08:22 AM
Connect Directly

Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing

Breaches at Target and other retailers sound the alarm for retail industry to establish a cyber-threat Information-Sharing and Analysis Center

The massive data breach at Target, along with a wave of other attacks on retailers that has come to light in the past few months, has turned up the heat on the retail sector to formalize intelligence-sharing on threats and attacks on the industry.

Retail industry officials say their sector now is considering several ways to better prepare for and defend against the increasing wave of targeted attacks on its members, including the formation of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC).

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.

"The retail industry is considering many different proposals and options aimed at identifying, preventing, and combating coordinated cyberattacks, including the establishment of a retail industry Information Sharing and Analysis Center, or ISAC. ISACs are a valuable resource with a proven track record," says David French, senior vice president of the National Retail Federation (NRF).

NRF earlier this year asked the Senate Banking, Housing, and Urban Affairs Committee to look at recent breaches at retailers, government agencies, and universities in a "holistic" way such that breaches will become less profitable to the bad guys. That would entail converting to chip-based payment cards using PINs, for example. In addition to better intel-sharing, the retail organization also supports legislation for better protecting consumers' debit card transactions and a federal breach notification law.

Meanwhile, Congressional leaders are pushing the Federal Trade Commission (FTC) to request the creation of a Merchant and Retail Industry ISAC. U.S. Sens. Mark Kirk, R-Ill., and Mark Warner, D-Va., last month asked FTC chair Edith Ramirez to do so in order for retailers to have a platform for sharing threat and vulnerability information so they can better prepare for cyberattacks and protect their customers' payment card data and other information.

"Establishing an ISAC will enable the retail industry to share information that can help prevent the types of widespread consumer data theft we have seen in recent months," Warner said. "The private sector should work together to be more responsive to the serious threats consumers face from data breaches."

Sam Visner, vice president and general manager of global cybersecurity at CSC, says establishing an ISAC would be ideal. He noted that the FTC's lawsuit filed against Wyndham Worldwide Corp. in 2012 after the hospitality company suffered three major breaches in two years was a wake-up call. "That was significant," Visner says. "If the FTC is willing to fine these companies [that are breached], it can also do things to improve information-sharing and responses ... You need to get information-sharing" among industries up and running as quickly as possible, he says.

A big challenge for retail is not just detecting a breach, says Raj Ramanand, founder and CEO of Signifyd, but discovering that payment card data was stolen before it gets resold in the underground markets. "How can you detect when those cards are flooding the market?" rather than learning about it once the stolen cards are used by fraudsters, he says.

An ISAC could help retailers get a jump on that type of intelligence, security experts say.

[The departure of Target's CIO and the creation of a dedicated chief information security officer position (CISO) and a new compliance officer (CCO) begins a new chapter in the retailer's post-breach security posture. See Target Begins Security And Compliance Makeover.]

Meanwhile, the NRF and other retail trade associations have teamed with key financial associations to explore more information-sharing, as well as the adoption of more secure payment cards. Among the organizations in this new alliance are the Retail Industry Leaders Association (RILA), the Financial Services Roundtable (FSR), the American Bankers Association (ABA), the American Hotel & Lodging Association (AH&LA), The Clearing House (TCH), the Consumer Bankers Association (CBA), the Food Marketing Institute (FMI), Independent Community Bankers of America (ICBA), the International Council of Shopping Centers (ICSC), the National Associations of Convenience Stores (NACS), the National Grocers Association (NGA), and the National Restaurant Association (NRA).

"We are committed to working together to ensure customer personal and financial information is secure and protected," said Tim Pawlenty, CEO of FSR. "Exploring avenues for increased information sharing and collaborating on innovative technologies and safeguarding data will be critical in defending against common enemies."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/24/2014 | 11:01:04 AM
A Retail ISAC is needed
Forming a RET-ISAC is a good move because retailer's need an alternative to or, at minimum rational guidance thru, PCI-DDS compliance.

Everyone knows that scope reduction is the only economically realistic way for most retailers to become PCI compliant but hackers don't give a rip about scope. So a retailer can either spend 9 MONTHS OUT OF A YEAR EVERY YEAR as Target did to maintain their now obviously worthless "PCI certification" or , PCI council be damned, build an absolutely secure but non-compliant environment.

The mere fact that the PCI council has only just last month (3/2014) certified its first North America P2PE (End-to-end encryption) vendor when others (yet to be certified) have offered P2PE solutions for years indicates the council is hopelessly conflicted. Never mind the standard is evolving and compliance is at best a point-in-time event and means nothing in the face of an actual breach.
User Rank: Apprentice
3/15/2014 | 11:14:23 AM
re: Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing
Wouldn't have helped Target. The attack was top down, from the Corporate IT Operations Center. Updates to company are pushed from corporate to store servers to POS devices using remote deployment push tools. (Typically staffed by supercilious know-it-alls who refuse to think beyond their mainframe temple.) Just like implementing a bad group policy on the top level domain controller makes its way to to every computer in multiple forests. Military requires Physical Security and isolation between systems, damn the inconvenience. No binary access to critical systems. Requiring sneakernet, for want of a better idea, would mean malware would literally have to walk past a security guard.
BTW The largest US retailers actually use a Linux image on the store server, pushed out via bootp to diskless POS terminals. Malware updates only need to change the image on the store server and issue global restart.
And April Fools! Windows POS (Embedded 2009) is actually XP.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I've seen worse.  Last week Tim had a dragon."
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.