With the holiday retail 'freeze' underway, the period in which security upgrades and technology additions are put on hold until after the busy shopping season and only critical security patches get installed, the security industry has reacted to the retail sector's practice with advice on how retailers can take a less than ideal security situation and get the best possible outcome: avoiding a data breach.
The holiday season is retailers’ busiest time of year, with an estimated one-fifth of the year’s shopping taking place between November and December in the UK and over half of online retailers expecting to achieve 20% growth according to IMRG. But during this time, retailers arguably face a more difficult problem with IT than other industries for many reasons.
'Retailers have a huge network of widely distributed systems with many locations, not to mention online retail websites, which equates to many points of attack. Cash registers and POS systems are networked computers, so compromising them can compromise the entire infrastructure,' said Garrett Gross from AlienVault. 'There is also the issue of short-tenured employees who have little to no security training. Combine this with the vast amounts of sensitive customer information and card data they handle and it’s not hard to see why catastrophic breaches like Target and Home Depot have occurred.'
Open for business
Yet, for retailers the main challenge and priority is staying 'available' to customers, whether it is for online or in-store purchases. This narrow focus is something that Alert Logic’s Richard Cassidy says can be somewhat of an oversight.
'At executive level, service availability translates to transactions, which in turn relates to revenue growth,' said Richard Cassidy, technical director EMEA at Alert Logic. 'However, executives often neglect the wider collateral damage that can be caused by a data breach, not only in terms of brand damage, but in the resultant fall of consumer confidence and any remediation activities required (legal and operational) to mitigate those losses.
'In this respect surely 'security' is true availability and as a result organisations need to understand that 'change-control freezes' only serve to reduce the focus on security,' Cassidy continued.
Tim Erlin, director of security and risk at Tripwire, agreed. 'The concept of a holiday IT freeze is outdated in today’s world, and while many retailers implement such a 'freeze', there should be exceptions when it comes to areas that support the business. Security should certainly be one of those exceptions.'
Martyn Ruks, technical director at MWR InfoSecurity said that 'decisions around what the retail freeze looks like need to be driven by the maturity of the organisation and there needs to be cases where exceptions can be made based on a clear understanding of potential risks and threats to the retailer along with the detective and reactive measures in place to combat the greatest risks.'
Barry Shteiman, director of security strategy at Imperva took a somewhat more sympathetic view. 'During a shopping season the dilemma of security vs. availability becomes especially hard, because companies are to decide whether or not they are willing to take the risk of downtime and losing business vs. a potential breach; therefore, preparation is key,' he said.
However, Mark James, security specialist from ESET argues that there is never a good time to put a 'freeze' on security updates, stating that 'the customer’s private data should always be a priority, even above profits. Freezing security updates not only puts the customer’s data at risk, it also jeopardises the company’s own data.'
Phil Lieberman said the yearly IT freeze makes a lot of sense for retailers, right up until it doesn't. 'Obviously the busiest period of sales should not be the time to replace point of sale systems, upgrade databases, or introduce new store systems as the disruption introduced would result in little positive benefit.
'On the other hand, most retailers have abysmal internal IT security that is just waiting to be exploited by criminals. The introduction of appropriate and necessary technology and processes would have little to no visible impact to sales as security can be introduced quickly and transparently, with no significant negative consequences. This is assuming that the correct technology is selected and it is effectively totally automated, mature and scalable to the retailer’s environment with no significant interruptions.'
Tripwire’s Ken Westin had a bleaker view: 'I would be willing to bet that criminal syndicates have already compromised retail computer networks in anticipation of holiday shopping season.'
Tim 'TK' Keanini, CTO of Lancope, shared the sentiment: 'Attackers don’t wait until the holiday season to compromise large retailers; the attack campaign begins months and even years prior. The penetration of the network and devices happens long before the holiday season and their game becomes remaining undetected as they steal data that can be monetised. This holiday season, we might even see some ransomware attacks as attackers become bolder and bolder when they are not met with a challenge.'
With that in mind, what can and should retailers be doing to protect themselves and their customers?
Make a list, check it twice
Preparation should be the main priority, all of the security professionals agreed.
'It is also a good time to complete refreshers of employee security training, review/test incident response processes, review decision making processes around new/emerging threats, conduct security reviews and testing, baseline system configurations within key environments, identify key 3rd parties to supplement capability and dedicate time to searching for compromises that might already have occurred,' said MWR's Ruks.
Deepen Desai, head of security research for Zscaler, said that 'the main incentive for businesses to adapt to a more proactive strategy is to prevent huge financial losses and safeguard customer loyalty.' He pointed to the shift to EMV chip-based payments as one such proactive move.
'Retailers have started upgrading the Point of Sale terminals to support EMV chip enabled cards more aggressively in the wake of large breaches and also because of the new Counterfeit Card Liability Shift policy that will become effective in October, 2015,' he said. 'While it is important for retailers to upgrade their terminals to EMV standard, it is equally important for the consumers to ensure that their credit cards are upgraded and have the EMV chip (small, metallic square on the front of the card).
'The EMV card chip creates a unique transaction code for every payment, which cannot be used again. This will not prevent large scale breaches but it will make the stolen information less profitable for the attackers and also significantly reduce counterfeit credit card fraud. The United States has been one of the last major countries to adapt EMV.'
James of ESET said that 'having the latest anti-virus installed is a great start and coupled with good practices and user education will go a long way in spotting attempted and unsuccessful attacks.'
'It is important to not just rely on signature based detection and perimeter defences, but also look for anomalous behaviour inside the network. Identify indicators of compromise such as credit card numbers appearing on systems or transmitted across the network, and pay special attention to any configuration or other changes to point-of-sale systems,' continued Westin from Tripwire.
'The latest Microsoft Schannel vulnerability (CVE-2014-6321) should also be a cause for concern; although there have been no reports of any exploits, it is only a matter of time. If retailers have not already patched their systems, they should do so with haste before putting a freeze in place, particularly web and email servers first, followed by internal networks.'
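Westin's advice to watch for card numbers appearing on systems or crossing the network can be turned into a simple detective control. The following is an added example, not code from the article or from Tripwire: it scans constructed POS-style log lines for primary account numbers (PANs), uses the Luhn mod-10 check to separate real card numbers from order ids and tracking numbers, and reports only a masked form of each hit (first six and last four digits, as PCI DSS permits for display).

```python
import re

# Candidate PANs: 13 to 19 digits, optionally split into groups by a single
# space or dash. Deliberately loose; the Luhn check below does the filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in one line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep first six and last four digits, which PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_lines(lines) -> list:
    """Return (line_number, masked_pan) for every line that leaks a PAN."""
    return [(n, mask(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]

# Constructed sample log lines (not real data). Line 1 carries a 16-digit
# order id that fails Luhn; line 3 a carrier tracking number; lines 2 and 4
# carry industry test card numbers in cleartext, which is what we want flagged.
SAMPLE_LOG = [
    "2014-11-28 09:14:02 pos-07 txn ok order=4415329870112345 amt=59.99",
    "2014-11-28 09:14:05 pos-07 debug track2=4111111111111111=1512101...",
    "2014-11-28 09:15:11 web-02 ship tracking 1Z999AA10123456784",
    "2014-11-28 09:16:40 pos-03 debug pan=5555 5555 5555 4444 exp=1612",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: cleartext card number {masked}")
```

The same `find_pans` function can be run over a packet capture's reassembled payloads or over files on a POS host; a PAN showing up anywhere outside the payment application's encrypted path is the indicator Westin describes.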
Barry Shteiman urged companies to harden their online defences, saying that 'companies who are expecting a surge in online activity are to prepare in advance by hardening systems, testing them, patching them and of course putting in compensating controls such as web application firewalls and DDoS mitigation engines in order to absorb zero-day attacks and volumetric attacks and still serve customers – minimising the risk of a breach.'
Inside and out
Kevin Epstein, VP of Information, Assurance and Governance at Proofpoint, said: 'In a cloud-based world, the concept of an operational freeze has different connotations. Are your social media venues covered? What about inbound email? Holiday shopping season’s internal operational freeze should free up resources to focus on external challenges, and it may be exactly the 'right' time to test external SaaS solutions for phishing and social media security; such filters can be simply turned on or off, so there’s minimal risk, and they add substantial protection to the infrastructure not under IT’s direct control.'
Should a breach occur, Ruks recommended that retailers 'ensure the execs remain briefed using language they understand about the 'on the ground' situation and maintain communication and situational awareness between key teams in the business.'
AlienVault's Gross suggested that retailers share the love by exchanging threat data with other retailers. 'Retailers are increasingly sharing threat data, which can help a great deal with attacks that tend to be the same across all Point of Sale (POS) terminals. With the commonality of attacks, this threat sharing may be extremely valuable to retailers.'
Finally, Keanini said that it's not just companies that have a role to play. 'As individuals and shoppers, we must perform our part, too,' he said. 'Online commerce depends on individual shoppers not being hacked too. Check your statements, don’t click on unverified links, and make your new year’s resolution to practice these safe online habits all year long.'
Perhaps Philip Lieberman summed it up best: 'There is no logic in the argument: now is not a good time to secure our environment. For every day that security is weak, you have another day that your company can be exploited by criminals and nation states. There is no holiday season in cyber-security.'