The recent Home Depot attack is over and done with, but the aftermath leaves us with many important questions such as what is needed to stop this cycle of breaches and how do we fight back? It is encouraging to see the credit card industry lead the effort with new technologies such as chip-reading credit card terminals and efforts for increased security for electronic payment. Please reference the WSJ blog “Security Breaches Trigger Retail’s Big Players to Call for Major Tech Changes,” for additional information.
We often get questions from clients in retail and many other sector asking for the top “hot points” they should do to make sure they do not suffer a breach. Many struggle with where to begin and struggle to explain their current security state. While there is no substitution for complying fully with PCI DSS, there are a few common themes in breaches that all businesses should address to avoid one.
First, is understanding what security & compliance means to your company and where you are currently exposed. Working with third party, security professional services firms can provide a fresh set of eyes, add industry expertise to compliment your staff and help understanding what is needed. Unfortunately, so many companies go this step along.
Cyber-attack begins at the front door via the Internet and/or 3rd party gateways (commonly called extranets). The Target attack and alledgedly a similar case with Home Depot, remote access to these systems opened up an avenue for all kinds of risk. And if you are not segmenting the network it may not matter what your perimeter infrastructure looks like. If someone can jump around inside your network once they gain access, you can bet they will go after any system with a perceived value.
A second issue facing retailers is the growing complexity and sophistication of malware for real-time theft. I remember many conversations back in the 2008-2009 time frame where software engineers VEHEMENTLY objected to encryption controls in their applications. They would leave things unencrypted in memory (including encryption keys) and say things like, “Wow, it’s virtually impossible to grab this data,” or “Nobody is going to spend time trying to capture things from RAM while they reside there for a few microseconds.” Well, the bad guys have a number of methods for capturing this data including making the entire integrated POS software run inside a debugger, transparently to the user – this is presumably how cardholder data was gleaned from Target systems.
Lack of segmentation. Remember, segmentation IS NOT a PCI DSS requirement, and never has been. It is strongly suggested, and for most large customers its one of the most importantways they will be able to comply in a cost effective manner. But small customer with just a few computers don’t want to spend the extra money to segment these networks, thus it gives the bad guys a an easy way in. Compromise the back office PC with malware and jump over to the POS network.
Lastly as an industry we need to match the cyber-criminals intensity and intentions. They don’t sleep, take vacations and their threat is constant. Security and compliance analysis, advanced security solutions and 7/24 proactive monitoring are now table stakes. This problem required more than one simple product.
Partnering, building awareness, segmentation, advanced security solutions and proactive monitoring will go a long way to preventing a breach.
Director of Presales Engineer