Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

10/28/2014
03:05 PM

Retailers Facing Intensified Cyberthreat This Holiday Season

After the Year of the Retail Breach, retail's annual holiday shopping season "freeze" on new technology and some security patching is just around the corner.

Retailers, not surprisingly, are on edge entering this year's holiday shopping season after an epic wave of data breaches this past year. Adding to their stress: The shopping season also marks the annual "holiday freeze" period, during which no new security tools or other IT projects go live, because critical transaction and supporting systems must be locked into top performance and availability mode. In many cases, only the most critical security patches get installed, with the rest put on hold until the busy holiday shopping season concludes.

Retail industry sources say cybersecurity is now top of mind in the executive suite and on the board of directors at those companies. But they still won't be deploying any new security upgrades or technologies once holiday shopping kicks into gear next month. They face a delicate balance this year between intensified security vigilance and the tradition of not altering systems or adding new technology until the Christmas rush is over. Not every security patch gets applied, for instance: Only the most critical and necessary security patches get installed, to prevent any disruption to the busy retail season.

"You try to avoid any technology project, and patching goes on as needed," says Liz Garner, vice president of the Merchant Advisory Group. "In general, companies are reviewing the patch notifications they get. If it's remotely critical, they are absolutely going to run the patch -- anything that could affect the confidentiality or availability of the system," she says.

Many large department stores and big-box chains continue with their regular security risk assessments during the heavy shopping season as well, Garner says.

But not all retailers institute a freeze on patches or vulnerability scans during the holiday shopping season. "Security patching at our company does not change during the season or at any time. We have a mature QA process and patching is considered basic maintenance of business," one retailer source says. "Scans are not a security control. They are a detective mechanism to ensure open vulnerabilities are addressed, and [they] don't impact operations in our experience, so not performing them during the holidays seems silly."

Meantime, retailers are keeping an ear to the ground on any new attacks. "Everybody's on high alert that something big could happen. They're watching their phones and checking their email," says Mike Davis, CTO at security firm CounterTack, which works closely with its retailer customers.

But even with the threat level at a high, the holiday freeze is on at many retailers starting sometime in November (depending on the retailer's schedule). "There are code and production freezes in November and December. During the freeze, nothing can be installed … especially from Thanksgiving until six days after Christmas," he says.

"No new technology is going to get employed even if it's free, good, and tested," Davis says. 

Chris Strand, senior director of compliance at Bit9, says the holiday freeze is a traditional practice in retail and in the financial services industry as well. Strand, who witnessed that practice in his previous role as a PCI security assessment officer, says the moratorium on any new software during that time is common practice among retailers with a Black Friday and holiday season push, mainly large department stores, big-box retail chains, and e-commerce shopping sites.

"Normally, it's just patching that may be delayed or halted during the holiday freeze. That's the component that comes into play first and foremost since it requires the most processing power and downtime, which could affect retail systems during a critical event," Strand says. "Vulnerability and threat scanning may be throttled down during high-volume periods" as well, he says.

Updating malware signature files for new threats or variants may not happen at all on Black Friday, for instance. Retailers often "hedge their bets" and hold off on updating .dat files because that can interfere with processing power and potentially disrupt systems that are critical to the shopping and transaction experience -- and to sales, Strand says.

Any machines for customer transactions or reconciliation, including general ledger and inventory systems, are locked down, CounterTack's Davis says.

While the freeze could leave a system more vulnerable to attack, it all comes down to the risk assessment, security experts say. An attacker could set an exploit into motion prior to the freeze and then try to harvest stolen data during it, they say, but that would be fairly conspicuous: It's an all-hands-on-deck time at retailers, so more eyes theoretically would be on the network and systems.

Davis says the freeze period is actually the worst time for an attacker to hit retailers: "This is the worst time to target them. They usually have all staff on hand, 24/7. So [an attack] is probably more likely to get caught in the holiday time," he says. "If I were an attacker, I would pick March when large upgrades … and change is happening like crazy" to their IT systems, or during summer vacation time, he says.

With the exception of Target, most of the big retail breaches didn't occur during that two-month period. Target's cyberattack actually began during the Black Friday shopping season almost exactly one year ago. Davis says while Target did "everything right" security-wise, its big mistake was not responding to the red alert generated by its FireEye system.

National Retail Federation vice president of technologies Tom Litchford says the holiday shopping season is no more dangerous cyberattack-wise than any other time of year. "It's business as usual" in staying alert to any threats, he says. NRF's cyberthreat alert system for its retailer members has been up and running since June, he notes. 

[Try as they might, retailers don't seem to be able to get the Backoff malware to actually back off: infections of the notorious malware increased 57% from August to September. Read Backoff PoS Malware Boomed In Q3.]

With retailers getting a serious security wake-up call after the wave of payment card breaches, does this mean they are more ready and secure this shopping season than last year at this time? "I don't think so," Davis says. It takes time to deploy new security technologies, and many have geographically disparate environments to address, he says.

It's more about detection than prevention for all organizations, retailers included. The key is catching the malware and bad guy activity before they take the payment card or other data out the door, security experts say.

Anywhere from one-fourth to one-third of organizations contain at least one bot-infected machine that's beaconing back to the bad guys, says David Lissberger, president of security firm Sentinel. A regional grocery chain his firm recently evaluated had such an infection, he says, but they were able to remediate it before it led to a breach.

"That happens in all types of [POS] environments … It's not a breach, but just malware trying to check in outbound," Lissberger says. "They may not be exfiltrating data yet. They [the attackers] are checking to see if they still own the network, testing to see if they still have a connection on the inside."

Such "check-ins," as Lissberger calls them, occur at automated intervals, and his firm's Store-Minder IPS system was able to detect them.
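The periodic check-ins Lissberger describes are detectable precisely because they are regular: a bot that phones home on a timer produces outbound connections with near-constant inter-arrival times and small payloads, which stand out from the bursty, variable traffic of a real user or a legitimate update. The script below is an added example written for this article, not code from Sentinel, Store-Minder or any other product mentioned here. The log format, the hosts and the timestamps are all constructed; the thresholds (`min_events`, `max_jitter`, `max_bytes`) are assumptions a practitioner would tune to their own egress logs.

```python
"""Periodic-beacon detection over firewall/proxy egress logs.

Added example for this article; not Sentinel's Store-Minder or any product
code. The log format, hosts, ports and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress records: "<timestamp> <src> <dst:port> <bytes>".
# First flow: a register host checking in every ~3 minutes with tiny payloads.
# Second flow: a back-office host doing irregular, larger HTTPS transfers.
SAMPLE_LOG = """\
2014-11-20T02:00:01 10.20.5.17 198.51.100.23:443 412
2014-11-20T02:03:02 10.20.5.17 198.51.100.23:443 410
2014-11-20T02:06:00 10.20.5.17 198.51.100.23:443 414
2014-11-20T02:09:01 10.20.5.17 198.51.100.23:443 411
2014-11-20T02:12:02 10.20.5.17 198.51.100.23:443 409
2014-11-20T02:15:00 10.20.5.17 198.51.100.23:443 413
2014-11-20T02:00:30 10.20.5.40 203.0.113.8:443 18820
2014-11-20T02:07:11 10.20.5.40 203.0.113.8:443 2201
2014-11-20T02:07:45 10.20.5.40 203.0.113.8:443 51212
2014-11-20T02:31:02 10.20.5.40 203.0.113.8:443 940
2014-11-20T02:58:19 10.20.5.40 203.0.113.8:443 7712
2014-11-20T03:01:00 10.20.5.40 203.0.113.8:443 1200
"""


def parse_log(text):
    """Yield (timestamp, src, dst_port, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_beacons(records, min_events=5, max_jitter=0.15, max_bytes=2048):
    """Return {(src, dst): period_seconds} for flows that look like check-ins.

    A flow is flagged when it has at least `min_events` connections, its
    inter-arrival times are regular (coefficient of variation <= max_jitter),
    and every transfer is small (a heartbeat, not a download or exfil burst).
    The thresholds are assumptions; tune them against real egress logs.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, size in records:
        by_flow[(src, dst)].append((ts, size))

    beacons = {}
    for flow, events in by_flow.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the gaps
        if jitter <= max_jitter and max(size for _, size in events) <= max_bytes:
            beacons[flow] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

On the constructed sample, only the register host's flow is flagged (period about 180 seconds); the back-office host's transfers fail both the regularity and the size test. Real bots often add random sleep jitter to defeat exactly this check, which is why `max_jitter` is a tunable rather than a demand for perfect periodicity, and why a hit should be treated as a lead for investigation rather than a verdict.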

Small stores, big malware
Law enforcement officials say small- to midsized businesses, including those in the retail business, are often "ground zero" for much of the new malware that ultimately spreads to larger companies. Ari Baranoff, assistant special agent in charge for the US Secret Service, says that in July, the Secret Service was dispatched to a small store in Syracuse, New York, where payment card data had been reported stolen.

Secret Service agents found an unknown malware sample on the store's POS server. "We identified the malware, removed it, and brought the sample back. Together with Trustwave, we reverse-engineered it and found it was a zero-day," Baranoff told attendees of the Financial Services Roundtable event last week in Washington.

The US-CERT ultimately issued an advisory about the malware POS attack and the associated malware was also found in UPS stores. "As it turns out, the network defenders at UPS had identified this malware on their systems … so they contained it to one percent of their stores, under 50 stores," Baranoff said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Ed Telders, User Rank: Apprentice, 10/30/2014 | 5:31:20 PM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
Not often at all. However, this does happen at times. I've read many times that the ultimate reason for an incident is systems that were not patched for known vulnerabilities. The interesting thing is that when a business priority focus is on critical functions there is an almost natural tendency to lower the priority for that same patching process on less critical systems. As a result the "bad guys" will attack a less patched/low priority system simply because they can establish a presence, and then use that presence to extend the attack to other systems from within. This seems a classic "perimeter only" focus which in today's threatscape is simply not as valuable as it was in the good old days. Too often we hear that a breach was in place for extended periods of time before it is detected. Therefore I would advocate that all systems, even the low priority ones, get that same level of care, custody, and control for patching and preventative controls as the high priority targets. Don't give the adversary a weak spot if you can help it.
Marilyn Cohodas, User Rank: Strategist, 10/30/2014 | 4:10:34 PM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
@Ed Telders, How often did you experience that "funny thing.....when an incident that could have been prevented by the non-security patching happened." More often than not, or the reverse?
Ed Telders, User Rank: Apprentice, 10/29/2014 | 1:08:25 PM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
Yes indeed, fortunately they were minor ones in non-critical systems, mostly desktops. That's why we had to create the robust testing and evaluation mechanism to be able to continue deploying critical security patches; they would get priority due to the risks. What was more common was not in the critical security patch areas, but the less-critical patches were sometimes delayed to reduce risk of business impacts. And then the funny thing would be when an incident that could have been prevented by the non-security patching happened, it would get a lot of attention quickly due to the impact to the bottom line. During the holiday retail rush it quickly becomes an "All Hands" response when something interrupts the business.
Kelly Jackson Higgins, User Rank: Strategist, 10/29/2014 | 12:58:59 PM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
Thanks, @Ed Telders for sharing your experience at a retailer. Did you ever see any security incidents that occurred as a result of a patch being delayed during the freeze?
Ed Telders, User Rank: Apprentice, 10/29/2014 | 11:54:29 AM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
Having worked at a retailer, the message was always very clear. Freeze during holidays. The retailers make a significant amount of their annual revenue during those couple months of the holidays; I mean that the majority of revenue for the year comes in from the "Black Friday to New Years" shopping rush. As a result even a small outage can be a direct bottom line impact. I agree with Marilyn that it should not mean that patching should be stopped for security issues, but it does mean that you have to have a very mature patch management testing and impact assessment before the patches are rolled out. Signature file types of defenses still roll on, mostly automatically with little impact. But OS patches, and more application oriented patching, can cause outages if not carefully evaluated. Be careful!
savoiadilucania, User Rank: Moderator, 10/29/2014 | 10:18:28 AM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
@MarilynCohodas
I would venture to guess the decision was informed by a quantitative risk analysis. The results of which probably revealed that the cost of having a catastrophic failure of POS systems due to patching was greater than the cost of compromise due to not patching POS systems.
Marilyn Cohodas, User Rank: Strategist, 10/29/2014 | 8:52:25 AM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
I can totally understand why retailers would put a "freeze" on new technology during the holiday season, but it is absolutely counter-intuitive to me to read that the same goes for security patching. I suppose the hackers already know that...
GonzSTL, User Rank: Ninja, 10/28/2014 | 4:17:55 PM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
Executives and security teams are probably updating their resumés and contact lists, just in case ...
Kelly Jackson Higgins, User Rank: Strategist, 10/28/2014 | 4:07:15 PM
Re: Retailers Facing Intensified Cyberthreat This Holiday Season
"Everybody's on high alert that something big could happen. They're watching their phones and checking their email" -- That comment from Mike Davis, CTO at CounterTack, gives a little visual on the tension retailers have faced over the past few months. Waiting for the other shoe to drop.
GonzSTL, User Rank: Ninja, 10/28/2014 | 4:00:51 PM
Retailers Facing Intensified Cyberthreat This Holiday Season
"Retail industry sources say cyber security now is top of mind at the executive suite and board of directors in those companies." This is good to hear, of course. Hopefully the purse strings had been loosened up enough for those really good security initiatives to get funded. I am betting that this is an exciting and also a tense time for those security teams, who will certainly be there with bells on and rightfully so, given the breach fiasco that has defined 2014 so far. I would not be surprised if the bad guys had some zero day exploits that they have saved up just for this time of year. I am sure there will be an onslaught of attacks as we approach the holiday shopping season. As alert as security teams can be, it is always possible to sneak in under the radar amid the hustle and bustle of the biggest shopping event of the year. Can you imagine just how tense executives are regarding this issue?