Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:22 AM
Connect Directly

Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing

Breaches at Target and other retailers sound the alarm for retail industry to establish a cyber-threat Information-Sharing and Analysis Center

The massive data breach at Target, along with a wave of other attacks on retailers that has come to light in the past few months, has turned up the heat on the retail sector to formalize intelligence-sharing on threats and attacks on the industry.

Retail industry officials say their sector now is considering several ways to better prepare for and defend against the increasing wave of targeted attacks on its members, including the formation of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC).

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.

"The retail industry is considering many different proposals and options aimed at identifying, preventing, and combating coordinated cyberattacks, including the establishment of a retail industry Information Sharing and Analysis Center, or ISAC. ISACs are a valuable resource with a proven track record," says David French, senior vice president of the National Retail Federation (NRF).

NRF earlier this year asked the Senate Banking, Housing, and Urban Affairs Committee to look at recent breaches at retailers, government agencies, and universities in a "holistic" way such that breaches will become less profitable to the bad guys. That would entail converting to chip-based payment cards using PINs, for example. In addition to better intel-sharing, the retail organization also supports legislation for better protecting consumers' debit card transactions and a federal breach notification law.

Meanwhile, Congressional leaders are pushing the Federal Trade Commission (FTC) to request the creation of a Merchant and Retail Industry ISAC. U.S. Sens. Mark Kirk, R-Ill., and Mark Warner, D-Va., last month asked FTC chair Edith Ramirez to do so in order for retailers to have a platform for sharing threat and vulnerability information so they can better prepare for cyberattacks and protect their customers' payment card data and other information.

"Establishing an ISAC will enable the retail industry to share information that can help prevent the types of widespread consumer data theft we have seen in recent months," Warner said. "The private sector should work together to be more responsive to the serious threats consumers face from data breaches."

Sam Visner, vice president and general manager of global cybersecurity at CSC, says establishing an ISAC would be ideal. He noted that the FTC's lawsuit filed against Wyndham Worldwide Corp. in 2012 after the hospitality company suffered three major breaches in two years was a wake-up call. "That was significant," Visner says. "If the FTC is willing to fine these companies [that are breached], it can also do things to improve information-sharing and responses ... You need to get information-sharing" among industries up and running as quickly as possible, he says.

A big challenge for retail is not just detecting a breach, says Raj Ramanand, founder and CEO of Signifyd, but discovering that payment card data was stolen before it gets resold in the underground markets. "How can you detect when those cards are flooding the market?" rather than learning about it once the stolen cards are used by fraudsters, he says.

An ISAC could help retailers get a jump on that type of intelligence, security experts say.

[The departure of Target's CIO and the creation of a dedicated chief information security officer position (CISO) and a new compliance officer (CCO) begins a new chapter in the retailer's post-breach security posture. See Target Begins Security And Compliance Makeover.]

Meanwhile, the NRF and other retail trade associations have teamed with key financial associations to explore more information-sharing, as well as the adoption of more secure payment cards. Among the organizations in this new alliance are the Retail Industry Leaders Association (RILA), the Financial Services Roundtable (FSR), the American Bankers Association (ABA), the American Hotel & Lodging Association (AH&LA), The Clearing House (TCH), the Consumer Bankers Association (CBA), the Food Marketing Institute (FMI), Independent Community Bankers of America (ICBA), the International Council of Shopping Centers (ICSC), the National Associations of Convenience Stores (NACS), the National Grocers Association (NGA), and the National Restaurant Association (NRA).

"We are committed to working together to ensure customer personal and financial information is secure and protected," said Tim Pawlenty, CEO of FSR. "Exploring avenues for increased information sharing and collaborating on innovative technologies and safeguarding data will be critical in defending against common enemies."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/24/2014 | 11:01:04 AM
A Retail ISAC is needed
Forming a RET-ISAC is a good move because retailer's need an alternative to or, at minimum rational guidance thru, PCI-DDS compliance.

Everyone knows that scope reduction is the only economically realistic way for most retailers to become PCI compliant but hackers don't give a rip about scope. So a retailer can either spend 9 MONTHS OUT OF A YEAR EVERY YEAR as Target did to maintain their now obviously worthless "PCI certification" or , PCI council be damned, build an absolutely secure but non-compliant environment.

The mere fact that the PCI council has only just last month (3/2014) certified its first North America P2PE (End-to-end encryption) vendor when others (yet to be certified) have offered P2PE solutions for years indicates the council is hopelessly conflicted. Never mind the standard is evolving and compliance is at best a point-in-time event and means nothing in the face of an actual breach.
User Rank: Apprentice
3/15/2014 | 11:14:23 AM
re: Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing
Wouldn't have helped Target. The attack was top down, from the Corporate IT Operations Center. Updates to company are pushed from corporate to store servers to POS devices using remote deployment push tools. (Typically staffed by supercilious know-it-alls who refuse to think beyond their mainframe temple.) Just like implementing a bad group policy on the top level domain controller makes its way to to every computer in multiple forests. Military requires Physical Security and isolation between systems, damn the inconvenience. No binary access to critical systems. Requiring sneakernet, for want of a better idea, would mean malware would literally have to walk past a security guard.
BTW The largest US retailers actually use a Linux image on the store server, pushed out via bootp to diskless POS terminals. Malware updates only need to change the image on the store server and issue global restart.
And April Fools! Windows POS (Embedded 2009) is actually XP.
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...