Target Has A Bullseye On Its Chest
January 13, 2014
When Target announced that it had suffered a major breach of approximately 40 million credit cards and 70 million customer records, the nation as a whole took a collective gasp in shock.
In the aftermath of the initial disclosure, the public then heard from Neiman Marcus that it too had suffered an electronic breach of data that may include credit cards.
These are major retailers, who unlike mom and pop shops, have security programs in their budgets and departments that are specifically tasked with managing and maintaining a secure environment.
Furthermore, both of these retailers are level one merchants which in the credit card world means that they are required by the credit card companies to bring in 3rd party assessors to validate their security, so the question on everyone’s lips is “what’s wrong with retail in America?”
However, that question is inadequate, because the issue is not limited to one vertical market. Just last year, Visa made a major announcement to the grocery industry that hackers were targeting them with malware (sounds a lot like Target).
The same issues that affected Target, will be the same ones with which every industry must contend.
The media attention to these recent breaches is understandable.
They are household names with a long history of providing goods and services. While neither breach comes close to being the largest breach of credit cards in U.S. history, the average person relates to these companies on a personal level, so the outrage caused by their announcements has captured the interest of the media and government officials alike.
At the time of this writing, Congress is calling for investigations and hearings to better understand where the security of these companies failed.
Since, as of yet, only limited data has been released on the nature of the theft and the mechanisms used to steal the data, it is only possible to describe the most critical elements that all retailers must consider when looking to secure their infrastructure.
In general terms, Target has hinted that malware, most likely a memory scraper, was responsible for intercepting credit card data from their POS system as the memory contains credit card information in clear text so that it is usable by the acquiring bank.
If we assume that a memory scraper was responsible, then there are three areas of focus that should be hardened to make data exfiltration as difficult as possible for hackers.
To begin with, the malware has to be installed onto a critical system. To do this, software has to be added to the network In the past several years, weaknesses in firewalls, or insecure remote access practices have allowed external hackers to penetrate protected systems from the Internet which in turn eventually lead to access to a company’s critical payment environment.
Therefore, knowing that your external facing firewalls limit incoming traffic to the least amount possible (while still enabling business critical functions), is the primary step in securing a network.
Along with this step is the mechanism for remote access. The Payment Card Industry Data Security Standard (PCI) lists several requirements for remote access that when implemented properly can help reduce inadequate security. (For more on PCI or to review the standard click here).
If a hacker makes it through the firewall, then the next step is to install the malicious software that can steal the payment data. This is an area where many retail environments have little in the way of adequate protection.
Some companies try to rely on anti-virus software to help prevent malware that can scrape memory. While modern anti-virus programs can detect all kinds of dangerous software including memory scrapers, the truth of the matter is that hackers are producing malicious software faster than anti-virus companies can create the mechanisms to detect them. It is therefore highly likely that anti-virus software will fail to be effective at stopping a hacker who has developed a custom piece of code to scrape memory from a retailer. Hardening the POS environment has proven to be the most effective technique when trying to prevent unauthorized software from being installed on critical systems.
There are numerous ways to accomplish this, but here is a short list of some of the most effective ones used today:
- Managing users correctly (limiting permissions, requiring strong passwords that change frequently, disabling accounts when users leave, educating users about sharing login information).
- Keeping administrative privileges to a system to programmatic elements whenever possible.
- Reviewing security logs from both the POS system and the OS on a daily basis to determine if unauthorized software has been installed.
- Use whitelist software that disallows unauthorized applications from running or being installed.
While this list is not all-inclusive, these are the measures that many companies have found to be helpful when developing a POS hardening plan.
Finally, if we simply assume that the firewall (or remote access) was inadequate to stop a hacker from entering the network and that the hacker also managed to infiltrate the POS environment with malware, there is still one area in the network which can be hardened that can help to prevent a breach of data.
That is the external access the secure environment has to the Internet.
This is the security in place at the firewall that limits what data can be sent from within the network out to the internet. Think of this as the inverse of the first requirement listed in this article which was the Internet into the network. Now we are talking about data traveling to the Internet from the network.
If history of breaches has shown us anything, it is that many organizations minimize the importance of managing data that travels from the network to the Internet. Many IT managers concentrate so much on stopping data from coming into the network, that they forget that how data leaves the network is equally if not more important.
It is clear that many retailers have recently had issues in their security programs, but since we have no inside information about their configurations, we cannot state that anything listed in this post directly reflects the processes or security that any of them had in place. Also, we have not discussed any physical security that may have played a factor in stealing data because we have only been receiving questions about electronic security.
If you are tasked with protecting your environment, think of security like an arms race with your IT departments pitted against hackers. The purpose of this post is to simply list the effective places you can beef up electronically that will pay off the most when trying to prevent a security breach.