Every eight minutes an organization reported a security incident in 2013, according to recent data from 50 CERTs, technology vendors, law enforcement agencies, and computer forensics organizations worldwide. It’s impossible to know how many incidents went unreported or, worse yet, undetected, but the true tally is certain to be significantly greater.
While the media has latched onto several high profile security incidents, the publicity spotlight tends to distort what really happened to retailers who had done all the due diligence to prepare for and prevent such threats. What is the reality behind these high profile events? Let’s balance them against a rational assessment of the broader facts, in the context of what we have seen when providing security assessments.
In December 2013, Target announced that it had fallen prey to a malware attack on their POS systems, resulting in the disclosure of 40 million debit and credit card details along with the names, addresses, email addresses, and phone numbers of up to 70 million customers. The attack appears to have taken place over a period of about 3 weeks between November and December 2013 – just 2 months after Target completed certification verifying compliance with the global standards for securing payment card information (PCI DSS).
Analysts have reported that attackers used a phishing attack to gain access to the credentials of one of Target’s HVAC subcontractors, which they then exploited to burrow into Target’s corporate network to embed the malware into the POS systems. Although PCI standards require data to be securely encrypted when in transit or storage, the malware probably circumvented these measures by harvesting payment card data directly out of the memory of the POS terminals – the one place where it has to be decrypted for processing.
The Reality and Recommendation
As a large retailer dealing with millions of card payments a year, Target already had robust security infrastructure in place to protect its data and its customers. Indeed, post-incident commentary indicates that the attack triggered alarms in the security system on several occasions, but for reasons that remain unclear the alarms were overlooked until a government agency finally detected the breach and notified Target. (It is not uncommon for organizations to casually dismiss certain types of security alert because of high volumes of false positives, or simply for lack of the resources to investigate every alarm.)
The payment card industry (PCI) has almost completed its transition to “chip and pin” technology which will largely mitigate the effectiveness of this type of attack once merchants have upgraded the card readers attached to their POS systems.
On April 7, 2014 the Internet started buzzing with headlines heralding the most serious security incident ever seen, nicknamed Heartbleed. The name is a play on the word “heartbeat,” referring to the vulnerable mechanism used to keep internet connections alive in the popular security software OpenSSL. Although most users had probably never heard of OpenSSL, more than two thirds of Internet sites use it to secure online browsing and transactions. Innumerable government organisations and private enterprises alike also use OpenSSL to secure remote access VPN connections, email, and various other online services. OpenSSL is even embedded within many popular network appliances, meaning that the true extent of this incident probably touches nearly every organization connected to the Internet.
The Heartbleed vulnerability allows an attacker to request random fragments of data from the server’s memory. This may not sound like much of a threat in itself, until you recognise that every username, password, credit card number, and any other sensitive data passing through the server sits in memory at some point. A patient attacker could simply run an attack that harvests small chunks of data all day and all night, and then mine the results for useful nuggets. The vulnerability crept into the software about two years ago and, to make matters worse, this attack leaves no forensic trail. In other words, organisations can determine if they are vulnerable, but there is no way to know if someone has exploited it.
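The flaw behind the paragraph above is a missing length check: a heartbeat message declares how many payload bytes the peer should echo back, and the vulnerable code trusted that number instead of comparing it with the size of the record that actually arrived. The following is an added illustration, not OpenSSL's code; it models the RFC 6520 message layout (type, 2-byte payload length, payload, at least 16 bytes of padding), shows the check the fix introduced, and reports how far past the received record an unchecked echo would have read.

```python
# Added example modelling the heartbeat length check; the message layout
# follows RFC 6520, the function names and constants are assumptions.
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 3        # type (1 byte) + payload_length (2 bytes, big-endian)
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of random padding
MAX_PAYLOAD = 2 ** 14 # a heartbeat payload may not exceed the TLS plaintext limit


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_len lets a test construct a malformed
    message whose declared payload length exceeds the bytes actually sent."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def overread_bytes(record: bytes) -> int:
    """How many bytes beyond the received record an implementation that copies
    payload_length bytes without checking would read (0 for a sane message)."""
    _, length = struct.unpack("!BH", record[:HEADER_LEN])
    return max(0, HEADER_LEN + length - len(record))


def respond_checked(record: bytes) -> Optional[bytes]:
    """The hardened behaviour: only echo a payload that fits, with its padding,
    inside the record that was actually received. Returns None for a malformed
    message, which the patched code silently discards."""
    if len(record) < HEADER_LEN:
        return None
    msg_type, length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HB_REQUEST or length > MAX_PAYLOAD:
        return None
    # This comparison is the essence of the fix: declared length vs real length.
    if HEADER_LEN + length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    ok = build_heartbeat(b"hello")
    bad = build_heartbeat(b"hello", claimed_len=65535)  # constructed malformed message
    print("well-formed echoed:", respond_checked(ok) is not None)
    print("malformed rejected:", respond_checked(bad) is None,
          "would have over-read", overread_bytes(bad), "bytes")
```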
The Reality and Recommendation
It is very difficult to protect against an unexpected vulnerability in a popular and well-respected security product. All organisations should have already checked their systems for the presence of this vulnerability and applied the necessary patches. They should also revoke and replace any server security certificates present on vulnerable servers, and change passwords for all accounts present on vulnerable servers. As users, we should change our passwords on all affected Internet services (email, any website that requires a logon, etc), but only after checking with the site administrator that they have already applied the patch (otherwise an attacker might intercept your new password).
On May 20, 2014, eBay announced publicly that a cyber attack had compromised a database containing encrypted passwords and other non-financial data including names, email and physical addresses, phone numbers and dates of birth of up to 145 million customers. The attack occurred between February and March 2014, when the attackers obtained the log-in credentials of a small number of employees, allowing them access to the corporate network.
While it appears that no financial data was leaked, the exposure of personally identifying information is still valuable to hackers who can exploit these details either for identity theft or further social engineering attacks. For example, many call centres rely on a customer providing their full name, address, and date of birth to verify the caller’s identity, allowing them to make account changes, obtain further information, or order products or services. Even more alarming is the potential for the attacker to break the password encryption, giving them usernames and passwords for 145 million consumers, many of which will have been re-used for other online services.
The Reality and Recommendation
Like Target, eBay is a responsible and tech-savvy organisation that has rigorous security infrastructure in place. They have yet to publish details of the exact attack mechanism; however, the available information suggests that attackers focused on the weakest link, which is almost always the human element. This serves as a reminder of the importance of educating staff about the threats that companies face, and reminding them how to help avoid falling prey to them. It should go without saying that anyone with an account on eBay should immediately change their password, and do the same for any other service on which they have used the same password.
Tough Luck or Easy Target: The Top 5 Threats
Each of these incidents attracted considerable media attention, but are they truly indicative of the current threats facing our customers? Drilling down into incidents reported in 2013 for certain key industries reveals the following top 5 threats:
1. Point Of Sale (POS) Intrusion
A remote attack against card payment systems to capture payment card data. (This does not include physical tampering such as “card skimmers”). The attack on Target falls into this category.
2. Denial of Service
An attack intended to compromise the availability of a system or network, typically by creating a “traffic jam” by flooding a network connection with spurious traffic.
3. Cyber Espionage
Unauthorised access to a system that is either linked to state-affiliated actors, or exhibits the motive of espionage.
4. Web App Attack
An attack carried out through a web application – typically by exploiting vulnerabilities in the app or using credentials stolen from a valid user.
5. Insider Misuse
An incident knowingly perpetrated by a trusted party – typically either theft or exposure of proprietary information, or facilitating an attack by a third party.
Sound Advice: Constant Due Diligence
POS Intrusions are clearly a high priority threat for retailers, and as such they should pay close attention to keeping their POS network securely isolated, keeping all antivirus and system software up to date, and using network intrusion detection and analysis tools to detect anomalous network traffic coming from the POS system. (A POS attack requires the attacker to somehow collect the harvested data, and it is this traffic that triggered internal alarms at Target).
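The parenthetical point above, that a POS intrusion has to move the harvested data somewhere and that this egress traffic is what a detection tool can catch, is illustrated by the added example below. It is not Motorola's tooling: the POS subnet, the destination allowlist, the volume threshold and the flow records are all constructed. It aggregates outbound flows per POS host to destinations outside the allowlist, so that an analyst gets one ranked alert per host rather than one per flow, which is the alert-fatigue problem the Target commentary describes.

```python
# Added example: egress monitoring for a POS segment over constructed flow
# records. Subnets, allowlist, threshold and log format are assumptions.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

POS_SUBNET = ipaddress.ip_network("10.20.0.0/16")   # assumed isolated POS segment
ALLOWED_DESTS = [
    ipaddress.ip_network("10.20.0.0/16"),           # other POS hosts / POS servers
    ipaddress.ip_network("10.50.1.0/24"),           # assumed payment gateway segment
]
BYTES_THRESHOLD = 500_000  # sustained outbound volume worth a human look

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)")


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow record; returns None for unparseable lines."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def is_allowed(dst) -> bool:
    return any(dst in net for net in ALLOWED_DESTS)


def suspicious_egress(lines: List[str]) -> Dict[str, dict]:
    """Per POS source host, total the outbound bytes to non-allowlisted
    destinations and return only hosts over the threshold, most bytes first."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "dests": set()})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["src"] not in POS_SUBNET or is_allowed(f["dst"]):
            continue
        entry = totals[str(f["src"])]
        entry["bytes"] += f["bytes"]
        entry["flows"] += 1
        entry["dests"].add(f"{f['dst']}:{f['dport']}")
    hits = {h: e for h, e in totals.items() if e["bytes"] >= BYTES_THRESHOLD}
    return dict(sorted(hits.items(), key=lambda kv: kv[1]["bytes"], reverse=True))


SAMPLE_FLOWS = [  # constructed sample records, not real traffic
    "2013-12-02T03:14:00 src=10.20.1.15 dst=10.50.1.10 dport=443 bytes_out=4200",
    "2013-12-02T03:15:00 src=10.20.1.15 dst=10.20.1.5 dport=445 bytes_out=12000",
    "2013-12-02T03:20:00 src=10.20.1.22 dst=10.7.3.9 dport=21 bytes_out=350000",
    "2013-12-02T03:25:00 src=10.20.1.22 dst=10.7.3.9 dport=21 bytes_out=410000",
    "2013-12-02T03:30:00 src=10.30.2.1 dst=10.7.3.9 dport=21 bytes_out=900000",
]
```

Running `suspicious_egress(SAMPLE_FLOWS)` flags only 10.20.1.22: the gateway and intra-segment traffic from 10.20.1.15 is allowlisted, and 10.30.2.1 is outside the POS segment and so belongs to a different monitor.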
A holistic security strategy must also encompass user education to recognise and avoid falling prey to scammers and social engineers, as even the strongest fortifications will fail if you can trick someone into handing over a key to the door.
Motorola Solutions helps retailers to establish and maintain security through a range of services including PCI compliance planning and security assessment, network design, implementation, and management services. With these provisions in place, retailers can feel more confident in protecting customer data and their networks now and in the future.
Simon Fennen is Asia-Pacific and Middle East Region Professional Services Delivery Lead, Motorola Solutions.