Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
P.F. Chang's The Latest Target?
RyanSepe,
User Rank: Ninja
6/13/2014 | 9:59:04 AM
Re: Latest Target?
I have to agree with you. I work at a healthcare organization and I see how effective a "simple law" (putting it lightly) like HIPAA can be. Most of our fiscal decisions towards security initiatives you can link back to one HIPAA mandate or another. Not storing data on local drives, encrypting file storage, and among systems; IDS is a big one where HIPAA has very much forced the organization to get behind it. This is a very small subset of best practice that HIPAA has helped us accomplish.

The reason being these laws have repercussions for breaches and loss of data. And let me tell you, they are hefty when fiscally analyzed against incorporating security systems.
Bprince,
User Rank: Ninja
6/12/2014 | 10:43:46 PM
EMV
Just when I wanted some Chinese. :) I think the focus at this point needs to be on EMV credit cards here in the U.S. It's not foolproof or anything, but I think it raises the level of difficulty for fraudsters.

BP
RetiredUser,
User Rank: Ninja
6/12/2014 | 4:50:53 PM
Multi-factor Biometrics
Really, we have gotten to the point where archaic technology like POS is just begging to be abused.  Retail as a whole must change, and while I heard a snigger or two as folks read my post subject, I'm quite serious.  Two of my favorite research subjects are quantum computing and biometrics.  A multi-factor biometrics security system for in-person retail purchasing would eliminate the majority of these "old school" hacks and save billions, if not trillions, of dollars - a savings assuming we can pull off multi-factor biometric security for less than trillions!

If you don't believe POS is archaic and ready for retirement, dig into old - I mean old - issues of 2600 Hacker Quarterly, and then read every third issue until 2014.  Yes, POS along with many other similar retail systems just seem to evolve in micro-steps instead of moving aside for truly secure and efficient purchasing systems.  Innovate, for crying out loud.  Your average "cash only" retail shop is ultimately more secure than any store with POS or a similar charge system.  Might be why I eat a lot of noodle soup and milk tea with boba...
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:22:36 PM
Re: Latest Target?
You would think that there is some evidence of improvement in the change of command at the top of Target -- together with today's news about the hiring of Target's first CISO.  But getting the entire retail industry to make the investments they need to make is a huge commitment in culture change, not just $$.
Robert McDougal,
User Rank: Ninja
6/12/2014 | 2:55:28 PM
Re: Latest Target?
I disagree that making consumers responsible would be beneficial in the least.  However, I do agree that laws generally lead to checklist-style compliance, but at the least it would get retailers moving.
RalphDaly28,
User Rank: Apprentice
6/12/2014 | 2:30:41 PM
Re: Latest Target?
A "simple law" that holds employees personally responsible will not be effective at addressing security. It might be a boon for the insurance industry as executives will refuse to work for a company that doesn't cover that risk for them. Think that will increase spending on security or insurance? Consumers already care even though their exposure is limited. If you don't think retailers are being held responsible, take a look at Target's sales and profits since the breach. Laws can't fix technology and social problems. They generally only make them worse, especially when the people writing them are clueless about how the world works. Or in the words of Ludwig von Mises: "Economic history is a long record of government policies that failed because they were designed with a bold disregard for the laws of economics."
ecowper,
User Rank: Apprentice
6/12/2014 | 1:24:13 PM
Re: Latest Target?
Robert said: "I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands."

I spent some time in the healthcare industry, both as a consultant and a CISO. A new law only does two things.

1. Create a compliance regime and bureaucracy, whose focus will be to make sure that their organizations can check the boxes saying they comply. Frankly, compliance/checkbox security has been a major problem for security, not a factor to improve security, for a long time now. 

2. The law sets up a checkbox approach to solving the problems that caused yesterday's breaches. While preventing those is important, we are not going to get ahead of the game that way. 

The real solution, I would posit, is very simple and two-fold. First, a very simple law, one that makes the CEO, CFO and the Board of Directors as a group and individuals liable for protecting credit cards, PII, etc. Second, change credit card fraud laws. Right now, the consumer has no skin in the game because the issuing bank has to make them whole, by law. Consumers are feeling no pain from all the credit card breaches, so they really don't care. And thus, no pressure is ever put on the retailers who failed in their obligation to protect the data. 

My two cents worth. 
Robert McDougal,
User Rank: Ninja
6/12/2014 | 11:09:19 AM
Re: Latest Target?
I think you are exactly correct.  Companies tend to not spend money on security unless they see it as a major threat to the bottom line.  Historically, point of sale machines were viewed as "dumb terminals" without the need for security.  However, as we are all well aware, this is not the case any longer.

I think retailers will eventually get around to putting secure POS systems in place but I also think it will be much too slow.  I hate to say it, but what is needed here is a law (think HIPAA) to force retailers' hands.
RyanSepe,
User Rank: Ninja
6/12/2014 | 10:31:31 AM
Re: Latest Target?
This is a very disturbing notion.  I feel that despite past events, organizations are handling this as a catastrophe-based event. For example, buying a house in an area that could possibly be hit with a tornado or another natural disaster. You know the possibility is there but you don't ever believe it will happen to you. I think organizations are weighing the risk against budget and, because this is happening to a subset of the overall retail company base, I think they've decided that the cost of securing the PoS systems outweighs the probability of breach.
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 9:46:15 AM
Re: Latest Target?
I'm amazed at how little has changed in the aftermath of Target et al – and now PF Chang. We have a poll running on the site that asks the question: Have the headlines surrounding data breaches like Target's changed your company's policies around managing risk and securing data? More than half of respondents to date say that it's either "business as usual" or "Eh, we're hearing a lot of talk from the C suite, but no action or budget."

You can check out the results here and add your two cents, if you haven't already. 