Retail Security - Lessons Learned Two Years On

It was December 2013, a week before Christmas, when the massive breach of US retailer Target hit the headlines. In the following months, 2014 saw the likes of Home Depot, Sally Beauty, Neiman Marcus and other US retailers in the news for all the wrong reasons.

The situation was not new – TJ Maxx reported a breach of over 45 million credit cards in 2007 – but what happened in 2014 was effectively a domino effect of retailers reporting major breaches one after the other. Nor was the situation restricted to retailers: eBay reported a loss of around 145 million records in May 2014, while restaurant chain P.F. Chang’s revealed a data breach involving credit and debit card data stolen from restaurant locations nationwide across the USA.

Now two years on from these headlines, the focus of attackers appears to have switched away from retailers to the healthcare sector, where the lucrative bounty of personally identifiable information is available.

What I wanted to understand was why, two years on, the retail security breaches suddenly stopped. Is it the case that those of us in the media are simply bored of writing about these types of incidents, or have retail security teams addressed the situation and made major improvements to their security in the wake of what happened in 2014?

Jodie Sikkel, network infrastructure and security specialist at ANSecurity, said the main learning point is that compliance does not equal security, and “security is a process that requires planning, education, adaptive technology and regular health checks.”

“As a result of these breaches and in order to prevent further breaches, retailers are choosing to work with security specialists and subject experts to design adaptive security solutions to protect against external threats and data loss as well as tick all the obligatory regulatory and compliance boxes,” Sikkel said.

One such managed security service provider that I spoke to was Laurance Dine, managing principal for the Verizon Investigative Response Unit – a division of the Verizon RISK Team. In his role he spends time investigating breaches when they happen and doing everything associated with the investigation.

Asked why he thought the stories stopped, he said: “Overall, things have improved in what we are seeing on the investigations side and putting systems in place, and so systems such as Point of Sale (POS) are not online. With the size of the breaches that we saw, it does make you think and based on our research and debugging, I do think it is better.”

Dine’s team provides a health check to retail security teams to get an idea of their weaknesses, and he said that while there has not been a drop in retailers asking for assistance, things are moving in the right direction.

“It is improved, but it doesn’t mean you won’t be next on the hitlist,” he said. “It takes proper defense. It is a continuous thing, and you cannot assume hackers have gone away.”

One lesson in particular from the Target breach, where attackers used network credentials stolen from a third-party refrigeration, heating and air conditioning subcontractor to gain access and upload malware to POS systems between 15 November and 28 November (Thanksgiving and the day before Black Friday), is the value of network segmentation, which is now being adopted more widely.

Dine said he is seeing more of this and his team advises clients regularly on creating segmented environments. “If something were to happen, the best thing is to have good protection, so if an attacker gets in they do not get everything you have.”
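The segmentation advice above is only as good as the enforcement behind it, and a useful check is to audit observed flows against the zone policy so that a contractor segment reaching a POS segment shows up immediately. The following Python is an added illustration written for this article, not code from Verizon, Target or any vendor quoted here; the zone addresses, allow list and flow log lines are all constructed, and the log format (`src= dst= dport=`) is an assumed one.

```python
"""Audit network flow records against a zone segmentation policy.

Constructed example: zones, allow list and flow lines are illustrative only.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (example addresses, not from any real network).
ZONES = {
    "vendor_remote": ipaddress.ip_network("10.50.0.0/24"),    # third-party access
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "pos": ipaddress.ip_network("10.200.0.0/24"),             # point-of-sale terminals
    "payment_gateway": ipaddress.ip_network("10.250.0.0/24"),
}

# Cross-zone flows that the policy permits: (source zone, destination zone, dst port).
# Anything else crossing a zone boundary is a segmentation violation.
ALLOWED = {
    ("pos", "payment_gateway", 443),   # card authorisation traffic
    ("corporate", "pos", 22),          # administration from the corporate jump hosts
}


@dataclass(frozen=True)
class Violation:
    line_no: int
    src_zone: str
    dst_zone: str
    dport: int
    reason: str


def zone_of(ip_str):
    """Return the zone name containing ip_str, or 'unknown' if it is outside every zone."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse an assumed 'timestamp key=value ...' flow record into (src, dst, dport)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def audit_flows(lines):
    """Return every flow that crosses a zone boundary without being on the allow list."""
    violations = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # traffic inside one zone is not a segmentation question
        if dz == "unknown":
            # POS and other internal zones should not talk to arbitrary addresses at all
            violations.append(Violation(n, sz, dz, dport, "egress to address outside any defined zone"))
        elif (sz, dz, dport) not in ALLOWED:
            violations.append(Violation(n, sz, dz, dport, "cross-zone flow not in allow list"))
    return violations


# Constructed flow records; the timestamps and addresses are illustrative.
SAMPLE_FLOWS = [
    "2013-11-15T02:11:09Z src=10.200.0.5 dst=10.250.0.10 dport=443 proto=tcp",  # pos -> gateway, allowed
    "2013-11-15T02:12:40Z src=10.10.4.2 dst=10.200.0.5 dport=22 proto=tcp",     # admin -> pos, allowed
    "2013-11-15T02:13:05Z src=10.50.0.17 dst=10.200.0.5 dport=445 proto=tcp",   # vendor -> pos, violation
    "2013-11-15T02:13:30Z src=10.200.0.5 dst=10.200.0.6 dport=445 proto=tcp",   # pos -> pos, intra-zone
    "2013-11-15T02:14:02Z src=10.50.0.17 dst=10.10.4.2 dport=3389 proto=tcp",   # vendor -> corporate, violation
    "2013-11-15T02:15:11Z src=10.200.0.5 dst=203.0.113.9 dport=443 proto=tcp",  # pos -> outside, violation
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"line {v.line_no}: {v.src_zone} -> {v.dst_zone}:{v.dport} ({v.reason})")
```

Run against the constructed records it flags three flows: the contractor segment reaching a POS host, the contractor segment reaching a corporate workstation, and a POS terminal talking to an address outside every defined zone, which is exactly the class of traffic Dine describes keeping POS systems away from.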

Ben Johnson, co-founder and chief security strategist of Carbon Black, said that the “massive breaches” woke the retail industry up, but a combination of segmented networks and efficient change management has improved the sector.

Investigation

Speaking to CNBC whilst he was still Chairman and CEO of Target, Gregg Steinhafel said that “day one” of the investigation was 15 December 2013, and within hours it had managed to secure its environment. “We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk,” Steinhafel told CNBC.

One of the investigators was the United States Secret Service. Former Special Agent Steven Bullitt, now vice-president of cyber forensics and investigations at security services provider Solutionary (an NTT Group Security Company), told me that as well as setting up the National Computer Forensics Unit in Alabama to train thousands of police officers in computer forensics and network intrusion investigations, he was involved in investigations into big data breaches.

He explained that in cases where the FBI is called, the two agencies don’t go in concurrently, but there was often better intelligence at the Secret Service, so the two departments work together. He said that, working as an investigator in retail security breaches, a common finding was that the vulnerabilities were similar across sectors.

“A lot of time you may be an opportunity or a target of choice, as there are so many ways to get into a system now, and companies nowadays want connectivity and to be on all of the time. People also want productivity and want customization like BYOD and virtualization, and then on top of that is the Internet of Things, so the standard perimeter for protecting a company has widened now, so with all those things we have convenience but it doesn’t align with security as well. So businesses are forced to move with the environment that security is not aligned with,” he said.

In regard to breaches, Bullitt was reluctant to go into specific detail as some cases are still ongoing, but he said that as well as the big breaches, there are literally thousands of “small ma and pa stores that you don’t hear about.”

He said that the common vulnerability between larger retailers and smaller stores is that they all take credit card payments. “You do not hear about those small stores and chains and we have seen that if you have a person who owns five or six small franchise companies, they put in an integrator to put in a phone system and they put in remote access to fix these vulnerabilities.”

“So when he puts that in they set a backdoor to the system so the attacker scans the system, they can see the opening and administrator passwords are used to get into the system. I see this all of the time. I say if you have remote access it has to be on demand, meaning that the owner has to initiate it and have strong authentication or a VPN for it. There has to be some security steps involved as it is convenient, but if you can log into your environment from any place at any time, from any device, so can your adversary.”

Aftermath

After the breaches happened, the industry sought a way to make sure it didn’t happen again. One way to improve payment security will be with the deployment of EMV/Chip and PIN systems, and Bullitt believed that this will create a more secure and brighter future, as that and the introduction of mobile payments “make it more difficult for those miscreants to monetize the credit card industry, which is a commodity in the black market.”

He pointed to the years since 2014, where breaches have been more about personally identifiable information and healthcare data. “I tell people, when you hear about the breaches don’t think about those credit monitoring services for six months, if you are breached then you are breached for life.”

In a statement to the Consumer Financial Protection Bureau in October 2014, President Barack Obama mentioned the retailers pledging to adopt chip-and-PIN technology by the beginning of 2015, and named American Express for its pledge of $10 million to replace outdated card readers at small businesses. I have used chip and signature in some US retailers such as CVS and Walgreens, but to date the chip and PIN system seems absent.

That’s not to say that a better payment system would have saved the blushes of the retailers in the headlines though. One thing that did get instituted is the attention of the boards, and Mark Weir, director of major accounts UK and Ireland at Fortinet, confirmed this, saying that he was seeing “an awakening in the sector” at a board level.

He said: “Mapped with customer-level applications and big data, there is an understanding that firms need to work hard to protect their ever-expanding pool of data. In our experience, retail is a really exciting, vibrant and fast-moving sector, transforming itself at lightning speed to react to the steep increase in threats over the past two to three years.”

Ben Johnson said that there is a “huge focus on security” within boards, not just in the spending of money, but in the cultural buy-in and getting people on board with new technologies. “There is definitely more spend, more about being smarter with the money and focusing on technology, and general infrastructure and being smart with who you hire. There is a huge focus, and every board meeting that we see has a 45 minute section on cybersecurity and risk as it is such a big issue.”

The Cost

It was reported by CSO Online in early 2016 that Home Depot had agreed to pay as much as $19.5 million to remedy its data breach, which included around 56 million payment cards, as well as 53 million email addresses. This included a reported $13 million to reimburse customers for their losses, and $6.5 million to provide them with one and a half years of identity protection services.

The company admitted that it was working to put the litigation behind it, and that while customers “were not responsible for fraudulent charges”, they have “been our primary focus throughout”, a spokesperson said.

Johnson said that this, together with the $10 million paid by Target, is making boards focus on security risk, and many are making progress as the board understands the current risk to the brand. Asked what has changed in attitudes towards security, he said it is a combination of brand risk, regulatory and national and local government pressure, and the customer’s trust.

He said: “If you can create a notion of trust with users, you should have adequate if not solid controls in place to mitigate risks.”

Sharing Intelligence

The fear that the breaches struck into retail security led retailers to take steps to make sure it did not happen again, and judging by the lack of further breaches in the headlines, I guess that has been a success. One reason for this was the establishment of the Retail Cyber Intelligence Sharing Center (R-CISC), which describes itself as “another tool in retailers’ arsenal against cyber-criminals by sharing leading practices and threat intelligence in a safe and secure way.”

The R-CISC was launched in 2014 as a combination of 30 retailers with retail trade associations and by June, retailers were sharing threat intelligence among themselves with analyst support and with feeds from the NCCIC, FBI and other government sources. Later that year, Brian Engle was appointed as executive director, coming from a CISO background in his native Texas.

The R-CISC counted a membership of over 400 organizations at the time of our meeting in March, and I wanted to know what Engle thought had improved the sector and what improvements had been made.

He said that as a very spread out and diverse sector containing thousands of retailers including everything from the local dry cleaners to the largest names, R-CISC is working by creating small groups of organizations into collectives, and he said that this has created “leaps and bounds in improvements in those organizations”, as they work together to improve capabilities.

Engle said that the beauty of working in a shared environment is that you can see the infiltration and once that happens, you can see how advanced and complex that is. “The threat may have been there and it was not what they used to get in as that is being shared and re-used and built upon across the hacker community,” he said.

So what are the levels of security within retailers? Engle said that in some of the more capable and advanced organizations, they are building up their capabilities at an advanced rate, and have personnel dedicated full time to what is happening but also pursuing detection – both internally and externally to their environments.

“That ranges down to organizations who are reliant on high degrees of outsourcing and have a small IT show and are a pure e-commerce platform and have developers and a router guy, and that is why it is difficult to look at this as an industry and say that the standard for the retail security needs to be set, and it does, but the bar cannot be one bar as that is stifling nature,” he said.

“The effect that has on organizations operating on a 3% margin in a grocery store – telling them to build a financial services capable security model – the costs would outdo any level of capability.”

Engle admitted that it is a complex problem, and that when incidents occur it is easy to think of straightforward ways to solve them, but he said there is always a deeper story and, for the most part, retailers are not ignoring it.

“One thing I would say is no one gets to build the security program from ground zero, and no one plays the Chess game with all of the pieces on the board, and often you are playing 12 games at once and one of them is the king and the pawn and you’re just trying to avoid them!”

Of course, as in any vertical, there are variants of companies in terms of size and capability, and I wanted to know if R-CISC was engaging with as many online retailers as traditional high street retailers. He said that it is actually seeing retailers reinventing themselves, but overall, security controls take time to implement.

So with fewer headlines in 2015 and 2016, are companies more prepared after the event? Engle said he thought it was largely yet to be seen, but the response is now there to react at a much better rate.

“Take the warning indicator, plus the types of things to detect, the sharing of information beyond cybersecurity indicators into the fraud space; this all helps to create cross-effecting factors. Think of the breach of the card data and the use of the cards, the impact upon another retailer and we are really reaching into a place where a degree of information sharing is the flag, and detecting that type of theft of a card at a faster rate,” he said.

“We can get to that place where all of those converging factors make POS malware only able to affect the smallest retailers with the lowest transaction rates. I think we will see the types of attack vectors shared effectively and quickly so that the types of things in the damage realm can be affected and removed.”

“There are so many tools available in the e-commerce realm to help step up authentication and help prevent the fraud; you don’t have to have the perfect wall to the credit card safe, you can have all of these other things for detection. Also, having the R-CISC as the clearing house for information that can be shared across the whole sector of retail, and broadly any consumer goods across the eco-system, really positions the retailer to be more proactive and not just chase the liability at the end of the event.”

Engle followed the model of other ISACs in saying that cyber-criminals are sharing information and specializing in areas across aspects of breaking into systems or exfiltrating data and moving it around quickly, and of course monetizing it. So if R-CISC can replicate this, then maybe the future for retail security does not look particularly bleak.

Two years on from writing a string of headlines about retail security breaches, it is reassuring to see that major advancements were made so quickly to try and resolve what was turning into a major problem. The case of customer trust is now a board matter, and they have realized that having a brand associated with poor security has a major impact upon the entire business.

It may be that retailers just improved their efforts and the problems stopped. With the European General Data Protection Regulation proposing mandatory data breach notification, maybe we will see a resurgence of bad news in the future. For the moment, retail security had its annus horribilis and while the cases are being settled and the instances not forgotten, maybe retail security really did take a great leap forward.
