The retail sector has been hit particularly hard by data breaches in recent years. Everyone is familiar with the record-breaking theft of payment card data from North American retailer Target, as well as similar incidents befalling Neiman Marcus and Michaels. These occurrences put millions of individuals' identities at risk, while also costing the organizations in question potentially billions in lost revenue and reputation.
If there is any silver lining here, then perhaps it is the increased (and shared) incentive for individuals and businesses to rethink how they are safeguarding sensitive data. The question now is: How do they go about actually mitigating risk and preventing damage? In this first installment in our series on the effects of data breaches on retail, we’ll examine some of the most notable incidents of 2013 and 2014, and what each one of them could mean for cybersecurity practices.
Target, Michaels and Neiman Marcus breaches enabled by malware and weak links in the cybersecurity chain
Why are attackers successful at breaching complex systems overseen by major corporations and security teams? Part of the issue is that today’s retail operations are predicated on elaborate supply chains and third-party vendor relationships, many components of which are not given the attention they require.
Accordingly, cybercriminals need not enter through the metaphorical front door. Instead, they can find the single weakest point in the target's operations – HVAC remote access, point-of-sale terminals, payment software – and take advantage of it to eventually gain access to core infrastructure. They are essentially conducting asymmetric attacks against the weaker parts of the overall apparatus. Here is how that happened at Target, Michaels and Neiman Marcus.
Earlier this year, security researchers reported that the Target breach may have been enabled by the compromise of an external HVAC vendor's system that had remote access to Target's corporate network. Such an arrangement is common among retailers that monitor building conditions around the clock, keeping an eye out for environmental anomalies and fluctuations.
Target's HVAC vendor, however, stated that its connection was used only for electronic billing and could not have enabled the kind of "pivot attack" that is an inherent danger in such setups. Such attacks are nevertheless often easy to execute, in part because many HVAC monitoring companies reuse the same simple passwords across all of their customers.
“We’ve done assessments where we exploit an Internet-facing HVAC system and pivot to the corporate network,” Qualys security researcher Billy Rios told Threatpost. “Pivoting from the HVAC system to the corporate network is really trivial; it’s designed to be a bridge like that.”
Michaels and its subsidiary Aaron Brothers revealed in April that a substantial amount of payment card data may have been compromised. The two arts and crafts retailers' systems were continually exposed from mid-2013 onward, during which time they processed millions of credit and debit cards.
It is not yet clear exactly what mechanism the attackers used, but their efforts appeared to target only a portion of the stores' point-of-sale systems. In Target's case, information was stolen with the help of malware distributed to the POS terminals. Like HVAC infrastructure, POS equipment is a sometimes overlooked attack surface that can serve as an easy gateway to core assets.
The Neiman Marcus breach, more so than the other two, shows that even with an advanced alerting system in place, intrusions can slip under the radar. Neiman Marcus's operations were compromised for more than eight months as hackers gained access to company computers.
More than 60,000 notices were triggered by the organization’s security mechanisms, which is still a small portion of all typical daily log activity. The attack’s perpetrators arranged for their malware to automatically be deleted from Neiman Marcus’s servers each day in order to further evade detection.
The sheer volume of events on the logs helped disguise the ongoing breach. Additionally, the malware in question was given a filename similar to the company’s payment software, making it inconspicuous within the sea of notices and alerts.
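The three evasion techniques described above (a file named to look like the payment software, a daily self-delete cycle, and a sea of alerts to hide in) lend themselves to simple detection logic. The following is an added example, not code from the original article or from any of the retailers or vendors mentioned; the log format, host names, file paths and the "PaymentSvc" program name are constructed for the example, as is the allowlist of where the real payment binary is supposed to live.

```python
"""Flag look-alike POS binaries and daily create/delete cycles in endpoint logs.

Added example, not part of the original article or any vendor's product.
Log format, hosts, paths and the 'PaymentSvc' program name are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed allowlist: the legitimate payment binary and its expected install path.
KNOWN_BINARIES = {
    "paymentsvc.exe": r"c:\program files\acme pos\paymentsvc.exe",
}

# Constructed endpoint log: <timestamp> <host> <event> <path>
SAMPLE_LOG = """\
2013-07-16T02:01:10 POS-0147 FILE_CREATE C:\\Windows\\Temp\\paymentsvc.exe
2013-07-16T02:01:12 POS-0147 PROC_START C:\\Windows\\Temp\\paymentsvc.exe
2013-07-16T23:58:02 POS-0147 FILE_DELETE C:\\Windows\\Temp\\paymentsvc.exe
2013-07-17T02:00:58 POS-0147 FILE_CREATE C:\\Windows\\Temp\\paymentsvc.exe
2013-07-17T23:59:11 POS-0147 FILE_DELETE C:\\Windows\\Temp\\paymentsvc.exe
2013-07-17T09:12:44 POS-0212 PROC_START C:\\Program Files\\Acme POS\\PaymentSvc.exe
2013-07-17T09:13:02 POS-0212 PROC_START C:\\Windows\\System32\\paymentsvc1.exe
2013-07-17T09:20:00 POS-0212 PROC_START C:\\Windows\\System32\\svchost.exe
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    path: str


def parse_log(text):
    """Parse the constructed four-column log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, kind, path = line.split(None, 3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, path))
    return events


def edit_distance(a, b):
    """Levenshtein distance, used to catch names one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(events, max_distance=2):
    """Flag processes whose name matches or nearly matches the payment binary
    but which do not run from the allowlisted path."""
    findings = []
    for e in events:
        if e.kind != "PROC_START":
            continue
        name = e.path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_BINARIES:
            if e.path.lower() != KNOWN_BINARIES[name]:
                findings.append((e.host, e.path, "known name run from unexpected path"))
            continue
        for known in KNOWN_BINARIES:
            if edit_distance(name, known) <= max_distance:
                findings.append((e.host, e.path, f"look-alike of {known}"))
                break
    return findings


def churn_findings(events, min_days=2):
    """Flag files that are created and deleted again on several separate days:
    the daily self-clean cycle that defeats a point-in-time disk scan."""
    by_file = defaultdict(lambda: defaultdict(set))  # (host, path) -> date -> kinds
    for e in events:
        if e.kind in ("FILE_CREATE", "FILE_DELETE"):
            by_file[(e.host, e.path.lower())][e.ts.date()].add(e.kind)
    findings = []
    for (host, path), by_day in by_file.items():
        cycles = sum(1 for kinds in by_day.values() if {"FILE_CREATE", "FILE_DELETE"} <= kinds)
        if cycles >= min_days:
            findings.append((host, path, f"created and deleted on {cycles} separate days"))
    return findings


def analyze(log_text):
    events = parse_log(log_text)
    return {"lookalike": lookalike_findings(events), "churn": churn_findings(events)}


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        for host, path, reason in hits:
            print(f"[{category}] {host} {path}: {reason}")
```

Both checks work from a tiny allowlist rather than from the alert stream, which is the point: when 60,000 notices a day are normal, a rule that asks "which processes claim to be our payment software but do not live where it lives, and which files keep reappearing and vanishing" is far cheaper to triage than the raw alert volume. The edit-distance threshold should be kept small and the allowlist restricted to a few critical binaries, or short file names will produce noise.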
Overall these three breaches share a few important characteristics:
- Targeting of magnetic stripe payment cards, which are far easier to clone than EMV chip cards.
- Exploitation of a single key weak point, whether POS infrastructure, HVAC control systems or payment software.
- Evasion of in-place security mechanisms by capitalizing on the sheer scope and operational noise of the target's supply chain and everyday operations.
To avoid falling into a similar situation as one of the above retailers, organizations must take stock of their assets and security systems to identify endpoint vulnerabilities before, rather than after, the fact. Guidance from cybersecurity firms will be needed to streamline the process.
“It’s hard to make any specific roadmap for a security program until you figure out how good or bad you are in different areas,” Veracode vice president Chris Eng told TechTarget. “With most large organizations, there’s no one central place where you can find that; you’ve got to go around and start piecing everything together. The initial compromise came through an HVAC vendor, so Target will have to think about the security of its entire supply chain, but they can’t do that until they understand all of the pieces of the puzzle.”
Vendor management, the NIST framework and responding better to data breaches
That sounds like a daunting undertaking, and it is, but there are resources to help organizations overhaul their security postures. For example, the U.S. National Institute of Standards and Technology published a voluntary cybersecurity framework in February 2014, and companies are taking another look at it as a way to mitigate the risk of a breach.
According to InformationWeek, Ari Schwartz, a member of the White House National Security Council, stated that organizations were referencing the framework as a way to improve security in vendor management. This seems like a sensible approach in light of the damage – tens of millions of cards compromised and perhaps as much as $1 billion in costs – that followed from a vendor's HVAC system having a connection into Target's network.
Look out for the second part of this series, in which we’ll look more at the stakes of data breaches and what retailers and others can do to protect themselves.