Transcript of "GDS International - Next - Generation - Retail - Summit - Europe - 4"
WHITE PAPER: KEEPING ELECTRONIC HANDS OUT OF THE COOKIE JAR

The retail industry’s goal: getting as many people as possible into the store. Well, not quite, actually. What retailers really want are as many paying customers as possible, and there’s a certain ‘customer’ no one wants in the store—whether you do business online or off. Shoplifting, slippage, the five-finger discount: call it what you like, it is theft, and sadly it has been with the retail industry since the very first little kid put his hand in a cookie jar the moment the store keeper’s back was turned. These days this cookie-kid is no longer the big threat. However, script-based ‘kids’ most certainly are. Results of the 2011 Verizon Business Data Breach Investigations Report (DBIR) show the electronic threat is clear and present.

MEETING THE CHALLENGES OF A NEW WORLD OF RETAIL

The way people shop has completely changed over the last decade and will continue to do so. Customers want a more customized, enhanced buying experience wherever they are. Consumers today expect compelling, efficient and personalized shopping experiences. And it pays off: evidence suggests that multi-channel customers who receive a compelling experience shop and spend considerably more. To do this effectively, it’s vital that you, as retailers, reach out to and connect with customers and business partners, suppliers, warehouses, stores, employees, and consumers. It is within this extended enterprise that crucial retail practices are supported, such as online ordering with multiple pick-up and delivery options; social networking strategies; pinpoint promotions and customer loyalty programs; and real-time retailing with a visible supply chain.

Pull quote: “From when the first kid put his hand in the cookie jar as the store keeper’s back was turned, theft has been a reality in retail.”
You’ll also need to be able to support a rapidly growing array of platforms to engage and meet customers’ needs: from PCs to smartphones; PDAs to kiosks; portable video displays to digital signage; express stores to Internet-linked game consoles. Yet with this wider range of platforms connecting to more places comes a greater variety of potential risk.

THE CURRENT THREAT LANDSCAPE

First the good news: in general, according to the 2011 DBIR, the number of total records compromised across all industries (based on our investigations analysis) declined from an all-time high of 361 million in 2008 to 144 million in 2009, and then plummeted to 4 million in 2010. The survey offers a number of suggestions for the decline, with its leading hypothesis being that the successful identification, prosecution, and incarceration of the perpetrators of many of the largest breaches in recent history is having a positive effect.
Not only did the 2011 DBIR show a trend towards declining breaches, these breaches were also the most diverse in terms of threat agents, threat actions, affected assets, and security attributes involved that the report had found in its three-year history. The report revealed a large number of highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, country-wide device tampering schemes, cunning social engineering plots, and much more.

Over the course of the last three years there has been a rather marked swing in the source of breaches from insider attack to external threat. The general sense is that there has been a huge increase in smaller external attacks rather than a decrease in insider activity, with an associated and continued decline in partner-caused breaches.

In all, the 2011 DBIR showed that 92 percent of breaches analyzed stemmed from external agents, a rise of 22 percent over the prior year; 17 percent originated from internal sources, implicating insiders, down by 31 percent compared with the same time 12 months ago. Multiple party-based incidents fell by 18 percent to 9 percent; and less than a single percent of breaches resulted from the actions of business partners, a 10 percent fall.

Even though the report revealed the all-time lowest amount of records breached in the three years of the survey, it also showed the all-time highest number of incidents investigated. Report analysts suggest this means IT teams are more aware of and willing to report threat activity. Overall, it’s clear threats are still out there, especially for retailers, where even a single successful attack can have huge consequences. Virtually everyone in retail knows about the major discount retailer who lost millions of customers’ credit card details a few years ago following a successful attack by two people armed only with a laptop and a Pringles tube.
VERIZON RETAIL SECURITY SOLUTIONS

Your infrastructure security requires a significant investment in time, resources, and effort. The most effective security plans match security policies to retail challenges. Verizon Professional Security Services and Verizon Managed Security Services can help you develop such plans. We look at your current level of security and help you develop and implement policies and procedures based on your company’s needs. Our highly trained security consultants look at all aspects of your business, including your network infrastructure and business applications, and provide expert advice for reducing security risks. Offerings include:
• Antivirus, antispam, and antispyware applications
• Application log monitoring and management
• Denial-of-service defense resources
• Firewalls and routers
• VPN
• Image and content control
• Intrusion detection and protection
• Proxy service

THE RETAIL THREAT POTENTIAL IN 2011

According to the 2011 DBIR, the retail industry has the dubious distinction of being beaten only by the hospitality industry in terms of data breaches by business sector. Retail breaches even exceeded those targeting the financial industry by a few percentage points.

DBIR authors and researchers speculate that retail’s increased popularity among the hacking fraternity may be attributed to the fact that, along with hospitality, it presents a smaller, softer, and less reactive target than finance, for example. The researchers speculate criminals may be making a classic risk vs. reward decision and opting to “play it safe” in light of recent arrests and prosecutions following large-scale intrusions into financial services firms.
The numerous smaller strikes on hotels, restaurants, and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option.

In terms of compromised records by industry group, the report grouped retail and hospitality together and found their industries collectively responsible for 56 percent of all records illegally obtained. This compares with 35 percent for finance and only 9 percent for all other industries.

Given the huge significance of supply chains in retail, security among partners is a huge issue, and events related to partners registered highly in the 2011 DBIR. The blunt truth is that partners can contribute to a conditional event that creates circumstances or conditions that—if/when acted upon by another agent—allow a primary chain of events in a security threat to progress. In this respect, partners can be more akin to vulnerability than threat (which is why partners involved in them are not considered primary threat agents). Yet the DBIR 2011 shows that partners contributed to conditional events in 22 percent of incidents. A common example of this is where a remote vendor responsible for managing a Point-Of-Sale (POS) system neglects to change default credentials, leaving it vulnerable to attack.

Sidebar: How do breaches occur?
50% utilized some form of hacking
49% incorporated malware
29% involved physical attacks
17% resulted from privilege misuse
11% employed social tactics
Source: 2011 Verizon Data Breach Investigations Report

Sidebar: Who is behind data breaches?
92% stemmed from external agents
17% implicated insiders
<1% resulted from business partners
9% involved multiple parties
Source: 2011 Verizon Data Breach Investigations Report

WHERE AND HOW SECURITY STRIKES OCCUR

Retail security incidents typically occur via remote access and desktop services, which again take the top spot in the attack pathways list, with 71 percent of all attacks analyzed by the 2011 DBIR falling into the category of hacking. Remote access and desktop services, in combination with the exploitation of default and/or stolen credentials, are big problems in both the retail and hospitality industries. Opportunistic attacks are carried out across many victims who often share the same support and/or software vendor. Once an intruder discovers a particular vendor’s authentication method and schema, they potentially are able to exploit it across a vendor’s extended enterprise—affecting business partners and consumers.

Other, less complex instances of embezzlement, skimming, and related fraud are reported as well. The report found that in general such thefts are perpetrated by restaurant waiting staff, retail clerks, or other insiders who handle financial transactions as part of their job. In some cases, it was found that employees used handheld skimmers and other devices to facilitate theft. While this may seem out of context within the scope of electronic attack, it is nevertheless a real (and common) method of stealing data—especially payment cards.

Compared with hacking or malware, omission—that is, something not done that, according to policy and/or standard operating procedures, should have been done—is quite an uncommon security threat vector, but it is one which crops up relatively highly within the retail and hospitality industry. A frequent example of this is the failure to change default credentials. This was most commonly linked to inadequate processes on the part of the victim to validate that things get done properly and consistently.

Sidebar: Where should mitigation efforts be focused?
Eliminate unnecessary data; keep tabs on what’s left
Ensure essential controls are met
Check the above again
Assess remote access services
Test and review web applications
Audit user accounts and monitor privileged activity
Monitor and mine event logs
Examine ATMs and other payment card input devices for tampering
Source: 2011 Verizon Data Breach Investigations Report
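As an added example, not part of the Verizon white paper or the DBIR, the following Python script puts three of the mitigation items above into practice on a constructed remote-access authentication log: monitoring and mining event logs, auditing user accounts, and assessing remote access services. It flags successful logons with accounts on a hypothetical watchlist of vendor-default or shared support accounts (the unchanged-default-credentials case the text describes), and a burst of failed logons from one source followed by a success, the opportunistic pattern against remote desktop services the report singles out. The log format, account names, store ids and addresses are all constructed for illustration.

```python
"""Added example, not from the white paper: mining a constructed remote-access
authentication log for (1) successful logons with vendor-default or shared
support accounts and (2) password-guessing bursts followed by a success."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format (hypothetical, not a real product's format):
# "<ISO timestamp> <service> <OK|FAIL> user=<account> src=<ip> store=<store id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) store=(?P<store>\S+)$"
)

# Hypothetical watchlist: accounts a POS vendor ships with or shares across
# customers. Any successful logon with one of them deserves review, because
# the "failure to change default credentials" case looks exactly like this.
WATCHLIST_ACCOUNTS = {"posadmin", "vendor_support", "installer"}

# Constructed sample log for three stores (addresses are documentation ranges).
SAMPLE_LOG = """\
2011-05-02T01:12:03 rdp FAIL user=manager src=198.51.100.7 store=s17
2011-05-02T01:12:05 rdp FAIL user=manager src=198.51.100.7 store=s17
2011-05-02T01:12:09 rdp FAIL user=manager src=198.51.100.7 store=s17
2011-05-02T01:12:14 rdp FAIL user=manager src=198.51.100.7 store=s17
2011-05-02T01:12:20 rdp FAIL user=manager src=198.51.100.7 store=s17
2011-05-02T01:12:27 rdp FAIL user=manager src=198.51.100.7 store=s17
2011-05-02T01:12:33 rdp OK user=manager src=198.51.100.7 store=s17
2011-05-02T02:05:00 rdp OK user=vendor_support src=203.0.113.9 store=s04
2011-05-02T03:00:00 vpn OK user=posadmin src=203.0.113.9 store=s04
2011-05-02T08:30:00 rdp FAIL user=clerk src=192.0.2.44 store=s22
2011-05-02T08:30:10 rdp FAIL user=clerk src=192.0.2.44 store=s22
2011-05-02T08:30:20 rdp OK user=clerk src=192.0.2.44 store=s22
2011-05-02T09:15:00 rdp FAIL user=posadmin src=203.0.113.9 store=s22
"""


@dataclass
class Finding:
    kind: str
    store: str
    user: str
    src: str
    detail: str


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_watchlist_logons(events):
    """Every successful logon with a watchlisted (default/shared) account."""
    return [
        Finding("default-account-logon", e["store"], e["user"], e["src"],
                f"successful {e['service']} logon with vendor/default account")
        for e in events
        if e["result"] == "OK" and e["user"] in WATCHLIST_ACCOUNTS
    ]


def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= threshold failures from the same source at the
    same store within the window. Two typos by a clerk stay below threshold."""
    recent_failures = defaultdict(list)  # (src, store) -> failure timestamps
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["store"])
        # drop failures that have aged out of the window
        recent = [t for t in recent_failures[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            recent.append(e["ts"])
            recent_failures[key] = recent
            continue
        if len(recent) >= threshold:
            findings.append(Finding(
                "guess-then-success", e["store"], e["user"], e["src"],
                f"{len(recent)} failures within {window} before successful "
                f"{e['service']} logon"))
        recent_failures[key] = []  # a success ends the burst either way
    return findings


def analyze(text):
    events = parse_log(text)
    return find_watchlist_logons(events) + find_guessing_bursts(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] store={f.store} user={f.user} src={f.src}: {f.detail}")
```

On the constructed log this reports the six failures followed by a success at store s17, and the two successful logons with watchlisted accounts at store s04; the clerk's two typos at s22 and the lone failed `posadmin` attempt produce nothing. The threshold and window are tuning knobs: a shared vendor support address that touches many stores should be reviewed per store, which is why the burst key includes the store id.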
THE THREATS TO CLOUD AND MOBILE PLATFORMS

Of all the new platforms in the new multi-channel retail environment, perhaps the two most significant are the cloud and mobile. Cloud computing represents tremendous opportunities for retail in terms of cost control, flexibility and efficiency. It’s a progression to a services-oriented architecture (SOA) whereby retail IT applications and general resources need not be physically purchased but are available online and paid for as and when they are used.

Similarly, the mobile channel has two main benefits. Firstly, it puts your store in your customers’ hands wherever they are, whenever they care to shop. That means going shopping becomes customers making a connection—from whatever platform or channel suits them—whether online or on premise. The other benefit is that with a mobile channel your business can reap operational benefits and yield extra revenue. As with online shopping, it won’t be long before offering a mobile channel becomes a standard business requirement.

Sadly, it didn’t take long for electronic attackers to see mobile, and also the cloud, as entry points into your infrastructure. You should work on the assumption that they are rapidly assessing the opportunities these platforms bring. Fortunately, in terms of both mobile and the cloud, the 2011 DBIR revealed that such assessments have yet to translate into a great deal of direct hits against retailers. For the cloud, the 2011 DBIR found that the source of attack was more related to giving up control of assets and data and not controlling the associated risk, rather than any technology specific to the cloud. For mobile, the report showed that data loss events with tablets, smartphones, and wireless phones as the source ranked low indeed.

Pull quote: “As retail organizations move rapidly away from one-size-fits-all products to personalized services, you should consider securing your data assets in the same way.”
However, security investigators fully expect mobile threats to increase and diversify along with the use, uses, and users of such devices. They say it is inevitable that as the convenience and functionality of mobile devices drive widespread adoption, security will find itself rushing to catch up to safeguard sensitive data.

DISCOVERING, REACTING TO AND REDUCING THREATS

The information you hold about your customers and the reputation of your brand are arguably the most valuable assets you own. As you continue to prioritize customer satisfaction, promote effectiveness, and interact with customers and partners through new applications and technology, defending these assets is a key priority. Poor information security configurations within retail organizations are providing a wide door for attackers to exploit, and in an industry with traditionally low margins the losses can add up. The most thorough way to close that door, and make sure your business lines operate as you’d like them to, is to employ a dedicated security department whose sole job is to monitor threats and make sure your organization is protected. Although such a department would be effective technologically, from a business perspective it is hardly the most cost-effective option, and it runs contrary to the prevailing trend of downsizing staff. Perhaps, as retail organizations move rapidly away from one-size-fits-all products to personalized services, retailers should consider securing assets in the same way. So, where to begin? Look to professional services providers who can help you develop and implement policies and procedures tailor-made to your retail organization. Such experts can construct systems that mitigate risks while relieving you of the added investment in staff and technology that a dedicated IT security department would demand.
Managed security services suites can allow you to monitor and control a variety of applications, devices, and other network resources and protect your business from the numerous threats you and your extended enterprise are likely to face. As you select a security vendor partner, the experts you work with should recognize that supply-chain and store-level inventory visibility, as well as reducing out-of-stocks and improving efficiencies, are top priorities.

With a services approach, you get state-of-the-art security delivered by experts whose role it is to stay on top of the latest threats as and when they appear. This can help you to strengthen your existing security and compliance programs, or allow you to create new ones from the ground up. Most importantly, it can allow you and your organization to concentrate on what matters: selling goods and services.

In terms of securing mobile services, you can instruct the service supplier to address the fast-changing, unique security concerns related to the deployment and operation of a wireless infrastructure. This should cover all aspects of wireless security, including verifying the proper use of encryption and authentication, searching for rogue access points, and reviewing access point configuration. Such a methodology also works for protecting wireless data around stores, such as that generated by radio-frequency identification (RFID) tags in real-time inventory checking.

For retail merchants migrating to or using cloud computing, a competent service provider can help you identify threats quickly and efficiently. Work with an expert who has the real-world experience to protect your business from common threats like denial of service (DoS) attacks.
A strong partner can help establish filters for email and web traffic to steer clear of viruses, spam, and malware in general.

PLAYING YOUR CARDS RIGHT TO REDUCE PAYMENT FRAUD

Fraud and general malpractice related to payment cards are both among the top issues retailers face today.

In terms of practices you can deploy to detect breaches associated with misuse of credit cards, the most common third-party method is Common Point of Purchase analysis, or CPP. At a very basic level, CPP identifies probable breaches based on the purchase histories of stolen payment cards. You can use it to limit financial losses due to fraudulent transactions, and it works quite well for that purpose.

One of the most effective methods for protecting cardholder data is still compliance with the Payment Card Industry Data Security Standard (PCI DSS). As in past DBIR reports, most organizations (89 percent) suffering a credit card breach had not been validated PCI compliant at the time. In comparison to past reports, the 2011 DBIR’s PCI DSS compliance/non-compliance ratio leans more toward non-compliance. It also indicates the change is likely due to more level three and four merchants—such as smaller retailers, home-based businesses, hotels, restaurants—in the dataset, whereas previous caseloads reflected a higher percentage of level one or two merchants and/or service providers such as larger financial institutions.

Experts note PCI compliance is no silver bullet. Just being PCI compliant does not guarantee that all of your systems and data are secure. A comprehensive security program that protects your customer and company information, as well as potential access and connection points in the network, must be in place. Often a daunting task for internal IT teams low on resources, it can benefit a retailer to employ a managed services provider to implement a PCI DSS program.
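The CPP paragraph above describes the method only at a very basic level. As an added example, not from the white paper and not any card brand’s or issuer’s implementation, the Python below performs a minimal Common Point of Purchase analysis over constructed data: for each merchant it counts how many fraud-reported cards shopped there before their fraud was reported (purchases after the report cannot have been the source of the compromise) and compares that coverage with the merchant’s share of all cards, so that a merchant everyone shops at does not outrank the probable compromise point. The card ids, merchant names, dates and the `common_point_of_purchase` function are all constructed for illustration.

```python
"""Added example, not from the white paper: a minimal Common Point of Purchase
(CPP) analysis over constructed card data. It ranks merchants by the share of
fraud-reported cards that shopped there before their fraud was reported, and
compares that with the merchant's share of all cards so a merely popular
merchant does not outrank the likely compromise point."""
from collections import defaultdict
from datetime import date

# Constructed transactions: (card id, merchant, purchase date). Not real data.
TRANSACTIONS = [
    ("c1", "MegaMart", date(2011, 4, 2)), ("c1", "Corner Deli", date(2011, 4, 5)),
    ("c1", "Bookshop", date(2011, 4, 6)),
    ("c2", "MegaMart", date(2011, 4, 3)), ("c2", "Corner Deli", date(2011, 4, 8)),
    ("c2", "Fuel Stop", date(2011, 4, 9)),
    ("c3", "Corner Deli", date(2011, 4, 4)),
    ("c4", "MegaMart", date(2011, 4, 1)), ("c4", "Corner Deli", date(2011, 4, 10)),
    ("c4", "Bookshop", date(2011, 4, 28)),   # after c4's fraud report: ignored
    ("c5", "MegaMart", date(2011, 4, 2)), ("c5", "Corner Deli", date(2011, 4, 3)),
    ("c6", "MegaMart", date(2011, 4, 7)), ("c6", "Bookshop", date(2011, 4, 7)),
    ("c7", "MegaMart", date(2011, 4, 9)), ("c7", "Fuel Stop", date(2011, 4, 9)),
    ("c8", "MegaMart", date(2011, 4, 11)),
]

# Constructed fraud reports: card id -> date the issuer first saw fraud on it.
FRAUD_REPORTS = {
    "c1": date(2011, 4, 20), "c2": date(2011, 4, 22),
    "c3": date(2011, 4, 21), "c4": date(2011, 4, 25),
}


def common_point_of_purchase(transactions, fraud_reports, min_cards=2):
    """Return merchants ranked as candidate compromise points.

    coverage: fraction of fraud-reported cards seen at the merchant before
              their report date.
    lift:     coverage divided by the merchant's share of all cards; 1.0 means
              the merchant is no more common among fraud cards than overall.
    """
    compromised_at = defaultdict(set)   # merchant -> fraud cards seen there
    all_at = defaultdict(set)           # merchant -> every card seen there
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        all_at[merchant].add(card)
        reported = fraud_reports.get(card)
        if reported is not None and day < reported:
            compromised_at[merchant].add(card)

    results = []
    for merchant, cards in compromised_at.items():
        if len(cards) < min_cards:
            continue  # a single card proves nothing about the merchant
        coverage = len(cards) / len(fraud_reports)
        base_rate = len(all_at[merchant]) / len(all_cards)
        results.append({
            "merchant": merchant,
            "compromised_cards": len(cards),
            "coverage": coverage,
            "lift": coverage / base_rate,
        })
    results.sort(key=lambda r: (r["coverage"], r["lift"]), reverse=True)
    return results


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTS):
        print(f"{r['merchant']:12s} cards={r['compromised_cards']} "
              f"coverage={r['coverage']:.2f} lift={r['lift']:.2f}")
```

On the sample data Corner Deli is seen by all four fraud cards and by five of eight cards overall (coverage 1.0, lift 1.6), while MegaMart is seen by three of the four fraud cards but by seven of eight cards overall (coverage 0.75, lift below 1), so the deli ranks first even though the supermarket has more transactions. In practice the merchant dimension would be a merchant id and terminal, the card population would be the issuer's whole portfolio, and the analyst would still need to confirm the candidate before acting on it.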
CLOSING THE COOKIE JAR LID

Many may assume the battle against cybercrime is being won, but it’s a battle that is still being fought, and attackers have their eyes firmly on the prize—payment data. And in this world, the rules and tactics are ever changing.

To help reduce your risk, implement the basic tenets of an information risk management program and maintain this initial investment over time. This would include your network and data defense technology basics such as firewalls, anti-virus technology, and identity and access management, as well as creating an official risk management policy and process development for keeping system security updated.

Like wandering hands in cookie jars, electronic attacks on retailer networks probably won’t go away totally, but with the appropriate security framework in place you can close the lid on a lot of your jars.

VERIZON RETAIL

Verizon Retail is an IT consulting practice group focused on helping retailers simplify their IT infrastructure, better control costs, and protect their data and reputation, with the ultimate goal of better serving customers. Through Verizon’s Framework for Retail, the company brings a standards-based approach to retailers. The framework leverages Verizon’s networking, managed IT and application solutions, specifically drawing upon Verizon’s cloud computing and security offerings. More information is available at verizonbusiness.com/solutions/retail. Contact us at firstname.lastname@example.org. For tips on realizing the full potential of your retail IT investments, visit the Verizon Retail Blog.