How security-wary retailers can prepare for the holiday season

Nuspire Jared1

10/15/2014

Original article: http://www.net-security.org/article.php?id=2145&p=1

Retailers are beside themselves with worry as the spate of data breaches among them continues. With Black Friday approaching, what can retailers still do to protect themselves from these cybercrooks?

While it may be too late for retailers to do anything major with their IT platform, network and infrastructure to protect them substantially from this year’s anticipated denial of service (DoS) attacks, there are some actions IT teams can take.

While some of these actions may seem simplistic, these last-minute initiatives could make a difference when it comes to keeping company and customer information secure:
  • Train employees who will likely do their own online shopping during breaks on how to surf the net safely. Teach them how to spot malicious content and what methods hackers usually use to invade a data network.
  • Simply prohibit employees from using the company laptops and other network devices during this most important buying season of the year.
  • If a retailer has a firewall system that filters out websites, allow access to trusted ones and prevent access to those that aren’t.
  • Employ application whitelisting. This practice lists those apps that have been granted permission. When an application attempts to execute, it’s checked automatically against the list and is allowed to run if found on it. An integrity check monitor is generally added to make sure that the app is, indeed, the approved program and not a malicious one. It’s advised to install it on each point-of-service terminal.

Thinking long term – to Black Friday 2015

Even though this holiday shopping season has yet to begin, IT teams should already be planning for Black Friday 2015 and next year’s holiday shopping season.

Several important protective initiatives can help protect against hacking, and some will require capital expenditures, depending on how extensive a proactive stance the company wants to take.

Let’s consider application whitelisting a bit further. A retailer that wants it implemented on its file share servers, Point-of-Sale terminals and the like will have to deal with a vendor that specializes in it, and there are notable ones that can furnish apps for Windows-based environments and Apple’s system. This process will also require some time to find the appropriate vendor and system to use. 
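The check that application whitelisting performs (list lookup first, then an integrity check on the file itself) can be sketched as follows. This is an added example, not code from the article or from any vendor product; the function names, file names and list format are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_execution(path, allowlist):
    """Return (allowed, reason) for a program that is about to execute.

    allowlist maps a canonical path to the SHA-256 recorded at approval time.
    """
    real = os.path.realpath(path)  # resolve symlinks and ../ components
    expected = allowlist.get(real)
    if expected is None:
        return False, "not on allowlist"
    try:
        actual = sha256_file(real)
    except OSError:
        return False, "unreadable"
    if actual != expected:
        # Listed name, different content: the integrity check catches it.
        return False, "integrity check failed"
    return True, "approved"

def demo():
    """Constructed sample: three stand-in 'programs' in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "pos_app.bin")
        tampered = os.path.join(d, "receipt_printer.bin")
        unknown = os.path.join(d, "unlisted.bin")
        for p, body in ((approved, b"pos v1"), (tampered, b"printer v1"), (unknown, b"x")):
            with open(p, "wb") as fh:
                fh.write(body)
        allowlist = {os.path.realpath(p): sha256_file(p) for p in (approved, tampered)}
        # Simulate a listed file being replaced after it was approved.
        with open(tampered, "wb") as fh:
            fh.write(b"printer v1 + modified")
        for name, p in (("approved", approved), ("tampered", tampered), ("unknown", unknown)):
            results[name] = check_execution(p, allowlist)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

A path-only list would have let the modified file run; recording the hash at approval time is what makes the second check meaningful.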

Encrypting stored data also can help immensely; it requires an encrypted card reader to handle the chore. But encryption isn’t really meant to keep hackers out. Rather, a well-designed and executed encryption program can make sure that hackers can’t use what they steal unless they have a decryption key. 

A good defense: Multifactor authentication

Another excellent defense action involves setting up multifactor authentication. It requires users to present two or more independent authentication factors: something only they know, something only they have and/or something only they are. 

Each factor must be validated before it can be authenticated. For that, a key is used. It can be a series of unique characters generated from unique information provided, or random characters. It might be a time-stamp or a key bought with a video game or other product.

Where cloud computing is concerned, multifactor authentication has become increasingly popular after this summer's collapse of cloud code hosting service Code Spaces in the wake of a successful attack on its cloud control panel. The attacker apparently got his hands on an employee’s login credentials for the company’s cloud computing control panel.

Also available today are threat prevention platforms that deliver multivector threat intelligence and the ability of the component parts of a system to operate together successfully. These platforms go beyond conventional antivirus and anti-malware defenses and enable quick detection, validation and response to DoS attacks. As a result, they create a protective fabric across an enterprise to stop cyber-attacks. 

For a long-term security program, retailers and their IT professionals really should peruse the SANS Institute’s 20-point Critical Security Controls for Effective Cyber Defense. These aren’t steps that can be taken quickly but they certainly can be ready for the 2015 holiday season.

Among the 20 points covered are:

  • Inventory of authorized and unauthorized devices
  • Inventory of authorized and unauthorized software
  • Secure configurations for hardware and software on mobile devices, laptops, workstations and servers
  • Continuous vulnerability assessment and remediation
  • Wireless access control
  • Security skills assessment and appropriate training to fill gaps
  • Boundary defense
  • Maintenance, monitoring and analysis of audit logs
  • Incident response and management
  • Secure network engineering
  • Penetration tests and red team exercises.

What’s clear is that retailers should begin now, if they haven’t already, to adopt a continuous threat-protection program. Such a plan gives a retailer the ability to detect threats in real time and to decrease the time to contain and react to the threat.