Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/9/2015
10:35 AM
Kevin Watson
Kevin Watson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Chick-fil-A Breach: Avoiding 5 Common Security Mistakes

On the surface these suggestions may seem simplistic. But almost every major retail breach in the last 12 months failed to incorporate at least one of them.

The latest in a record year of retail industry attacks, Georgia-based fast food company Chick-fil-A confirmed recently that it is investigating a potential credit card breach. The investigation is focused on the company’s point-of-sale (POS) network at some of its restaurants, and the breach is thought to have occurred between December 2013 and September 2014. Brian Krebs, an Internet blogger who specializes in banking security, reported that one financial institution claims that the common thread among approximately 9,000 of its affected customers are purchases at Chick-fil-A restaurants.

As you all know, security breaches of this nature can be caused by a variety of issues: newly discovered software flaws, lax security from a service provider, insider fraud, weak network security, and countless other avenues. There is also the possibility that the data that has been compromised did not originate from Chick-fil-A at all. Theft can occur at numerous places along the payment chain. For example, it may be necessary to examine the bank where the electronic transactions were processed.

In one sense, it does not matter how the breach occurred. The fact that credit cards at a major corporation have once again been stolen highlights the threat that all quick-serve restaurants and retailers of every size are facing from data thieves. Businesses interested in keeping their networks and data secure should start with simple security measures that can effectively mitigate the growing problem that hackers represent. While nothing is fool proof, the following suggestions could have prevented most (if not all) of the breaches that have garnered so much attention in the past 12 months:

Suggestion 1: Protect a location’s incoming Internet traffic. The first step in stealing data is finding an avenue into the targeted business. All of a business’s data circuits and its Internet connections must be protected by a robust and adaptable firewall, protecting the business from unwanted incoming traffic.

Suggestion 2: Implement secure remote access. When permitting remote access to a network for the management of POS and other systems, it is essential that this access is restricted and secure. At a minimum, access should only be granted to individual (not shared) user accounts using 2-factor authentication and strong passwords. Remote access activities should also be logged so that an audit trail is available.

Suggestion 3: Keep anti-malware software up-to-date. It is critical to keep all anti-virus/anti-malware software up to date with the latest versions and definitions. The companies that make anti-malware software monitor threats constantly and regularly update their packages to include preventive measures and improvements to thwart malware seen in other attacks.

Suggestion 4: Update your point of sale as security patches are released. Much like anti-virus/anti-malware updates, POS manufacturers are constantly improving their software to prevent hackers from stealing data, especially if a criminal manages to bypass the built-in security. It is essential that the latest security releases and patches be installed on all POS systems.

Suggestion 5: Limit outbound Internet traffic. In addition to blocking unwanted traffic from getting into a location, it is always a good practice to selectively block outgoing traffic as well. Many modern breaches involve software that becomes resident on your network and then tries to send sensitive data to the hacker’s system via the Internet. No system can completely prevent unwanted malware or viruses, so a good last line of defense is making sure secure data doesn’t leave your network without your knowledge. The same firewall used in Step One should be configured to monitor outgoing traffic as well as incoming.

These suggestions might, on the surface, seem simplistic, but almost every major breach in the last 12 months failed to incorporate at least one of them. Of course, this list is not an all-inclusive way to prevent every type of credit card theft, but it is interesting to ponder how much theft could have been prevented if just these five elements had been implemented correctly. Remember that it costs nothing for data thieves to attempt to hack a business, so for them, every business is a worthwhile target.

Kevin Watson joined VendorSafe as CEO in November 2014, bringing considerable experience in data security, managed technology services and high-growth technology companies. VendorSafe specializes in providing state-of-the-art-data cloud-based firewall solutions tailored for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jamieinmontreal
50%
50%
jamieinmontreal,
User Rank: Strategist
3/18/2015 | 11:11:59 AM
Suggestion 2 - additional possibiility
Individual strong passwords for each POS system would certainly do something but if the organization is large enough (Chick-fil-A, McDs, Harvey's, Marshall's etc etc etc) the chances are those passwords won't be changed regularly and will also be shared among admins opening up a security threat.   Hackers have way more time and resources and people generally speaking will default to convenience even when it's in breach of security policies.

Proper privileged access management is the right solution for this piece.

Very much in agreement on the other items though - 2FA in particular should be a standard approach along with better access management on all systems!

 
vnewman2
50%
50%
vnewman2,
User Rank: Strategist
1/13/2015 | 3:03:21 AM
Re: Security Basics: Don't Take for Granted
Banks have been allowed to proceed with their class action lawsuit against Target Corporation over losses they incurred from the massive data breach at the retailer last year. As large-scale breaches become more prevalent, banks likely will push back against the expectation that they will cover both the costs of fraudulent charges as well as consumer remediation efforts.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/12/2015 | 10:11:56 AM
Re: Security Basics: Don't Take for Granted
It's always good to be reminded about the low-hanging fruit. If the security teams aren't paying attention, you  can e sure that the attackers are...
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/11/2015 | 6:59:39 PM
Security Basics: Don't Take for Granted
These steps do seem rather rudimentary but as is mentioned at least one of these fundamentals were either not carried out or maintained. Security is difficult enough, so I don't understand why admins in the retail sector are not taking advantage of the easy tasks.

I guess everyone could be quilty of this - but security can no longer be viewed as a passive, boring chore.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11976
PUBLISHED: 2020-08-11
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
CVE-2020-13179
PUBLISHED: 2020-08-11
Broker Protocol messages in Teradici PCoIP Standard Agent for Windows and Graphics Agent for Windows prior to 20.04.1 are not cleaned up in server memory, which may allow an attacker to read confidential information from a memory dump via forcing a crashing during the single sign-on procedure.
CVE-2020-8918
PUBLISHED: 2020-08-11
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth'...
CVE-2020-9244
PUBLISHED: 2020-08-11
HUAWEI Mate 20 versions Versions earlier than 10.1.0.160(C00E160R3P8);HUAWEI Mate 20 Pro versions Versions earlier than 10.1.0.270(C431E7R1P5),Versions earlier than 10.1.0.270(C635E3R1P5),Versions earlier than 10.1.0.273(C636E7R2P4);HUAWEI Mate 20 X versions Versions earlier than 10.1.0.160(C00E160R...
CVE-2020-9403
PUBLISHED: 2020-08-11
In PACTware before 4.1 SP6 and 5.x before 5.0.5.31, passwords are stored in a recoverable format, and may be retrieved by any user with access to the PACTware workstation.