With the holiday retail “freeze” underway, any security upgrades or technology additions are put on hold until after the busy holiday shopping season and only critical security patches get installed.
The holiday season is retailers’ busiest time of year, with an estimated one-fifth of the year’s shopping taking place between November and December in the UK and over half of online retailers expecting to achieve 20 per cent growth, according to IMRG. Yet during this period retailers arguably face a harder IT security problem than other industries, for several reasons.
“Retailers have a huge network of widely distributed systems with many locations, not to mention online retail websites which equates to many points of attack. Cash registers and POS systems are networked computers, so compromising them can compromise the entire infrastructure,” said Garrett Gross from AlienVault.
“There is also the issue of short tenured employees who have little to no security training. Combine this with the vast amounts of sensitive customer information and card data they handle, and it’s not hard to see why catastrophic breaches like Target and Home Depot have occurred.”
Yet for retailers the main challenge and priority is staying “available” to customers, whether for online or in-store purchases. This narrow focus is something that Alert Logic’s Richard Cassidy says can be something of an oversight. “At executive level, service availability translates to transactions, which in turn relates to revenue growth,” he said. “However, executives often neglect the wider collateral damage that can be caused by a data breach, not only in terms of brand damage, but in the resultant fall in consumer confidence and any remediation activities required (legal and operational) to mitigate those losses.
“In this respect, surely ‘security’ is true availability and as a result organisations need to understand that ‘change-control freezes’ only serve to reduce the focus on security.”
Tim Erlin, director of security and risk at Tripwire, agreed. “The concept of a holiday IT freeze is outdated in today’s world, and while many retailers implement such a ‘freeze,’ there should be exceptions when it comes to areas that support the business. Security should certainly be one of those exceptions.”
Martyn Ruks, technical director at MWR InfoSecurity, said that “decisions around what the retail freeze looks like need to be driven by the maturity of the organisation”. He said there need to be cases where exceptions can be made, based on a clear understanding of the potential risks and threats to the retailer, along with the detective and reactive measures in place to combat the greatest risks.
Barry Shteiman, director of security strategy at Imperva took a somewhat more sympathetic view. “During a shopping season the dilemma of security vs. availability becomes especially hard, because companies are to decide whether or not they are willing to take the risk of downtime and losing business vs. a potential breach; therefore, preparation is key,” he said.
However, Mark James, security specialist from ESET argues that there is never a good time to put a “freeze” on security updates, stating that “The customer’s private data should always be a priority, even above profits. Freezing security updates not only puts the customer’s data at risk, it also jeopardises the company’s own data.”
Phil Lieberman said the funny thing about the yearly IT technology season freeze for retailers is that it makes a lot of sense – except it doesn’t. “Obviously the busiest period of sales should not be the time to replace point of sale systems, upgrade databases, or introduce new store systems as the disruption introduced would result in little positive benefit,” he said. “On the other hand, most retailers have abysmal internal IT security that is just waiting to be exploited by criminals. The introduction of appropriate and necessary technology and processes would have little to no visible impact on sales as security can be introduced quickly and transparently, with no significant negative consequences. This is assuming that the correct technology is selected and it is effectively totally automated, mature and scalable to the retailer’s environment with no significant interruptions.”
Tripwire’s Ken Westin had a more bleak view: “I would be willing to bet that criminal syndicates have already compromised retail computer networks in anticipation of holiday shopping season.”
TK Keanini CTO of Lancope, shared the sentiments: “Attackers don’t wait until the holiday season to compromise large retailers, the attack campaign begins months and even years prior. The penetration of the network and devices happens long before the holiday season and their game becomes remaining undetected as they steal data that can be monetised. This holiday season, we might even see some ransomware attacks as attackers become bolder and bolder when they are not met with a challenge.”
With all of that in mind, what can and should retailers be doing to protect themselves and their customers? Preparation should be the main priority, all of the security professionals agreed.
“It is also a good time to complete refreshers of employee security training, review/test incident response processes, review decision making processes around new/emerging threats, conduct security reviews and testing, baseline system configurations within key environments, identify key 3rd parties to supplement capability and dedicate time to searching for compromises that might already have occurred,” said MWR’s Ruks.
“It is important to not just rely on signature-based detection and perimeter defences, but also to look for anomalous behaviour inside the network. Identify indicators of compromise, such as credit card numbers appearing on systems or being transmitted across the network, and pay special attention to any configuration or other changes to point-of-sale systems,” continued Westin from Tripwire.
“The latest Microsoft Schannel vulnerability (CVE-2014-6321) should also be a cause for concern; although there have been no reports of any exploits, it is only a matter of time. If retailers have not already patched their systems, they should do so with haste before putting a freeze in place, particularly web and email servers first, followed by internal networks.”
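The “card numbers appearing on systems, or transmitted across the network” indicator Westin describes is cheap to check for, as long as raw digit runs are filtered so that order IDs and timestamps do not drown the real hits. The following is an added example written for this article, not code from Tripwire or any other vendor quoted here: a small Python scanner that runs over constructed sample log lines (the hostnames, the `198.51.100.23` address, the order number and the test card numbers are all made up for illustration), keeps only candidates that pass the Luhn check and match a well-known issuer prefix, and flags track 2 magstripe data separately, since that is the form POS memory scrapers typically write to disk or send out.

```python
"""PAN (card number) detection over constructed sample log lines.

Added example; not code from any vendor quoted in the article.
Candidate digit runs are filtered with the Luhn mod-10 check and a small
issuer-prefix table, which removes most order IDs, timestamps and epochs.
Track 2 magstripe data (PAN=YYMM...) is flagged separately because that
is what POS memory-scraping malware usually exfiltrates.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally split by single spaces or hyphens, and not
# directly preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: PAN immediately followed by '=' and a YYMM expiry.
TRACK2_TAIL = re.compile(r"=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str):
    """Map a PAN to its issuer using well-known prefix/length rules, else None."""
    n, p2, p3, p4 = len(pan), int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "Mastercard"
    if n == 15 and p2 in (34, 37):
        return "Amex"
    if 16 <= n <= 19 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """Keep the first six and last four digits, so the alert itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    brand: str
    masked: str
    kind: str  # "track2" (PAN=YYMM... magstripe data) or "pan"


def scan_lines(lines):
    """Return one Finding per Luhn-valid, known-issuer PAN found in the lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            brand = brand_of(pan)
            if brand is None or not luhn_ok(pan):
                continue  # order IDs, epoch timestamps, random digit runs
            kind = "track2" if TRACK2_TAIL.match(line, m.end()) else "pan"
            findings.append(Finding(line_no, brand, mask(pan), kind))
    return findings


# Constructed sample lines (hosts, address, order number and card numbers
# are all made up; the card numbers are the usual public test values).
SAMPLE_LOG = [
    "2014-11-20 09:12:01 pos-reg-07 DEBUG auth req pan=4111111111111111 exp=1216 amt=49.99",
    "2014-11-20 09:12:03 order-svc INFO created order 4000123456789012 for customer 88213",
    "2014-11-20 09:12:09 pos-reg-07 DEBUG swipe ok: ;5555555555554444=2512101?",
    '2014-11-20 09:13:40 proxy INFO POST http://198.51.100.23/upload.php body="4012 8888 8888 1881|12/16|123"',
    "2014-11-20 09:14:02 pos-reg-03 DEBUG auth req pan=378282246310005 exp=0317",
    "2014-11-20 09:14:10 sync INFO last_sync=1416474850000 rows=4",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked} ({f.kind})")
```

Run as-is it reports four hits: the two cleartext PANs in POS debug logs, the Amex authorisation, and the track 2 swipe on line 3, which is the one worth paging someone for. The 16-digit order number on line 2 has a Visa-looking prefix but fails Luhn, and the epoch timestamp on line 6 has no issuer prefix, so neither is reported. In practice the same logic sits in a DLP rule, a proxy content filter or a periodic scan of POS hosts, and a hit in an outbound request body is the “transmitted across the network” case Westin is pointing at.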
Barry Shteiman urged companies to harden their online defences, saying that “companies who are expecting a surge in online activity are to prepare in advance by hardening systems”. He encouraged testing defences, patching them and putting in compensating controls such as web application firewalls and DDoS mitigation engines in order to absorb zero-day attacks and volumetric attacks to be able to still serve customers and minimise the risk of a breach.
Kevin Epstein, VP of information, assurance and governance at Proofpoint said that the holiday shopping season’s internal operational freeze should free up resources to focus on external challenges, and it may be exactly the right time to test external SaaS solutions for Phishing and Social Media security as such filters can be simply turned on or off, so there’s minimal risk. “They add substantial protection to the infrastructure not under IT’s direct control,” he said.
Should a breach occur, Ruks recommended that retailers “ensure the execs remain briefed, using language they understand, about the ‘on the ground’ situation, and maintain communication and situational awareness between key teams in the business.”
AlienVault’s Gross suggested that retailers share the love and make sure they are sharing threat data with other retailers. “Retailers are increasingly sharing threat data, which can help a great deal with attacks that tend to be the same across all Point of Sale (POS) terminals. With the commonality of attacks, this threat sharing may be extremely valuable to retailers.”
Finally, Keanini said that it’s not just companies that have a role to play. “As individuals and shoppers, we must perform our part, too,” he said. “Online commerce depends on individual shoppers not being hacked too. Check your statements, don’t click on unverified links, and make your new year’s resolution to practice these safe online habits all year long.”
Perhaps Philip Lieberman summed it up best: “There is no logic in the argument: now is not a good time to secure our environment. For every day that security is weak, you have another day that your company can be exploited by criminals and nation states. There is no holiday season in cyber-security.”