Target, Neiman Marcus, Michaels, Home Depot and SuperValu are some of the biggest retailers that have experienced a data breach that has caused harm to both their brands and their customers. While those companies are taking steps to improve point-of-sale security, many more retailers have not learned from their mistakes.
The average cost of cybercrime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million in 2014 according to the Ponemon Institute. Late last year, a large number of retailers sent a letter to members of Congress asking for modifications to the breach laws to standardize reasonable, timely notification of sensitive data breaches whenever and wherever they occur. While these actions may provide some help, the focus should not be on passing legislation. Retailers need to expend the majority of their energies on evolving their security models.
All retailers should learn from Target and Home Depot; both organizations suffered serious financial impacts that helped to galvanize management attention. In spite of the negative impacts to both Home Depot and Target some good things have come from these breaches. Target has actually begun to change the culture of their company, hiring more people from outside and establishing clearer lines of communication about security issues across executive staff.
Retailers should remember that hardening their security is an ongoing process and not a compliance check box because attackers are getting smarter. They know that retailers have to comply with PCI DSS and keenly understand its weaknesses. After one retailer has been compromised, it’s easy for other attackers to apply the same tools and techniques to other retailers. It doesn’t help that attacker know where unencrypted payment data might reside within a retailer, whether at rest or transmitted. Attackers have already adapted different techniques for harvesting data using increasingly sophisticated malware.
The actual point of intrusion in retail breaches hasn’t been particularly sophisticated but the malware is and attackers are relying on standard system vulnerabilities, misconfigurations, as well as spear phishing for their initial entry point. Another concerning trend is that attackers have compromised trusted business partners and service providers of the company they are targeting in order to get into networks. Hackers burrowed into Target and Home Deport through their trusted partners, which is a pretty common attack method, and one that retailers are not typically prepared to defend.
With Target, it took months for hackers to research the network and they took their time before they carried out their attack. In other retail attacks, hackers went after the remote desktop protocol (RDP), a Microsoft protocol for transmitting data between servers and client devices. The RDP attacks are attacks of convenience because attackers can run a scan of the entire Internet and find all the open RDP ports in a few hours and then deploy brute force tools to break in.
RDP is not necessarily vulnerability itself, but having the RDP open to the Internet is. The problem occurs when an open RDP is found, because an attacker can attempt thousands of logins and they will not be locked out.
Cyber criminals now design malware specifically for POS infiltration. BlackPOS is now available in an open source format on the dark web. It was used in the Target and Home Depot breaches, so while hackers’ tools and techniques are escalating, retailers’ defences are not keeping up.
The POS trend was consistent throughout 2014, with Jimmy John’s, P.F. Chang’s, Goodwill, Dairy Queen, Kmart and Home Depot all reporting attacks. The encouraging news is that management boards at retailers are speaking more about the risk as the impact is seen more on share prices and that will translate into more resources for retail security IT teams.
For retailers looking to improve their cybersecurity, here are the top three suggestions:
- Invest in point-to-point encryption for all card processing data. Typically, retailers encrypt this data when it leaves their networks but inside their networks it remains unencrypted. If an attacker can get inside the network it’s very easy for them to quickly identify and steal credit card data.
- Invest in employee training. Retail organizations often have relatively high employee turnover and many rely on unskilled labor. Often employees will plug personal devices like mobile phones and iPods into POS terminals to charge them and it’s very easy for cross-contamination to happen as a result. Every retail employee needs regular training on security awareness.
- Most retailers don’t have an accurate inventory of the software applications running on their networks. This makes it nearly impossible to quickly detect new malware infections because there is no known, secure baseline. Every retail organization should have a comprehensive, up-to-date inventory of all corporate software applications.
Transforming security models is an ongoing challenge that retailers are going to have to commit to in 2015 or risk a catastrophic breach that could put them out of business.
Tripwire provides security compliance and automation software.
Favorite