The holiday retail “freeze” is underway, which means that any security upgrades or technology additions for retailers are put on hold until after the busy holiday shopping season. For the next few weeks, only critical security patches will get installed.
In this article, the security industry reacts to this annual practice and gives advice on how retailers can take a less-than-ideal security situation and get the best possible outcome, that is, avoiding a data breach.
The holiday season is retailers’ busiest time of year, with an estimated one-fifth of the year’s shopping taking place between November and December in the UK and over half of online retailers expecting to achieve 20% growth, according to IMRG. But during this time, retailers arguably face a more difficult problem with IT than other industries for many reasons.
“Retailers have a huge network of widely distributed systems with many locations, not to mention online retail websites. All of this equates to many points of attack. Cash registers and POS systems are networked computers, so compromising them can compromise the entire infrastructure,” said Garrett Gross of AlienVault. “There is also the issue of short tenured employees who have little to no security training. Combine this with the vast amounts of sensitive customer information and card data they handle, and it’s not hard to see why catastrophic breaches like Target and Home Depot have occurred.”
Featured Download: Social media access at work. Do your employees know the rules?
Yet, for retailers the main challenge and priority is staying “available” to customers, whether it is for online or in-store purchases. This narrow focus is something that Alert Logic’s Richard Cassidy says can be somewhat of an oversight.
“At executive level, service availability translates to transactions, which in turn relates to revenue growth,” he explained. “However, executives often neglect the wider collateral damage that can be caused by a data breach, not only in terms of brand damage but also in the resultant fall of consumer confidence and any remediation activities required (legal and operational) to mitigate those losses.
“In this respect, surely ’security’ is true availability. Acknowledging this, organisations need to understand that ‘change-control freezes”’only serve to reduce the focus on security,” Cassidy continued.
Tim Erlin, director of security and risk at Tripwire, agreed. “The concept of a holiday IT freeze is outdated in today’s world, and while many retailers implement such a ‘freeze,’ there should be exceptions when it comes to areas that support the business. Security should certainly be one of those exceptions.”
Martyn Ruks, technical director at MWR InfoSecurity, said that “decisions around what the retail freeze looks like need to be driven by the maturity of the organisation. There also needs to be cases where exceptions can be made based on a clear understanding of potential risks and threats to the retailer along with the detective and reactive measures in place to combat the greatest risks.”
Barry Shteiman, director of security strategy at Imperva, took a somewhat more sympathetic view. “During a shopping season, the dilemma of ‘security vs. availability’ becomes especially hard because companies have to decide whether or not they are willing to take the risk of downtime and losing business vs. a potential breach. Therefore, preparation is key.”
However, Mark James, security specialist from ESET, argues that there is never a convenient time to put a “freeze” on security updates, stating, “The customer’s private data should always be a priority, even above profits. Freezing security updates not only puts the customer’s data at risk; it also jeopardises the company’s own data.”
Phil Lieberman of Lieberman Software said the funny thing about the yearly IT technology season freeze for retailers makes a lot of sense – except it doesn’t. “Obviously, the busiest period of sales should not be the time to replace point of sale systems, upgrade databases, or introduce new store systems as the disruption introduced would result in little positive benefit.
“On the other hand, most retailers have abysmal internal IT security that is just waiting to be exploited by criminals. The introduction of appropriate and necessary technology and processes would have little to no visible impact on sales, for security can be introduced quickly and transparently with no significant negative consequences. This is assuming that the correct technology is selected and is effectively totally automated, mature, and scalable to the retailer’s environment with no significant interruptions.”
Tripwire’s Ken Westin, meanwhile, had a bleaker view: “I would be willing to bet that criminal syndicates have already compromised retail computer networks in anticipation of the holiday shopping season.”
Tim “TK” Keanini, CTO of Lancope, shared Westin’s sentiments: “Attackers don’t wait until the holiday season to compromise large retailers; the attack campaign begins months and even years prior. The penetration of the network and devices happens long before the holiday season, and their game becomes remaining undetected as they steal data that can be monetised. This holiday season, we might even see some ransomware attacks as attackers become bolder and bolder when they are not met with a challenge.”
