Must do more to protect

by Mark Rowe

Retail security must reach beyond compliance, writes Reuven Harrison, of Tufin Technologies.

The past year has seen a growing number of high-profile retailers suffer serious data security breaches. In the biggest attack, hackers made off with 40 million customer credit card records from US retail giant Target after stealing access credentials from one of its trusted supplier partners.

Similarly, luxury goods retailer Neiman Marcus failed to prevent the loss of 350,000 customers’ card details, many of which have since been used fraudulently. And UK kitchenware supplier Lakeland hit the headlines after falling victim to a hack that resulted in attackers accessing two encrypted databases (although the company maintains there’s no evidence that hackers managed to unscramble the data and steal card details).

These attacks, and others like them, serve to highlight that retailers must do far more to protect their systems and customers’ sensitive data. All three were certified as compliant with the Payment Card Industry Data Security Standard (PCI-DSS), which seeks to ensure the security of credit card data, yet this clearly wasn’t sufficient.

The bad news is we are likely to see many more high-profile hacks. While it’s by no means only retailers who will be affected, the sector probably faces a greater risk than most. According to IT security commentator Brian Krebs, retailers are the ‘wildebeests of the digital savannah’ – easy prey for cybercriminals to sink their teeth into. He notes a three-year study by Verizon Enterprise Solutions found that only 5 per cent of retailers managed to detect breaches through their own monitoring, compared to an average of 31 per cent across all sectors (itself a woefully inadequate number).

This is certainly borne out by the Target and Neiman Marcus breaches. In both cases, security monitoring systems generated multiple alerts of a potential attack, and in both cases these were ignored or went unnoticed. Indeed, Target admitted it had turned off alerting because it hampered maintenance.

The complexity of large retailers’ networks – and the growing need to move, analyse and process customer data across a variety of in-house systems, virtualised servers, cloud providers, third-party systems, desktops and mobile devices – means there are myriad potential points of security failure. Any change to a system or application can open up new vulnerabilities. Simply achieving a tick in the box for PCI-DSS compliance is not enough to guarantee ongoing data security. Although the latest version of the standard (3.0) is more rigorous than in the past, it needs to be seen as a starting point, not an endgame.

First, compliance standards will always lag some way behind the ever-evolving threat landscape. Attacks are becoming more sophisticated all the time, as evidenced by the Ke3chang hack that used a variety of devious and hard-to-detect methods to target public and private sector organizations over a three-year period.

Second, while PCI-DSS gives organisations an opportunity to periodically review their processes and policies, it doesn’t assure that they are being implemented properly and enforced on a continuous basis. In practice, there may be a gap between successfully passing an audit and actually implementing good network segmentation, enforcing access controls on firewalls and other devices, and documenting network changes together with their business application context.

In the retail industry especially, there will always be commercial pressures to introduce new and enhanced applications, services and capabilities, while security will often be treated as an afterthought. While PCI-DSS 3.0 puts a greater focus on the need to view security as ‘business as usual’ rather than as a compliance exercise, it is down to individual organisations to ensure they put in place the appropriate tools and mechanisms to achieve this.

As companies’ network environments grow ever more complex and segmented, and the frequency of application and system changes accelerates, it has become nearly impossible to effectively monitor and manage overall system security using traditional manual methods. Companies must therefore ensure they implement security policy orchestration solutions that understand how networks are segmented and how information flows across those segments, so that unwanted access into a sensitive network segment can be prevented.

Effective solutions can automate much of the process by monitoring the effect of any application and system change on network security, flagging up potential violations, and amending firewall rules and security device settings accordingly.
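To make the kind of check such a solution performs concrete, here is an added example in Python; it is not from the article or from Tufin’s products. It flags proposed firewall rules that would open a cardholder-data segment to a zone or port the segmentation policy does not permit; the zone layout, addresses and rules are constructed for illustration.

```python
# Added example: toy segmentation-policy check for proposed firewall rules.
# Zones, policy and rules below are constructed, not taken from any real network.
from dataclasses import dataclass
from ipaddress import ip_network

# Network zones, keyed by name (constructed sample layout)
ZONES = {
    "cardholder": ip_network("10.10.0.0/16"),   # PCI-scope cardholder data segment
    "corporate":  ip_network("10.20.0.0/16"),
    "vendor_vpn": ip_network("172.16.0.0/12"),  # third-party supplier access
    "internet":   ip_network("0.0.0.0/0"),
}

# Segmentation policy: for each protected zone, the source zones and ports allowed in
POLICY = {
    "cardholder": {"corporate": {443}},  # only HTTPS from corporate may reach the CDE
}

@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # destination port
    action: str  # "allow" or "deny"

def zone_of(cidr):
    """Most specific zone that wholly contains the network, or None."""
    net = ip_network(cidr)
    matches = [z for z, n in ZONES.items() if net.subnet_of(n)]
    return min(matches, key=lambda z: ZONES[z].num_addresses) if matches else None

def check_change(rules):
    """Return a violation string for every allow rule that opens a protected
    segment to a source zone/port combination the policy does not permit."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if dst_zone not in POLICY:
            continue  # destination is not a protected segment
        allowed_ports = POLICY[dst_zone].get(src_zone, set())
        if r.port not in allowed_ports:
            violations.append(f"{r.src}->{r.dst}:{r.port} opens {dst_zone} to {src_zone or 'unknown'}")
    return violations

# Constructed change set: two of these rules would breach the segmentation policy
PROPOSED = [
    Rule("10.20.5.0/24", "10.10.1.0/24", 443, "allow"),    # corporate HTTPS into CDE: permitted
    Rule("172.16.4.0/24", "10.10.1.0/24", 5900, "allow"),  # vendor VPN into CDE: violation
    Rule("0.0.0.0/0", "10.10.2.0/24", 22, "allow"),        # internet into CDE: violation
    Rule("0.0.0.0/0", "10.20.0.0/16", 80, "allow"),        # corporate web: not a protected segment
]

if __name__ == "__main__":
    for v in check_change(PROPOSED):
        print("VIOLATION:", v)
```

Run against a change request before it is applied, this kind of check turns the article’s ‘flagging up potential violations’ into a gate rather than an after-the-fact audit finding.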

And the cost of failing to act could be far worse than a rap on the knuckles from the regulator or a flurry of negative press. Both Target and Neiman Marcus, for example, are being sued by customers whose data they lost, and Target reported a 16 per cent ($440 million) drop in profits in the quarter following its breach.

Visit www.tufin.com.

© 2024 Professional Security Magazine. All rights reserved.