RETAIL SECURITY BREACHES WHAT YOU CAN LEARN FROM THEM

eBook: Top Retail Security Breaches


Page 1: eBook: Top Retail Security Breaches


EXECUTIVE SUMMARY

SECURITY BREACHES INCREASING EXPONENTIALLY

As security breaches become a growing concern for nearly every type of organization, Senior IT Managers must take every conceivable step to protect their company and avoid seeing it in the headlines.

This document presents the current state of Retail Security Breaches and offers suggestions on how to deal with the ever-increasing likelihood that your company will be attacked by hackers. Joe Ross, President and Co-Founder of CSID, [vii] the leading provider of global identity protection and fraud protection technology, suggests that unless merchants implement new procedures to deter thieves at the Point of Sale, things will get worse before they get better.

FOR RETAILERS, IT STARTS AT THE POINT OF SALE AND EXTENDS TO STRENGTHENING CONNECTIVITY LINKS WITH MANAGED SERVICE PROVIDERS.

INTRODUCTION

The results of a recent study by CIO Magazine found that retailers are the biggest target for cyber attackers and POS is still the easiest and most common way in the door.[i]

In their 2014 Data Breach Investigations Report, [ii] Verizon suggested that 2013 was the “year of the retail breach.” The 2014 report was published before the high-profile Target intrusion, and according to most experts the number of attacks is escalating year over year.

In 2015, Verizon surveyed over 70 companies and reported the following:

• $400 Million in losses in 61 countries
• 2,122 Confirmed Data Breaches (that doubles the 2014 number)
• 79,790 Security Incidents
• Top five industries targeted were Public, Financial Services, Manufacturing, Accommodation and Retail
• In 70% of the attacks, there is a secondary victim
• In 60% of the cases, attackers compromise the target in minutes
• In nearly 100% of the cases, a known CVE existed but patches had not been applied

POS Systems Number One Target from 2014 Report:

• 523 Retail Breaches in 2013
• Specifically in Retail, researchers found more than four times more breaches in small organizations than in the mega retailers
• 28.5% of the breaches targeted POS systems
• In the Accommodation Sector, more than 90% of the incidents hit POS (Point of Sale) systems, and POS was also the biggest target in the entertainment and retail sectors

Phishing on the Rise

• Phishing is like shooting fish in a barrel for hackers – it’s just too easy – 23% of recipients open phishing messages and 11% click on attachments, and a campaign of just 10 emails yields a 90% chance that at least one person will open the email
• 97% of exploits target CVEs (Common Vulnerabilities and Exposures)

With so many attacks on retailers in recent years, the biggest challenge was narrowing our list, so we decided to profile a few of the larger ones and lump the others into how the attacks occurred, with POS and Managed Service Attacks being the most prevalent.

Some specific instances that are not covered, but deserve “honorable mention,” include Sony, UPS, White Lodging, Sally Beauty, Michaels, Affinity Gaming, PF Changs, Albertsons and Super Value, Dairy Queen, Staples, KMart and Goodwill.

TOP RETAIL ATTACKS AND WAYS TO AVOID THEM

As a recent Security Intelligence report highlights, “consumer credit card information is better than gold because it can be transmitted electronically and anonymously.” [iii] Once they gain access to POS systems, Retail Cyber Attackers can quickly skim small amounts of cash out of multiple accounts, and with millions of accounts compromised, they can very quickly accumulate large amounts of stolen money.

PREVENTING THESE ATTACKS SHOULD BE THE NUMBER ONE PRIORITY OF EVERY RETAILER IN THE WORLD.

WHAT TO LEARN FROM THE TARGET ATTACK [iv] SPECIFICALLY

Research strategist Chris Poulin carefully analyzed the 2013 Target attack and in his February 2014 update reported that entry into the Target infrastructure reportedly came through a portal involving an HVAC contractor. The attacker apparently used the portal to penetrate Target’s internal network and compromise a Windows file server. From there they worked their way into the POS system. He offered the following recommendations for combatting similar attacks:

• Monitor contractor relationships to make sure they are keeping their systems up to date. Anyone who has access to your systems through approved portals is potentially an unwitting partner with an attacker. In the case of Target, the HVAC contractor had a well-known virus resident in the system they used to attach to Target’s contractor portal.

• Ensure that all Web servers are at the most current revision level. The Target attack could likely have been prevented if the operating systems on both internal and external servers were at their most current revision level. A large percentage of the patches released by software manufacturers are in place to plug known security leaks and must be installed like clockwork!

• Require regular changing of passwords and insist they are encrypted. Too many organizations, and the users of systems in these organizations, are too relaxed in how they control and maintain passwords. In the case of the Target breach, the contractor reportedly had remote access, and one of the software packages used for the remote access was using the manufacturer default for username and password. The hackers simply scanned the network using the default information until they found a server that used those credentials, and they were in the front door of the network.

• Recognize Point of Sale Systems as the likely target and lock them down – the Verizon reports say that 90% of attackers go after POS systems, so make them your number one priority in your efforts to avoid attacks. In the Target incident, the attackers eventually worked their way into the POS systems, but the attack could have been averted with the right tools installed at this level. Poulin recommends using dynamic configuration tools like sandboxing and endpoint behavior anomaly detection to guard against unauthorized use of POS devices.

• Watch for unauthorized collection and summarizing of data. Once they were in the door at Target, the attackers collected and assimilated all the individual entries from POS card swipes on internal servers. Network activity monitoring, “deep packet inspection” and similar tools would have detected the unauthorized accumulation and storage of the credit card information.

• Guard against exfiltration – the final step in the Target attack was to export the data to external servers on a regularly scheduled basis. This again could have been avoided with network monitoring that included string pattern and anomaly protection software. Learn from this example and establish policies that only allow exporting of data to specifically authorized sets of IP blocks, or restrict access to banks of addresses used by Eastern Bloc countries.
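The last two recommendations above (spot unauthorized bulk movement of data and only permit exports to authorized IP blocks) can be turned into a concrete detection. The following is an added example, not code from the eBook or from Poulin: it runs an egress allowlist over a handful of constructed connection records (the CIDR blocks, host addresses, byte counts and timestamps are all made up for the example) and separately looks for transfers to one destination that recur on a fixed schedule, which is the pattern described for the Target exfiltration.

```python
"""Egress policy check over constructed flow records (added example).

Two detections:
  1. unapproved_exports: large outbound transfers from the POS segment to a
     destination outside the approved export blocks.
  2. scheduled_transfers: repeated transfers to the same destination at a
     near-constant interval, i.e. exfiltration "on a regularly scheduled basis".
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed policy: the only blocks that data exports may go to.
APPROVED_EXPORT_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/28"),
]

# Constructed address range for the store / POS segment.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("2014-01-02T02:00:03", "10.20.5.17", "203.0.113.10", 443, 120_000),   # approved export
    ("2014-01-02T02:00:05", "10.20.5.17", "192.0.2.44", 443, 9_800_000),   # hourly bulk transfer
    ("2014-01-02T03:00:04", "10.20.5.17", "192.0.2.44", 443, 9_700_000),
    ("2014-01-02T04:00:02", "10.20.5.17", "192.0.2.44", 443, 9_900_000),
    ("2014-01-02T09:15:00", "10.20.7.3", "198.51.100.5", 443, 4_000),      # approved, small
    ("2014-01-02T10:41:11", "10.20.7.3", "192.0.2.44", 80, 512),           # unapproved but tiny
    ("2014-01-02T11:00:00", "10.50.1.9", "192.0.2.77", 443, 5_000_000),    # outside POS segment
]


def is_approved_destination(dst: str) -> bool:
    """True when dst falls inside one of the approved export blocks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in block for block in APPROVED_EXPORT_BLOCKS)


def unapproved_exports(flows, min_bytes=1_000_000):
    """Flows from the POS segment that push at least min_bytes to a non-approved destination."""
    hits = []
    for ts, src, dst, port, nbytes in flows:
        if (ipaddress.ip_address(src) in POS_SEGMENT
                and nbytes >= min_bytes
                and not is_approved_destination(dst)):
            hits.append((ts, src, dst, port, nbytes))
    return hits


def scheduled_transfers(flows, tolerance_seconds=300, min_count=3):
    """Map (src, dst) -> interval in seconds for pairs whose transfers recur
    at a near-constant interval (all gaps within tolerance_seconds of each other)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_seconds:
            findings[pair] = gaps[0]
    return findings


if __name__ == "__main__":
    for hit in unapproved_exports(SAMPLE_FLOWS):
        print("unapproved export:", hit)
    for pair, interval in scheduled_transfers(SAMPLE_FLOWS).items():
        print(f"scheduled transfers {pair[0]} -> {pair[1]} every {interval:.0f}s")
```

The byte threshold keeps the small web fetch from the second terminal out of the first alert, and the segment check keeps the corporate host out of scope; both are deliberate so that the rule fires on bulk movement from the POS network specifically. In practice the flow records would come from a firewall or NetFlow collector rather than an inline list.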

HOME DEPOT - POS AGAIN THE “TARGET” AT HOME DEPOT [v]

In his Naked Security analysis of the $62 Million Home Depot loss, John Zorabedian suggests that the “silver lining” in the attack may be the death of the 50-year-old mag-stripe card technology that is so easy for hackers to penetrate.

The Home Depot attack was unfortunately bigger than the one inflicted on Target, and here again, attackers targeted the antiquated POS strategy employed by Home Depot and so many other retailers around the world.

Existing Magstripe readers are vulnerable to RAM scraper malware that steals payment card data from POS systems. This enables thieves to then use this information to enter fraudulent transactions against unsuspecting cardholders. The newer EMV technology, on the other hand, uses a unique code for each transaction, so even if the code is compromised, it is useless to attackers for making additional charges.

Zorabedian and others note that U.S. retailers and banks lag far behind their counterparts around the globe. He urges them to adopt the new technology as quickly as possible because the cost of not replacing these systems “is enormous and rapidly mounting.”
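The difference between static magstripe data and a per-transaction code is easy to see in a few lines. The following is an added example, not code from the eBook and not real EMV (it uses an HMAC where real cards use issuer-derived session keys, and it omits everything else in the protocol): the card key, account value, transaction counter and unpredictable number are all constructed. It models an issuer that accepts the same skimmed track data twice, next to an issuer that recomputes a cryptogram bound to a transaction counter and rejects the captured value on reuse.

```python
"""Static track data versus a per-transaction cryptogram (added, simplified model)."""
import hmac
import hashlib

# Constructed secret shared by the card chip and the issuer.
CARD_KEY = b"constructed-demo-card-key"


def static_track_authorize(known_cards, track_data, amount):
    """Magstripe model: the issuer only checks that the static track data is on file,
    so the same scraped value authorizes any later charge regardless of amount."""
    return "approved" if track_data in known_cards else "declined"


def card_cryptogram(key, atc, amount, unpredictable_number):
    """Chip side: a MAC over the application transaction counter (ATC), the amount
    and the terminal's unpredictable number, so each transaction gets a unique code."""
    msg = f"{atc}|{amount}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer side: recomputes the cryptogram and requires a strictly increasing ATC."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize(self, atc, amount, unpredictable_number, cryptogram):
        expected = card_cryptogram(self.key, atc, amount, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram mismatch"
        if atc <= self.last_atc:
            return "declined: transaction counter reused"
        self.last_atc = atc
        return "approved"


def magstripe_replay_outcome():
    """Scraped static track data presented for a second, larger charge."""
    known = {"4111111111111111=2512"}      # constructed track-2-style value on file
    scraped = "4111111111111111=2512"      # what RAM scraper malware would capture
    return (static_track_authorize(known, scraped, 40.00),
            static_track_authorize(known, scraped, 999.00))


def emv_replay_outcome():
    """A legitimate chip transaction, a replay of the captured cryptogram, and an
    attempt to reuse it for a different amount under a fresh counter value."""
    issuer = Issuer(CARD_KEY)
    atc, amount, un = 17, 40.00, 0x5A3C9F01
    captured = card_cryptogram(CARD_KEY, atc, amount, un)   # visible to a scraper
    first = issuer.authorize(atc, amount, un, captured)
    replay = issuer.authorize(atc, amount, un, captured)
    altered = issuer.authorize(atc + 1, 999.00, un, captured)
    return first, replay, altered


if __name__ == "__main__":
    print("magstripe:", magstripe_replay_outcome())
    print("emv-style:", emv_replay_outcome())
```

The counter check is what turns a captured code into a one-time value, and the MAC over the amount is what stops the code being attached to a different charge; neither check exists for track data, which is the point Zorabedian makes.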

NEIMAN MARCUS EXPOSED CUSTOMER INFORMATION

Attackers successfully penetrated the upscale department store from July to October of 2013, gaining access to personal financial data of over 350,000 customers. In an official notification to customers, Neiman Marcus highlighted what they are doing to resolve the issue, and most retailers would do well to follow this example before they are attacked:

• Disabling the malware we discovered in the course of our investigation
• Working directly with federal law enforcement in its investigation
• Conducting a full review of all of our payment card information systems and vulnerability assessment with the payment card brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading, payment brand approved forensics firm
• Reviewing our intrusion detection systems and firewalls
• Reinforcing our security tools
• Reviewing and hardening our systems
• Modifying our software and security credentials

POS ATTACKS ON COUNTLESS OTHERS

Since POS is the ultimate target, every retailer in the world should consider the following advice from CIO Magazine to prevent POS breaches:

• Install next-generation firewalls (NGFWs) between network segments and in the business-to-business portal.
• Introduce a full mobility security plan that includes basic limitations on the mobile devices themselves
• Separate systems into groups and zones to prevent attackers from penetrating further into the infrastructure
• Use two-way authentication on all mobile devices
• Keep all software patched and updated
• Isolate POS systems from the remainder of the corporate network
• Trust nothing and nobody
• Strengthen email security to block malware

THIRD PARTY MANAGED PROVIDER ACCESS

Although the individual impact on a single big store grabs the headlines, there are countless attacks occurring every day on small and large retailers alike via the third-party contractors they rely on for auxiliary services. These attacks actually represent a higher level of exposure than the high-profile attacks because of their impact on stores covered by managed service companies.

One of the most recent examples [vi] is through a company called PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers including Walmart, CVS, Rite Aid, Sam’s Club and more.

Following an alert by PNI, several retailers suspended their online photo services while they investigated reports that customer information was stolen from online payment transactions that compromised “names, addresses, phone numbers, email addresses, photo account passwords and other credit card information.”

The big lesson here for retailers is to be very careful about who they contract with for auxiliary services. The U.S. Secret Service, Financial Services Information Sharing and Analysis Center (FS-ISAC) and The Retail Cyber Intelligence Sharing Center warn retailers that “managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.”

In a recent cybersecurity alert, they listed a number of companies that have been targeted and said retailers should use “multifactor authentication for remote-access login to point-of-sale systems [and incorporate] specific policies related to outdated operating systems and software in contracts with vendors.” Chris Bretz, director of payment risk at the FS-ISAC, says that “criminals continue to find success by targeting smaller retailers... who use a managed service provider that provides IT and payment services for their business.”

ADDITIONAL RECOMMENDATIONS FOR COMBATTING CYBER ATTACKS

Recommendations from Verizon’s 2014 report to combat phishing:

• Block, filter, and alert on phishing emails at the gateway
• Launch an engaging and thorough security awareness program
• Improve detection and response capabilities

Additional recommendations from Chris Poulin, who notes that attackers are growing increasingly more sophisticated:

Protecting Against Future, Sophisticated Attacks

• Develop a system profile of your POS systems as they “should be” and then have a software program that alerts on any configuration changes, application or network activity that violates the “should be.”
• Clearly identify and monitor mission-critical assets, similar to how the energy and utilities sectors designate these critical systems with a “data diode” which only allows mission-critical systems to interact with other data diode systems. This can help prevent malware infection in the first place.
• Create default ping-back payloads and sizes and then configure your IPS to alert you when non-standard packets are detected
• Carefully monitor, detect and report all unusual network traffic behavior, specifically including the use of port 443, unusual DNS queries and other non-standard queries
• Develop a full Security Intelligence System and log all unusual activities, especially anything involving POS systems or exports to external systems.
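Poulin’s first recommendation, a “should be” profile of each POS system with alerts on any deviation, is essentially a baseline diff. The following is an added example, not code from the eBook or from Poulin: it compares a constructed baseline (expected listening ports, services, outbound destinations and binary hashes; all names and paths are hypothetical) against a constructed snapshot from a terminal that has drifted, and classifies every deviation with a severity so the alert is actionable.

```python
"""POS "should be" profile check (added example, constructed data)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of a file's contents; here computed over constructed stand-in bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline for a POS terminal. Paths and service names are hypothetical.
BASELINE = {
    "listening_ports": {443, 8443},
    "services": {"pos-agent", "sshd"},
    "outbound_allowed": {"203.0.113.10:443"},
    "binaries": {
        "/opt/pos/bin/posd": sha256_hex(b"posd-build-1234"),
        "/opt/pos/bin/cardreader": sha256_hex(b"cardreader-build-7"),
    },
}

# Constructed snapshot of the same terminal after it has drifted: an extra
# listener, an extra service, a new outbound peer and a changed binary.
SNAPSHOT = {
    "listening_ports": {443, 8443, 4444},
    "services": {"pos-agent", "sshd", "updater"},
    "outbound_allowed": {"203.0.113.10:443", "192.0.2.44:443"},
    "binaries": {
        "/opt/pos/bin/posd": sha256_hex(b"posd-build-1234"),
        "/opt/pos/bin/cardreader": sha256_hex(b"cardreader-build-7-modified"),
    },
}

SET_KEYS = ("listening_ports", "services", "outbound_allowed")


def profile_deviations(baseline, snapshot):
    """Return (kind, category, item) for every way the snapshot violates the baseline."""
    findings = []
    for key in SET_KEYS:
        for item in sorted(snapshot[key] - baseline[key]):
            findings.append(("unexpected", key, item))
        for item in sorted(baseline[key] - snapshot[key]):
            findings.append(("missing", key, item))
    for path, expected in baseline["binaries"].items():
        observed = snapshot["binaries"].get(path)
        if observed is None:
            findings.append(("missing", "binary", path))
        elif observed != expected:
            findings.append(("modified", "binary", path))
    for path in snapshot["binaries"]:
        if path not in baseline["binaries"]:
            findings.append(("unexpected", "binary", path))
    return findings


def severity(finding):
    """Rank deviations: a changed or foreign binary on a POS host is the worst case,
    new network exposure next, everything else is still an alert but lower priority."""
    kind, category, _item = finding
    if category == "binary" and kind in ("modified", "unexpected"):
        return "critical"
    if kind == "unexpected" and category in ("listening_ports", "outbound_allowed"):
        return "high"
    return "medium"


def alerts(baseline, snapshot):
    """Deviations paired with their severity, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    found = [(severity(f), f) for f in profile_deviations(baseline, snapshot)]
    return sorted(found, key=lambda pair: order[pair[0]])


if __name__ == "__main__":
    for sev, (kind, category, item) in alerts(BASELINE, SNAPSHOT):
        print(f"[{sev}] {kind} {category}: {item}")
```

A real deployment would build the baseline from a freshly imaged terminal and take snapshots on a schedule from the live fleet; the comparison logic stays the same. Sorting by severity puts the modified card-reader binary at the top, which is the finding that matters most on a payment device.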

COMMENTS FROM SECURITY EXPERT

Joe Ross, President and Co-Founder of CSID, [vii] the leading provider of global identity protection and fraud protection technology, suggests that unless merchants implement new procedures to deter thieves at the Point of Sale, things will get worse before they get better. He points out that although attacks on high-profile companies get more media attention, cyber attackers often go after smaller, more vulnerable shops where the financial hit and damage to their reputation could put them out of business. He urges merchants to invest for the future by switching to an EMV-compliant system (named after its original developers, Europay, MasterCard® and Visa®). Visit the CreditCards.com [viii] website for additional information about EMV. He also suggests that shoppers might do well to use cash and gift cards as a safer form of payment since no personal information is exposed to the store systems.

Christopher Poulin concludes his analysis of the Target Attack with this statement, which should be a signpost for every single retailer in the world:

“there is no perfect or foolproof detection . . . your [security] plan should include detection, response and escalation, engaging law enforcement as appropriate, preservation of evidence, compliance with regulations and contractual agreements, customer and press notification, and public relations.”

CONCLUSION

If you are the senior IT Manager in charge of your organization’s infrastructure, you likely spend 20% or more of your time protecting it from internal compromise and external attack. With the full security suite from thinkASG, you can rest assured that you are doing everything humanly possible to provide secure access to your organization’s data and customer information.

Be sure to lock down your POS systems and all the networks that have access to them or store password information, and insist that managed service providers keep their systems up to date and secure at all times.

ABOUT US

yourCloud: Together we take a workload-by-workload view to determine the best target infrastructure to deploy your business applications - on or off-premise.

yourData: What can we learn from your business data to help us craft intelligent solutions for protection, security, compliance and resiliency of your most important asset next to your people.

yourSecurity: As a team, we work together to establish a holistic and mature security posture that will help detect, prioritize, address and help prevent security breaches.

yourSupport: We ask, “Is everything essential to running my business fully protected?” Define and address gaps in coverage, whether it be people, resources or knowledge.

Our goal is to provide strategic outcomes that align technology with the goals and objectives of your business.

For more info click or call 800.991.9274 - THINKASG.COM

YOUR TRUSTED IT CONSULTING AND SOLUTION PROVIDER, ALIGNED WITH YOUR BUSINESS

thinkASG enables technology and business alignment through timely expertise, services and solutions crafted to meet the long-term vision, goals and objectives of the business.