Complexity for Retailers Creates Opportunities for Attackers

The retail industry is an increasingly attractive target for criminals looking to steal large amounts of credit card data and quickly monetize it.

Recent high-profile security breaches at major retailers stem from the fact that in-store networks and their components are evolving and spawning a range of attack vectors. These networks were initially built to support Point-of-Sale (POS) systems connecting to back-end servers and the corporate wide-area network (WAN). But today, new technologies and business models are pulling retailers in multiple directions in an effort to remain competitive. In-store networks are now connecting to the Internet and other third-party networks to serve many additional uses, including:

• In-store marketing collateral or systems that allow customers to learn about special offers and product information

• Intranet and Internet access for employees

• Facility management via Internet of Things (IoT) devices connected to monitor heating, cooling, and other process control systems

• Guest Wi-Fi access

• Physical security including alarm systems and camera feeds

Furthermore, POS systems are now commonly connected to the public Internet to enable both remote operations and remote support of an ever-expanding retail footprint. Not all legacy systems were designed to securely handle external connections. Built on commodity hardware, operating systems, and software components, POS systems are easily compromised using relatively unsophisticated methods of attack. Other factors, including increasingly stringent annual PCI-DSS assessments and the IT industry’s growing skills shortage, particularly in the area of cybersecurity, limit the amount of resources retailers can devote to dealing with these dynamic environments. It’s easy to see how retail IT environments are becoming materially more complex and difficult to protect and manage.

Attackers understand all of these factors and are taking advantage of weak security links to gain a foothold within a retailer’s environment and obtain payment card data and other highly sensitive information. In response, retailers need to deploy new security controls on in-store networks to protect against attacks coming via external connections, to provide comparable protection across all store locations, and to granularly control the Internet usage of in-store users and customers. Yet challenging margin realities across the retail industry can make this initiative seem daunting. As many retailers take a fresh look at their IT security practices and solutions, the following three questions for vendors can help identify some important baseline capabilities:

1. How do your solutions support multiple locations? As you evaluate on-premises and cloud-based security solutions, consider that cloud-based deployments can scale to offer protection down to the store level without requiring any additional hardware. These Software as a Service (SaaS) solutions also eliminate many of the management and maintenance headaches and rising costs associated with numerous store locations and lack of on-site technical support. Look closely also at how they handle traffic inspection. Some solutions forward all traffic to a central aggregation point for inspection, consuming considerable amounts of bandwidth. Solutions that offer protection at the store level are able to forward only ‘high-risk’ traffic to the central location for inspection and allow low-risk traffic to pass, which is critical for bandwidth-constrained environments.

2. What types of advanced security capabilities do you provide? Given the kinds of malware and attacks being seen in the retail industry, you must assume a hostile environment. To protect against both known and emerging threats, look for dynamic solutions that offer a variety of techniques to detect malware, including traditional malware signatures as well as file and site reputation and outbreak filters. Dynamic solutions that can integrate easily with complementary defense layers, community-based threat intelligence, and sophisticated behavioral analysis and anomaly detection can identify zero-day threats and provide protection anytime, anywhere a threat is found. The ability to automatically update protections based on the latest intelligence helps retailers adapt in real time to the changing threat landscape despite having a small security team. Solutions that are cloud-based and include protection for roaming users make it easier to enforce consistent policy-based security across stores and users.

3. What reporting options are available and how labor-intensive are they? Template-based reports that are web-based and easy to customize are a baseline for management and compliance documentation. Beyond traditional security data, detailed analysis of bandwidth consumption and utilization provides valuable information to help ensure the efficient use of networks and support innovative technologies, including Guest Wi-Fi. Advanced reporting capabilities that show employee and customer Wi-Fi browsing habits enable you to discover instances of comparison shopping with online retailers as well as unacceptable content and potentially block such activity.

There’s no limit to the technological complexity retailers face in the battle for share of wallet. New business models, innovative technologies, and an increasing number of devices and people will continue to push retail IT environments into uncharted territory. Cloud-enabled tools and processes designed to be granular and flexible provide retailers a practical way to overcome mounting complexity and reduce opportunities for attackers.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast-growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.