerting of network anomalies would have alerted eBay to the issue much sooner.
  • More robust employee education and email policies might have prevented the original spear phishing campaign from being successful.

This case illustrates the pressing need for good security policies that are enforced. Certainly, a wide range of standards apply to eBay, including PCI DSS. It is equally clear that these standards were not adhered to.

Critical Infrastructure Case Study

A more recent example is from August 2019. A story broke regarding a former U.S. Department of Energy contractor named Gary Peter Simon, who was accused of accessing the network two months after his contract expired. Mr. Simon was accused of accessing cloud storage, destroying files, altering files, and altering other accounts. Mr. Simon did plead guilty to one count of “intentionally accessing a protected computer without authorization and recklessly causing damage resulting in loss of more than $5,000 during one year.” He had accessed the Department of Energy’s Strategic Petroleum Reserve Office (SPRO). As of this writing, he has not yet been sentenced.

The real issue with this story is that proper policies and a properly applied security framework would have entirely prevented this incident. This incident is an ideal case study of why policies are important and how they must be applied.

  • An off-boarding process to ensure all access has been revoked for exiting employees would have mitigated this situation.
  • Cancelling all access for exiting employees and contractors would have completely prevented this situation.
  • A robust Intrusion Detection/Intrusion Prevention System (IDS/IPS) that detects anomalous login attempts (such as those from people no longer authorized) would have identified this situation earlier.

This is a classic case of policies not being implemented properly. Because this was a government office, it was supposed to be applying FISMA, NIST, and related standards. It is clear in this situation that security policies were not followed.
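The two detective controls discussed in the Snowden and SPRO cases, log review for access violations and detection of activity by accounts that should have been revoked, can be expressed as simple audit-log checks. The following is an added example, not from this text or any vendor product; the audit records, account names, paths and contract dates are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed audit records (day, user, action, resource, outcome); not real data.
AUDIT_LOG = [
    ("2013-03-01", "analyst1", "read", "/share/reports/q1", "ok"),
    ("2013-03-01", "analyst1", "read", "/share/hr/payroll", "denied"),
    ("2013-03-02", "contractor7", "read", "/share/ops/a", "denied"),
    ("2013-03-02", "contractor7", "read", "/share/ops/b", "denied"),
    ("2013-03-03", "contractor7", "read", "/share/ops/c", "denied"),
    ("2013-03-03", "contractor7", "read", "/share/ops/c", "denied"),
    ("2013-03-04", "contractor7", "read", "/share/ops/d", "denied"),
    ("2013-03-04", "contractor7", "read", "/share/ops/e", "ok"),
    ("2019-06-01", "ex_contractor", "login", "cloud-storage", "ok"),
    ("2019-08-15", "ex_contractor", "login", "cloud-storage", "ok"),
    ("2019-08-15", "ex_contractor", "delete", "cloud-storage/files", "ok"),
    ("2019-08-16", "ex_contractor", "login", "cloud-storage", "denied"),
]

# Constructed off-boarding roster: account -> last day it was authorized.
CONTRACT_END = {"ex_contractor": date(2019, 6, 15)}


def crawler_indicators(log, min_denied=4, min_resources=3):
    """Users whose access-denied events are both numerous and spread across many
    distinct resources: the trace a crawler leaves when it follows links it is not
    entitled to. One stray denied request (a typo, a stale bookmark) does not trip it."""
    denied_count = defaultdict(int)
    denied_resources = defaultdict(set)
    for _day, user, _action, resource, outcome in log:
        if outcome == "denied":
            denied_count[user] += 1
            denied_resources[user].add(resource)
    return sorted(u for u in denied_count
                  if denied_count[u] >= min_denied
                  and len(denied_resources[u]) >= min_resources)


def post_offboarding_activity(log, contract_end):
    """Successful events by an account after its last authorized day. Any hit
    means off-boarding did not revoke the access it should have."""
    hits = []
    for day, user, action, resource, outcome in log:
        end = contract_end.get(user)
        if end is not None and outcome == "ok" and date.fromisoformat(day) > end:
            hits.append((day, user, action, resource))
    return hits


if __name__ == "__main__":
    print("crawler indicators:", crawler_indicators(AUDIT_LOG))
    print("post-off-boarding activity:", post_offboarding_activity(AUDIT_LOG, CONTRACT_END))
```

Both checks are only as good as the review cadence: run once a day, as the PCI DSS discussion suggests for a small organization, they would still have surfaced a months-long pattern long before the breach was complete.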
