Danielle Zeedick
Case studies in security breaches are interesting because they do not just expose a potential threat to customers or clients; they also expose the many vulnerabilities in a business's infrastructure, both technical and managerial. Recently, and close to home here in Vermont, it was reported that the Hannaford chain of grocery stores had malware installed on hundreds of servers, affecting many of its stores.

However, during a security audit, it was reported that Hannaford was certified as security compliant. My question is: were any recommendations made during the audit? If recommendations were made, was an upgrade scheduled? What decisions were made to keep or eradicate such vulnerabilities? What existing tools were updated? They met industry security standards, so what exactly did they need to do? Maybe nothing? Remember, security is a PEOPLE problem, not simply a system problem.

The fallout that is now seen, as reported, is two class action lawsuits: 4.2 million credit cards compromised, 1,800 fraud cases linked…and counting.

Reports have also indicated that the sequence of events was as follows:
  1. Data breach: December 7, 2007 (determined after the attack)
  2. Hannaford discovered the breach: February 27, 2008
  3. Hannaford contained the breach: March 10, 2008

In the two-week period between discovery and containment, what happened? And why did containment take so long?

The complexity and magnitude of this attack smacks of insiders, outsiders, and traffic patterns that could indicate some kind of problem. Here comes the rest of the iceberg. It just seems that it was a long time from discovery to closure on this one. Mapping the tragedy in a post-mortem sense should be just as important to Hannaford as the upgrade of the system. I trust this happens each and every time there is a security breach anywhere (she says hopefully).

Let's rewind to our first security course:
  1. Try to prevent disasters in a proactive manner, do not plan on managing the disaster reactively.
  2. Do NOT ignore IDS alarms, train your IDS properly, and understand what constitutes “normal” behavior for the network.
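To make the second lesson concrete, here is a small Python script, added as an illustration and not part of the original post. It builds a per-host baseline of "normal" daily outbound traffic from a constructed log, flags days that fall far outside that baseline, and then lists alarms that nobody has acknowledged past a deadline, which is the gap between "the IDS fired" and "someone acted". The log layout, host names and byte counts are all assumptions made for the example.

```python
"""Baseline normal outbound volume per host, flag deviations, track stale alarms.

Added example, not from the original post. Log lines are constructed; the
"YYYY-MM-DD host bytes_out" layout is an assumption, not any real IDS format.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed training data: seven quiet days of daily outbound bytes per host.
BASELINE_LINES = """\
2007-11-26 pos-01 1210000
2007-11-27 pos-01 1190000
2007-11-28 pos-01 1230000
2007-11-29 pos-01 1180000
2007-11-30 pos-01 1220000
2007-12-01 pos-01 1200000
2007-12-02 pos-01 1195000
2007-11-26 db-02 8400000
2007-11-27 db-02 8550000
2007-11-28 db-02 8300000
2007-11-29 db-02 8450000
2007-11-30 db-02 8500000
2007-12-01 db-02 8350000
2007-12-02 db-02 8420000
""".splitlines()

# Constructed evaluation data: a point-of-sale host suddenly sending about eight
# times its usual volume, plus a host that was never baselined at all.
NEW_LINES = """\
2007-12-07 pos-01 9800000
2007-12-07 db-02 8460000
2007-12-08 pos-01 9750000
2007-12-08 db-02 8390000
2007-12-08 kiosk-09 500000
""".splitlines()


def parse(lines):
    """Yield (day, host, bytes_out) tuples, skipping blank or malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        day, host, nbytes = parts
        yield date.fromisoformat(day), host, int(nbytes)


def build_baseline(lines):
    """Per-host (mean, population std dev) of daily outbound bytes."""
    samples = defaultdict(list)
    for _, host, nbytes in parse(lines):
        samples[host].append(nbytes)
    # Two samples minimum; a single day says nothing about "normal".
    return {h: (mean(v), pstdev(v)) for h, v in samples.items() if len(v) >= 2}


def score(lines, baseline, threshold=3.0):
    """Return (day, host, reason) alerts for volumes > threshold sigma from baseline.

    A host with no baseline is alerted on too: "never seen" is not "normal".
    """
    alerts = []
    for day, host, nbytes in parse(lines):
        if host not in baseline:
            alerts.append((day, host, "no baseline for host"))
            continue
        mu, sigma = baseline[host]
        if sigma == 0:
            z = 0.0 if nbytes == mu else float("inf")
        else:
            z = (nbytes - mu) / sigma
        if abs(z) > threshold:
            alerts.append((day, host, f"{nbytes} bytes is {z:.1f} sigma from mean {mu:.0f}"))
    return alerts


def stale_alerts(alerts, acknowledged, today, max_open_days=1):
    """Alerts that nobody acknowledged within max_open_days of firing."""
    return [a for a in alerts
            if a not in acknowledged and (today - a[0]).days > max_open_days]


if __name__ == "__main__":
    found = score(NEW_LINES, build_baseline(BASELINE_LINES))
    for day, host, reason in found:
        print(f"ALERT {day} {host}: {reason}")
    # Nothing acknowledged by the (constructed) discovery date: every alarm is stale.
    for day, host, _ in stale_alerts(found, set(), date(2008, 2, 27)):
        print(f"STALE {day} {host}: unacknowledged for {(date(2008, 2, 27) - day).days} days")
```

The baseline is deliberately simple (mean and standard deviation per host per day); the point is that the threshold is derived from the network's own history rather than picked by hand, and that an alarm is not "handled" until someone acknowledges it. Run as-is, the script flags both anomalous days on pos-01 and the unbaselined kiosk, and reports all three as stale when checked against an acknowledgement list that is still empty weeks later.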

Hey, somebody close that barn door already, will ya?

Danielle Zeedick is a professor of information assurance and program director of the Bachelor of Science in Information Assurance at Norwich University in Vermont.