Security experts’ advice for securing retail business during critical holiday shopping rush

HP security experts interviewed


John Pirc is Director of Security Intelligence at HP. He is an accomplished author, having published two books on security best practices, and a global speaker who has lectured at the US Naval Postgraduate School. John has worked with the Central Intelligence Agency in cyber security and holds NSA-IAM and CEH certifications.

Stuart McIrvine is Director of Product Management for HP’s Enterprise Security Products. With over a decade of experience in public and private security environments, Stuart has led overall security strategy for leading technology companies. He was interviewed on ABC News alongside Howard Schmidt, President Obama’s Chief Security Advisor. Justin Harvey is HP’s Chief of Solution Strategies. As part of HP’s pioneering Security Intelligence & Operations Consulting (SIOC) team, Justin has led the response team at some of the largest breaches. He is typically called in to identify the breach, determine actions to prevent further attacks, and set up a Security Operations Center (SOC).

Jacob West is CTO for Fortify Products at HP. He is an expert on software security with extensive knowledge about how real-world systems fail. In 2007, Jacob co-authored the only comprehensive guide to static analysis for security, showing developers how to avoid the most dangerous vulnerabilities in code.

Ted Ross is Executive Technologist at HP Security’s Office of Advanced Technology. This team monitors the threat landscape, guides customers, and provides first response during security events.  Ted has consulted with HP’s largest customers, government agencies, and service providers and brings retail experience having been Strategy Architect for Wal-mart.   


Security is an ongoing process, not a seasonal event. Yet the holiday shopping season brings with it heightened challenges for security and risk management, some of which are unique to the retail industry. The holidays bring three main areas of concern: shopping volumes (both online and in store), seasonal (temporary) employees, and the generally greater risk of attack combined with the greatest potential business impact.


When asked, “Should you be prepared?”, all companies will say “yes”. But when asked, “What have you done to prepare?”, the response is less consistent. Most retailers freeze IT changes during November and December to minimize risk to sales. However, this also makes them less nimble in the face of new security attacks. So by now, mid-November, retailers should have ensured that their client-facing assets are secure against common attacks and that security mitigation devices are up to date and deployed in the correct areas of the network. They should also have ensured PCI compliance. But how much security is enough, and what can still be done this late in the game?


Shopping volumes


Stuart McIrvine points out that increased volume creates a prime opportunity for denial of service attacks: the attack builds on top of already high volume, so it is more likely to succeed, and the potential impact of business disruption is even greater. In addition, the larger transaction volume makes it easier to steal large volumes of credential or credit card data. John Pirc adds that an adversary targeting your infrastructure would likely have penetrated it and dropped their exploits well before the holiday season is in full motion. For the attacker wanting to move large volumes of data, why not do it when there is an expected increase in network traffic? The exploit that is sending data will not likely trigger any bandwidth thresholds, as the company is expecting high volumes and the hacker’s traffic will blend in.


In addition to transaction volumes, backup volumes are increased as well.  If backups are lost, but encrypted, there is no requirement to report.  If they are not encrypted, reporting such loss can significantly tarnish brand image and damage customer confidence during the critical holiday shopping season.


Justin Harvey reminds retailers of three equally important principles of security: confidentiality (protecting your data), integrity (ensuring that it hasn't been tampered with), and availability (ensuring that the data and systems are available for use).  Sometimes security is not just about protecting your data, it could mean ensuring uptime on key revenue systems. 


During the holidays, there is increased overall activity, with people going to more sites; there is more first-time use and more new passwords are created. Because of the holiday frenzy, consumers may be less tuned in to security risks and therefore more susceptible to attack. And given that a common mistake is using one password at multiple sites, this creates a prime opportunity for thieves to obtain login credentials that could be used elsewhere.


Statistics from the BIGinsight™ Monthly Consumer Survey, October 2004-2012, reinforce the expected high volumes of online transactions and the potential for more novice users exploring unfamiliar sites.

  • Most of those surveyed plan to make 26-50% of their purchases online; nearly ¼ will do >50% of their shopping online;
  • 60% of adults will do 10-75% of their shopping online; 54.3% of seniors (65+) will buy up to 50% online;
  • 46% of those surveyed own a smartphone; of those, 15% will use their smartphone to make purchases.


Not only is online shopping a cornerstone of holiday shopping, but a rather substantial number of people are shopping via mobile phone.  Securing those transactions should be an important part of an overall security plan.  Combined with the larger attack surface created by social media engagement, retailers are challenged to continually evaluate their security operations strategy.


Seasonal employees


The holiday surge requires temporary staff.  According to the National Retail Federation, nearly all retailers polled (96.6%) utilize background screening as part of their applicant hiring process.  However, the holiday rush may cause normal processes to be short-cut.  Retailers should be especially vigilant for insider threats.  HP security experts advise the following:

  • Be mindful when provisioning and deprovisioning employees. Stuart McIrvine cautions not to short-cut on the group used: add them to the group with minimal access specific to their job. When they leave or change jobs, be sure they are removed or their group is updated accordingly.
  • Have a team trained in insider threats and prepared to handle any increase in holiday incidents.
  • John Pirc advises making sure temporary staffers know and understand security policies. Policies must be clear on things like how to handle attachments, personal email at work, use of Dropbox, social media, etc., and also the ramifications of non-compliance. Educate all employees on current risks like social engineering and phishing.


Holiday risk environment


Given the chief focus on sales, security may take a back-seat.  And with security staff taking vacation too, while the cat is away, the mice can play.  But once we are into the lock-down season, what can still be done?


Justin Harvey cautions retailers to stay vigilant – know what to monitor and have key security indicators/metrics.  Examples of what to look for might include:

  • High-risk users with suspicious activity
  • Failed authentication attempts or brute force
  • High-volume traffic without successful transactions (could be a distributed denial of service attack)
  • Systems behaving in a new manner or communicating with other unrelated servers on the network
  • Public-facing servers with unusual load behavior or outbound web traffic (could be APT)
  • Servers scanning other servers
  • Access during off hours.
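As an added example (not code from the article or from HP), the following Python script runs several of the indicators above over constructed sample authentication and checkout log lines: repeated failed logins from one source, a successful login right after such a burst, logins during off hours, and checkout traffic from a source that never completes a transaction. The log format, the thresholds and the off-hours window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article). Assumed format:
# "<date> <time> <user> <source_ip> <event> <outcome>"
SAMPLE_LOG = """\
2012-11-20 02:14:05 jdoe 203.0.113.7 login FAIL
2012-11-20 02:14:07 jdoe 203.0.113.7 login FAIL
2012-11-20 02:14:09 jdoe 203.0.113.7 login FAIL
2012-11-20 02:14:11 jdoe 203.0.113.7 login FAIL
2012-11-20 02:14:15 jdoe 203.0.113.7 login OK
2012-11-20 03:05:40 seasonal17 10.0.0.42 login OK
2012-11-20 10:22:01 asmith 198.51.100.9 login OK
2012-11-20 10:22:30 asmith 198.51.100.9 checkout OK
2012-11-20 10:23:00 guest 198.51.100.20 checkout FAIL
2012-11-20 10:23:01 guest 198.51.100.20 checkout FAIL
"""

BRUTE_FORCE_THRESHOLD = 4  # failed logins from one source before alerting (assumed)
OFF_HOURS = range(0, 6)    # 00:00-05:59: no scheduled staff access (assumed policy)

def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed for hour checks."""
    date, time, user, src, event, outcome = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "user": user, "src": src, "event": event, "outcome": outcome}

def find_indicators(log_text):
    """Return a sorted list of (indicator, subject) pairs found in the log."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failed_logins = Counter()          # source IP -> failed login count
    checkouts = defaultdict(Counter)   # source IP -> {"OK": n, "FAIL": n}
    alerts = set()
    for r in records:
        src = r["src"]
        if r["event"] == "login" and r["outcome"] == "FAIL":
            failed_logins[src] += 1
        elif r["event"] == "login" and r["outcome"] == "OK":
            if failed_logins[src] >= BRUTE_FORCE_THRESHOLD:  # success after a burst
                alerts.add(("brute_force_then_success", src))
            if r["ts"].hour in OFF_HOURS:
                alerts.add(("off_hours_access", r["user"]))
        elif r["event"] == "checkout":
            checkouts[src][r["outcome"]] += 1
    for src, n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.add(("brute_force", src))
    for src, c in checkouts.items():   # repeated checkout traffic, no completed sale
        if c["OK"] == 0 and c["FAIL"] >= 2:
            alerts.add(("volume_without_transactions", src))
    return sorted(alerts)
```

In a real deployment the same checks would run in a SIEM over the full feed, with the off-hours window and thresholds tuned per store and per system.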

In addition, Justin Harvey urges retailers to have a security response program in place to make certain the response is not worse than the event.  For instance, if there's a Distributed Denial of Service attack, what are the steps needed to correct this?  Who do you call?  What information is given?  Consider both successful and attempted attacks. 


  • Discuss who is doing what in the event of an attack. The planned response must include not only IT but also HR, Legal, Operations, Business Unit Leaders, business application owners, PR, etc.
  • Ensure everyone public-facing knows the response and who is the designated voice.
  • Prepare multiple incident responses for varying incidents: trivial, minor, major, catastrophic.
  • Ensure development, quality, information security and operations have a quick deployment cycle planned, prepared and rehearsed.
  • Start preparing for next year. Development cycles (requirements, code, validate, release, deploy) require time and effort beyond what is available during the holidays.


No business is too small to have a response plan in place.  And Jacob West reminds retailers to learn from past mistakes: If particular problems have cropped up in past holiday shopping seasons, incorporate a direct response in processes this time around. If problems still happen, be sure to understand and document what went wrong to avoid them next year.


Lessons Learned


As first responders, these security experts see the worst attacks and common mistakes.  Retailers can learn from these experiences.  Their chief advice?


1. Assess vulnerabilities. Stuart McIrvine:

  • Conduct a scan
  • Identify where your systems are most vulnerable and where sensitive data is stored
  • Include temporary/seasonal infrastructure and wireless network encryption
  • Check configurations on hard controls like firewalls and the identity and access management system.

2. Pay special attention to custom code

  • Jacob West: Custom landing pages and other newly developed functionality are notorious openings for hackers to exploit because they are often developed in a hurry with less focus on process. Attackers often target discount codes and other types of special pricing opportunities to take advantage of retailers, so pay extra attention to these areas.
  • Ted Ross: Today most attacks focus on the application layer: custom-built applications, portals and websites. Static and dynamic code analysis tools reveal that 75% of custom applications are vulnerable. Retailers need analysis tools to assess vulnerabilities and block exploits while the systems are in production. Passing a PCI audit does not necessarily address this issue.

3. PCI compliance is not enough

Stuart McIrvine and John Pirc agree with Ted. Continuous monitoring and evaluation are needed and must go beyond ‘checking the box’. A case in point: Hannaford Bros had a breach resulting in the exposure of 4.2 million credit cards after passing their PCI compliance audit.


4. During lock-down, use network filters to block new threats

Ted Ross: The use of a network security product to identify and protect against new threats without bringing down production systems is imperative. The holidays are an ideal time for attackers to exploit zero-day vulnerabilities. Security systems must be able to adapt to new zero-days that are found even during the production lockdown.


Advice for Next Year


Consider the use of automation, such as HP TippingPoint, which uses ZDI filters. Ted Ross explains that by using the recommended settings, users get new, automated updates to filters (even at 2am), ensuring the latest threats are blocked. In addition, a Security Information and Event Management (SIEM) system can manage the larger transaction volumes, reducing manual intervention – a critical factor during peak holiday volumes.


The recent attack on B&N POS devices reminds us that POS assets require extra attention. Several stores found maliciously modified POS devices at the checkout lines. Justin Harvey suggests retailers train store managers to look for suspicious activity regarding access to POS devices, credit card readers, PIN devices and servers at the stores. Managers should not allow anyone posing as a repair technician access to these systems without validating their identity and purpose. Additional procedures may include spot checks on POS devices to look for signs of tampering, and even weighing the device to ensure that it is the proper weight. In addition, retailers should push their suppliers to keep up to date on security trends and to keep manufacturing on-shore, or at least in first-world countries. Lastly, most self-checkout machines are Windows-based, leaving them open to the same malware as any desktop; they must be managed appropriately.


Summary


Security must be more than a seasonal focus and requires continuous assessment.  Review your most critical infrastructure components to ensure you have the right protection in the right place.  Don’t be afraid to go beyond “Traditional Security Best Practices”; look at other security technologies that complement existing security infrastructure to further reduce risk.  Consider threat intelligence and security data analysis.


Cautions and advice

  • Expect that you are already infiltrated and plan accordingly
  • Stay vigilant
  • Consider security of mobile transactions, wireless infrastructure and backup
  • Don’t short-cut processes used for temporary employees


Steps you can take during lock-down

  • Assess vulnerabilities
  • Develop a Security Response Plan


Begin planning for next year

  • Consider SIEM and other automation tools to ensure you can respond to current threats, even during the holiday lock-down
  • Go beyond PCI compliance
  • Use a multi-layered defense – applications, network, data – for greatest threat management
  • Treat POS as critical asset to be secured both electronically and physically


Companies can buy new technologies to detect threats to their environment, but having the right people on board, trained and armed with repeatable processes, is key to an effective security operations strategy. HP ESP Solutions Consulting has helped industry-leading companies worldwide build security intelligence and operations centers.


HP is a leading provider of security and compliance solutions for the modern enterprise that wants to mitigate risk in their hybrid environment and defend against advanced threats.
