The Importance of Information-Sharing in Countering Security Threats
The endless string of retail breaches discovered late last year and continuing through this year has everyone on edge, waiting for news of the next major retailer to be hit with somewhat mysterious POS (Point of Sale) malware.
Some of those retailers include Michaels, Target, Sally Beauty, Neiman Marcus, Smuckers and many others that are still under investigation. One has to wonder if these breaches were all occurring around the same time, or if after a few high-profile cases, closer scrutiny revealed a truth that may have been concealed for some time.
While the basics of PCI DSS compliance have been around for a while, and many different security solutions have been recommended to build a defense against these threats, there still need to be more interactive and timely discussions within the retail industry about information security.
Retail Information Sharing and Analysis Center (ISAC)
To help spread awareness and create a forum to share information about various cybersecurity threats in the retail and financial industries, the National Retail Federation (NRF) is creating an information-sharing platform in partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC), effectively named the retail Information Sharing and Analysis Center (ISAC).
The goal is simple: to help other retailers that want to implement security avoid a consumer data breach. When retailers share their findings within the retail industry, others can gain an understanding of the lessons learned about new and emerging threats. Attacks on POS vendors can often affect more than one retailer, so this type of knowledge is invaluable.
Data on retail security threats will be compiled not only by those within the industry, but also by government and law enforcement agencies, as well as partners in the financial services industry.
POS malware: How it all goes down
As the 2014 Verizon DBIR details, POS intrusions often go down in similar ways: compromise the POS device, install malware to collect magnetic stripe data from credit and debit cards, transmit the data and then cash in. But how do attackers compromise these devices?
With “little to no legwork,” that’s how. Often, the devices are publicly accessible to the Internet with no password in place, or they’re protected by weak or default passwords. Unsurprisingly, the DBIR reports that 38 percent of hacking varieties used in POS intrusions exploited stolen credentials.
For a deeper dive into the different variants of POS malware, ways they can infect systems, the type of data they steal, and how two-factor authentication could effectively thwart attackers from stealing retail company customer data, read my previous article, POS Malware: A PCI Nightmare.
To secure web-based apps that may allow attackers access into internal networks, retailers may want to review how to use a web SDK to integrate two-factor authentication with their existing logins to third-party applications, whether hosted in the cloud or on-premises. Read Target Breach: Vendor Password Exploit for more information on how you can protect your web applications.
Also, this alert from the US-CERT (United States Computer Emergency Readiness Team) details more information about malware targeting POS systems.
Security for other things...like the Internet of Things (IoT)
The retail industry isn’t the only sector that needs IT security assistance in a major way. The Internet of Things (IoT), or rather the growing number of new consumer-driven technologies and devices that connect to the Internet, requires a fair degree of security oversight as well.
Leading that discussion are the innovators behind BuildItSecure.ly, a forum to connect security professionals with IoT innovators and developers. Providing technical guidance and standards documents on mobile, cloud and network app security, the site is a springboard for the IoT industry to use as a valuable resource to integrate security best practices into product design.
Want to get involved? Reach out to Mark Stanislav and Zach Lanier if you’d like to be part of BuildItSecure.ly, and follow the initiative on Twitter.