Compliance is not security

The 2018 hack on British Airways is alarming to say the least, and it’s not just because roughly 500,000 payment cards were compromised. British Airways is a huge company earning millions each year. These sorts of companies are heavily regulated and are required to be Level 1 PCI complaint (the highest level of compliance). These companies spend thousands every year on security in terms of compliance, penetration tests (often a requirement of compliance), vulnerability scans and even proactive monitoring of their network. And yet, they still get hacked.

Why is this? If the big players with great big pots of money to invest into cyber security still get hacked, how can anyone be safe? Well, for starters, the sad fact is that no business is 100% safe at all times. It could be said that breaches are an inevitability. Not necessarily the kind of breach BA has just suffered, but some kind of breach. Secondly, it’s hard to conclude anything of value from this particular case as investigations are still ongoing (at the time of writing). However, in my experience a big contributing factor is that, over the years, organisations have clung to the misconception that compliance = security.

It doesn’t.

This isn’t to criticise compliance. Obviously, compliance is key, and no doubt helps. But just because a business is Level 1 PCI compliant, doesn’t mean they’re unhackable.

A point in time

A penetration test conducted as a part of a compliance plan only offers a review of a network or application’s security at a fixed point in time. The same could be said for a vulnerability scan that flags any known vulnerabilities when they’re run. A company could remedy all of these flaws and misconfigurations, only for a new bug to be discovered and shared among the hacking community the very next day. By some definitions, this could mean that the business is suddenly not compliant, but it’s simply not feasible to conduct pen tests on a daily or even weekly basis. Big companies have a lot of money, but not an unlimited amount.

Having said that, being proactive is key. To maintain compliance, businesses really should be running scans at least monthly. Anything less, then systems will be put at risk. Some vendors are now switching to consistent scan approaches, where critical systems are scanned immediately upon being changed. Of course, scans are not the same as penetration tests. A Penetration test is where a human uses every trick in the book to sneak into a network or circumvent security in some way. VA scans can be prone to false positives, so it’s always best to have an expert on hand to manually review this.

I don’t store card data, so I don’t need to worry

Reading the many articles around BA’s unfortunate breach has caused many a past conversation to bubble up to the top of my memory. Over the years, many people have said to me “I don’t store credit card data,” or words to that effect, under the view that this makes them exempt from PCI compliance or even the worry of keeping such data secure. It’s perhaps a reasonable view. They think that as they don’t hold onto the data themselves, then it can’t be hacked.

This is wrong and the news around British Airways gives evidence to support this. From the information available, it appears that only bookings made within a set time frame (August 21st – September the 5th) were affected. This suggests the attack was not down to exfiltration of data from a database, but more down to siphoning the data that is submitted and transferred from the site. Even if the data is stored and processed elsewhere (through a third party) and is deemed to be as secure as it can be, data can still be stolen from a site as it’s entered. It was a data-in-transit attack.

Detection is key

One of the most worrying things about this example, is the length of time BA was compromised. For two weeks, malicious actors were able to access card details. As mentioned earlier, in that time they managed to access the details of around 500,000 cards. As it turns out, users were being redirected to a fradulent webpage, meaning British Airways' page would have been compromised in some way. Under GDPR, any major breach which puts data subjects [EU citizens] at risk must be reported within 72 hours of the business becoming aware. We have no doubt that BA complied with this, but that indicates that there was a long period where they were not aware. It seems the ICO were not kidding around when they fined British Airways, demanding £183 million for the breach.

This data must have been going somewhere and assumedly, there will be logs indicating this. It’s of the utmost importance to ensure critical assets are being strictly monitored, not just with a robust SIEM, but by skilled analysts checking for changes to code, files or user accounts. A FIM tool is especially recommended. Said skilled analysts should also be taking the time to conduct a daily review the security logs, and metadata. This is key to reducing the time to detection.

It’s also important to regularly check other assets that may not seem immediately obvious. If something isn’t strictly necessary, it might be worth removing it from the network to reduce your attack surface. Focussing on the key areas in order to gain a compliance certification but neglecting to regularly check everything else can land you in trouble.

Keep your business secure

If you’re looking to keep your business as secure as it can be against data breaches, Bulletproof can offer a wide range of security services from compliance certification to penetration services from CREST accredited testers. We also have our own custom built SOC monitored by attentive analysts, so can offer a tailored managed SIEM service with active threat hunting.