Ira Winkler says 'No' to Hannaford Inside Job
I can tell you first hand that a breach of that scope is very “relatively” easy to commit when there is a motivated attacker with the time available. Again, I have broken into many of the top companies in the world, always having tremendous success in relatively short periods of time.
Ira, what have you seen in terms of those companies who have submitted their PCI audit reports? Are they easier to break into? Harder? I am curious whether the PCI spec has helped or not. I have to believe that by its nature it has helped make systems more secure and harder to break into.
With regard to many servers being compromised, it sounds like the experts have not heard about automated attack tools. Nor have they considered that servers are generally installed identically throughout an organization, and that if you can compromise one of those systems, you can compromise many. Similarly, given that there tends to be password reuse, if you compromise the password on one server, you have compromised many servers. Likewise, if there are trust relationships between the systems, the compromise of one system actually compromises many systems.
I have seen, played with, and heard of automated attack tools - it's what the script kiddies and lazy grey or black hats use to accelerate the desired results. You can buy a great set on eBay now, and of course IRC is the Devil's playground, but I digress...
The PCI spec which Hannaford said it had met is designed to take care of the low-hanging fruit of a breach. Passwords, the lack of consistent, measured or documented processes, and poor encryption are all weaknesses the PCI spec is designed to mitigate, keeping us lazy wannabe hackers out of systems.
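The point Ira makes above, that one compromised server becomes many through identical builds, password reuse and trust relationships, and the related point that PCI targets password practices as low-hanging fruit, can be put in numbers with a blast-radius calculation over a host inventory. The following is an added example written for this post, not code from Ira Winkler, Hannaford or any PCI tooling; the inventory, the host names and the credential labels are constructed, and the three propagation rules (same credential, trust edge, same build) are a simplifying assumption about how a compromise spreads.

```python
from collections import deque

# Constructed sample inventory (not from the page).  For each host:
#   build      - the image the server was installed from; identical builds
#                share the same configuration and patch level
#   admin_cred - label for the administrative password in use; the same
#                label on two hosts models password reuse
#   trusts     - hosts that can log in here without further authentication
#                (shared keys, host-based trust, and the like)
HOSTS = {
    "web-01": {"build": "web-img", "admin_cred": "cred-A", "trusts": []},
    "web-02": {"build": "web-img", "admin_cred": "cred-A", "trusts": []},
    "web-03": {"build": "web-img", "admin_cred": "cred-A", "trusts": []},
    "db-01":  {"build": "db-img",  "admin_cred": "cred-B", "trusts": ["web-01"]},
    "backup": {"build": "bk-img",  "admin_cred": "cred-C", "trusts": ["db-01"]},
    "hr-app": {"build": "app-img", "admin_cred": "cred-D", "trusts": []},
}


def neighbours(host, hosts, via_password, via_trust, via_build):
    """Hosts that fall if `host` falls, under the chosen propagation rules."""
    me = hosts[host]
    out = set()
    for other, attrs in hosts.items():
        if other == host:
            continue
        # Reused administrative password: the same credential opens the other box.
        if via_password and attrs["admin_cred"] == me["admin_cred"]:
            out.add(other)
        # Trust edge: the other host lets this one in without re-authenticating.
        if via_trust and host in attrs["trusts"]:
            out.add(other)
        # Identical build: whatever weakness was used here is present there too.
        if via_build and attrs["build"] == me["build"]:
            out.add(other)
    return out


def blast_radius(start, hosts, via_password=True, via_trust=True, via_build=True):
    """Breadth-first closure: every host reachable from one initial compromise."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in neighbours(cur, hosts, via_password, via_trust, via_build):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def shared_credentials(hosts):
    """Credential labels used on more than one host: the reuse to remediate."""
    groups = {}
    for name, attrs in hosts.items():
        groups.setdefault(attrs["admin_cred"], []).append(name)
    return {cred: sorted(names) for cred, names in groups.items() if len(names) > 1}


def with_unique_credentials(hosts):
    """Model the remediation: give every host its own administrative credential."""
    return {name: {**attrs, "admin_cred": f"unique-{name}"} for name, attrs in hosts.items()}


if __name__ == "__main__":
    print("credential reuse found:", shared_credentials(HOSTS))
    print("from web-01, all rules:", blast_radius("web-01", HOSTS))
    print("from web-01, trust only:",
          blast_radius("web-01", HOSTS, via_password=False, via_build=False))
    fixed = with_unique_credentials(HOSTS)
    print("after unique credentials, ignoring shared builds:",
          blast_radius("web-01", fixed, via_build=False))
```

Running it shows the asymmetry the discussion turns on: a single foothold on web-01 reaches five of the six hosts, while removing password reuse (and treating each build as independently hardened) shrinks that to the three hosts connected by explicit trust. The same closure run from every host in a real inventory is a cheap way to rank which credentials and trust edges are worth fixing first.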
Take a look at my other blog for more info on PCI...