Retailers not surprisingly are on edge entering this year's holiday shopping season after an epic wave of data breaches this past year. Adding to their stress: The shopping season also marks an annual "holiday freeze" period, where no new security tools or other IT projects go live as critical transaction and other supporting systems must be locked in top performance and availability mode. In many cases, only the most critical security patches get installed, with others put on hold until the busy holiday shopping season concludes.
Retail industry sources say cyber security now is top of mind at the executive suite and board of directors in those companies. But they still won't be deploying any new security upgrades or technologies once the holiday shopping kicks into gear next month. They face a delicate balance this year between intensified security vigilance and the tradition of not altering systems or adding new technology until after the Christmas rush is over. Not every security patch gets applied, for instance: Only the most critical and necessary security patches get installed to prevent any disruption to the busy retail season.
"You try to avoid any technology project, and patching goes on as needed," says Liz Garner, vice president of the Merchant Advisory Group. "In general, companies are reviewing the patch notifications they get. If it's remotely critical, they are absolutely going to run the patch -- anything that could affect the confidentiality or availability of the system," she says.
Many large department stores and big-box chains continue with their regular security risk assessments during the heavy shopping season as well, Garner says.
But not all retailers institute a freeze on patches or vulnerability scans during the holiday shopping season. "Security patching at our company does not change during the season or at any time. We have a mature QA process and patching is considered basic maintenance of business," one retailer source says. "Scans are not a security control. They are a detective mechanism to ensure open vulnerabilities are addressed, and [they] don't impact operations in our experience, so not performing them during the holidays seems silly."
Meantime, retailers are keeping an ear to the ground on any new attacks. "Everybody's on high alert that something big could happen. They're watching their phones and checking their email," says Mike Davis, CTO at security firm CounterTack, which works closely with its retailer customers.
But even with the threat level at a high, the holiday freeze is on at many retailers starting sometime in November (depending on the retailer's schedule). "There are code and production freezes in November and December. During the freeze, nothing can be installed … especially from Thanksgiving until six days after Christmas," he says.
"No new technology is going to get employed even if it's free, good, and tested," Davis says.
Chris Strand, senior director of compliance at Bit9, says the holiday freeze is a traditional practice in retail as well as in the financial services industry. Strand, who witnessed that practice in his previous role as a PCI security assessment officer, says the moratorium on any new software during that time is common practice among retailers with a Black Friday and holiday season push, mainly at large department stores, big-box retail chains, and e-commerce shopping sites.
"Normally, it's just patching that may be delayed or halted during the holiday freeze. That's the component that comes into play first and foremost since it requires the most processing power and downtime, which could affect retail systems during a critical event," Strand says. "Vulnerability and threat scanning may be throttled down during high-volume periods" as well, he says.
Updating malware signature files for new threats or variants may not happen at all on Black Friday, for instance. Retailers often "hedge their bets" and hold off on updating .dat files because that can interfere with processing power and potentially disrupt systems that are critical to the shopping and transaction experience -- and to sales, Strand says.
Any machines for customer transactions or reconciliation, including general ledger and inventory systems, are locked down, CounterTack's Davis says.
While the freeze could risk leaving a system more vulnerable to attack, it's all about the risk assessment, security experts say. An attacker could set an exploit into motion prior to the freeze and try to harvest the stolen data then, they say, but it would be fairly conspicuous since it's an all-hands-on-deck time at retailers, so more eyes theoretically would be on the network and systems.
Davis says the freeze period is actually the worst time for an attacker to hit retailers: "This is the worst time to target them. They usually have all staff on hand, 24/7. So [an attack] is probably more likely to get caught in the holiday time," he says. "If I were an attacker, I would pick March when large upgrades … and change is happening like crazy" to their IT systems, or during summer vacation time, he says.
With the exception of Target, most of the big retail breaches didn't occur during that two-month period. Target's cyberattack actually began during the Black Friday shopping season almost exactly one year ago. Davis says while Target did "everything right" security-wise, its big mistake was not responding to the red alert generated by its FireEye system.
National Retail Federation vice president of technologies Tom Litchford says the holiday shopping season is no more dangerous cyberattack-wise than any other time of year. "It's business as usual" in staying alert to any threats, he says. NRF's cyberthreat alert system for its retailer members has been up and running since June, he notes.
[Try as they might, retailers don't seem to be able to get the Backoff malware to actually back off: infections of the notorious malware increased 57% from August to September. Read Backoff PoS Malware Boomed In Q3.]
With retailers getting a serious security wake-up call after the wave of payment card breaches, does this mean they are more ready and secure this shopping season than last year at this time? "I don't think so," Davis says. It takes time to deploy new security technologies, and many have geographically disparate environments to address, he says.
It's more about detection than prevention for all organizations, retailers included. The key is catching the malware and bad guy activity before they take the payment card or other data out the door, security experts say.
Anywhere from one-fourth to one-third of organizations contain at least one bot-infected machine that's beaconing back to the bad guys, says David Lissberger, president of security firm Sentinel. A regional grocery chain his firm recently evaluated had such an infection, he says, but they were able to remediate it before it led to a breach.
"That happens in all types of [POS] environments … It's not a breach, but just malware trying to check in outbound," Lissberger says. "They may not be exfiltrating data yet. They [the attackers] are checking to see if they still own the network, testing to see if they still have a connection on the inside."
Such "check-ins," as Lissberger calls them, occur at automated intervals, and his firm's Store-Minder IPS system was able to detect them.
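The property that makes such check-ins detectable is their regularity: a bot calling home on a timer produces outbound connections to the same destination at nearly constant intervals, while human-driven traffic is bursty. The following is an added example, not Sentinel's Store-Minder or any code from the article, showing how a defender can surface that pattern from ordinary egress logs. It assumes a hypothetical firewall log format of "timestamp source destination:port" per line; the log lines, hosts and addresses below are constructed for illustration (documentation ranges only).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress-firewall log (hypothetical format: "<ISO timestamp> <src> <dst:port>").
# 10.20.1.15 -> 203.0.113.9:443 checks in roughly every 300 seconds with slight jitter (beacon-like).
# 10.20.1.22 -> 198.51.100.7:80 is bursty, human-driven browsing.
# 10.20.1.15 -> 192.0.2.50:443 is a handful of legitimate gateway calls (too few to judge).
SAMPLE_LOG = """\
2014-11-03T09:00:00 10.20.1.15 203.0.113.9:443
2014-11-03T09:01:10 10.20.1.22 198.51.100.7:80
2014-11-03T09:01:15 10.20.1.22 198.51.100.7:80
2014-11-03T09:02:30 10.20.1.15 192.0.2.50:443
2014-11-03T09:03:15 10.20.1.22 198.51.100.7:80
2014-11-03T09:03:18 10.20.1.22 198.51.100.7:80
2014-11-03T09:03:20 10.20.1.22 198.51.100.7:80
2014-11-03T09:05:00 10.20.1.15 203.0.113.9:443
2014-11-03T09:09:58 10.20.1.15 203.0.113.9:443
2014-11-03T09:12:00 10.20.1.15 192.0.2.50:443
2014-11-03T09:15:01 10.20.1.15 203.0.113.9:443
2014-11-03T09:18:20 10.20.1.22 198.51.100.7:80
2014-11-03T09:19:00 10.20.1.22 198.51.100.7:80
2014-11-03T09:20:02 10.20.1.15 203.0.113.9:443
2014-11-03T09:25:01 10.20.1.15 203.0.113.9:443
2014-11-03T09:30:03 10.20.1.15 203.0.113.9:443
2014-11-03T09:35:03 10.20.1.15 203.0.113.9:443
2014-11-03T09:40:00 10.20.1.15 192.0.2.50:443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(events, min_count=6, max_cv=0.10):
    """Return (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps between successive connections; a timer-driven beacon with small jitter
    scores close to 0, while bursty human traffic scores well above 1.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "mean_interval": round(avg, 1),
                "cv": round(cv, 4),
            })
    # Most regular first: the strongest beacon candidates rise to the top.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"~{f['mean_interval']}s apart (cv={f['cv']})")
```

The thresholds are assumptions to tune per environment: `min_count` keeps a few coincidental connections from being scored, and `max_cv` sets how much jitter still counts as "on a timer". A flagged pair is a lead for triage, not proof of compromise; the same regularity shows up in legitimate schedulers, so the destination and process behind it still need to be checked.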
Small stores, big malware
Law enforcement officials say small- to midsized businesses, including those in the retail business, are often "ground zero" for much of the new malware that ultimately spreads to larger companies. Ari Baranoff, assistant special agent in charge for the US Secret Service, says that in July, the Secret Service was dispatched to a small store in Syracuse, New York, where payment card data had been reported stolen.
Secret Service agents found an unknown malware sample on the store's POS server. "We identified the malware, removed it, and brought the sample back. Together with Trustwave, we reverse-engineered it and found it was a zero-day," Baranoff told attendees of the Financial Services Roundtable event last week in Washington.
The US-CERT ultimately issued an advisory about the POS malware attack, and the associated malware was also found in UPS stores. "As it turns out, the network defenders at UPS had identified this malware on their systems … so they contained it to one percent of their stores, under 50 stores," Baranoff said.