5 Ways to Protect Your Retail Store from Data Breaches

Both brick-and-mortar and ecommerce retail stores make attractive targets for hackers, especially during the holidays.

The 2016 holiday shopping season is in full swing, and fortunately for retail stores, consumers are not hesitating to reach for their wallets: Cyber Monday sales hit a record of $3.39 billion, surpassing estimates, and Thanksgiving and Black Friday receipts rose year-over-year by 11.5% and 21.6%, respectively.

However, not all is merry and bright for retailers. Retail stores are favorite targets of cyber criminals, especially during the holiday shopping season, when brick-and-mortar and ecommerce stores are flooded with customers, many if not most of them paying with debit or credit cards. Target’s POS system was attacked during the Christmas shopping season in 2013, in what turned out to be one of the largest data breaches in history: the attackers got in with credentials stolen from a third-party HVAC vendor, then planted memory-scraping malware on the POS terminals that harvested card data as it was swiped. The company ended up paying out well over $100 million to settle lawsuits from banks and affected consumers. Just a few months ago, clothier Eddie Bauer discovered that all of its U.S. and Canadian stores were infected with POS malware. Neiman Marcus, Home Depot, and Wendy’s have also been hit with major POS data breaches.

It is far better for retailers to prevent hacks in the first place than to scramble to clean up the mess afterwards. Whether you operate a brick-and-mortar retail store, an ecommerce site, or both, here are five proactive cyber security tips to protect your store during the holiday season and throughout the year.

1. Make sure your store is PCI DSS compliant.

All major card brands require, through the acquiring banks that process your transactions, that retail stores accepting their cards be PCI DSS compliant. Additionally, some states have data privacy laws with standards that mirror PCI DSS or that explicitly reference it. If your POS system or ecommerce site is breached and your store was not PCI DSS compliant, you risk running afoul of your state’s laws, you may become embroiled in class-action lawsuits from banks and consumers, and the card brands can impose fines amounting to tens or hundreds of thousands of dollars. If you do not or cannot pay those fines, you will lose the ability to accept their cards. PCI DSS compliance alone will not protect you against breaches; it is a minimum baseline, validated at a point in time, and attackers do not wait for your next assessment. Treat compliance with this standard as the first step in a comprehensive data security plan, not the finish line.

2. Be sure to address the special security issues of POS terminals.

Brick-and-mortar retail stores with POS terminals have specific cyber security needs. Among other things, none of your POS terminals should be connected to a public or guest WiFi network; the cardholder data environment should be segmented from the rest of your network so that a compromised back-office PC or guest device cannot reach the terminals; your terminals must be inspected regularly for card skimmers, overlays, and other signs of tampering, with serial numbers and security seals checked against an inventory; and, no matter how tight your budget, you must buy new POS hardware from a reputable dealer rather than second-hand units that may already have been tampered with. See this blog for more details on protecting POS systems in brick-and-mortar stores.

3. Train all of your employees, including temps, on cyber security best practices before letting them touch any of your computers.

The media portrays hackers as mysterious hooded figures sitting in dark rooms, tapping away at a keyboard as they hunt for “back doors” into networks. In reality, a large share of data breaches begin with an attacker obtaining legitimate login credentials, often through social engineering such as phishing emails or malware-infected flash drives left lying around for employees to pick up and plug into a machine. All of your retail store’s employees, including temporary workers, must be trained in cyber security best practices before they are allowed to do any work on a computer, including a POS system. This training should include clear instructions to immediately report suspicious emails, unexpected login prompts, or any other activity that just doesn’t seem right to a supervisor, and employees should know they will not be penalized for reporting a false alarm.

4. Keep all of your systems up to date.

This should go without saying, but many retail stores and other businesses fail to update their operating systems, software, and firmware on a regular basis. New vulnerabilities are disclosed daily, and updates often include security patches addressing the latest ones, so an unpatched system stays exposed to attacks the vendor has already fixed. Updates must be installed as soon as practical after they are released. For POS terminals and payment software, that includes the terminal firmware and the payment application itself, not just the operating system underneath; if your POS vendor must certify updates before you can apply them, know how long that window is and track which systems are still waiting.

5. Restrict employee system access as appropriate.

No employee, whether permanent or a temp, should be given more system privileges than they absolutely need to do their job (the principle of least privilege). For example, there is no reason that a packing and shipping employee needs to access employee tax data. Additionally, temporary workers should not be allowed to access your retail stores’ most sensitive data, such as customer payment information and payroll data. Jobs that require access to this type of data should be reserved for permanent employees who have a track record with your organization, have had more cyber security training than your seasonal workers, and have probably passed a more extensive background check. Give each seasonal worker an individual account rather than a shared login, so that activity on a POS terminal can be traced to one person, and disable those accounts the day the worker leaves rather than at the end of the season.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.


UC Berkeley Offers Cyber Security Advice to Donald Trump

In a new report, UC Berkeley’s Center for Long-Term Cybersecurity offers suggestions to President Elect Trump

Now that the election is over, the nation’s attention has turned to President Elect Donald Trump and what a Trump Administration will mean for cyber security. Notably, information security was the only tech-related topic Trump addressed directly on his official website. However, Trump’s plan outlines procedural generalities and does not go into technical specifics, something that is to be expected from a candidate who hails from a business background and has admitted to not being particularly tech-savvy. Since Trump’s election, his cyber security team has been slow to take shape.

In light of this and the fact that data breaches, ransomware attacks, and other cyber crimes are escalating in intensity, frequency, and cost, the Center for Long-Term Cybersecurity at UC Berkeley has come up with a list of five suggestions for President Elect Trump:

1. Publicly Declare a New Era of “Active Defense”

The first suggestion UC Berkeley has is for Donald Trump to make a strong public declaration that the U.S. is entering a new era of “active defense” against cyber crime. In particular, the Center wants two norms established: 1) a more active role for the federal government in responding to nation-state cyber attacks and 2) an acknowledgement that electoral systems are a matter of national security both in the U.S. and abroad, that the U.S. will not interfere with other countries’ electoral systems, and that the U.S. will respond forcefully to any attempts by foreign cyber criminals to interfere with ours.

2. Build Public Awareness of Cyber Security

It is well-known that the weakest link in any organization’s cyber security plan is its people. A large share of data breaches begin with an attacker obtaining legitimate login credentials, usually through phishing emails and other social engineering schemes. Unfortunately, most Americans are woefully uneducated on cyber security issues, which is why these incidents keep happening. To mitigate this problem, UC Berkeley would like to see President Elect Trump “make cyber security the next seatbelt” and implement a public awareness and education campaign to make everyday citizens aware of best cyber security practices. The Center would also like to see cyber security taught at the K-12 level as part of basic computer literacy, just as many schools are now teaching basic coding.

3. Address the Cyber Security Skills Shortage

The cyber security field is grappling with a severe skills shortage; there are approximately 200,000 unfilled cyber security jobs in the U.S., and demand is expected to increase by 53% by 2018. To address this problem, the center has three suggestions for President Elect Trump:

  • Forgive or, at least, defer student loans for new graduates who want to build careers in the cyber security field; (Just as the military forgives student debt in exchange for military service, the same should apply to federal cyber security service.)
  • Offer special cyber security visas for foreign-trained talent; and (This is easily abused by corporations that want to displace American workers, so regulations are definitely required here.)
  • Establish online education programs so that anyone with the desire to study cyber security can do so. (A great resource to look at is Western Governors University. They have great accreditation and are non-profit.)

4. Establish a “Cyber Workforce Incubator”

UC Berkeley points out that a great number of cyber security professionals are concentrated on the West Coast. For numerous reasons, it can be difficult to entice these workers to move to the East Coast, where the federal government is headquartered. The Center suggests that Trump set up a national “Cyber Workforce Incubator,” headquartered on the West Coast, that would allow these professionals “to work on national security challenges without giving up their work cultures and networks.” The Center envisions that these professionals would be given the opportunity to work in the incubator for one to two years at a time, allowing them to serve their country by working on “the most important national security challenges before returning to the private sector refreshed and inspired.”

5. Create a New Government Agency Dedicated to Cyber Security

The Center’s final suggestion is that President Elect Trump set up a new government agency, tentatively called the Cyber Advanced Research Projects Agency (CARPA), to “aggregate existing government and DARPA cyber initiatives and focus specifically on innovating in a field that is increasingly critical to civilian as well as military life.” The Center’s logic is that, in an increasingly digitized world, cyber security is a fundamental part of national security. The defense of our nation’s critical digital infrastructure cannot be left solely to the private sector any more than the defense of our physical infrastructure and borders can.

Throughout his campaign, Donald Trump referred to cyber security in the context of national security. It is possible that his administration will increase spending on cyber security at the federal level and impose more stringent requirements on state and local governments. These would be welcome changes. As the new administration moves forward and coalesces its policies, it’s important that cyber security professionals and private sector businesses vocalize our ideas and issues and ensure that our concerns are heard.


Mirai Botnet Attacks Likely Pulled Off By Teenagers

The recent Mirai botnet DDoS attacks were the largest on record – and they were likely masterminded by teenagers.

On October 21, a massive DDoS attack on Dyn’s managed DNS infrastructure made a number of major websites unreachable, including PayPal, Twitter, Amazon, Netflix, and Spotify. The attack was carried out with the Mirai botnet, malware whose source code was publicly released in late September and which works by compromising Internet of Things (IoT) devices and turning them into “zombies.” It was reported as the largest DDoS attack on record, and it illustrated the serious risk posed by insecure IoT devices.

In the aftermath of the Mirai attacks, cyber security experts went to work to find out who was behind them. Was this the work of foreign or domestic terrorists? Nation-state hackers? Organized crime groups? It turns out that the largest DDoS attack ever recorded was most likely orchestrated not by organized terror groups or criminal masterminds but by teenagers, Vice News reports:

…[T]he world’s leading cybersecurity experts have been following clues to track who is responsible. They’ve come to a disturbing conclusion: the biggest DDoS attack in history was probably not caused by a state-sponsored actor, organized crime, terror groups, or anyone with a geopolitical or financial motive. So who’s left?

“Kids,” said Mikko Hypponen, chief research officer with security firm F-Secure. “Kids who have the capability and don’t know what to do with it.”

“The source code that was released could have been written by a high school student, a smart high school student, but a high school student nonetheless,” security expert Rob Graham said after examining the malware used in the attacks. “It wasn’t particularly sophisticated.”

The notion that a rank amateur could pull off such a massive cyber attack is not unprecedented. In 2008, a Polish teenager hacked into the tram system of the city of Lodz, Poland, derailing four trams and injuring a dozen people. When questioned by authorities, he claimed that the hack was done as a “prank.”

Anyone can download the source code for Mirai. It’s available online, along with helpful, step-by-step instructions. As the recent DDoS attacks prove, it doesn’t take a computer science degree, the financial backing of a nation-state or terror group, or much skill to use it. This raises the same question that was asked after the Lodz tram debacle: If a high school kid motivated only by the desire to stir things up a bit can do this much damage, what could an organized, skilled, well-funded group of highly motivated cyber terrorists accomplish?

Insecure IoT Devices No Match for Mirai

The Mirai malware takes advantage of a very simple but extremely serious weakness that plagues IoT devices, from routers to printers to DVRs: many, if not most, users have never changed the default passwords their devices came with, because they don’t know how, they don’t understand why they should, or both. Even when a security-conscious user realizes they need to change a device’s password, they may not be able to; on some devices the login credentials are hard-coded into the firmware, or the telnet service that Mirai targets stays reachable with its own built-in account no matter what the user sets in the web interface, making it difficult or impossible for end users to close the door.

PCI DSS (Requirement 2.1) dictates that vendor-supplied defaults must be changed, and unnecessary default accounts removed or disabled, before a system is connected to the network. There are two good reasons for this. First, a large share of data breaches begin with an attacker obtaining legitimate login credentials to a system, and second, manufacturer default passwords are widely available online. The leaked Mirai source code ships with a built-in list of roughly 60 user name and password combinations. Since manufacturers often reuse the same credentials across an entire product line, a single pair can open hundreds, possibly thousands, of devices.

Mirai works by scanning the internet for devices that expose telnet (TCP ports 23 and 2323), then attempting to log in with those default credentials. When a login succeeds, the device is reported back and a loader installs the bot, turning the device into a “zombie,” usually without the owner noticing; the camera or DVR keeps doing its job while it scans for more victims. Once an army of “zombie” devices has been amassed, it can be directed to flood a target with so much junk traffic that its servers slow to a crawl or crash.
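As an added example (not part of the original article or the Mirai source), here is a small Python detector for the scanning phase described above, run over constructed connection records. It combines two signals: the behavioural pattern of one host opening telnet connections to many distinct addresses, and a fingerprint from the leaked Mirai scanner, which sets the TCP sequence number of each probe SYN to the destination IPv4 address. The record format, the 10.0.0.0/8 and 203.0.113.0/24 addresses, and the SCAN_THRESHOLD value are assumptions made for illustration.

```python
"""Flag Mirai-style telnet scanning in constructed SYN records (added example)."""
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, NamedTuple

TELNET_PORTS = {23, 2323}
SCAN_THRESHOLD = 20  # assumed tuning value: distinct telnet targets before a host is flagged


class Syn(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    seq: int


def parse_line(line: str) -> Syn:
    """Parse one record in the constructed format '<ts> <src> -> <dst>:<dport> seq=<n>'."""
    ts, src, _, target, seq_field = line.split()
    dst, dport = target.rsplit(":", 1)
    return Syn(float(ts), src, dst, int(dport), int(seq_field.split("=", 1)[1]))


def is_mirai_fingerprint(s: Syn) -> bool:
    """Mirai's scanner writes the destination IPv4 address into the TCP sequence number."""
    return s.dport in TELNET_PORTS and s.seq == int(IPv4Address(s.dst))


def analyse(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {source_ip: finding} for sources that look like Mirai scanners."""
    per_src = defaultdict(lambda: {"targets": set(), "fingerprint_hits": 0})
    for line in lines:
        s = parse_line(line)
        if s.dport not in TELNET_PORTS:
            continue  # only telnet SYNs matter for this detector
        entry = per_src[s.src]
        entry["targets"].add(s.dst)
        if is_mirai_fingerprint(s):
            entry["fingerprint_hits"] += 1

    findings = {}
    for src, e in per_src.items():
        reasons: List[str] = []
        if len(e["targets"]) >= SCAN_THRESHOLD:
            reasons.append(f"{len(e['targets'])} distinct telnet targets")
        if e["fingerprint_hits"]:
            reasons.append(f"{e['fingerprint_hits']} SYNs with seq == destination IP")
        if reasons:
            findings[src] = {
                "targets": len(e["targets"]),
                "fingerprint_hits": e["fingerprint_hits"],
                "reasons": reasons,
            }
    return findings


def _constructed_sample() -> List[str]:
    """Constructed records, not real traffic: one infected DVR and one legitimate admin host."""
    lines = []
    # 10.0.0.50 behaves like a Mirai bot: 25 targets on TCP/23, seq equal to the destination IP
    for i in range(1, 26):
        dst = f"203.0.113.{i}"
        lines.append(f"{1000 + i} 10.0.0.50 -> {dst}:23 seq={int(IPv4Address(dst))}")
    # 10.0.0.7 is an administrator managing three switches with ordinary random ISNs
    for i, seq in zip(range(1, 4), (2271563411, 88123, 3990110001)):
        lines.append(f"{2000 + i} 10.0.0.7 -> 10.0.1.{i}:23 seq={seq}")
    # unrelated HTTPS traffic is ignored by the detector
    lines.append("3000 10.0.0.7 -> 93.184.216.34:443 seq=5")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LINES).items():
        print(src, "->", "; ".join(finding["reasons"]))
```

Run it directly to print the findings. In production you would feed it from your flow or packet sensor instead of SAMPLE_LINES; the threshold alone catches any noisy telnet scanner, while the sequence-number check only works where the sensor records the SYN’s sequence number, but when it fires it points specifically at Mirai-derived code.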

Mirai DDoS Attacks the “Canary in the Coal Mine” for IoT Security

In the wake of the Mirai attacks, Chinese manufacturer Hangzhou Xiongmai voluntarily recalled some of its home webcams, and it’s possible more manufacturers will follow suit. However, in light of the serious issues raised by Mirai, much more has to be done. The situation is so bad, and IoT manufacturers have dragged their feet for so long, that some experts are now calling for the federal government to step in and regulate IoT security.

If IoT manufacturers do not step up to the plate and clean their own houses, they are setting themselves up not only for onerous government regulations but also cyber attacks that are far more destructive than the Mirai DDoS attacks.
