While it may seem far off for consumers, retailers know that now is the time to start thinking about the holiday season. Even though Black Friday deals are a few months away, it takes significant planning and testing to ensure web sites are optimized and secured to handle the onslaught of both legitimate and attack traffic, meaning now is the final stretch for retailers. Most retailers will enter into a “Code Freeze” on any changes to their network going into the fourth fiscal quarter. This not only gives them a deadline to get their systems patched and secured, but also to address the malicious actors who might be targeting the network.
Every year, it seems like there is something new that retailers need to be on the lookout for, and this year is no different. Chip technology and ransomware are at the top of security professionals’ minds, and the retail industry is certainly not immune to their threats. So what exactly are the dangers related to these technologies and how can retailers mitigate them?
EMV (Eurocard, MasterCard, Visa) chips have been at the front of both companies’ and consumers’ minds lately, given the relatively high profile implementation of chip readers in stores and the distribution of new, chip-enabled cards to consumers. Unfortunately, part of this attention is due to the fact that adoption has been slow, creating frustration among both parties involved.
At this point, most consumers have been in a store that possesses a chip reader at the checkout line, but since the store has not activated them yet, they are not operational. Customers with chip cards do not want to guess whether or not the reader is available for use and are becoming more irritated with the process.
However, the issue is more than just irritation. As more retailers succeed in fully implementing chip readers, companies that haven’t done so become even greater targets in the eyes of hackers who are looking for credit card numbers to steal. And given the spotlight put on retailers during the holiday season, the chances of being targeted increase even further. For example, all of Europe has been using chip cards and readers for years now, which means they are likely eliminated from a hacker’s pool of potential targets. So we’ve already started narrowing targets by geography.
From there, we start eliminating based on size. Naturally, larger retailers have been first when it comes to successfully implementing chip readers. So while they will likely still remain a target — given the high foot traffic in these stores around the holidays — they’re now harder to penetrate.
So who does that leave? Smaller businesses that have yet to fully integrate chip readers into their systems. It’s simply a process of elimination. If it’s not clear by now, the solution is simple: prioritize the implementation of chip readers. Your customers will appreciate it, and you’ll become less of an automatic target.
Outsmarting Chip Technology
At this year’s DefCon conference, we saw an example of how hackers are even outsmarting EMV chips, when an ATM chip reader was bypassed to enable the withdrawal of cash. In order for this type of hack to occur, two ATM machines at the same bank, located on the same networking subnet, and two hackers are needed. The victim inserts his card into the ATM that already has a credit card skimmer in place, and the skimmer transmits the authentication and the victim’s account information to a card device in another ATM, where the malicious actor can then remove cash. While not the easiest exploit of EMV, it shows the extent to which researchers and malicious actors will go to exploit this technology. Although it’s a rare possibility for this holiday season, as it may take years, the industry should be thinking about the next threat scenario they’ll have to contend with.
Ransomware can be a bit more complicated than chip technology, especially given that 80% of organizations do not have a plan in place to protect themselves from this type of threat (i.e., hackers who prefer to take a more general approach have a wide range of targets to go after).
That statistic is pretty shocking, but what makes it even more concerning is that retail has seen these types of breaches before. The industry is a predictable target — everyone knows Black Friday and the holiday season are standard promotional periods that significantly affect the bottom line, meaning targeted retailers will do anything to ensure that the bottom line and customer loyalty remain intact.
Since few organizations have a plan in place to mitigate ransomware attacks, it’s safe to assume that many retailers are less familiar with this technology than they are with the omnipresent chip readers. For those who aren’t familiar, ransomware is a growing extortion scheme by cybercriminals, a malicious software (malware) program that steals a victim’s data and then encrypts it, denying the owner access to their own information. Ransomware attackers then demand a payment in exchange for a password that decrypts the data.
And while the initial ransom amount may be relatively small, between $100 and $5,000, this figure should not be construed as the standard. Hackers use first-time, minimal fees to establish who exactly is willing to pay to get their data back, so those that pay are more likely to be targeted for attack again. After the initial breach though, ransom demands will increase exponentially until the retailer finally decides to tackle the issue some other way.
While completely eliminating the threat of ransomware may be difficult, as with any cyber security attack, it is possible to minimize the impact. Useful solutions include:
Leverage 24x7 monitoring: Integrating a 24x7 threat monitoring system means you have access to a set of security tools that will protect your data at multiple layers of the application stack, and you will have access to actionable threat detection and security intelligence to protect your business-critical data and applications. This will allow you to detect a potential ransomware installation on a workstation in a matter of minutes. With this type of monitoring you can mitigate the risk before your infrastructure gets infected. It is better to lose and reimage one workstation than to have your centralized data encrypted and held for ransom. Make sure you are logging from all the right technologies that you will need to detect a potential infection.
Ensure robust log management: By implementing log management, you can easily collect, aggregate and normalize log data whether it originates in your own data center, a hosted environment or the cloud. And because you have all of this information right at your fingertips, it is then easier to proactively identify trends and potential threats before a real exploit occurs. This will allow you to find when the infected workstation is attempting to make lateral moves and infect more of your infrastructure.
Have an in-depth backup plan: Know the pain points of restoration and recovery, and make sure you are just above that pain point in your plan. For example, business-critical information shouldn’t be stored in only one place. Back up your files to a separate drive so that even if you do suffer a breach, you can maintain operations by utilizing the backup files while you address the security concern. Test your restoration plan regularly to confirm that you can efficiently restore your data in case of an incident.
The Bottom Line
In an ideal world, all retailers would have operational chip readers and they would have ransomware mitigation plans in place. As we see year after year, unfortunately, there are always those retailers who fall behind on security and suffer the consequences. And remember, the potential consequences can be truly damaging. A security breach puts millions of dollars at risk, and given the public manner in which these breaches tend to come to light, it can also have a serious impact on customer loyalty and retention.
So don’t wait — whether you work with an internal or external security team, make any final security upgrades now to better protect yourself and your customers by the time the holiday season is in full swing. The better protected you are, the happier everyone will be.
Stephen Coty joined Alert Logic in 2012 as the Chief Security Evangelist and has a wealth of experience in the security space. In his role at Alert Logic, Coty is currently in the process of building a premier threat research team that is innovating the industry by taking a more proactive versus reactive approach to security through solid research, reverse engineering of malware, and constant searches for stolen data, all of which can be leveraged as actionable data for remediation. He has more than 15 years of experience in systems engineering and security consulting, in industries ranging from health care to finance and government. Most recently, he held a senior position at Rackspace Hosting as the Manager of Cyber Security, where he served as the architect of the Security Operations Center and Threat Research Team. He is also a member of ISSA, Infragard and the HTCIA.