Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/20/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Retail Sector Second-Worst Performer on Application Security

A "point-in-time" approach to PCI compliance could be one reason why so many retailers appear to be having a hard time.

The retail industry's cybersecurity preparedness continues to lag behind almost every other sector despite efforts by the major credit card associations to bolster retail security via the Payment Card Industry Data Security Standard (PCI DSS).

Third-party risk management firm SecurityScorecard recently analyzed a total of 1,444 domains in the retail industry with an IP footprint of at least 100. Researchers from the firm passively monitored externally facing IPs of the retail domains for a period of about five months to see what vulnerabilities they could find.

The exercise showed the retail industry had the second-lowest application security performance among major sectors. In a list of 18 industries, the retail sector ranked 17th, just above the entertainment industry, in terms of having the most vulnerable applications. Last year, the retailer industry was the fourth lowest performer, meaning it dropped in application security performance in the preceding 12 months rather than improved.

Retailers also ranked dead last in terms of their ability to protect against social engineering attacks. SecurityScorecard's analysis showed that criminals employing phishing and other social engineering methods to steal data and commit fraud were likely to have more success with retailers than organizations in any other industry.

The findings are important because criminals target retailers more so than almost any other sector apart from healthcare and banking and finance. In recent years, numerous retailers have experienced spectacular data breaches that have compromised tens and sometime even hundreds of millions of payment cards.

Visa, Mastercard, American Express, and other major card associations have required retailers to implement a set of evolving security controls for protecting card data at rest, in use, while stored, and during transactions. The PCI security standard has been in place for well more than a decade.

Yet many retailers are not fully compliant with it, even though they can face stiff financial penalties in the event of a breach. In fact, SecurityScorecard found that nearly 91% of the retail domains analyzed had issues that likely put them in noncompliance with four or more PCI DSS requirements.

Retailers fared especially poorly with respect to PCI DSS Requirement 6, pertaining to application security. Ninety-eight percent of the domains that SecurityScorecard analyzed had issues that likely put them in noncompliance. Ninety-one percent had problems with a subsection of Requirement 6, pertaining to the need for promptly patching software and systems against known security vulnerabilities.

Fouad Khalil, head of compliance at SecurityScorecard, says his company considered a variety of issues related to application security when assigning performance rankings to various industries.

Security issues that were identified during SecurityScorecard's passive monitoring of the retail domains were weighted to account for differences in severity, Khalil says. When available, SecurityScorecard used industry-accepted standards, such as NIST's Common Vulnerability Scoring System v2, to assign severity ranking. When an identified issue did not have a formal severity ranking available, SecurityScore used recognized authorities and its own internal resources to determine severity.

"These weighted issue types are then rolled up into a factor score for application security," he says. "We repeated this same process for every major US industry, and when we compared the retail industry’s factor score to the rest, it came second-lowest," Khalil explains. To determine compliance or noncompliance with PCI DSS requirements for app security, SecurityScorecard flagged vulnerabilities that were "litmus test indicators of noncompliance" with a particular PCI requirement, he notes.

A "point-in-time" approach to PCI compliance could be one reason why so many retailers appear to be having a hard time with the application security requirement and several of the other requirements, SecurityScorecard said in its report. It is not just enough to implement PCI-manadated security controls, but also to maintain them on an ongoing basis, especially with regard to issues like patching and applying software updates.

SecurityScorecard used a somewhat similar process to arrive at its ranking for social engineering threats. In this case, the company looked at issues including retail employees using their corporate account information to sign up for services, such as social networks, personal finance accounts, and marketing lists, that can be exploited. In addition, SecurityScorecard monitored employee dissatisfaction levels using publicly available data, Khalil says. As with application security, the retail industry fared badly in comparison with other industries on this front, too.

In this instance, the retail industry's generally younger workforce may be a factor, according to SecurityScorecard. Many retail sector employees who are targets of phishing and social engineering scams don't know enough about the threat to be able to recognize it.

Related Content:

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.