Are Retailers Prepared for an Onslaught of Sales?

This year has seen a slew of retail organizations hit by data breaches, putting millions of customers’ personal data at risk. While the mode of attack, from malware to malicious insider, has been varied, one thing is clear – cyber criminals are becoming increasingly sophisticated and underhand in their methods. With Black Friday and Cyber Monday approaching, retail organizations are going to see a spike in both online and offline sales and a significant amount of pressure will be placed on their infrastructure. At this time particularly, retailers cannot afford to take shortcuts in security.

Verizon’s 2014 Data Breach Investigations Report showed that, in 2013, retail organizations had the third highest number of security incidents with confirmed data loss, behind financial and public sector institutions. The sector is always going to be a prime target for hackers, but that cannot be an excuse not to do as much as possible to prevent it.

While retailers must meet extensive data security requirements and compliance regulations, the focus of many of these organizations’ IT departments is revenue-generating activities, rather than breach prevention and protection of customer data. If this year has done nothing else, it’s shown that retailers need to shift their mindset and readdress their existing security strategy. For example, too many still believe that traditional defenses provide adequate security and overlook crucial, more sophisticated approaches that involve continuous monitoring and security intelligence.

Payment information is some of the most sought-after data for hackers and, as Verizon’s report shows, 14% of all breaches in 2013 involved point-of-sale (POS) intrusions, with a further 9% from card skimming. In order to identify malicious events of this nature, the entire infrastructure involved in card processing needs to be properly monitored for anomalous activity – including everything from the POS system endpoints to the payment processor, as well as all back-office and network infrastructure.

To begin with, certain attributes on the POS endpoint must be monitored in order to effectively identify malicious activity. For example, when a piece of malware is installed on a POS system, it might reach out to a command-and-control server, which is abnormal communication for a POS, or it might initiate suspicious process activity and/or make changes to the POS’s file system. As such, retailers need to be able to identify anomalous behaviors.

Essentially, it’s a case of ensuring all POS systems are running the same set of processes and their file systems all look identical to one another – with the only exception being during scheduled updates. If they’re not identical, there’s a high chance there’s malware somewhere on the system.

In many cases, an organization’s POS endpoints also communicate directly with third-party payment processors and, in many situations, those endpoints will also communicate with ‘back-office’ systems. These systems can serve a variety of purposes, particularly within larger organizations – from aggregating transactions from multiple POS endpoints for processing, to keeping track of a customer’s purchases for loyalty programmes. Although these back-office systems don’t always process credit card data, they are generally authorized to communicate with POS endpoints, which makes them a viable option for hackers. Given other personal data may also be residing on these systems, they need to be protected along with credit card details.

Furthermore, network communications between components in the card processing chain also need to be tightly controlled and monitored. Because POS and back-office systems communicate in such a narrow, predictable way, unauthorized network communications are both crucial to identify and relatively easy to spot. POS endpoints should only communicate with certain elements of the chain, such as with back-office systems or third-party processors. When a new type of network communication appears, such as malware attempting to phone home or a malicious actor attempting to exfiltrate data, security personnel should be immediately notified.
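As an added illustration, not the article’s or LogRhythm’s code, of the two checks described above: comparing every POS endpoint’s processes and files against a golden baseline (with an exception for scheduled update windows) and flagging any network peer outside the allow-list of back-office and processor hosts. All hostnames, file hashes, process names and the maintenance window are constructed sample values.

```python
# Added example: fleet drift and peer allow-list check for POS endpoint snapshots.
# All baseline values, hosts, hashes and times below are constructed, not real data.
from datetime import datetime

# Golden image every POS terminal is expected to match (constructed sample values).
BASELINE = {
    "processes": {"pos.exe", "svchost.exe", "lsass.exe", "printspool.exe"},
    "files": {"C:\\POS\\pos.exe": "a1b2", "C:\\POS\\config.ini": "c3d4"},
}
# Only the back-office aggregator and the third-party processor may be contacted.
ALLOWED_PEERS = {"backoffice.internal:8443", "processor.example.net:443"}
# Scheduled update windows (start, end) during which file/process drift is expected.
MAINTENANCE = [(datetime(2014, 11, 26, 2, 0), datetime(2014, 11, 26, 4, 0))]

def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE)

def check_endpoint(report):
    """Return a list of alert strings for one endpoint's snapshot."""
    alerts = []
    host, ts = report["host"], report["time"]
    # Process and file drift only matters outside a scheduled update window.
    if not in_maintenance(ts):
        for proc in sorted(set(report["processes"]) - BASELINE["processes"]):
            alerts.append(f"{host}: unexpected process {proc}")
        for path, digest in report["files"].items():
            if BASELINE["files"].get(path) != digest:
                alerts.append(f"{host}: file changed or unknown {path}")
        for path in sorted(BASELINE["files"].keys() - report["files"].keys()):
            alerts.append(f"{host}: baseline file missing {path}")
    # The network allow-list applies at all times: a new peer is never routine.
    for peer in sorted(set(report["connections"]) - ALLOWED_PEERS):
        alerts.append(f"{host}: unauthorized connection to {peer}")
    return alerts

def check_fleet(reports):
    """Run the check over every endpoint report and return all alerts."""
    return [a for r in reports for a in check_endpoint(r)]

# Constructed sample snapshots: one clean terminal, one with drift and a phone-home.
SAMPLE_REPORTS = [
    {"host": "pos-01", "time": datetime(2014, 11, 28, 9, 0),
     "processes": ["pos.exe", "svchost.exe", "lsass.exe", "printspool.exe"],
     "files": {"C:\\POS\\pos.exe": "a1b2", "C:\\POS\\config.ini": "c3d4"},
     "connections": ["backoffice.internal:8443"]},
    {"host": "pos-02", "time": datetime(2014, 11, 28, 9, 0),
     "processes": ["pos.exe", "svchost.exe", "lsass.exe", "unknown.exe"],
     "files": {"C:\\POS\\pos.exe": "ffff", "C:\\POS\\config.ini": "c3d4"},
     "connections": ["backoffice.internal:8443", "203.0.113.7:8080"]},
]
```

Running `check_fleet(SAMPLE_REPORTS)` yields nothing for pos-01 and three alerts for pos-02; the same pos-02 snapshot taken inside the maintenance window still raises only the unauthorized connection.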

Regardless of the increasing sophistication of cyber threats or the growing amounts of data generated by retail organizations, it is undeniably best practice to be constantly aware of the smallest changes that occur across the IT network. The use of centralized, automated protective monitoring security-intelligence systems, capable of processing data from the entire IT infrastructure involved in processing credit card transactions, allows administrators to identify any malicious activity in the payment processing chain.

Whether an insider is accessing data they shouldn’t be, malware is running and exfiltrating data, or a simple firewall misconfiguration is exposing a back-office server to the internet, the endpoints and/or the network’s behavior will change. Retailers need to be able to recognize these changes of behavior as they happen, allowing them to identify and stop attacks before customer data is compromised – and the company becomes tomorrow’s headline.


About the Author

Ross Brewer is vice president and managing director for international markets at LogRhythm, a position he has held since 2008. Brewer has spent more than ten years in the information security sector where he has had a successful track record of building and managing international operations. Prior to joining LogRhythm, Brewer was vice president and managing director for EMEA at LogLogic.
