Wednesday, August 19, 2009

Kudos to the Department of Justice for the indictment of Albert Gonzalez and two of his co-conspirators. With all of the high-profile data breaches occurring, we need to take a deeper look at what is going on here. While TJX and Heartland may have been PCI compliant, they were still breached. The issue with most security programs is that they focus primarily on “preventive” controls. There are not enough “detective” controls in place to ensure that, when a preventive control fails, someone or something is there to notice. No defense is impenetrable, which is why we practice “defense in depth.”

In the case of Heartland Payment Systems, it is alleged that the attackers were siphoning off data for months, and it was not until Visa and MasterCard noticed the resulting card fraud that Heartland found the breach. A detective control inside Heartland should have raised the alarm long before the card brands did. Some questions that companies should be asking themselves include:

  • Do you have a process in place to review audit logs from your firewalls and core routers on a regular basis?
  • Do you have a process in place to monitor the activities of privileged users and system accounts?
  • Do you have a formal entitlement review to verify that access is granted on a “least privilege” basis?
  • Do you audit database and file system activity?
  • If a user or service account started accessing an unusual amount of data, would anyone notice?
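The last question is the one a detective control can answer mechanically: keep a per-account baseline of how much data it normally pulls and alert when a day departs from it. The script below is an added illustration, not code from the original post or from any of the companies named in it. It assumes a simplified, constructed audit-log format of one line per query (date, account, rows returned); a real deployment would feed it database or file-server audit records instead. The baseline is the median of the account’s other days, so a single huge day cannot hide inside its own baseline, and an absolute cap catches volumes that are suspicious regardless of history.

```python
"""Detective control: flag accounts pulling an unusual volume of records.

Added example (hypothetical log format); not the original post's code.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit log, one query per line: "date account rows_returned".
# dba_jsmith is a privileged account that suddenly dumps 2.4 million rows.
SAMPLE_LOG = """\
2009-05-01 app_svc 1200
2009-05-02 app_svc 1150
2009-05-03 app_svc 1300
2009-05-04 app_svc 1250
2009-05-05 app_svc 1180
2009-05-01 dba_jsmith 40
2009-05-02 dba_jsmith 35
2009-05-03 dba_jsmith 50
2009-05-04 dba_jsmith 45
2009-05-05 dba_jsmith 2400000
2009-05-01 report_batch 50000
2009-05-02 report_batch 52000
2009-05-03 report_batch 49000
2009-05-04 report_batch 51000
2009-05-05 report_batch 50500
"""


def parse_log(text):
    """Return {account: [(date, rows), ...]} from the space-separated log."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, rows = line.split()
        per_account[account].append((date, int(rows)))
    return per_account


def daily_totals(per_account):
    """Sum rows per account per day, so many small queries are not missed."""
    totals = defaultdict(lambda: defaultdict(int))
    for account, entries in per_account.items():
        for date, rows in entries:
            totals[account][date] += rows
    return totals


def find_anomalies(text, ratio=10.0, hard_cap=1_000_000, min_baseline_days=3):
    """Return [(account, date, rows, reasons)] for days that look abnormal.

    ratio:             alert when a day exceeds ratio x the account's median
                       over its *other* days (leave-one-out, so the outlier
                       does not inflate its own baseline).
    hard_cap:          alert on any single day above this many rows, even for
                       accounts with no history yet.
    min_baseline_days: days of history required before the ratio test runs.
    """
    alerts = []
    for account, days in daily_totals(parse_log(text)).items():
        for date, rows in sorted(days.items()):
            reasons = []
            if rows > hard_cap:
                reasons.append("over_hard_cap")
            baseline = [r for d, r in days.items() if d != date]
            if len(baseline) >= min_baseline_days:
                base = median(baseline)
                if base > 0 and rows > ratio * base:
                    reasons.append(f"{rows / base:.0f}x_account_median")
            if reasons:
                alerts.append((account, date, rows, reasons))
    return alerts


if __name__ == "__main__":
    for account, date, rows, reasons in find_anomalies(SAMPLE_LOG):
        print(f"ALERT {date} {account} pulled {rows} rows: {', '.join(reasons)}")
```

On the sample log only dba_jsmith on 2009-05-05 trips the check; the steady app_svc and report_batch accounts do not, even though report_batch legitimately reads far more than the DBA. The caveat is that this catches a spike, not a slow drip: an attacker who stays under ten times an account’s normal volume every day for months never crosses the ratio, which is why the volume check should sit alongside the other controls in the list above (privileged-session monitoring, entitlement review, and egress monitoring at the firewall) rather than replace them.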

I would appreciate hearing your thoughts on these questions.
