Big Retail = A Honey Pot of Data
The retail industry is a high value target for cyber attacks, simply due to the transactional nature of the business. The large number of financial transactions means there is a honey pot of data and countless opportunities for cyber criminals to steal sensitive customer information.
Online transactions, Point of Sale (POS) systems, and retail environments with transient workforces and high staff turnover all add up to increased risk. Far too often, POS systems run on old hardware with no malware protection and sometimes an unpatched operating system. Big retailers with a large number of stores, hundreds of POS systems, fragmented procurement, and multiple distribution centers are attractive environments for a cyber criminal, or a group of them, planning an attack.
To further the risk of an attack or breach, many retailers also outsource their IT or cyber security capabilities to third parties – which means retail organizations need to (seriously) consider supply chain security as well.
Preventing eCommerce Cyber Attacks – It’s all about the Benjamins
The threats of cyber attacks for retail companies are very clear and unfortunately abundant: malware introduced to steal financial data, unauthorized insiders gaining access to private systems and databases, and the creation of fraudulent transactions that route money to other destinations. It’s all about the Benjamins baby.
A high profile example of the risks in retail comes from Forever 21 in 2017. A large number of the company’s POS systems were infected with malware for nearly seven months, enabling cyber criminals to steal credit card data that had been stored in the logs of completed transactions. Forever 21 reported that the malware obtained shoppers’ card numbers, expiration dates and internal verification codes, and in some cases cardholders’ names as well.
Another well known name that has fallen foul of cyber attacks is Macy’s. An investigation into the 2019 breach of Macys.com found that malicious code had been inserted into the site’s “Checkout” and “My Wallet” pages to capture customer payment data as it was entered. Macy’s was also attacked in 2018. That breach gave criminals access to credit and debit card information, names, and birthdays of “a small number” of Macys.com and Bloomingdales.com customers.
Right now, as business across the globe becomes increasingly more digital and as eCommerce continues to expand – particularly as COVID-19 has kept consumers at home and driven them to shop almost exclusively online – the reality is that digital retailers simply cannot operate without prioritizing cyber security.
Protecting Credit Card Transactions
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for any company that stores, processes, or transmits credit card data.
The requirements for achieving PCI compliance include monitoring access to systems and all activity on the network, ensuring that encryption and perimeter security are in place, restricting access to data and systems, and requiring the use of strong passwords. Monitoring and reporting are key requirements of PCI DSS. The standard itself (PCI DSS v3.2.1, “Scope of PCI DSS Requirements”) defines what is in scope:
“The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications.
Examples of system components include, but are not limited to the following:
- Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
- Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
- Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
- Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
- Any other component or device located within or connected to the CDE.”
Log Management & Cyber Security
Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis when something goes wrong; determining the cause of a compromise is very difficult without system activity logs.
Effective log collection and management will allow you to meet the controls of PCI DSS Requirement 10:
- Implement audit trails to link all access to system components to each individual user.
- Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions, deletions to accounts with root or administrative privileges; initialization, stopping or pausing of the audit logs; creation and deletion of system-level objects.
- Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.
- Use time synchronization technology, synchronize all critical system clocks and times, and implement controls for acquiring, distributing, and storing time.
- Secure audit trails so they cannot be altered.
- Review logs and security events for all system components to identify anomalies or suspicious activity. Perform critical log reviews at least daily.
- Retain audit trail history for at least one year, with at least three months of history immediately available for analysis.
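The list above is easier to reason about with a concrete pass over some log data. The following is an added example, not code from the original post or from Snare: it reads a handful of constructed JSON log lines (the field names, user names and addresses are assumptions made for the illustration), checks each entry for the minimum content PCI DSS 10.3 asks for, tags entries that fall into the 10.2 categories, produces the kind of summary a daily review would look at, and hash-chains the entries so that later alteration of any one of them is detectable.

```python
"""Added example: a minimal daily log review in the spirit of PCI DSS Requirement 10.
The records, field names and account names below are constructed for illustration."""
import hashlib
import json
from collections import Counter, defaultdict
from datetime import datetime

# PCI DSS 10.3 minimum content per audit entry, mapped to the field names this
# example assumes (10.3.1 user, 10.3.2 event type, 10.3.3 date/time,
# 10.3.4 success/failure, 10.3.5 origin, 10.3.6 affected resource).
REQUIRED_FIELDS = ("user", "event", "ts", "outcome", "src", "target")

# Constructed sample log lines (one JSON object per line); the last entry
# deliberately lacks an outcome so the completeness check has something to find.
SAMPLE_LOG = """\
{"user":"cashier07","event":"login","ts":"2020-06-01T08:02:11Z","outcome":"success","src":"10.2.3.41","target":"pos-app"}
{"user":"svc_backup","event":"login","ts":"2020-06-01T08:05:09Z","outcome":"failure","src":"198.51.100.9","target":"db01"}
{"user":"svc_backup","event":"login","ts":"2020-06-01T08:05:12Z","outcome":"failure","src":"198.51.100.9","target":"db01"}
{"user":"svc_backup","event":"login","ts":"2020-06-01T08:05:15Z","outcome":"failure","src":"198.51.100.9","target":"db01"}
{"user":"root","event":"audit_stop","ts":"2020-06-01T08:06:40Z","outcome":"success","src":"console","target":"auditd"}
{"user":"admin2","event":"account_create","ts":"2020-06-01T09:11:03Z","outcome":"success","src":"10.2.3.10","target":"user:tmp_vendor"}
{"user":"admin2","event":"card_data_read","ts":"2020-06-01T09:12:30Z","outcome":"success","src":"10.2.3.10","target":"tbl_transactions"}
{"user":"cashier07","event":"logout","ts":"2020-06-01T16:30:00Z","src":"10.2.3.41","target":"pos-app"}
"""

# Event names (assumed) that map onto the 10.2 events which must be reconstructible.
CATEGORIES = {
    "card_data_read": "10.2.1 access to cardholder data",
    "audit_stop": "10.2.6 audit log stopped/paused",
    "audit_pause": "10.2.6 audit log stopped/paused",
    "account_create": "10.2.5 account/privilege change",
    "priv_elevate": "10.2.5 account/privilege change",
}
ADMIN_USERS = {"root", "admin2"}  # assumption: the known privileged accounts


def parse_log(text):
    """Return (records, problems); an entry missing a 10.3 field is a problem."""
    records, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems.append((n, missing))
        records.append(rec)
    return records, problems


def classify(rec):
    """Map one record to the 10.2 categories it satisfies (possibly several)."""
    tags = []
    if rec["event"] in CATEGORIES:
        tags.append(CATEGORIES[rec["event"]])
    if rec["user"] in ADMIN_USERS:
        tags.append("10.2.2 privileged action")
    if rec.get("outcome") == "failure" and rec["event"] == "login":
        tags.append("10.2.4 invalid access attempt")
    return tags


def daily_review(records, fail_threshold=3, window_s=60):
    """Summarise the day: counts per 10.2 category plus alerts worth a human look."""
    counts = Counter()
    fails = defaultdict(list)
    for rec in records:
        for tag in classify(rec):
            counts[tag] += 1
        if rec.get("outcome") == "failure":
            t = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            fails[(rec["user"], rec["src"])].append(t)
    alerts = []
    for (user, src), times in fails.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            # fail_threshold failures from the same user/origin inside window_s
            if (times[i + fail_threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(("burst_failures", user, src))
                break
    if counts["10.2.6 audit log stopped/paused"]:
        alerts.append(("audit_log_stopped",))
    return {"counts": dict(counts), "alerts": alerts}


def chain(records):
    """Hash-chain the records: each digest covers the previous digest plus the
    entry, so editing or deleting any entry changes every digest after it (10.5)."""
    h, digests = "0" * 64, []
    for rec in records:
        h = hashlib.sha256((h + json.dumps(rec, sort_keys=True)).encode()).hexdigest()
        digests.append(h)
    return digests


def verify_chain(records, digests):
    """True only if the records still produce the digests recorded earlier."""
    return chain(records) == digests


if __name__ == "__main__":
    recs, probs = parse_log(SAMPLE_LOG)
    print("incomplete entries:", probs)
    print(json.dumps(daily_review(recs), indent=1))
```

Two things in the output are the point: the review flags the three rapid failed logins against the database host and the stopped audit daemon rather than burying them among routine logins and logouts, and the chain digests, if written somewhere the logged hosts cannot reach, give the reviewer a way to tell whether the log they are reading is the log that was originally written.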
One of the key requirements is not just collecting log data on these activities but also reviewing it daily, as the standard requires. Snare makes this easy by providing out-of-the-box reports that produce the evidence needed to demonstrate PCI DSS compliance.
Beyond log collection, Snare also provides Database Activity Monitoring (DAM), which detects when application level controls are bypassed and the database is accessed directly, along with File Integrity Monitoring (FIM) and Registry Integrity Monitoring (RIM) to detect changes to key files and suspicious registry activity, including the installation of malicious applications.
Need to get your log management solution in place?
Reach out to our team. We work with over 4,000 customers across the world to help manage logs and prevent the types of costly and damaging cyber security breaches referenced in this article.