The Art of Data Protection
Mor Ahuvia, November 26, 2014, 01:41 pm EST
You’ve started your holiday shopping already, right? If not, warm up those credit cards and get out there! The National Retail Federation estimates that sales in November and December will increase 4.1% to $616.9 billion. Furthermore, Shop.org predicts that online sales specifically will grow anywhere from 8-11% from last year, accounting for as much as $105 billion. But as consumers prepare their charge cards for battle, are retailers prepared to continue to fight the war against point of sale attacks?
Recently, the US Department of Homeland Security (DHS) released an advisory, in which the agency “encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections.” Of special concern is a strain of PoS-targeted malware called “Backoff”, which, according to the advisory, “was not recognized by antivirus software solutions until August 2014,” and which according to the US Secret Service is estimated to affect over 1,000 businesses.
While specific to the Backoff malware, the advisory and its recommendations can be applied to numerous strains of PoS-targeted malware, which lead to more breaches than you would think. In fact, the 2014 Verizon Data Breach Investigations Report tallies 198 PoS breaches with confirmed data exfiltration in 2013. According to the report, “brute force remote access connections to POS still leads as the primary intrusion vector. A resurgence of RAM scraping malware is the most prominent tactical development in 2013.”
Correlating with the Verizon Report’s conclusions, the US-CERT alert of July 31, on which the DHS advisory is based, reports that the Backoff malware targets PoS terminals after the attackers first do some reconnaissance. The hackers scan the target system for legitimate remote-access software, which allows one system to remotely control another. After locating systems that have this type of program installed and reaching their remote-desktop login screen, the hackers brute-force the target system’s password, using a program that systematically checks all possible passwords. They then install the malware on the target device, and the malware scrapes the compromised system’s RAM (memory) for credit card ‘track’ data, including cardholder and payment card details, which are fed to the system from a card reader or PIN terminal.
To thwart this type of intrusion, retailers are advised to employ countermeasures on several fronts, including the network, the PoS-connected system and the card reader. There are a few different security solutions that should be implemented to protect these systems from attack. First of all, point-to-point encryption should be deployed so customer data is protected from the moment a card is swiped in the card reader to the point where it reaches the payment gateway. This ensures that data is encrypted throughout the entire process and stays secure until reaching the end of the retail payment ecosystem. Additionally, two-factor authentication should be deployed in order to prevent data loss in the following scenarios:
- Brute-force remote access to a PoS device (in which access to payment card data is gained).
- Unauthorized access to the retailer’s network infrastructure, including access to datacenter consoles and cloud-based resources.
- Unauthorized access to web-based off-the-shelf enterprise web applications.
The important thing to keep in mind is that access to one application or device can be leveraged to compromise additional access points. For example, an infected PoS-connected system may lead to additional devices being compromised, as malware can propagate itself through network shares (shared network drives).
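The brute-force remote-access pattern described above is something a PoS operator can look for in its own login logs. The following is an added example, not code from the original post or from SafeNet: it scans a constructed remote-desktop authentication log (hypothetical `LOGIN_FAILED`/`LOGIN_OK` line format) and flags any source address that succeeds after a run of failures.

```python
"""Added example (not from the original post): flag the brute-force
remote-access pattern from the DHS/US-CERT Backoff advisory in an auth log.

A PoS host that accepts remote-desktop logins should alert when one source
address piles up failed logins and then succeeds; that sequence is the
intrusion vector the advisory and the Verizon DBIR describe.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical
# "<timestamp> <result> user=<name> src=<ip>" format.
SAMPLE_LOG = """\
2014-11-20T02:14:01 LOGIN_FAILED user=pos01 src=198.51.100.7
2014-11-20T02:14:03 LOGIN_FAILED user=pos01 src=198.51.100.7
2014-11-20T02:14:05 LOGIN_FAILED user=admin src=198.51.100.7
2014-11-20T02:14:08 LOGIN_FAILED user=pos01 src=198.51.100.7
2014-11-20T02:14:10 LOGIN_FAILED user=pos01 src=198.51.100.7
2014-11-20T02:14:12 LOGIN_OK     user=pos01 src=198.51.100.7
2014-11-20T09:00:00 LOGIN_FAILED user=clerk src=10.0.5.22
2014-11-20T09:00:09 LOGIN_OK     user=clerk src=10.0.5.22
"""

LINE_RE = re.compile(r"^(\S+)\s+(LOGIN_FAILED|LOGIN_OK)\s+user=(\S+)\s+src=(\S+)$")


def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src


def find_bruteforce(log, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: (failure_count, user)} for every source whose
    successful login follows at least `threshold` failures within `window`."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    hits = {}
    for ts, result, user, src in parse(log):
        if result == "LOGIN_FAILED":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= threshold:
            hits[src] = (len(recent), user)
        failures[src].clear()        # a success closes the current run
    return hits


if __name__ == "__main__":
    for src, (count, user) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {src} succeeded as {user} after {count} failures")
```

A single failed login followed by success (the clerk entry) stays below the threshold, so only the run from 198.51.100.7 is reported.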
As demonstrated by the Target breach, retailers are being pressured to secure their systems not only by public censure in media headlines, but also by regulatory fines, compensation to consumers and the risk of senior management losing their jobs. Recovery from a breach is only exacerbated by the fact that 65% of consumers are less likely to shop at a business known to have suffered a breach, as uncovered in a recent SafeNet survey.
To learn more about the threats to point-of-sale systems, visit our educational and interactive Retail Payment Ecosystem site.
Mor Ahuvia, November 25, 2014, 12:47 pm EST
What does your organization’s IT ecosystem look like? Chances are that if your workplace is a typical one, then its IT ecosystem looks like a piñata that has just been bashed by a baseball bat. Strong authentication may be required of users accessing the corporate VPN or OWA, but is most likely not required if they are accessing a web portal, a virtualized solution such as XenDesktop, or a cloud-application such as Salesforce.com, ShareFile or Drop Box.
Rather, SaaS and virtualized applications are usually protected only by a password at worst, or by an application-specific two-factor authentication (2FA) method at best—and in the latter case IT administrators have no way of knowing whether you are actually using it.
Case in point: earlier this year, a breach that appears to have involved two hosted resources used by Bit.ly led the company to inform its users that it had “Enforced two-factor authentication on all 3rd party services company-wide.” Put into numbers, it becomes clear that most organizations are struggling to implement consistent access controls across their virtual, on-prem and cloud-based resources:
- 82% of organizations deploy VPNs
- 74% deploy virtualized solutions
- 68% support employee-owned devices
- 61% have adopted at least one cloud application
Moreover, 74% of IT and security professionals are looking for solutions that support compliance and security, as most of them are currently struggling to audit their IT estates. In other words, workplaces that haven’t expanded beyond the traditional corporate network perimeter are now in the minority, and often comprise either highly conservative or highly secure bodies, such as government, military and other public sector establishments.
The good news is that organizations can in fact implement consistent access controls, and specifically strong two-factor authentication, throughout their IT ecosystem. They can gain visibility into access events occurring across their resources—be they on-prem or hosted—with the help of a single audit trail produced by a single authentication backend. In fact, we have a solution brief that can tell you all about it.
With a huge amount of resources invested in developing a brand’s intellectual property, be it source code, formulas or engineering blueprints, to name a few—and with over 500 cyber-espionage breaches tallied by Verizon’s Data Breach Investigations Report in 2013 alone—securing an organization’s data, wherever it resides, has never been so critical.
Diagram: SafeNet Enterprise Authentication (image not reproduced)
Source: VPN adoption rate, Best Practices for Securing Remote and Mobile Devices WP: http://www.beyondtrust.com/Content/whitepapers/Best-Practices-for-Securing-Remote-and-Mobile-Devices-WP.pdf
Source: BYOD, VDI and Cloud adoption stats, Spiceworks 2014 State of IT Survey: http://www.spiceworks.com/marketing/state-of-it/report/
Source: [Infographic] Unlock the Potential of Data Center Consolidation: http://data-protection.safenet-inc.com/2014/02/infographic-unlock-the-potential-of-data-center-consolidation/
Control your data in the cloud.
If there is one piece of advice that we have heard repeatedly from industry experts in the last six months, it is this. Every business has sensitive data, and whether the advice is from an industry analyst, virtualization expert, or security guru, the message is the same: customers of the cloud must encrypt their data and maintain control of the encryption keys.
Many organizations believe this can only be done on their premises, and if that’s the case, what’s the point of the cloud? Often, companies hesitate to bring compliance-regulated or business-sensitive data to the cloud—especially when stealing a virtual machine can be as simple as copying a file. What access does the cloud provider have to the data? What access do government agencies have—and what can they compel the provider to do without the company’s knowledge?
This lack of trust in the cloud is what’s preventing customers from gaining the economic and time-to-market advantage that cloud computing has to offer. And it’s holding back the addressable market for cloud service providers (CSPs). Any CSP that can address this issue will have a huge advantage—a larger addressable market, a bigger footprint for cloud use in existing customers, and a security bar that competitors may not be able to meet.
What can CSPs do in order to solve this problem? The answer is adding customer-managed encryption and key management to their cloud service offerings. With encryption keys that the customer (not the CSP) owns and manages, control of the data and separation of duties can be fully demonstrated, even in multi-tenant cloud environments. This control and separation enables customers to bring sensitive workloads and data to the cloud – driving more value for the customer and the cloud provider.
This is not to be confused with service provider-managed encryption (sometimes called server-side encryption). Server-side encryption can be useful, but doesn’t address the issue of data separation. If the service provider is providing the encryption and the key management, it may help separate a customer’s data from other tenants or protect against media disposal by the provider. However, it doesn’t keep the service provider, or of particular interest right now, government agencies compelling the service provider, from accessing decrypted customer data.
SafeNet has a security solution that CSPs can deliver to customers to encrypt their data and maintain full ownership of their encryption keys—thus demonstrating control and separation of their data from the CSP and from government agencies that may compel it to provide data.
SafeNet ProtectV and KeySecure enable service providers to deliver a low-overhead solution that effectively separates and protects customers’ sensitive data and proves customer ownership of encryption keys in popular cloud and virtualization platforms. All customer data assets are properly isolated and the customer maintains ownership of their data, always—even in shared, multi-tenant clouds. (In addition to ProtectV for virtual instances and infrastructure-as-a-service, SafeNet has other customer-managed encryption solutions for other cloud-based use cases.)
If you’re a CSP interested in giving your customers a customer-managed encryption solution on any VMware-based cloud platform or an AWS partner driving solutions in Amazon Web Services’ EC2, or Amazon VPC, contact SafeNet today. The combination of SafeNet ProtectV and Virtual KeySecure is a low-overhead, low-impact solution to effectively protect sensitive data and prove ownership of encryption keys.
After collecting publicly available information about worldwide data breaches, the Breach Level Index (BLI) showed that there were over 183 million data records lost or stolen from July through September 2014.
As our new infographic shows, that means there were nearly 2 million records lost or stolen every day. That’s 23 records a second. Of the 320 reported breaches in Q3, 46% involved identity theft, making it the #1 type of data breach.
The quarter reaffirmed that cyber attackers are unrelentingly targeting valuable financial and personally identifiable information, as the financial services industry experienced 42% of the third quarter breaches and the retail industry experienced 31%.
The financial services industry was hit particularly hard due to the JPMorgan Chase breach, in which 76 million data records — including customer names, email addresses, phone numbers and addresses — were stolen, and the breach was given a 10.0 risk score by the Breach Level Index. Thankfully, financial records were not obtained.
For more information and to keep track of the latest data breaches, visit breachlevelindex.com.
Alexandra Lating, November 17, 2014, 03:31 pm EST
Something that never ceases to amaze me is how early stores in the U.S. start preparing shoppers for the holiday season. It seems like Halloween just happened (which it did) and stores are already playing holiday music and putting decorations on display. It’s really like we almost skipped Thanksgiving entirely. But with only two and a half weeks until Black Friday, retailers have their eye on the prize – holiday shopping season.
And who can really blame them? The National Retail Federation estimates that sales will increase 4.1% in November and December alone, rising to $616.9 billion. Additionally, holiday sales will account for a little over 19% of all retail industry sales for the year.
So whether I am ready or not, it’s time to start preparing the good old holiday shopping list. After going through the grueling activity of narrowing down who makes the gift list, the real fun starts – who gets what. For me, this is a critical element of holiday shopping. It’s so easy to get distracted (and spend way more than you meant to) if you don’t have a plan.
Retailers need to make sure they have their holiday shopping season checklist ready, too. The holiday season isn’t just a favorite of retailers and consumers. It really is the most wonderful time of the year to be a hacker. They’ve been preparing for the holiday season long before the fall, and they’re primed and ready to attack your customers’ data.
As a retailer, you need to be ready for any attack they may pose against the complicated and highly vulnerable retail payment ecosystem. So while my list is filled with sweater sizes and gift card preferences, a retailer’s list should cover all of the basics of a robust data security solution.
So what should be on the retailer’s holiday list?
- Point-to-Point Encryption – Prevent hackers from intercepting your data as it moves through the payment ecosystem by keeping it encrypted from the card reader to the payment gateway
- Code Signing – Ensure that attackers can’t manipulate software updates by posing as legitimate sources and stealing customer information and transaction data from point-of-sale and point-of-interaction systems
- Strong Authentication – Don’t let hackers exploit your passwords to gain entry to systems and acquire easy access to customer data
- Data Encryption – Whether at rest or in motion, your data is always vulnerable to attack, and attackers are always looking to steal your data
Checking all of these off the list is the only way to completely ensure the security of your customers’ personal and transaction data.
Check back for new installments of this blog series to learn about the importance of these security solutions and just how critical they are to protecting your data. And what else could a retailer want this year?!
For more information about how to address cyber threats to transaction data, visit our Retail Payment Ecosystem site.
Andrew Gertz November 18, 2014, 11:53 am UTC
Mor Ahuvia August 4, 2014, 09:30 am UTC