With that in mind, what can and should retailers be doing to protect themselves and their customers?
Preparation should be the main priority, all of the security professionals agreed.
“It is also a good time to complete refreshers of employee security training, review/test incident response processes, review decision making processes around new/emerging threats, conduct security reviews and testing, baseline system configurations within key environments, identify key third parties to supplement capability, and dedicate time to searching for compromises that might already have occurred,” said MWR’s Ruks.
Deepen Desai, head of security research for Zscaler, said that “the main incentive for businesses to adapt to a more proactive strategy is to prevent huge financial losses and safeguard customer loyalty.” Therefore, a shift to EMV chip-based payments is a good move.
“Retailers have started upgrading the Point of Sale terminals to support EMV chip enabled cards more aggressively in the wake of large breaches and also because of the new Counterfeit Card Liability Shift policy that will become effective in October, 2015,” he said. “While it is important for retailers to upgrade their terminals to the EMV standard, it is equally important for consumers to ensure that their credit cards are upgraded and have the EMV chip (a small, metallic square on the front of the card).”
“EMV card chips create a unique transaction code for every payment and cannot be used again. This will not prevent large scale breaches, but it will make any information stolen less profitable for the attackers and will also significantly reduce counterfeit credit card fraud. The United States has been one of the last major countries to adapt EMV.”
James of ESET said that “having the latest anti-virus installed is a great start. When coupled with good practices and user education, it can go a long way in spotting attempted and unsuccessful attacks.”
“It is important to not just rely on signature based detection and perimeter defences,” continued Westin from Tripwire. “We must also look for anomalous behaviour inside the network. This involves identifying indicators of compromise such as credit card numbers appearing on systems or transmitted across our networks. Additionally, we must pay special attention to any configuration or other changes to point-of-sale systems.”
“The latest Microsoft Schannel vulnerability (CVE-2014-6321) should also be a cause for concern. Although there have been no reports of any exploits, it is only a matter of time. If retailers have not already patched their systems, they should do so with haste before putting freeze in place, particularly web servers, email servers, and internal networks.”
Barry Shteiman urged companies to harden their online defenses, saying that “companies who are expecting a surge in online activity are to prepare in advance by hardening systems, testing them, patching them, and of course putting in compensating controls such as web application firewalls and DDoS mitigation engines in order to absorb 0day attacks and volumetric attacks as well as still serve customers, thereby minimising the risk of a breach.”
Kevin Epstein, VP of Information, Assurance and Governance at Proofpoint, surmised that neglecting cloud-based operations like social media and email is also a vital mistake.
“In a cloud-based world, the concept of an operational freeze has different connotations,” he said. “Are your social media venues covered? What about inbound email? Holiday shopping season’s internal operational freeze should free up resources to focus on external challenges, and it may be exactly the ‘right’ time to test external SaaS solutions for phishing and social media security. Such filters can be simply turned on or off, so there’s minimal risk, and they add substantial protection to the infrastructure not under IT’s direct control.”
Should a breach occur, Ruks recommends that retailers “ensure the execs remain briefed using language they understand about the ‘on the ground’ situation and maintain communication and situational awareness between key teams in the business.”
Meanwhile, AlienVault’s Gross suggests that retailers share the love and make sure they are sharing threat data with other retailers. “Retailers are increasingly sharing threat data, which can help a great deal with attacks that tend to be the same across all Point of Sale (POS) terminals. With the commonality of attacks, this threat sharing may be extremely valuable to retailers.”
Finally, Keanini said that it’s not just companies that have a role to play. “As individuals and shoppers, we must perform our part, too,” he said. “Online commerce depends on individual shoppers not being hacked too. Check your statements, don’t click on unverified links, and make your new year’s resolution to practice these safe online habits all year long.”
Perhaps Philip Lieberman summed it up best: “There is no logic in the argument: now is not a good time to secure our environment. For every day that security is weak, you have another day that your company can be exploited by criminals and nation states. There is no holiday season in cyber-security.”