
Comments
P.F. Chang's The Latest Target?
RyanSepe
User Rank: Ninja
6/13/2014 | 9:59:04 AM
Re: Latest Target?
I have to agree with you. I work at a healthcare organization and I see how effective a "simple law" (putting it lightly) like HIPAA can be. Most of our fiscal decisions towards security initiatives you can link back to one HIPAA mandate or another. Not storing data on local drives, encrypting file storage, and among systems; IDS is a big one where HIPAA has very much forced the organization to get behind it. This is a very small subset of best practice that HIPAA has helped us accomplish.

The reason being these laws have repercussions for breaches and loss of data. And let me tell you, they are hefty when fiscally analyzed against incorporating security systems.
Bprince
User Rank: Ninja
6/12/2014 | 10:43:46 PM
EMV
Just when I wanted some Chinese. :) I think the focus at this point needs to be on EMV credit cards here in the U.S. It's not foolproof or anything, but I think it raises the level of difficulty for fraudsters.

BP
RetiredUser
User Rank: Ninja
6/12/2014 | 4:50:53 PM
Multi-factor Biometrics
Really, we have gotten to the point where archaic technology like POS is just begging to be abused. Retail as a whole must change, and while I heard a snigger or two as folks read my post subject, I'm quite serious. Two of my favorite research subjects are quantum computing and biometrics. A multi-factor biometrics security system for in-person retail purchasing would eliminate the majority of these "old school" hacks and save billions, if not trillions, of dollars - a savings assuming we can pull off multi-factor biometric security for less than trillions!

If you don't believe POS is archaic and ready for retirement, dig into old - I mean old - issues of 2600 Hacker Quarterly, and then read every third issue until 2014. Yes, POS along with many other similar retail systems just seem to evolve in micro-steps instead of moving aside for truly secure and efficient purchasing systems. Innovate, for crying out loud. Your average "cash only" retail shop is ultimately more secure than any store with POS or a similar charge system. Might be why I eat a lot of noodle soup and milk tea with boba...
Marilyn Cohodas
User Rank: Strategist
6/12/2014 | 4:22:36 PM
Re: Latest Target?
You would think that there is some evidence of improvement in the change of command at the top of Target -- together with today's news about the hiring of Target's first CISO. But getting the entire retail industry to make the investments they need to make is a huge commitment in culture change, not just $$.
Robert McDougal
User Rank: Ninja
6/12/2014 | 2:55:28 PM
Re: Latest Target?
I disagree that making consumers responsible would be beneficial in the least. However, I do agree that laws generally lead to checklist style compliance but, in the least it would get retailers moving.
RalphDaly28
User Rank: Apprentice
6/12/2014 | 2:30:41 PM
Re: Latest Target?
A "simple law" that holds employees personally responsible will not be effective at addressing security. It might be a boon for the insurance industry as executives will refuse to work for a company that doesn't cover that risk for them. Think that will increase spending on security or insurance? Consumers already care even though their exposure is limited. If you don't think retailers are being held responsible take a look at Target's sales and profits since the breach. Laws can't fix technology and social problems. They generally only make them worse especially when the people writing them are clueless about how the world works. Or in the words of Ludwig von Mises: "Economic history is a long record of government policies that failed because they were designed with a bold disregard for the laws of economics."
ecowper
User Rank: Apprentice
6/12/2014 | 1:24:13 PM
Re: Latest Target?
Robert said: "I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands."
I spent some time in the healthcare industry, both as a consultant and a CISO. A new law only does two things.

1. Create a compliance regime and bureaucracy, whose focus will be to make sure that their organizations can check the boxes saying they comply. Frankly, compliance/checkbox security has been a major problem for security, not a factor to improve security, for a long time now.

2. The law sets up a checkbox approach to solving the problems that caused yesterday's breaches. While preventing those is important, we are not going to get ahead of the game that way.

The real solution, I would posit, is very simple and two-fold. First, a very simple law, one that makes the CEO, CFO and the Board of Directors as a group and individuals liable for protecting credit cards, PII, etc. Second, change credit card fraud laws. Right now, the consumer has no skin in the game because the issuing bank has to make them whole, by law. Consumers are feeling no pain from all the credit card breaches, so they really don't care. And thus, no pressure is ever put on the retailers who failed in their obligation to protect the data.

My two cents worth.
Robert McDougal
User Rank: Ninja
6/12/2014 | 11:09:19 AM
Re: Latest Target?
I think you are exactly correct. Companies tend to not spend money on security unless they see it as a major threat to the bottom line. Historically, point of sale machines were viewed as "dumb terminals" without the need of security. However, as we are all well aware, this is not the case any longer.

I think retailers will eventually get around to putting secure POS systems in place but I also think it will be much too slow. I hate to say it, but what is needed here is a law (think HIPAA) to force retailers' hands.
RyanSepe
User Rank: Ninja
6/12/2014 | 10:31:31 AM
Re: Latest Target?
This is a very disturbing notion. I feel that despite past events organizations are handling this as a catastrophe-based event. For example, buying a house in an area that could possibly be hit with a tornado or another natural disaster. You know the possibility is there but you don't ever believe it will happen to you. I think organizations are weighing the risk against budget and because this is happening to a subset of the overall retail company base I think they've decided that the cost of securing the PoS systems outweighs the probability of breach.
Marilyn Cohodas
User Rank: Strategist
6/12/2014 | 9:46:15 AM
Re: Latest Target?
I'm amazed at how little has changed in the aftermath of Target et al – and now PF Chang. We have a poll running on the site that asks the question: Have the headlines surrounding data breaches like Target's changed your company's policies around managing risk and securing data? More than half of respondents to date say that it's either "business as usual" or "Eh, we're hearing a lot of talk from the C suite, but no action or budget."

You can check out the results here and add your two cents, if you haven't already. 