The New Year certainly got off to an interesting start in the world of information security, as a seemingly never-ending spate of retail data breaches continues to make headlines almost daily.
First, before Christmas, there was the massive breach at Target, compromising an estimated 40 million credit and debit card account holders during the peak of the holiday shopping season. The cyber-criminals infiltrated Target’s network and installed sophisticated malware on its point of sale (PoS) terminals that could not be detected by anti-virus or other traditional security defenses. Later, we learned that the breach was even bigger, compromising the personal information of some 70 million more customers, including names, phone numbers, and email and mailing addresses.
Next was the breach at Neiman-Marcus, where a reported 77 out of 85 stores were hit by sophisticated malware, exposing the personal information of 1.1 million consumers. This breach was reported to have occurred between mid-July and October, but wasn’t discovered and contained until early January. Just a week later, the Michaels chain of arts and crafts stores announced that it also had been breached -- its second breach in three years.
Major investigations are now underway at these retailers, and details continue to emerge almost daily. Chief executives are on the hot seat, testifying in front of Congress about what happened and what immediate measures they are taking to ensure such breaches don’t happen again. Worse, all three incidents have had a widespread impact on consumer confidence, which will likely cost the organizations millions of dollars to restore.
It’s an object lesson that even the best security defenses may not stop cyber-criminals from breaking in and stealing customer data. While the debates over encryption, Payment Card Industry (PCI) compliance standards, and chip-and-PIN systems among retailers continue, there are also lessons to be learned by any industry that runs significant Web applications, a highly connected supply chain, and a large number of credit card transactions. Here are three dos and don’ts based on what happened at Target, Neiman-Marcus, and Michaels stores.
Do scan for application vulnerabilities continuously and proactively. It’s important to monitor constantly for changes that may enable attackers to gain entry. Vulnerability scanning is no longer a one-time project. In fact, applications are the number one point of entry for attackers year after year; they are an easy front door through which hackers can enter to steal data. Ongoing vulnerability scanning helps keep that door locked and maintain the security of your code.
Don’t overlook the security of your supply chain partners. Many of today’s hacks come through third parties that handle sensitive information, because attackers know that an attack on a business partner is often simpler and easier to hide than a direct attack. They’ve also learned that a breach in one partner’s environment can easily propagate across today’s digitally connected networks, compounding the data loss and damages.
The latest reports on the Target breach indicate that the hackers may have stolen Target’s network credentials from a third-party, Pennsylvania-based heating, ventilation, and air conditioning (HVAC) provider. These days, enterprise security means not only scanning your own environment, but also checking your partners’ applications to ensure that their security is solid and won’t compromise your customers’ data.
Don’t forget to regularly update and patch specialized hardware. Resource-constrained security administrators often overlook the security of specialized devices, such as PoS terminals deployed at remote sites. The makers of these industry-specific devices and applications are often slow to roll out new patches. In most cases, PoS terminals are compromised through improperly configured remote-access technologies used in their PoS applications.
It’s also smart to use two-factor authentication for all remote access. Enterprises should ensure that their environments are set up to download and install patches for core operating systems, critical applications, and anti-malware controls. Many retail enterprises aren’t.
While no one can be certain that these three breaches could have been avoided, one thing is very clear: all it takes is one hole in one application to give cyber-criminals access to sensitive data. Companies must, without delay, put in place tight security policies to protect their applications across the software development life cycle. They also must use ongoing application security scanning and vulnerability assessments to verify the security of their own systems, as well as those of their partners.
If they don’t, cyber-criminals will continue to exploit that single point of failure, gain access to the organization’s crown jewels of corporate and personal data, and lead the industry further down the path of never-ending data breaches.