This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season. Be sure to read part two for the full story.
With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.
A Timely Cause for Retail Cybersecurity Concerns
Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.
Don’t Reward the Naughty
A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If ever compromised, an attacker can correlate this customer PII to payment data and use it to aggregate information to compromise the user’s identity.
In line with recent regulatory laws such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.
Listen to the podcast: Examining the State of Retail Security
Phishing Is in Season
Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.
Figure 1: Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)
Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.
Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.
While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.
1. Mitigate the POS Malware Threat
After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.
Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.
To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:
- Use some form of malware detection on your entire network to include the network of POS systems.
- Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
- Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
- When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
- Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.
Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.
As a precaution, retailers should frequently search for devices on their POS terminals and swiping equipment. Attackers typically attach skimmers to the device by sliding them onto the scanners and collecting them later. To check for a skimmer, examine devices daily and pull on the scanner if anything appears different. If part of the device comes off, it may be a skimming device. Call your service provider and IT security team to report it before resuming activity with that terminal or device.
With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.
2. A Clean Network Is a Safe Network
Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.
One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.
To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:
- Harden the security of underlying web servers.
- Limit access to critical assets and properly manage the privileges of those that maintain them.
- Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
- Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.
Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.
Unauthorized access requires the use of legitimate credentials, which criminals can attain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks on the web application itself.
You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:
- Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
- Sanitize user input to prevent injection attacks.
- Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
- Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
- Enforce multifactor authentication (MFA) for employees.
3. Go to Your Separate Corners
Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.
To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.
In network segmentation, allow only one IP address per segment to communicate at a time to detect suspicious traffic. While an attacker may spoof his or her IP address, this control can allow defenders to find out about most intruders rather easily. Here are some other best practices to consider:
- Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
- Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
- As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
- Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
- Prevent sensitive users and systems from communicating with the internet.
4. Learn From History and Educate Users
Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must understand that training materials are sometimes clicked through at a rapid pace to complete them as quickly as possible in favor of getting back to work. So how can an organization effectively educate their users?
- Plan for role-based training of all employees in the organization.
- Train employees on both physical and digital security.
- Conduct short training sessions and field-test them by asking for employee feedback.
- Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
- Identify users who need remedial training and retest as needed.
- Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.
For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.
5. Use Network IP Whitelists and Blacklists
Whitelists are IP addresses or domains used specifically for allowing access, whereas blacklists are used to help prevent IP addresses or domains from entering a network. Whitelists and blacklists are useful for keeping unauthorized and authorized connections within or outside the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.
Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.
These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:
- Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
- Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
- Whitelists should include any internal company addresses.
- Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
- It is imperative to verify these lists periodically to help ensure that all information is accurate.
- Should any IP addresses on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
- Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.
Stay Tuned for More Holiday Season Tips for Retailers
There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.
Stay tuned for five more tips to help retailers stay secure this holiday season.
Read the latest IBM X-Force Research
Strategic Cyber Threat Analyst, IBM