RETAIL SECURITY BREACHES WHAT YOU CAN LEARN FROM THEM
As security breaches become a growing concern for
nearly every type of organization, Senior IT Managers
must take every conceivable step to protect their
company and avoid seeing their company in the
headlines.
SECURITY BREACHES INCREASING EXPONENTIALLY
EXECUTIVE SUMMARY
This document presents the current state of retail
security breaches and offers suggestions on how to deal
with the ever-increasing likelihood that your company
will be attacked by hackers. Joe Ross, President and
Co-Founder of CSID, [vii] the leading provider of global
identity protection and fraud protection technology,
suggests that unless merchants implement new
procedures to deter thieves at the Point of Sale, things
will get worse before they get better.
FOR RETAILERS, IT STARTS AT THE POINT OF SALE AND EXTENDS TO STRENGTHENING CONNECTIVITY LINKS WITH MANAGED SERVICE PROVIDERS.
The results of a recent study by CIO Magazine found
that retailers are the biggest target for cyber attackers
and POS is still the easiest and most common way in
the door.[i]
In their 2014 Data Breach Investigations Report, [ii]
Verizon suggested that 2013 was the “year of the retail
breach.” The 2014 report was published before the high-
profile Target intrusion, and according to most experts
the number of attacks is escalating year over year.
In 2015, Verizon surveyed over 70 companies and
reported the following:
• $400 million in losses in 61 countries
• 2,122 confirmed data breaches (that doubles the 2014 number)
• 79,790 security incidents
• Top five industries targeted were Public, Financial Services, Manufacturing, Accommodation and Retail
• In 70% of the attacks, there is a secondary victim
• In 60% of the cases, attackers compromise the target in minutes
• In nearly 100% of the cases, a known CVE existed but patches had not been applied
POS Systems Number One Target from 2014 Report:
• 523 retail breaches in 2013
• Specifically in retail, researchers found more than four times more breaches in small organizations than in the mega retailers
• 28.5% of the breaches targeted POS systems
• In the Accommodation sector, more than 90% of the incidents hit POS (Point of Sale) systems, and POS was also the biggest target in the entertainment and retail sectors
INTRODUCTION
Phishing on the Rise
• Phishing is like shooting fish in a barrel for hackers – it’s just too easy – 23% of recipients open phishing messages and 11% click on attachments, and a campaign of just 10 emails yields a 90% chance that at least one person will open the email
• 97% of exploits target CVEs (Common Vulnerabilities and Exposures)
With so many attacks on retailers in recent years, the
biggest challenge was narrowing our list, so we decided
to profile a few of the larger ones and group the others
by how the attacks occurred, with POS and managed
service attacks being the most prevalent.
Some specific instances that are not covered, but
deserve “honorable mention” include Sony, UPS, White
Lodging, Sally Beauty, Michaels, Affinity Gaming, PF
Changs, Albertsons and Super Value, Dairy Queen,
Staples, KMart and Goodwill.
As a recent Security Intelligence report highlights,
“consumer credit card information is better than
gold because it can be transmitted electronically and
anonymously.” [iii] Once they gain access to POS
systems, Retail Cyber Attackers can quickly skim
small amounts of cash out of multiple accounts and
with millions of accounts compromised, they can very
quickly accumulate large amounts of stolen money.
TOP RETAIL ATTACKS AND WAYS TO AVOID THEM
PREVENTING THESE ATTACKS SHOULD BE THE NUMBER ONE PRIORITY OF EVERY RETAILER IN THE WORLD.
Research strategist Chris Poulin carefully analyzed the
2013 Target attack, and in his February 2014 update
reported that entry into the Target infrastructure
reportedly came through a portal involving an HVAC
contractor. The attacker apparently used that portal to
penetrate Target’s internal network and compromise
a Windows file server, and from there worked their
way into the POS system. He offered the following
recommendations for combating similar attacks:
• Monitor contractor relationships to make sure
they are keeping their systems up to date.
Anyone who has access to your systems through
approved portals is potentially an unwitting partner
with an attacker. In the case of Target, the HVAC
contractor had a well-known virus resident on the
system they used to connect to Target’s contractor
portal.
WHAT TO LEARN FROM THE TARGET ATTACK [iv] SPECIFICALLY
• Ensure that all web servers are at the most
current revision level. The Target attack could likely
have been prevented if the operating systems on
both internal and external servers had been at their most
current revision level. A large percentage of the
patches released by software manufacturers exist to
plug known security holes and must be
installed like clockwork!
• Require regular changing of passwords and
insist they are encrypted. Too many organizations,
and the users of systems in those organizations, are
too relaxed in how they control and maintain
passwords. In the case of the Target breach, the
contractor reportedly had remote access, and one
of the software packages used for that remote access
was still using the manufacturer’s default username
and password. The hackers simply scanned the
network with the default credentials until they
found a server that accepted them, and they
were in the front door of the network.
• Recognize that Point of Sale systems are the
likely target and lock them down – the Verizon
reports say that 90% of attackers go after POS
systems, so make them your number one priority
in your efforts to avoid attacks. In the Target incident,
the attackers eventually worked their way into the
POS systems, but the attack could have been
averted with the right tools installed at this level.
Poulin recommends using dynamic configuration
tools such as sandboxing and endpoint behavior
anomaly detection to guard against unauthorized use of POS
devices.
• Watch for unauthorized collection and
summarizing of data. Once they were in the door
at Target, the attackers collected and assimilated all
the individual entries from POS card swipes on
internal servers. Network activity monitoring, “deep
packet inspection” and similar tools would have
detected the unauthorized accumulation and storage
of the credit card information.
• Guard against exfiltration – the final step in the
Target attack was to export the data to external
servers on a regularly scheduled basis. This again
could have been avoided with network monitoring
that included string pattern matching and anomaly protection
software. Learn from this example and establish
policies that only allow exporting of data to
specifically authorized sets of IP blocks, or restrict
access to banks of addresses used by Eastern Bloc
countries.
In his Naked Security analysis of the $62 million Home
Depot loss, John Zorabedian suggests that the “silver
lining” in the attack may be the death of the 50-year-old
mag-stripe card technology that is so easy for hackers
to penetrate.
The Home Depot attack was unfortunately bigger than
the one inflicted on Target and here again, attackers
targeted the antiquated POS strategy employed by
Home Depot and so many other retailers around the
world.
HOME DEPOT - POS AGAIN THE “TARGET” AT HOME DEPOT [v]
Existing magstripe readers are vulnerable to RAM
scraper malware that steals payment card data from
POS systems. This enables thieves to use the stolen
information to enter fraudulent transactions against
unsuspecting cardholders. The newer EMV technology,
on the other hand, uses a unique code for each
transaction, so even if the code is compromised, it is
useless to attackers for making additional charges.
Zorabedian and others note that U.S. retailers and
banks lag far behind their counterparts around the
globe. He urges them to adopt the new technology as
quickly as possible because the cost of not replacing
these systems “is enormous and rapidly mounting.”
Attackers successfully penetrated the upscale
department store from July to October of 2013, gaining
access to the personal financial data of over 350,000
customers. In an official notification to customers,
Neiman Marcus highlighted what they are doing to
resolve the issue, and most retailers would do well to
follow this example before they are attacked:
• Disabling the malware we discovered in the course of our investigation
• Working directly with federal law enforcement in its investigation
NEIMAN MARCUS EXPOSED CUSTOMER INFORMATION
• Conducting a full review of all of our payment card information systems and vulnerability assessment with the payment card brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading, payment brand approved forensics firm
• Reviewing our intrusion detection systems and firewalls
• Reinforcing our security tools
• Reviewing and hardening our systems
• Modifying our software and security credentials
Since POS is the ultimate target, every retailer in the
world should consider the following advice from CIO
Magazine to prevent POS breaches:
• Install next-generation firewalls (NGFWs) between
network segments and in the business-to-business
portal.
• Introduce a full mobility security plan that includes basic limitations on the mobile devices themselves
POS ATTACKS ON COUNTLESS OTHERS
• Separate systems into groups and zones to prevent attackers from penetrating further into the infrastructure
• Use two-way authentication on all mobile devices
• Keep all software patched and updated
• Isolate POS systems from the remainder of the corporate network
• Trust nothing and nobody
• Strengthen email security to block malware
Although the impact on a single big store grabs
the headlines, there are countless attacks occurring
every day on small and large retailers alike via the third-party
contractors they rely on for auxiliary services. These
attacks actually represent a higher level of exposure
than the high-profile attacks because of their impact on
all the stores covered by the managed service companies.
One of the most recent examples [vi] involves a
company called PNI Digital Media Inc., a Vancouver-
based firm that manages and hosts online photo
services for numerous retailers including Walmart, CVS,
Rite Aid, Sam’s Club and more.
Following an alert by PNI, several retailers suspended
their online photo services while they investigated
reports that customer information was stolen from
online payment transactions that compromised “names,
addresses, phone numbers, email addresses, photo
account passwords and other credit card information.”
THIRD PARTY MANAGED PROVIDER ACCESS
The big lesson here for retailers is to be very careful
about who they contract with for auxiliary services.
The U.S. Secret Service, Financial Services Information
Sharing and Analysis Center (FS-ISAC) and The Retail
Cyber Intelligence Sharing Center warn retailers that
“managed service providers that offer outsourced
services to numerous merchants are increasingly being
targeted by cybercriminals.”
In a recent cybersecurity alert, they listed a number of
companies that have been targeted and said retailers
should use “multifactor authentication for remote-
access login to point-of-sale systems [and incorporate]
specific policies related to outdated operating systems
and software in contracts with vendors.” Chris Bretz,
director of payment risk at the FS-ISAC, says that
“criminals continue to find success by targeting smaller
retailers... who use a managed service provider that
provides IT and payment services for their business.”
Recommendations from Verizon’s 2014 report to
combat phishing:
• Block, filter, and alert on phishing emails at the gateway
• Launch an engaging and thorough security awareness program
• Improve detection and response capabilities
Additional recommendations from Chris Poulin, who
notes that attackers are growing increasingly
sophisticated:
ADDITIONAL RECOMMENDATIONS FOR COMBATTING CYBER ATTACKS
Protecting Against Future, Sophisticated Attacks
• Develop a system profile of your POS systems as
they “should be” and then have a software program
that alerts on any configuration change, application
or network activity that violates the “should be.”
• Clearly identify and monitor mission-critical assets,
similar to how energy and utility companies designate
their critical systems with a “data diode” which only
allows mission-critical systems to interact with other
data diode systems. This can help prevent malware
infection in the first place.
• Create default ping-back payloads and sizes and
then configure your IPS to alert you when non-
standard packets are detected
• Carefully monitor, detect and report all unusual
network traffic behavior, specifically including the
use of port 443, unusual DNS queries and other non-
standard queries
• Develop a full Security Intelligence System and log
all unusual activities, especially anything involving
POS systems or exports to external systems.
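As an added illustration (not from the whitepaper or any of the sources it cites), the following Python sketch combines the “should be” profile recommended above with the egress allowlist recommended in the Target exfiltration section: a baseline of approved configuration hash, destination IP blocks and DNS names for a POS segment, checked against constructed telemetry records. The record format, profile values and thresholds are all assumptions.

```python
import ipaddress
import re

# Hypothetical "should be" profile for one POS segment (constructed values, not from the paper).
POS_PROFILE = {
    # SHA-256 of the approved POS terminal configuration (placeholder digest).
    "config_sha256": "a" * 64,
    # Only these destination blocks may receive exported data (documentation ranges).
    "allowed_egress": [ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("192.0.2.0/24")],
    # Names a terminal legitimately resolves (constructed pattern).
    "allowed_dns": re.compile(r"^[a-z0-9.-]+\.(payments|pos)\.example$"),
    # Bytes sent over 443 in one flow above which an upload is flagged (assumed threshold).
    "max_tls_upload": 1_000_000,
}

def check_record(rec, profile=POS_PROFILE):
    """Compare one telemetry record with the profile; return alert strings (empty = conforms)."""
    alerts = []
    host, kind = rec["host"], rec["type"]
    if kind == "config" and rec["sha256"] != profile["config_sha256"]:
        alerts.append(f"{host}: configuration drift from baseline")
    elif kind == "flow":
        dst = ipaddress.ip_address(rec["dst"])
        # Exports are only allowed to the authorized IP blocks.
        if not any(dst in net for net in profile["allowed_egress"]):
            alerts.append(f"{host}: egress to unapproved destination {dst}:{rec['dport']}")
        # Port 443 is watched separately because it is the usual cover for exfiltration.
        if rec["dport"] == 443 and rec["bytes_out"] > profile["max_tls_upload"]:
            alerts.append(f"{host}: unusually large upload over 443 ({rec['bytes_out']} bytes)")
    elif kind == "dns" and not profile["allowed_dns"].match(rec["qname"]):
        alerts.append(f"{host}: unexpected DNS query {rec['qname']}")
    return alerts

def scan(records, profile=POS_PROFILE):
    """Run every record through the profile and collect all alerts."""
    return [a for rec in records for a in check_record(rec, profile)]

# Constructed sample telemetry: pos-01 conforms; pos-02 violates all three checks (four alerts).
SAMPLE_RECORDS = [
    {"host": "pos-01", "type": "config", "sha256": "a" * 64},
    {"host": "pos-01", "type": "flow", "dst": "203.0.113.10", "dport": 443, "bytes_out": 4096},
    {"host": "pos-01", "type": "dns", "qname": "gw.payments.example"},
    {"host": "pos-02", "type": "config", "sha256": "b" * 64},
    {"host": "pos-02", "type": "flow", "dst": "198.51.100.7", "dport": 443, "bytes_out": 52_000_000},
    {"host": "pos-02", "type": "dns", "qname": "x7f3a9.update-cdn.example.net"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```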
Joe Ross, President and Co-Founder of CSID, [vii] the
leading provider of global identity protection and fraud
protection technology, suggests that unless merchants
implement new procedures to deter thieves at the Point
of Sale, things will get worse before they get better.
He points out that although attacks on high-profile
companies get more media attention, cyber attackers
often go after smaller, more vulnerable shops, where the
financial hit and the damage to their reputation could put them
out of business. He urges merchants to invest for the
future by switching to an EMV-compliant system (named
after its original developers, Europay, MasterCard®
and Visa®). Visit the CreditCards.com [viii] website for
additional information about EMV. He also suggests that
shoppers might do well to use cash and gift cards as a
safer form of payment, since no personal information is
exposed to the store systems.
COMMENTS FROM SECURITY EXPERT
Christopher Poulin concludes his analysis of the Target
Attack with this statement which should be a signpost
for every single retailer in the world:
“there is no perfect or foolproof detection . . . your
[security] plan should include detection, response and
escalation, engaging law enforcement as appropriate,
preservation of evidence, compliance with regulations
and contractual agreements, customer and press
notification, and public relations.”
CONCLUSION
If you are the senior IT manager in charge of your
organization’s infrastructure, you likely spend 20% or
more of your time protecting it from internal compromise
and external attack. With the full security suite from
thinkASG, you can rest assured that you are doing
everything humanly possible to provide secure access
to your organization’s data and customer information.
Be sure to lock down your POS systems and all the networks
that have access to them or store password information,
and insist that managed service providers keep their
systems up to date and secure at all times.
yourCloud: Together we take a workload-by-workload
view to determine the best target infrastructure to
deploy your business applications - on or off-premise.
yourData: What can we learn from your business data to
help us craft intelligent solutions for protection, security,
compliance and resiliency of your most important asset
next to your people.
ABOUT US
yourSecurity: As a team, we work together to establish
a holistic and mature security posture that will help
detect, prioritize, address and help prevent security
breaches.
yourSupport: We ask, “Is everything essential to running
my business fully protected?” Define and address
gaps in coverage whether it be people, resources or
knowledge.
Our goal is to provide strategic outcomes that align
technology with the goals and objectives of your
business.
For more info, call 800.991.9274 or visit
THINKASG.COM
YOUR TRUSTED IT CONSULTING AND SOLUTION PROVIDER, ALIGNED WITH YOUR BUSINESS
thinkASG enables technology and business alignment through timely expertise, services and
solutions crafted to meet the long-term vision, goals and objectives of the business.