Presented at InnoTech Dallas on May 17, 2012. All rights reserved.

1. How to Rebuild the Controls and
Confidence after Data Exfiltration Occurs
Brian Blankenship
Operations Information Security Officer
Heartland Payment Systems

2. Dump truck racing = InfoSec Career

3. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

4. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

5. Heartland – A Full Service Payments Processor
• Card Processing
• Credit/debit/prepaid cards:
• Process over 10 million transactions a day
• Process over 3.9 billion transactions annually
• Payroll Processing (PlusOne Payroll)
• Check Management (Check 21, ExpressFunds, StopLoss)
• Online Payment Processing
• MicroPayments – Vending, Laundry, Campus Solutions
• Gift Cards and Loyalty Processing
• Heartland Gives Back
5

6. Heartland – Our People
• HQ: Princeton, NJ
• IT: Plano, TX
• 300 employees
• Servicing: Louisville, KY
• 800 employees
• Heartland Cares
Foundation

7. Heartland - 15 Years Ago ... and Today
1997 (1st Trans 6/15/97) Today
• 2,350 clients 255,000 clients
• 25 employees 3000+ employees
• #62 in US #5 processor in U.S.
• $0.4 billion portfolio $68 billion portfolio
7

8. Heartland - Financials
Net Revenue Net Income EPS
1.08
41,840
0.90 383,708
35,870
0.71
28,544 294,771
0.50
245,652
0.26 19,093
186,486
137,796
8,855
2004 2005 2006 2007 2008

9. Heartland – EPS in 2009…
Heartland CEO’s granddaughter

10. Heartland – The Recovery
• 2009
• Total Revenues $1,652 m (up 6.93%*)
• Net Income -52 m (down 224%)
• EPS -1.38 (down 223%)
• 2010
• Total Revenues $1,864 m (up 12.8%)
• Net Income 35 m (up 167%)
• EPS 0.88 (up 163%)
• 2011
• Total Revenues $1,996 m (up 7.1%)
• Net Income 44 m (up 25.7%)
• EPS 1.09 (up 23.9%)
*All percentages year-over-year 10

11. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

12. The Threat
It’s all about the money ….

13. What Happened? – The Penetration
 Very Late 2007 – SQL Injection via a customer facing web page in our
corporate (non-payments) environment. Bad guys were in our corporate
network.
 Early 2008 – Hired largest approved QSA to perform penetration testing of
corporate environment
 Spring 2008 – CEO learned of Sniffer Attack on Hannaford’s , Created a
Dedicated Chief Security Officer Position and filled that position
 April 30, 2008 – Passed 6th Consecutive “Annual Review” by Largest QSA
 Very Late 2007 – Mid-May 2008 – Unknown period but it is possible that
bad guys were studying the corporate network
 Mid-May 2008 – Penetration of our Payments Network

14. What Happened?
The Investigation and The Announcement
 Late October 2008 – Informed by a card brand that several issuers
suspected a potential breach of one or more processors. We received
sample fraud transactions to help us determine if there was a problem in
our payments network. Many of these transactions never touched our
payments network.
 No evidence could be found of an intrusion despite vigorous efforts by HPS
employees and then two forensics companies to find a problem.
 January 9, 2009 – We were told by QIRA that “no problems were found”
and that a final report reflecting that opinion would be forthcoming.
 January 12, 2009 – January 20, 2009 – Learned of breach, notified card
brands, notified law enforcement and made public announcement.

15. Why I came to Heartland…
• The way the breach was handled
• High degree of transparency
• Knew that security would be #1 priority
• Heartland was changing the perception of
breaches, and how they should be handled

16. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

17. PANIC
DENIAL
ANGER
BARGAINING
DEPRESSION
ACCEPTANCE
FIX THE PROBLEM

18. Vectors of Trust
• After any major incident, there are multiple
vectors of trust that have to be rebuilt
– Trust from your customers
– Trust from your investors
– Trust from your own employees
– Trust from your competitors
• Heartland has worked hard to rebuild these

