
Comments
P.F. Chang's The Latest Target?
RyanSepe,
User Rank: Ninja
6/13/2014 | 9:59:04 AM
Re: Latest Target?
I have to agree with you. I work at a healthcare organization and I see how effective a "simple law" (putting it lightly) like HIPAA can be. Most of our fiscal decisions towards security initiatives you can link back to one HIPAA mandate or another: not storing data on local drives, encrypting file storage and data among systems; IDS is a big one where HIPAA has very much forced the organization to get behind it. This is a very small subset of best practice that HIPAA has helped us accomplish.

The reason being these laws have repercussions for breaches and loss of data. And let me tell you, they are hefty when fiscally analyzed against incorporating security systems.
Bprince,
User Rank: Ninja
6/12/2014 | 10:43:46 PM
EMV
Just when I wanted some Chinese. :) I think the focus at this point needs to be on EMV credit cards here in the U.S. It's not foolproof or anything, but I think it raises the level of difficulty for fraudsters.

BP
RetiredUser,
User Rank: Ninja
6/12/2014 | 4:50:53 PM
Multi-factor Biometrics
Really, we have gotten to the point where archaic technology like POS is just begging to be abused. Retail as a whole must change, and while I heard a snigger or two as folks read my post subject, I'm quite serious. Two of my favorite research subjects are quantum computing and biometrics. A multi-factor biometrics security system for in-person retail purchasing would eliminate the majority of these "old school" hacks and save billions, if not trillions, of dollars - a savings assuming we can pull off multi-factor biometric security for less than trillions!

If you don't believe POS is archaic and ready for retirement, dig into old - I mean old - issues of 2600 Hacker Quarterly, and then read every third issue until 2014. Yes, POS along with many other similar retail systems just seem to evolve in micro-steps instead of moving aside for truly secure and efficient purchasing systems. Innovate, for crying out loud. Your average "cash only" retail shop is ultimately more secure than any store with POS or a similar charge system. Might be why I eat a lot of noodle soup and milk tea with boba...
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:22:36 PM
Re: Latest Target?
You would think that there is some evidence of improvement in the change of command at the top of Target -- together with today's news about the hiring of Target's first CISO. But getting the entire retail industry to make the investments they need to make is a huge commitment in culture change, not just $$.
Robert McDougal,
User Rank: Ninja
6/12/2014 | 2:55:28 PM
Re: Latest Target?
I disagree that making consumers responsible would be beneficial in the least. However, I do agree that laws generally lead to checklist-style compliance, but, at the least, it would get retailers moving.
RalphDaly28,
User Rank: Apprentice
6/12/2014 | 2:30:41 PM
Re: Latest Target?
A "simple law" that holds employees personally responsible will not be effective at addressing security. It might be a boon for the insurance industry, as executives will refuse to work for a company that doesn't cover that risk for them. Think that will increase spending on security or insurance? Consumers already care even though their exposure is limited. If you don't think retailers are being held responsible, take a look at Target's sales and profits since the breach. Laws can't fix technology and social problems. They generally only make them worse, especially when the people writing them are clueless about how the world works. Or in the words of Ludwig von Mises: "Economic history is a long record of government policies that failed because they were designed with a bold disregard for the laws of economics."
ecowper,
User Rank: Apprentice
6/12/2014 | 1:24:13 PM
Re: Latest Target?
Robert said: "I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands."

I spent some time in the healthcare industry, both as a consultant and a CISO. A new law only does two things.

1. Create a compliance regime and bureaucracy, whose focus will be to make sure that their organizations can check the boxes saying they comply. Frankly, compliance/checkbox security has been a major problem for security, not a factor to improve security, for a long time now.

2. The law sets up a checkbox approach to solving the problems that caused yesterday's breaches. While preventing those is important, we are not going to get ahead of the game that way.

The real solution, I would posit, is very simple and two-fold. First, a very simple law, one that makes the CEO, CFO and the Board of Directors, as a group and as individuals, liable for protecting credit cards, PII, etc. Second, change credit card fraud laws. Right now, the consumer has no skin in the game because the issuing bank has to make them whole, by law. Consumers are feeling no pain from all the credit card breaches, so they really don't care. And thus, no pressure is ever put on the retailers who failed in their obligation to protect the data.

My two cents' worth.
Robert McDougal,
User Rank: Ninja
6/12/2014 | 11:09:19 AM
Re: Latest Target?
I think you are exactly correct. Companies tend to not spend money on security unless they see it as a major threat to the bottom line. Historically, point of sale machines were viewed as "dumb terminals" without the need for security. However, as we are all well aware, this is not the case any longer.

I think retailers will eventually get around to putting secure POS systems in place, but I also think it will be much too slow. I hate to say it, but what is needed here is a law (think HIPAA) to force retailers' hands.
RyanSepe,
User Rank: Ninja
6/12/2014 | 10:31:31 AM
Re: Latest Target?
This is a very disturbing notion. I feel that despite past events, organizations are handling this as a catastrophe-based event. For example, buying a house in an area that could possibly be hit with a tornado or another natural disaster: you know the possibility is there, but you don't ever believe it will happen to you. I think organizations are weighing the risk against budget, and because this is happening to a subset of the overall retail company base, I think they've decided that the cost of securing the PoS systems outweighs the probability of breach.
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 9:46:15 AM
Re: Latest Target?
I'm amazed at how little has changed in the aftermath of Target et al. – and now P.F. Chang's. We have a poll running on the site that asks the question: Have the headlines surrounding data breaches like Target's changed your company's policies around managing risk and securing data? More than half of respondents to date say that it's either "business as usual" or "Eh, we're hearing a lot of talk from the C suite, but no action or budget."

You can check out the results here and add your two cents, if you haven't already. 