In the first part of our series on the cybersecurity implications of retail breaches, we examined what the recent incidents at Target, Neiman Marcus and Michaels/Aaron Brothers had in common. Essentially, these incursions, although carried out by different perpetrators, shared several key traits:
- Targeting of magnetic strip payment cards, popular in the U.S. and long known to be weaker than the PIN/microchip-enabled alternatives that are common throughout the rest of the world.
- Successful exploitation of weak points such as remote access to HVAC systems and unsecured point-of-sale terminals.
- Bypassing of security mechanisms, in part because the scope of the retailers’ operations made it difficult to catch every alert or possible anomaly.
With that in mind, what can the victims of these breaches, and the numerous organizations that are constantly at risk from similar campaigns, do to shore up their security positions? A comprehensive response to the fallout from Target et al’s troubles requires attention to technical solutions (e.g., network monitoring and anti-malware software) as well as improvements in day-to-day processes for managing passwords and data access.
Fortunately, retailers have already taken some steps to mitigate breach-related risks. Here’s a look at what has been and could be done to ensure that future incidents are less damaging than what happened to Target, or simply prevented altogether.
Sharing information between retailers
Until recently, retailers had no platform that enabled easy sharing of security intelligence. Last month, the U.S. National Retail Federation unveiled plans to set up something akin to the Information Sharing and Analysis Centers that exist in other verticals.
In the past, merchants have relied on informal, ad hoc processes to exchange information possibly relevant to security vulnerabilities. However, these channels have not always provided the consistency or the speed to make that data actionable. A 2014 Ponemon Institute survey found that only 30 percent of organizations are satisfied with how they gather intel, while more than 60 percent of them believe that more streamlined measures, had they been in place, would have prevented actual cyberattacks.
Companies need new ways to gather information in seconds rather than days or weeks. Plus, they need mechanisms for putting this data into context. Seventy percent of survey respondents reported that shared intel often expired in a matter of minutes, which is perhaps unsurprising given the manual processes by which it is most commonly relayed.
Machine-to-machine exchange, as well as advanced solutions such as Trend Micro Deep Discovery, provide the real-time intelligence that retailers need to prevent attacks. Still, it may take some time for organizations to adjust to a new sharing culture and ensure that new approaches do not cause security issues of their own.
“The doomsday scenario is someone misusing the information they share and causing harm, and the harmed party comes back to the original source looking [for compensation],” stated IID CEO Lars Harvey, whose company commissioned the Ponemon Institute report in question, according to Dark Reading. “That’s what attorneys are most afraid of. Scaling trust is a big challenge.”
Stepping up the password security game
“[The username and password system] is broken, and has been for many years,” stated Ari Schwartz, advisor to the White House National Security Council, according to InformationWeek.
It is hard to disagree with this assessment, especially in the context of the recent retail breaches. In looking at the Target incident, Threatpost’s Michael Mimoso pointed out that HVAC systems integrators often reuse the same passwords for multiple customers.
“If one organization gets compromised, the chances are all of them are going to get compromised,” Qualys director of research Billy Rios told Threatpost. “These are super common problems and it’s totally crazy.”
The U.S. Federal Trade Commission is one of many government agencies pushing for new security regulations in the wake of the Target breach. Minimum password standards could eventually be enforced by such legislation. To ensure compliance and safety, organizations can use password managers to streamline the process of generating and keeping up with credentials.
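As an added illustration (not code from the original post or from any vendor named in it), here is the kind of vault-side audit a password manager could run for a systems integrator that holds remote-access credentials for many customers: it flags any one password shared across several customers, and any password below a minimum length. The vault entries, account names and audit key are constructed for the example.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample: credentials an integrator's vault might hold for
# remote-access accounts at several customer sites (hypothetical values).
VAULT_ENTRIES = [
    {"customer": "retailer-a", "account": "hvac-remote", "password": "Summer-2013!!"},
    {"customer": "retailer-b", "account": "hvac-remote", "password": "Summer-2013!!"},
    {"customer": "retailer-c", "account": "hvac-remote", "password": "Summer-2013!!"},
    {"customer": "retailer-d", "account": "bms-admin", "password": "x7#Qv9!pLm2$Rt4z"},
    {"customer": "retailer-a", "account": "pos-vendor", "password": "pos"},
]

# Audit key known only to the auditing process (constructed here). Keyed digests
# let the reuse report be stored or shared without exposing the passwords.
AUDIT_KEY = b"constructed-audit-key-rotate-me"

MIN_LENGTH = 12  # illustrative minimum; set from your own password standard


def fingerprint(password: str, key: bytes = AUDIT_KEY) -> str:
    """Keyed digest: equal passwords map to equal tokens, plaintext is not kept."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(entries):
    """Map fingerprint -> [(customer, account), ...] for every password that is
    used at more than one distinct customer."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append((e["customer"], e["account"]))
    return {fp: accts for fp, accts in groups.items()
            if len({customer for customer, _ in accts}) > 1}


def find_weak(entries, min_length=MIN_LENGTH):
    """List (customer, account) pairs whose password is shorter than min_length."""
    return [(e["customer"], e["account"]) for e in entries
            if len(e["password"]) < min_length]


if __name__ == "__main__":
    for fp, accts in find_reuse(VAULT_ENTRIES).items():
        print(f"one password shared by {len(accts)} accounts: {accts}")
    print("below minimum length:", find_weak(VAULT_ENTRIES))
```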
Taking up the NIST’s voluntary cybersecurity framework
The U.S. National Institute of Standards and Technology issued voluntary cybersecurity guidance earlier this year, but its prescriptions have taken on new urgency in light of retail’s troubles. The framework provides advice on how to pursue many of the measures covered above, including collaborative information sharing, password security and securing the supply chain.
Speaking at a recent tradeshow, U.S. Deputy CIO Lisa Schlosser observed that virtually all breaches can be prevented by stepping up basic security practices and tending more closely to the network. Cybercriminals often go after simple vulnerabilities, and the NIST’s framework shows organizations how to close these loopholes.
More specifically, it creates a common set of standards by which organizations in different verticals can assess not only their own security postures, but the ones of the contractors, suppliers and collaborators that are increasingly essential to their operations. One flaw in the supply chain could lead to serious exploits, as happened to Target, making it important for public and private sector entities to work together on gathering intelligence and shoring up defenses.
Migrating to chip and PIN cards
The U.S. lags the rest of the world in payment card security, relying on magnetic strip technology even as everyone else has moved on to chip and PIN combinations. Fortunately, Target is taking the lead in pushing for cards similar to the EMV ones common in Europe.
“The move toward chip and PIN had been a very slow process in the United States because so many players have to restructure everything,” Consumers Union lawyer Suzanne Martindale told The New York Times. “We’re hoping that Target moving in this direction will encourage other retailers and financial institutions to create more secure payment cards, because it’s long overdue.”
Chip and PIN cards are more difficult to duplicate than their magnetic strip counterparts. While this advantage likely would not have forestalled the late 2013 Target breach – which was caused by malware in POS systems – it’s a step in the right direction and one that merchants should emulate.