For most retailers, the holiday season is easily the most profitable time of the year, bringing in huge crowds of shoppers in the last couple of weeks of the year. However, the much-anticipated holiday season is also notorious for being the season of hacking, as illustrated by several massive breaches during this period in previous years. Hence, retailers need to be on high alert, given the large volumes of purchase transactions. Recent research from security firm BitSight noted that the retail industry continues to be ranked among the most prone to attacks, partly because many retailers are still running services highly vulnerable to SSL security holes. (BitSight provides businesses with security ratings that objectively measure a company's security performance to transform the way they manage risk.) Furthermore, Verizon's Data Breach Investigations Report notes that the lion's share of confirmed data breaches is due to infected point-of-sale (POS) devices.

I would assert that retailers should not let their guard down. The motive for these attacks is simply monetary gain from stealing customer payment information. Customer data is the crown jewel of retail and is core to establishing the customer relationship. Mishandling this data jeopardizes the critical trust needed in a fickle consumer market. Most recently, the R-CISC (Retail Cyber Intelligence Sharing Center) offered some good reasons why the holiday season is a hacker's dream:
- High volume traffic can disguise the malicious behavior
- The focus is on sales and keeping the system up
- New functionality may be introduced as part of the season's promotional efforts or in response to the EMV mandate in the U.S., which can be distracting or can introduce a new threat vector
- Given the need for reliable uptime under this heavy volume, many retailers freeze their networks and systems, which prevents fixing misconfigurations or blocking bad traffic
It's clear the retail sector continues to be a strong target for cybercriminals. This is further evident in malware tailored exclusively for POS systems. The most recent, Modular POS (ModPOS), is a very sophisticated framework that is highly flexible in its evasion tactics, such as file hashes that are not detected by signature-based tools and the use of encryption to further conceal itself.

The good news is that there are important lessons to be learned from previous retail attacks. For example, Target and Home Depot did not appear to scrutinize their third-party partners. Retailers need to ensure that contractors and vendors only have access to what they truly need; network segmentation and tight authentication are a must. Another example is the eBay 2014 breach, where data protection was not implemented across all levels. At the time, customers' personal information was not encrypted, yet the breach took months to detect. Continuous monitoring of sensitive assets should also be a must-have for retailers.

Overall, in many of the retail breaches making mainstream news, cyber security was isolated as an IT issue. In reality, cyber security needs to be approached as a business issue and actively discussed in the boardroom. Be safe and best wishes for your holiday season!

Title image courtesy of ShutterStock