By Jason Fredrickson, Guidance Software
The recent cyber attacks on Target, Neiman Marcus and Michaels Stores had an immediate and profound impact on sales, as well as a widespread and ongoing ripple effect on consumer confidence in the safety of credit-card information at point-of-sale terminals. Retail executives are now faced with increasing scrutiny by standards councils, the U.S. Securities and Exchange Commission and even Homeland Security, as well as the potential for personal liability for data breaches and a long-term blow to corporate reputation.
But there’s good news. Most retail organizations already have the right mindset to deal with this security problem. Aside from law enforcement, perhaps no industry understands the importance of security better than the retail industry, which excels at practicing due diligence in theft detection in the physical world. It’s just a matter of applying the same attitude to the network side.
Network “Cameras” Should Face both Outward and Inward
The bottom line for all these breaches is this: it’s all credit-card fraud, regardless of whether it was millions of customers’ credit-card data exposed as a result of a third-party vendor losing control of an authentic login and password (as was the case at Target), or a cashier swiping a single customer card into her iPad.
According to one of the computer security industry’s most trusted annual reports, the Ponemon Institute’s Cost of Cyber Crime Study released in 2013, it takes an organization an average of 80 days to detect a breach and 123 days to remediate it. Visa’s move to chip-and-PIN technology by 2014 for most North American cardholders will help, but it will only get us part of the way toward stronger security.
Let’s examine the problem by drawing a parallel to the “real world.” To prevent theft from occurring within your brick-and-mortar stores, you no doubt have a theft detector at every door. And you have cameras covering the interior of the store itself.
But if you have theft detectors, why do you need cameras? Because theft detectors are not sufficient in and of themselves. Some thieves are clever and prepared enough to find ways around the detectors, whether by breaking them, removing the tags or other approaches. The systems prevent some theft some of the time, but experience has shown that your teams must supplement that methodology by watching for theft within the store itself!
Most Security Has Already Been Breached
Information security professionals take the same layered approach by architecting security systems that provide different perspectives and defensive methods in the fight to keep hackers out. This is what we in the industry call “defense in depth.”
The Ponemon Cost of Cyber Crime Study also reported the disturbing statistic that 15% of all cyber attacks originate with the assistance of corporate partners or other insiders. And, all too often, the signs of impending attacks go undetected by traditional network alerting systems. In the same way that human resources professionals would not consider a good interview with a future employee to be sufficient information for a permanent judgment of his or her trustworthiness, information security teams in retail organizations cannot afford to assume that everyone with an accepted login and password at network security checkpoints is operating above board.
The bottom line is this: a single point of evaluation — what information security teams call “perimeter defense” — is simply not enough.
How Target’s Well-Designed Data Protection Systems were Foiled
At Target, the now infamous attack began with the cyber attackers logging in with valid and authorized login credentials that had been issued to a trusted HVAC vendor, who either willingly or inadvertently shared them with the attackers. This means that the login was considered authentic to network security systems, and the hacker gained entry with no resistance. The alerting systems set up by Target’s highly regarded information security team did not fail. The user login and password were on the “good list.”
If the attackers can penetrate the perimeter, is there any hope? Of course, but it means adopting the same mindset we use in the physical world. Just as your employees watch for strange behavior in their stores, security teams must operate under the assumption of compromise. If we assume the invaders are past the gates, we must now gain visibility to every endpoint — every laptop, data server and POS terminal — within our organizational networks in order to proactively hunt for signs of unauthorized or anomalous behavior.
Television shows like CSI and NCIS illustrate what many law enforcement forensic investigators refer to as “Locard’s Principle,” which is that every contact leaves a trace. The same can be applied directly to network security, as perpetrators will always leave behind some indication of his or her presence. The challenge is to find evidence of the compromise before the initial phase of the attack has been completed and while potential evidence can be captured from volatile data on affected endpoints, then preserved for analysis and possibly for delivery to relevant legal authorities.
Recommended Steps for the New Age of Cyber Attacks
My recommendations to retail chain executives and their information security teams to help ward off POS cyber security attacks are as follows:
• Create an incident response plan and regularly test your plan.
• Perform a sensitive data audit to find out which and how many instances of sensitive data, such as personally identifiable information (PII), credit-card data and intellectual property, exist on the network, and where they’re stored. This gives you an idea of where the valuable goods are on your network. For instance, you’re probably a lot more concerned about theft at the jewelry counter than in the sock aisle.
• Remove any unauthorized instances of that sensitive data according to your information- governance policies, so that you minimize your exposure.
• Create and regularly update baselines of normal activity for each of those endpoints.
• Assign information security specialists to proactively hunt for anomalies in near-real-time reports of endpoint activity. These are the signs that your network has been breached and the attackers are inside.
Only when you can track and report on endpoint activity in concert with perimeter network security can you close the loop on your security defense strategy. Doing this is the best way to prevent the bad guys from succeeding at their ultimate goals — access to your sensitive, valuable data.
Jason Fredrickson is the senior director of enterprise application development at Guidance Software. He hires, trains and runs software teams turning developers into leads, leads into managers and managers into developers. Fredrickson can be reached at firstname.lastname@example.org.