19. The Real Response
 1/20/09 - Call to arms of all Heartland employees to visit clients and talk to
partners
 HPY share price drops from $15.16 on 1/16 to $8.18 on 1/22
 HPY 4Q08 Earnings Call – HPY drops to $3.43 on March 12; a 77.6% drop
since the breach announcement
 3/14/09 – Delisted from Visa list of approved vendors
 4/30/09 – Certified PCI compliant by VeriSign and reinstated on Visa list of
approved vendors
 5/11/12 – HPY Closed at $30.41

20. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

21. Industry Security Advancements
• Chip & PIN (EMV)
– Helps authenticate the card
• Tokenization
– Reduces risk of storing card data
• Both help, but don’t address data
in transit

22. Heartland Approach to E3
• End to End Encryption
E3 Security • Continuous protection of the confidentiality and integrity of
Model transmitted information by encrypting at the origin and
decrypting at the destination.
• Build devices that use Tamper Resistant Security Modules
E3 Device to encrypt payment data at the point of swipe or data entry.
• Collaborate with existing device vendors and encryption
Strategy solution providers.
• Protect cardholder and merchant data wherever it
E3 Data resides on Heartland’s systems.
• Directly influence industry security standards and
Strategy practices to strengthen data protection.

23. Merchant Bill of Rights,
Sales Professional Bill of Rights, Durbin
http://www.spbor.com/
http://www.merchantbillofrights.org/
http://getyourdurbindollars.com/

24. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

25. Key Risk Mitigations
 Data Loss Prevention
 Network and Application Penetration Testing
 Platform Security
 Static and Dynamic Code Analysis

26. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

27. The New Paradigm
• During investigation of Heartland breach
• Found other processors knew of the
breach indicators
• Several had seen or know about them
• No one shared that information
• Started the PPISC (Payment Processors
Information Sharing Council) in 2009
• Charter – bring processors to table
to discuss threat indicators and tactics
• Avoid any discussion on business related topics to avoid
anti-trust
• Everyone brings to table topics that they are seeing through their
various intel sources (internal and external)
27

28. Intelligence Sharing – PPISC
 Malware signatures currently being shared with input of
Secret Service and other agencies
 Participation in threat exercises (CAPP – Cyber Attack
Against Payment Processes)

29. Changes in Breach Perceptions
• For Heartland, the impact was immediate and
very high
• People have come to understand that any
company can be breached
• Acceptance becoming the norm

30. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems
– What Happened in the Heartland Breach
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

31. Targeted Attacks
Is your company a target…?

33. SpyEye: targets financial institutions
northerntrust.com treasury.pncbank.com ssl.selectpayment.com
svbconnect.com onlinebanking.banksterling.com texascapitalbank.com
web-access.com nashvillecitizensbank.com singlepoint.usbank.com
sso.unionbank.com commercial.wachovia.com wellsoffice.wellsfargo.com
mandtbank.com online.corp.westpac.com paymentech.com
appliedbank.com heartlandmerchantcenter.com reporting.worldpay.us
firstnational.com merchante-solutions.com portal.mercurypay.com
1fbusa.com logon.merrickbank.com mybmwcard.com
gotomycard.com cardmemberservices.net nordstromcard.com
statefarm.com tnbonlinebanking.com accountcentralonline.com
chase.com wellsfargofinancialcards.com credit.compassbank.com
rcam.target.com partnercardservices.com accessmycardonline.com
creditcards.citi.com commercebank.com hsbccreditcard.com
neteller.com mypremiercreditcard.com penfed.org
bankofamerica.com hsbc.com huntington.com
usaa.com citibank.com paypal.com

34. Adversary Attributes
• Advanced
• Well funded adversary
• Advanced technical capabilities
• Ability to identify zero-day exploits
• Weaponize exploits
• Trained professionals
• Backing of nation state or organized crime
• Persistent
• Sustained presence with target organization
• Remains undetected
• Takes time needed reach objective and exfiltrate information
• Threat
• Covert threat or alteration of sensitive information
• Political or military advantage
• Strategic or tactical advantage
• Economic advantage or financial gain
34

