Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:22 AM
Connect Directly

Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing

Breaches at Target and other retailers sound the alarm for retail industry to establish a cyber-threat Information-Sharing and Analysis Center

The massive data breach at Target, along with a wave of other attacks on retailers that has come to light in the past few months, has turned up the heat on the retail sector to formalize intelligence-sharing on threats and attacks on the industry.

Retail industry officials say their sector now is considering several ways to better prepare for and defend against the increasing wave of targeted attacks on its members, including the formation of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC).

ISACs provide an official mechanism for sharing information about the latest malware and cybercrime activity spotted targeting specific industries and others. They also include databases of those threats and vulnerabilities for their members. There are some 16 ISACs to date for specific industries, including the financial industry's FS-ISAC, as well as ISACs in the electricity, water, supply chain, and research and education sectors. The goal is to help the industries better team in the face of cybercrime and cyberespionage.

"The retail industry is considering many different proposals and options aimed at identifying, preventing, and combating coordinated cyberattacks, including the establishment of a retail industry Information Sharing and Analysis Center, or ISAC. ISACs are a valuable resource with a proven track record," says David French, senior vice president of the National Retail Federation (NRF).

NRF earlier this year asked the Senate Banking, Housing, and Urban Affairs Committee to look at recent breaches at retailers, government agencies, and universities in a "holistic" way such that breaches will become less profitable to the bad guys. That would entail converting to chip-based payment cards using PINs, for example. In addition to better intel-sharing, the retail organization also supports legislation for better protecting consumers' debit card transactions and a federal breach notification law.

Meanwhile, Congressional leaders are pushing the Federal Trade Commission (FTC) to request the creation of a Merchant and Retail Industry ISAC. U.S. Sens. Mark Kirk, R-Ill., and Mark Warner, D-Va., last month asked FTC chair Edith Ramirez to do so in order for retailers to have a platform for sharing threat and vulnerability information so they can better prepare for cyberattacks and protect their customers' payment card data and other information.

"Establishing an ISAC will enable the retail industry to share information that can help prevent the types of widespread consumer data theft we have seen in recent months," Warner said. "The private sector should work together to be more responsive to the serious threats consumers face from data breaches."

Sam Visner, vice president and general manager of global cybersecurity at CSC, says establishing an ISAC would be ideal. He noted that the FTC's lawsuit filed against Wyndham Worldwide Corp. in 2012 after the hospitality company suffered three major breaches in two years was a wake-up call. "That was significant," Visner says. "If the FTC is willing to fine these companies [that are breached], it can also do things to improve information-sharing and responses ... You need to get information-sharing" among industries up and running as quickly as possible, he says.

A big challenge for retail is not just detecting a breach, says Raj Ramanand, founder and CEO of Signifyd, but discovering that payment card data was stolen before it gets resold in the underground markets. "How can you detect when those cards are flooding the market?" rather than learning about it once the stolen cards are used by fraudsters, he says.

An ISAC could help retailers get a jump on that type of intelligence, security experts say.

[The departure of Target's CIO and the creation of a dedicated chief information security officer position (CISO) and a new compliance officer (CCO) begins a new chapter in the retailer's post-breach security posture. See Target Begins Security And Compliance Makeover.]

Meanwhile, the NRF and other retail trade associations have teamed with key financial associations to explore more information-sharing, as well as the adoption of more secure payment cards. Among the organizations in this new alliance are the Retail Industry Leaders Association (RILA), the Financial Services Roundtable (FSR), the American Bankers Association (ABA), the American Hotel & Lodging Association (AH&LA), The Clearing House (TCH), the Consumer Bankers Association (CBA), the Food Marketing Institute (FMI), Independent Community Bankers of America (ICBA), the International Council of Shopping Centers (ICSC), the National Associations of Convenience Stores (NACS), the National Grocers Association (NGA), and the National Restaurant Association (NRA).

"We are committed to working together to ensure customer personal and financial information is secure and protected," said Tim Pawlenty, CEO of FSR. "Exploring avenues for increased information sharing and collaborating on innovative technologies and safeguarding data will be critical in defending against common enemies."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/24/2014 | 11:01:04 AM
A Retail ISAC is needed
Forming a RET-ISAC is a good move because retailer's need an alternative to or, at minimum rational guidance thru, PCI-DDS compliance.

Everyone knows that scope reduction is the only economically realistic way for most retailers to become PCI compliant but hackers don't give a rip about scope. So a retailer can either spend 9 MONTHS OUT OF A YEAR EVERY YEAR as Target did to maintain their now obviously worthless "PCI certification" or , PCI council be damned, build an absolutely secure but non-compliant environment.

The mere fact that the PCI council has only just last month (3/2014) certified its first North America P2PE (End-to-end encryption) vendor when others (yet to be certified) have offered P2PE solutions for years indicates the council is hopelessly conflicted. Never mind the standard is evolving and compliance is at best a point-in-time event and means nothing in the face of an actual breach.
User Rank: Apprentice
3/15/2014 | 11:14:23 AM
re: Retail Industry Mulls Forming Its Own ISAC For Intel-Sharing
Wouldn't have helped Target. The attack was top down, from the Corporate IT Operations Center. Updates to company are pushed from corporate to store servers to POS devices using remote deployment push tools. (Typically staffed by supercilious know-it-alls who refuse to think beyond their mainframe temple.) Just like implementing a bad group policy on the top level domain controller makes its way to to every computer in multiple forests. Military requires Physical Security and isolation between systems, damn the inconvenience. No binary access to critical systems. Requiring sneakernet, for want of a better idea, would mean malware would literally have to walk past a security guard.
BTW The largest US retailers actually use a Linux image on the store server, pushed out via bootp to diskless POS terminals. Malware updates only need to change the image on the store server and issue global restart.
And April Fools! Windows POS (Embedded 2009) is actually XP.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.