Wednesday, May 6, 2020

Computer Security Breach Oracle Payment System

Question: Describe the computer security breach of the Oracle payment system.

Answer:

Part A: Breach of the Oracle MICROS payment system

A computer security breach was reported by CNBC on 8 August 2016: attackers had infiltrated payment systems belonging to Oracle's MICROS Systems division (Balakrishnan, 2016). MICROS builds on Oracle technology and supplies point-of-sale (POS) systems, IT services and cloud-based solutions to hotels, food and beverage outlets and retailers; it is a well-established vendor with customers in about 180 countries. Oracle announced its acquisition of MICROS Systems Inc. in June 2014 (Shores, 2014).

Oracle acknowledged the breach and attributed it to malicious code found in certain legacy MICROS systems, which are used by many companies in the hospitality and retail sectors. It asked all users with access to the MICROS online support portal to reset their passwords. Oracle also told CNBC that its cloud services and corporate offerings were not affected, and that it stores payment card data encrypted. To prevent further damage and recurrence, Oracle applied additional security measures to all legacy MICROS systems.

The attackers have not been identified. Investigators noted, however, that the compromised support portal was communicating with a server previously used by the Carbanak gang, a cybercriminal group known for attacks on banks (Balakrishnan, 2016; KrebsOnSecurity, 2016). Initial analysis showed that the attackers had compromised the Oracle MICROS customer support portal, which MICROS customers use to obtain support for, and in some cases remotely administer, the POS systems that process their card transactions. The scope and size of the attack, and exactly how the attackers could have reached customer POS systems, were still being investigated. Oracle at first believed the breach was confined to a few computers and servers in its retail division; when it deployed new security tools to remove the infection, more than 700 systems turned out to be infected.
The breach first came to light on 25 July 2016, when a MICROS customer who had been experiencing delays in customer service contacted KrebsOnSecurity. Investigation by security experts revealed that the Oracle MICROS customer support portal was sending data to, and receiving data from, a server belonging to the Carbanak gang. One investigation source said the intrusion began with a single infected system inside Oracle's network and then spread to others. The concern is that the attackers obtained MICROS customers' portal credentials: the portal can be used to administer customer POS systems remotely, so stolen credentials could be used to push malware that steals payment card data onto the POS terminals and cash registers in a customer's stores. As a fraud analyst at Gartner Inc. observed, Oracle may well have encrypted the data it holds, but the customers' own devices could have been the route of the breach. POS malware is typically installed through a compromised remote administration tool; once loaded onto a POS device, it can capture card data every time a card is swiped at the register (KrebsOnSecurity, 2016).

The incident illustrates why POS and payment card systems are an easy target, a point security experts readily acknowledge. A payment card's magnetic stripe holds the cardholder's data in three tracks. Tracks 1 and 2 carry the payment data (the card number, expiry date and service code, with the cardholder name on Track 1), and the stripe stores this data unencrypted: the card reader has to see it in the clear, so a compromised POS device can copy it at the moment of the swipe. Stolen track data is enough to produce counterfeit cards, and the card number and expiry can be used for fraudulent purchases. Second, the POS architectures commonly deployed differ in how well they protect this data.
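The track layouts just described are exactly what RAM-scraping malware, and the defensive memory or DLP scanners that hunt for it, pattern-match on. The scanner below is added here as a worked example; it is not code from the page or from any of the cited sources. It searches a constructed memory image for Track 1 and Track 2 records and applies the Luhn check to discard digit runs that merely look like card numbers. The PANs in the sample are the public test numbers 4111111111111111 and 5555555555554444, not real cards, and the surrounding bytes are made-up heap noise.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813). Both tracks are stored in cleartext;
# the fields below are what a RAM scraper, or a defensive memory scanner, looks for.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. Scrapers and scanners alike use it to drop
    random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return the Track 1 and Track 2 records found in a raw memory image, with the
    PAN masked, ordered by offset. Only Luhn-valid PANs are reported."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # decoy or random digits, not a card number
            if track == 1:
                name, yy, mm, svc = m.group(2), m.group(3), m.group(4), m.group(5)
            else:
                name, yy, mm, svc = b"", m.group(2), m.group(3), m.group(4)
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": f"{mm.decode()}/{yy.decode()}",
                "service_code": svc.decode(),
                "name": name.decode(errors="replace"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image (not taken from any real terminal): heap noise around one
# Track 2 record, one Luhn-invalid decoy, and one Track 1 record. The PANs are the
# public test numbers 4111111111111111 (Visa) and 5555555555554444 (Mastercard).
CONSTRUCTED_IMAGE = (
    b"\x00" * 16 + b"POSApp.exe heap\x00"
    + b";4111111111111111=25121011234567890?"
    + b"\x00\x7f\x01\x02 padding "
    + b";4111111111111112=2512101000?"   # fails Luhn, must be ignored
    + b"\xde\xad\xbe\xef"
    + b"%B5555555555554444^DOE/JANE^2612101123456789012?"
    + b"\x00" * 8
)


def demo() -> list:
    """Scan the constructed image; returns two hits (the decoy is filtered out)."""
    return scan_memory(CONSTRUCTED_IMAGE)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run against a process dump (for example the output of a memory acquisition tool) instead of CONSTRUCTED_IMAGE to check whether a terminal is holding cleartext track data at all; a clean point-to-point-encryption deployment should yield no hits.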
The architectures commonly used for processing transactions are the store electronic payment system (EPS) deployment model, the POS EPS deployment model, the hybrid POS/store deployment model, payment systems at fuel stations, and mobile payments. Not all of these architectures provide the same level of data protection and encryption. In some, the POS device transmits card data through several systems in unencrypted form, leaving it exposed. This is one reason payment card processing systems are an easy target. More fundamentally, unless the card reader itself encrypts the data before it reaches the terminal, card data is held unencrypted in the POS terminal's memory while it is being processed, and at that point it is very hard to protect. Attackers exploit this with memory scraping: RAM-scraper malware installed on the terminal reads process memory and extracts anything that matches the track data patterns. Such scrapers can be customised to target specific data patterns and are frequently able to evade endpoint defences such as anti-virus software (Whitteker, 2014).

To prevent such breaches in future, MICROS should prioritise a set of practices: implementing standard secure system configuration, applying patches to application and system software within 48 hours, and application whitelisting. It is also important to minimise the number of users with administrative rights, because an attacker who obtains one administrative password can then reach many systems in the network.

Part B: Data breach at Anthem

What was the problem?

Anthem Inc. is the second-largest health insurer in the USA, with tens of millions of customers; according to Anthem, one in nine Americans has medical cover through one of the company's affiliated plans. In December 2014 Anthem's IT systems were breached and its member database compromised.
The breach was identified in January 2015 by a database administrator who noticed that queries he had not initiated were running under his account, using his administrative rights. The queries extracted data and wrote the results to another file. Within days an internal investigation confirmed that there had been a security breach and that data had been compromised. As soon as the company learned of the attack it approached the FBI for a thorough investigation. Anthem's president and CEO confirmed the attack and stated that the attackers had gained access to customers' personal information, including Social Security numbers, medical identification numbers and salary data; employee data was compromised alongside customer data. Anthem engaged the cyber security firm Mandiant to assist with the investigation and to strengthen the security of all its systems. The details of the breach were made public to customers and employees in February 2015 (Ragan, 2015).

Who was affected and how?

The breach affected tens of millions of Anthem members across the country; the New York Times reported that the compromised database held about 80 million customer records. Anthem operates a variety of health insurance plans under different brands, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, and Empire Blue Cross and Blue Shield (Abelson & Goldstein, 2015). Members of all these plans were affected, as were customers of Anthem's identity protection services. The investigation also found that data belonging to people who were not Anthem customers had been compromised, because their employers had offered them coverage plans administered by Anthem.
The information taken included names, dates of birth, Social Security numbers, home addresses, e-mail addresses, employment information and salary data. No evidence was found that credit card or banking information had been compromised, and the company stated that there was no evidence that medical records, test results or diagnosis codes had been accessed or stolen (Anthem, 2015).

How was the attack carried out?

Anthem spends around $50 million a year and employs around 200 staff to keep its IT systems secure and available. Even so, IT security experts who reviewed the breach identified three measures Anthem had failed to implement that could have prevented or limited the attack:

1. Multi-factor authentication was not required on all of its systems. This robust form of authentication had been deployed only in certain areas, leaving the rest of the IT estate less protected.
2. Anthem had no monitoring technology, such as an intrusion detection system, capable of spotting unusual flows of data within its network and computer systems.
3. The compromised database was not encrypted.

The main weakness, as Anthem's CIO acknowledged, was that two-factor authentication was not required of employees in every area of the computer system. This made a stolen login and password far more valuable: with guesswork and persistence the attackers were able to obtain database administrators' passwords, and because sensitive areas did not demand a second factor, those passwords alone gave access to the systems. Two-factor authentication is standard practice at many financial institutions such as banks, but Anthem had not adopted it throughout. Once the attack was discovered, Anthem shut down all systems and services that did not have two-factor authentication.
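Anthem's breach was noticed only because a DBA happened to see queries running under his own account; the monitoring the experts say was missing would raise those queries automatically. The rule-based detector below is added here as an example and is not code from the page, from Anthem or from any of the cited sources. It runs over constructed database audit records (the accounts, hosts, baseline working hours, row threshold and statements are all hypothetical) and flags a privileged account that queries from an unfamiliar host, works outside its usual hours, pulls a bulk result, reads sensitive columns with no filter, or exports a table to a file.

```python
import re
from datetime import datetime

# Constructed database audit records (not Anthem's real logs), one per line:
#   <ISO timestamp>|<db account>|<client host>|<rows returned>|<statement>
SAMPLE_AUDIT_LOG = """\
2015-01-26T09:14:03|dba_jsmith|wks-dba-01.corp|12|SELECT count(*) FROM members WHERE plan_id = 44
2015-01-26T14:02:51|dba_jsmith|wks-dba-01.corp|1|ALTER INDEX ix_member_ssn REBUILD
2015-01-27T02:41:10|dba_jsmith|10.200.7.19|78800000|SELECT member_id, name, dob, ssn, address, email, income FROM members
2015-01-27T02:58:33|dba_jsmith|10.200.7.19|0|COPY (SELECT * FROM members) TO '/tmp/m.csv'
2015-01-27T10:05:00|app_claims|app-srv-03.corp|1|SELECT claim_id FROM claims WHERE member_id = 99123
"""

# Per-account baseline: the hosts and hours a privileged account normally works from.
# Hypothetical values chosen for this example.
BASELINE = {
    "dba_jsmith": {"hosts": {"wks-dba-01.corp"}, "hours": range(7, 20)},
}
SENSITIVE_COLUMNS = {"ssn", "dob", "income", "salary"}
BULK_ROWS = 100_000  # administrative work rarely returns whole tables
EXPORT_RE = re.compile(r"\bCOPY\b.*\bTO\b|\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)


def parse_line(line: str) -> dict:
    """Split one audit record into typed fields."""
    ts, user, host, rows, stmt = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "rows": int(rows), "stmt": stmt.strip()}


def check_record(rec: dict, baseline: dict = BASELINE) -> list:
    """Return the rule codes this record violates, in rule order (empty if none)."""
    reasons = []
    profile = baseline.get(rec["user"])
    if profile:  # baseline rules apply only to accounts we have a profile for
        if rec["host"] not in profile["hosts"]:
            reasons.append("unknown_host")
        if rec["ts"].hour not in profile["hours"]:
            reasons.append("off_hours")
    if rec["rows"] >= BULK_ROWS:
        reasons.append("bulk_rows")
    stmt_l = rec["stmt"].lower()
    if stmt_l.startswith("select"):
        touched = {c for c in SENSITIVE_COLUMNS if re.search(rf"\b{c}\b", stmt_l)}
        if touched and " where " not in stmt_l:
            reasons.append("sensitive_no_filter")
    if EXPORT_RE.search(rec["stmt"]):
        reasons.append("export_to_file")
    return reasons


def analyze(log_text: str, baseline: dict = BASELINE) -> list:
    """Run every record through the rules; return an alert for each record that
    violates at least one of them."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = check_record(rec, baseline)
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                           "host": rec["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUDIT_LOG):
        print(alert)
```

The two records from the unfamiliar host at 02:41 and 02:58 are the ones that fire; the same administrator's daytime work from his usual workstation produces nothing, which is the point of a per-account baseline. In production the baseline would be learned from weeks of audit data rather than hand-written, and the alert would feed a SIEM rather than a print statement.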
In addition to this weakness, the attackers may also have exploited vulnerabilities in Windows, Java or Adobe software. An insider attack was also considered possible, because the unauthorised queries ran with administrator rights. Anthem invests heavily in IT in its quest to be the most trusted health care company in the country, yet these gaps remained (Wall, 2015).

What could have been done to prevent the attack?

All major enterprises understand that technology has weaknesses. An Anthem spokesman remarked that the company used data loss prevention technology to monitor network flows, but had no system that detected these suspicious flows. Security experts say it is hard to determine whether the Anthem hack was the work of an insider or of an external group; Symantec, an IT security firm, attributes the attack to a well-resourced group it calls Black Vine, which it believes operates from China (O'Connor, 2015). Wherever the attack originated, the company could have taken the following steps to mitigate it:

1. Implement two-factor authentication on all systems immediately.
2. Protect all internal systems adequately.
3. Keep stored data encrypted, with the decryption keys held securely and separately from the data. This limits what a stolen disk, backup or database file yields, although it does not by itself stop an attacker who is running queries with a legitimate administrator's credentials, since the database must decrypt data for authorised queries.
4. Implement robust, defence-in-depth, multi-layer security across all systems and the network.

Even with these measures, data breaches cannot be prevented entirely. Anthem must maintain a dynamic IT security management plan that continuously checks its systems and network for malicious activity.

References

Abelson, R., & Goldstein, M. (2015, February 5). Millions of Anthem Customers Targeted in Cyberattack. The New York Times. Retrieved August 22, 2016, from https://www.nytimes.com/2015/02/05/business/hackers-breached-data-of-millions-insurer-says.html?_r=0

Anthem. (2015). Report on Anthem Facts. Monroe, WI: Anthem Inc.

Balakrishnan, A. (2016, August 8). Hackers infiltrate Oracle payment system. CNBC Cybersecurity. Retrieved August 21, 2016, from https://www.cnbc.com/2016/08/08/hackers-infiltrate-oracle-payment-system.html

KrebsOnSecurity. (2016, August 8). Data Breach At Oracle's MICROS Point-of-Sale Division. Retrieved August 21, 2016, from https://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/

O'Connor, F. (2015, July). Symantec: Well-heeled hacking group Black Vine behind Anthem breach. Computerworld / IDG News Service. Retrieved August 22, 2016, from https://www.computerworld.com/article/2954715/security/symantec-wellheeled-hacking-group-black-vine-behind-anthem-breach.html

Ragan, S. (2015, February 4). Anthem confirms data breach, but full extent remains unknown. CSO. Retrieved August 22, 2016, from https://www.csoonline.com/article/2880352/disaster-recovery/anthem-confirms-data-breach-but-full-extent-remains-unknown.html

Shores, R. (2014). Oracle and MICROS Systems. Retrieved August 21, 2016, from https://www.oracle.com/us/corporate/acquisitions/micros/index.html

Wall, J. (2015, February). Anthem's IT system had cracks before hack. Indianapolis Business Journal. Retrieved August 22, 2016, from https://www.ibj.com/articles/51789-anthems-it-system-had-cracks-before-hack

Whitteker, W. (2014). Point of Sale Systems and Security (whitepaper). SANS Institute, InfoSec Reading Room.
