Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
P.F. Chang's The Latest Target?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
RyanSepe,
 User Rank: Ninja
6/13/2014 | 9:59:04 AM
Re: Latest Target?
I have to agree with you. I work at a healthcare organization and I see how effective a "simple law" (putting it lightly) like HIPAA can be. Most of our fiscal decisions towards security initiatives you can link back to one HIPAA mandate or another. Not storing data on local drives, encrypting file storage, and among systems; IDS is a big one where HIPAA has very much forced the organization to get behind it. This is a very small subset of best practice that HIPAA has helped us accomplish.

The reason being these laws have repercussions for breaches and loss of data. And let me tell you, they are hefty when fiscally analyzed against incorporating security systems.
Bprince
Bprince,
 User Rank: Ninja
6/12/2014 | 10:43:46 PM
EMV
Just when I wanted some Chinese. :) I think the focus at this point needs to be on EMV credit cards here in the U.S. It's not foolproof or anything, but I think it raises the level of difficulty for fraudsters.

BP
RetiredUser
RetiredUser,
 User Rank: Ninja
6/12/2014 | 4:50:53 PM
Multi-factor Biometrics
Really, we have gotten to the point where archaic technology like POS is just begging to be abused.  Retail as a whole must change, and while I heard a snigger or two as folks read my post subject, I'm quite serious.  Two of my favorite research subjects are quantum computing and biometrics.  A multi-factor biometrics security system for in-person retail purchasing would eliminate the majority of these "old school" hacks and save billions, if not trilllions, or dollars - a savings assuming we can pull off multi-factor biometric security for less than trillions!

If you don't believe POS is archaic and ready for retirement, dig into old - I mean old - issues of 2600 Hacker Quarterly, and then read every third issue until 2014.  Yes, POS along with many other similar retail systems just seem to evolve in micro-steps instead of moving aside for truly secure and efficient purchasing systems.  Innovate, for crying out loud.  Your average "cash only" retail shop is ultimately more secure than any store with POS or a similar charge system.  Might be why I eat a lot of noodle soup and milk tea with boba...
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/12/2014 | 4:22:36 PM
Re: Latest Target?
You would think that there is some evidence of improvement in the change of command at the top of Target -- together with today's news about the hring of Target's first CISO .  But getting the entire retail industry to make the investments they need to make is a huge commitment in culture change, not just $$.
Robert McDougal
Robert McDougal,
 User Rank: Ninja
6/12/2014 | 2:55:28 PM
Re: Latest Target?
I disagree that making consumers responsible would be beneficial in the least.  However, I do agree that laws generally lead to checklist style compliance but, in the least it would get retailers moving.
RalphDaly28
RalphDaly28,
 User Rank: Apprentice
6/12/2014 | 2:30:41 PM
Re: Latest Target?
A "simple law" that holds employees personally responsible will not be effective at addressing security. It might be a boon for the insurance industry as executives will refuse to work for a company that doesn't cover that risk for them. Think that will increase spending on security or insurance? Consumers already care even though their exposure is limited. If you don't think retailers are being held responsible take a look at Target's sales and profits since the breach. Laws can't fix technology and social problems. They generally only make them worse especially when the people writing them are clueless about how the world works.  Or in the words of Ludwig Von Mises: "Economic history is a long record of government policies that failed because they were designed with a bold disregard for the laws of economics."
ecowper
ecowper,
 User Rank: Apprentice
6/12/2014 | 1:24:13 PM
Re: Latest Target?
Robert said: "I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands."

 

I spent some time in the healthcare industry, both as a consultant and a CISO. A new law only does two things. 

1. Create a compliance regime and bureaucracy, whose focus will be to make sure that their organizations can check the boxes saying they comply. Frankly, compliance/checkbox security has been a major problem for security, not a factor to improve security, for a long time now. 

2. The law sets up a checkbox approach to solving the problems that caused yesterday's breaches. While preventing those is important, we are not going to get ahead of the game that way. 

The real solution, I would posit, is very simple and two-fold. First, a very simple law, one that makes the CEO, CFO and the Board of Directors as a group and individuals liable for protecting credit cards, PII, etc. Second, change credit card fraud laws. Right now, the consumer has no skin in the game because the issuing bank has to make them whole, by law. Consumers are feeling no pain from all the credit card breaches, so they really don't care. And thus, no pressure is ever put on the retailers who failed in their obligation to protect the data. 

My two cents worth. 
Robert McDougal
Robert McDougal,
 User Rank: Ninja
6/12/2014 | 11:09:19 AM
Re: Latest Target?
I think you are exactly correct.  Companies tend to not spend money on security unless they see it as a major threat to the bottom line.  Historically, point of sale machines were viewed as "dumb terminals" without the need of security.  However, as we are all well aware, this is not the case any longer.

I think retailers will eventually get around to putting secure POS systems in place but I also think it will be much too slow.  I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands.
RyanSepe
RyanSepe,
 User Rank: Ninja
6/12/2014 | 10:31:31 AM
Re: Latest Target?
This is a very disturbing notion.  I feel that despite past events organizations are handling this as catastrophe based event. For example, buying a house in an area that could possibly be hit with a tornado or another natural disaster. You know the possibility is there but you don't ever believe it will happen to you. I think organizations are weighing the risk against budget and because this is happening to a subset of the overall retail company base I think they've decided that the cost of securing the PoS systems outweighs the probability of breach.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/12/2014 | 9:46:15 AM
Re: Latest Target?
I'm amazed at how little has changed in the aftermath of Target et al – and now PF Chang.We have a poll running on the site that asks the question: Have the headlines surrounding data breaches like Target's changed your company's policies around managing risk and securing data? More than half of respondents to date say that it's either "busness as usual" or "Eh, we're hearing a lot of talk from the C suite, but no action or budget."           

You can check out the results here and add your two cents, if you haven't already. 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file