Data Security: Enough Is Enough

Rick Dakin of Coalfire rallies retailers to fight back against cyber crime.

May 27, 2014

TUCSON – “Just when you think you have everything solved, new technologies hit you,” said Rick Dakin, CEO and chief security strategist at Coalfire. These new technologies, which are broadening the cyber attack surface to devices such as satellites, indicate that the cybercrime trend is heading for a more threatening world full of spies and well-funded, sophisticated hackers.

Is this snowballing threat nothing but gloom and doom? Retailers such as Target might agree, and the Heartbleed virus is proving that the other shoe has yet to drop. But awareness is growing among the convenience and fuel retailing industry that cybercrimes have elevated to a level of risk management that is light years beyond the scope of slips, trips and falls. And the fight against cybercrimes must involve top-level management, beginning with the CEO.

At the Conexxus Annual Conference last month in Tucson, Dakin outlined what went wrong during the recent Target data breach, and how retailers can protect themselves from the same fate. First, however, retailers should find out whether they’re already being compromised — Target was under attack for four months before anyone with the company realized what was happening.

“I get two questions” about Target, said Dakin. The first being “what went wrong?” Here’s what happened:

  • Antivirus protection was not working or was ineffective
  • Egress filtering was not set to limit exfiltration of stolen data
  • Lack of two-factor administrative access authentication
  • No file integrity monitoring or application white-listing to prevent malware installation
  • Ineffective security monitoring and alerting
  • Third-party vendor management was not adequate

The second question is: “How do you know you’re not already under attack?” Dakin advised attendees to look at Target’s situation through introspection and understand the vulnerabilities within their own systems, particularly at the point of sale.

A January 2014 FBI report warned that the wave of cybercrime is far from over — and that malware used to attack POS systems is available at prices that make cybercrime affordable to an increasingly sophisticated hacker community. Malware families that infect POS systems, such as BlackPOS, Dexter and vSkimmer, are found on underground criminal forums and can sell for up to $6,500 per copy. “We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it,” notes the FBI report.

The Department of Homeland Security National Cybersecurity and Communications Integration Center determined that the Trojan.POSRAM point-of-sale malware monitors information in payment application programs. When the malware determines unencrypted track data is in RAM, the information is stolen.
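The RAM scraper described above succeeds only if the stolen track data can then leave the network, which is why the missing egress filtering in Target’s case mattered. The following is an added example (not code from the article, Coalfire or DHS) of the kind of check an egress monitor or DLP filter can apply to outbound payloads: it looks for Track 2-formatted card data (PAN, ‘=’, YYMM expiry, service code) and uses the Luhn check to discard digit runs that only look like card numbers. The sample payload is constructed and uses a well-known test PAN.

```python
import re

# Track 2 layout (ISO 7813): PAN of 13-19 digits, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optionally wrapped in ';' ... '?'.
TRACK2_RE = re.compile(rb';?(\d{13,19})=(\d{4})(\d{3})(\d*)\??')


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters random digit runs that merely resemble a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as an alert should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(payload: bytes) -> list[dict]:
    """Return one finding per Luhn-valid Track 2 record in an outbound payload."""
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue            # digit run with '=' but not a real card number
        findings.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return findings


# Constructed sample: a POST body carrying one real Track 2 record (test PAN
# 4111111111111111) and one look-alike that fails the Luhn check.
SAMPLE_OUTBOUND = (
    b"POST /upload HTTP/1.1\r\n\r\n"
    b";4111111111111111=25121011234567890?\r\n"
    b"totals=1234567890123=2512101\r\n"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_OUTBOUND):
        print("track data at offset", hit["offset"], hit)
```

An egress filter would block or alert on any payload for which `find_track_data` returns a non-empty list; only the masked PAN should ever reach the alert log.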

Visa posts data security alerts online that offer a high-level view of current cybercrime threats. The card company also released a January 2014 report that profiles large U.S. merchant data breaches and examples of issues that lead to the compromise of privileged credentials. One such compromise, a root compromise through a vendor, is a nightmare and takes at least a year to clean up, noted Dakin. Visa’s report found that among 11 large U.S. retailers that experienced a data breach, six had malware installed on their POS systems, nine had privileged credentials compromised and system admin IDs exploited, and five were PCI compliant.

“The hacker community is too sophisticated and there’s too much money involved,” said Dakin, in respect to the financial motivations that perpetuate cybercrimes.

He suggested several steps retailers can take to mitigate a “Target-styled” attack:

  1. Determine whether they’re already being attacked.
  2. Perform a walk-through of their systems.
  3. Don’t waste a good crisis. Now that everyone is paying attention, implement a risk assessment and communicate with your organization about the risks already prevalent.

And finally, don’t believe the EMV hype. If the United States were to fully embrace EMV, it’s a myth that consumer data will automatically be protected. (See “Half Covered” in NACS Magazine.) “EMV is a fraud management solution, not a data protection solution,” said Dakin, noting that while it can slow down the fraud side, it doesn’t protect the data side of transactions.

Dakin advised retailers to perform an ROI analysis on EMV to determine whether the technology is worth implementing at their stores.

During his presentation, he also referenced documents that could help retailers as they brief other members of their organizations on cyber risks. Those documents and recommended resources are available here.