35. Can a system be completely secure?
“The only secure system is one that is powered
off, cast in a block of concrete and sealed in a
lead-lined room with armed guards – and
even then I have my doubts.”
Gene Spafford – Purdue University

36. Getting in can be easy…

37. The malware code was obfuscated:

38. Encoded: Zero AV Detection

39. Decoded: detected by 8 of 43 AV engines

40. Blackhole Explotation Kit

41. Social Engineering:
• Manipulating people into performing actions
or divulging confidential information
• Pretexting: creating an invented story to
engage a target in a way that makes them
more likely to divulge the desired information.
• Usually involves: sympathy, intimidation,
flattery, or fear
• Most companies are vulnerable to SE

42. Example SE scenario…
What would you do if…
• Receive call from your Helpdesk
• Caller ID shows correct number
• Said there is suspicious activity coming
from your computer, need you to run a
scan by visiting the following URL.
• http://onlinesecurityscanner.com

43. Example SE scenario…
• After the scan runs, you are informed that
your system checked out fine. Sorry for the
inconvenience.
For more info on Social Engineering:
http://social-engineer.org

44. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

45. Are attacks on the rise?
• Increased media coverage over the last year
– Much like “shark attack” coverage
• New motivations
– Political
– Limelight / Ego
– Embarrassment
– Retaliation

46. Are attacks on the rise…???
The number of incidents reported has
been increasing
• 2010 – 800 new compromise incidents
• 2004-09 - just over 900
source: 2011 Verizon DBIR

47. Records Compromised
• The total number of records
compromised annually has declined
 2011 – 4 million
 2010 – 144 million
 2009 – 361 million
source: 2011 Verizon DBIR

48. Who is behind data breaches?
• 92% - stemmed from
external agents
(+22%)
• 17% - implicated
insiders (-31%)
• <1% - resulted from
business partners
(-10%)
source: 2011 Verizon DBIR

49. How do breaches occur?
• 50% utilized some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% resulted from privilege misuse (-31%)
• 11% employed social tactics (-17%)
source: 2011 Verizon DBIR

50. How do breaches occur?
83% of victims were targets of opportunity
92% of attacks were not highly difficult (+7%)
76% of all data was compromised from servers
(-22%)
86% were discovered by a third party (+25%)
96% of breaches were avoidable through simple
or intermediate controls
89% of victims subject to PCI-DSS had not
achieved compliance (+10%)
source: 2011 Verizon DBIR

51. Where should mitigations be focused?
 Eliminate unnecessary data
 Ensure essential controls are met
 Check the above again
 Assess remote access services
 Test and review web applications
 Audit user accounts and monitor privileged
activity
 Monitor and mine event logs
 Examine ATMs and other payment card input
devices for tampering
source: 2011 Verizon DBIR

52. Topics / Agenda
Heartland Payment Systems
– Who is Heartland Payment Systems?
– What Happened in the Heartland Breach?
– What Did We Do About It?
– What Are We Doing Now?
– Key Risk Mitigations
– Information Sharing – how it works
Is your company a target?
– Some current threats
– Breach Statistics
Information Security Perspective

53. Ever work with a security guy like this?

54. Information Security Balance
Purpose is to secure assets without
adversely affecting business functions.
Ultimate Needs of a
Security Business

55. Information Security Balance

56. Security Systems
 Firewalls
 IPS
 FIM
 Software Agents
 Malware Appliances
 Static/Dynamic Code Analyzers
 Vulnerability Scanners
 WAF
 DLP
 SIEM
 Anti-Virus

57. Security Systems
• Purchasing a “checklist” of security
devices is not enough..!
• You need skilled personnel to manage
these devices.
• Most of these technologies require a
large amount of time to manage
effectively.

58. Summary
• Businesses can recover from a major breach
• HPS has recovered and is growing
• PCI Security Standards Council Board of Advisors
• FS-ISAC Board of Directors
• Every company is a target, make yours a hard one
• Assume you have been compromised
• Focus on detection, data elimination
• Get involved
• Information Sharing (FS-ISAC, PPISC, Infragard)
• Local security chapters
ISSA, ISACA, OWASP
58

59. Thank you!
Brian.Blankenship@e-hps.com