Attacks/Breaches
3/11/2014
08:22 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing

Breaches at Target and other retailers sound the alarm for retail industry to establish a cyber-threat Information-Sharing and Analysis Center

The massive data breach at Target, along with a wave of other attacks on retailers that has come to light in the past few months, has turned up the heat on the retail sector to formalize intelligence-sharing on threats and attacks on the industry.

Retail industry officials say their sector now is considering several ways to better prepare for and defend against the increasing wave of targeted attacks on its members, including the formation of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC).

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.

"The retail industry is considering many different proposals and options aimed at identifying, preventing, and combating coordinated cyberattacks, including the establishment of a retail industry Information Sharing and Analysis Center, or ISAC. ISACs are a valuable resource with a proven track record," says David French, senior vice president of the National Retail Federation (NRF).

NRF earlier this year asked the Senate Banking, Housing, and Urban Affairs Committee to look at recent breaches at retailers, government agencies, and universities in a "holistic" way such that breaches will become less profitable to the bad guys. That would entail converting to chip-based payment cards using PINs, for example. In addition to better intel-sharing, the retail organization also supports legislation for better protecting consumers' debit card transactions and a federal breach notification law.

Meanwhile, Congressional leaders are pushing the Federal Trade Commission (FTC) to request the creation of a Merchant and Retail Industry ISAC. U.S. Sens. Mark Kirk, R-Ill., and Mark Warner, D-Va., last month asked FTC chair Edith Ramirez to do so in order for retailers to have a platform for sharing threat and vulnerability information so they can better prepare for cyberattacks and protect their customers' payment card data and other information.

"Establishing an ISAC will enable the retail industry to share information that can help prevent the types of widespread consumer data theft we have seen in recent months," Warner said. "The private sector should work together to be more responsive to the serious threats consumers face from data breaches."

Sam Visner, vice president and general manager of global cybersecurity at CSC, says establishing an ISAC would be ideal. He noted that the FTC's lawsuit filed against Wyndham Worldwide Corp. in 2012 after the hospitality company suffered three major breaches in two years was a wake-up call. "That was significant," Visner says. "If the FTC is willing to fine these companies [that are breached], it can also do things to improve information-sharing and responses ... You need to get information-sharing" among industries up and running as quickly as possible, he says.

A big challenge for retail is not just detecting a breach, says Raj Ramanand, founder and CEO of Signifyd, but discovering that payment card data was stolen before it gets resold in the underground markets. "How can you detect when those cards are flooding the market?" rather than learning about it once the stolen cards are used by fraudsters, he says.

An ISAC could help retailers get a jump on that type of intelligence, security experts say.

[The departure of Target's CIO and the creation of a dedicated chief information security officer position (CISO) and a new compliance officer (CCO) begins a new chapter in the retailer's post-breach security posture. See Target Begins Security And Compliance Makeover.]

Meanwhile, the NRF and other retail trade associations have teamed with key financial associations to explore more information-sharing, as well as the adoption of more secure payment cards. Among the organizations in this new alliance are the Retail Industry Leaders Association (RILA), the Financial Services Roundtable (FSR), the American Bankers Association (ABA), the American Hotel & Lodging Association (AH&LA), The Clearing House (TCH), the Consumer Bankers Association (CBA), the Food Marketing Institute (FMI), Independent Community Bankers of America (ICBA), the International Council of Shopping Centers (ICSC), the National Associations of Convenience Stores (NACS), the National Grocers Association (NGA), and the National Restaurant Association (NRA).

"We are committed to working together to ensure customer personal and financial information is secure and protected," said Tim Pawlenty, CEO of FSR. "Exploring avenues for increased information sharing and collaborating on innovative technologies and safeguarding data will be critical in defending against common enemies."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Technopeasant
50%
50%
Technopeasant,
User Rank: Apprentice
4/24/2014 | 11:01:04 AM
A Retail ISAC is needed
Forming a RET-ISAC is a good move because retailer's need an alternative to or, at minimum rational guidance thru, PCI-DDS compliance.

Everyone knows that scope reduction is the only economically realistic way for most retailers to become PCI compliant but hackers don't give a rip about scope. So a retailer can either spend 9 MONTHS OUT OF A YEAR EVERY YEAR as Target did to maintain their now obviously worthless "PCI certification" or , PCI council be damned, build an absolutely secure but non-compliant environment.

The mere fact that the PCI council has only just last month (3/2014) certified its first North America P2PE (End-to-end encryption) vendor when others (yet to be certified) have offered P2PE solutions for years indicates the council is hopelessly conflicted. Never mind the standard is evolving and compliance is at best a point-in-time event and means nothing in the face of an actual breach.
shjacks55
50%
50%
shjacks55,
User Rank: Apprentice
3/15/2014 | 11:14:23 AM
re: Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing
Wouldn't have helped Target. The attack was top down, from the Corporate IT Operations Center. Updates to company are pushed from corporate to store servers to POS devices using remote deployment push tools. (Typically staffed by supercilious know-it-alls who refuse to think beyond their mainframe temple.) Just like implementing a bad group policy on the top level domain controller makes its way to to every computer in multiple forests. Military requires Physical Security and isolation between systems, damn the inconvenience. No binary access to critical systems. Requiring sneakernet, for want of a better idea, would mean malware would literally have to walk past a security guard.
BTW The largest US retailers actually use a Linux image on the store server, pushed out via bootp to diskless POS terminals. Malware updates only need to change the image on the store server and issue global restart.
And April Fools! Windows POS (Embedded 2009) is actually XP.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.