High-Value Targets Retailers Under Fire




Issue

Like all organizations in the distributed industry sector, retail businesses are challenged with the objective of maintaining financial health and growing in an era when consumer behavior and shopping methods are evolving at a tremendous rate. In order to respond to such rapid evolution, these businesses are adopting the core concepts and principles associated with omni-channel retailing. Omni-channel retailing is the next generation of multi-channel retailing, with a focus on a seamless approach to the consumer experience through all available shopping channels, e.g., mobile Internet-ready devices, computers, brick-and-mortar stores, television, radio, direct mail, catalog and so on. In order to accomplish this objective, retail businesses have deployed heavily customized software, rearchitected networks, established interconnectivity with new business partners, deployed specialized retail technology and further invested in web and mobile capabilities. And while retailers are working to ensure a more seamless experience and gain customer market share, this integration can come at a hefty price far beyond the cost of implementation when capitalized upon by an attacker.

Several characteristics of such networks in the retail environment help to make them a prime target for a sophisticated attacker:

- Diversified/distributed systems
- Rapid customization
- Integrated offerings
- High-value targets
- The compliance curse
- The checkbox approach

Diversified/distributed systems

The more diversified the system inventory, the more difficult it is to manage security effectively. Core tenets and services offered by information security departments are spread thin across a diversified infrastructure, and the IT resources required to enforce security cannot act quickly enough to respond to remediation requirements. Common issues include:

- Decreased efficiency in vulnerability identification, configuration enforcement and system patching.
- The need for further customization and baselining of logging and monitoring resources in order to provide adequate coverage; as a result, detection and alerting capabilities are reduced.
- The need for additional ports and system interconnections to support diversified services. A larger number of legitimate services, protocols and interconnections makes it significantly more difficult to identify malicious activity.

Furthermore, the risks associated with diversification of systems are compounded when those systems span a vast and/or global network environment, making the proverbial haystack larger and the needle much more difficult to find.

Rapid customization

In responding to consumer demand, retailers continually seek to enhance their internal technologies. Further, given the increased presence of analytical data, internal knowledge capital and pressure from management to be innovative, many retailers embark on development efforts to customize software in support of achieving business objectives. However, several risks can result from customization. For example, quickly developed applications may be developed insecurely and contain vulnerabilities that are later exploited.

Integrated offerings

Just as in many other industries, retail merchants often rely upon third-party vendors to support the business, and will often share cardholder data with these service providers, grant them access to the company networks, and/or allow them to place systems on those networks. Although this practice is commonly used to streamline and diversify offerings, it also poses risk by increasing the number of attack vectors. Merchants typically have limited visibility into business partner systems that are permitted to reside on a merchant's network. Without the ability to manage or monitor the system or review the system logs, it is difficult to know if and when a partner's system is compromised. It is important to ensure that contracts with partners include the right to a forensic review of their systems and system logs in the event that an investigation is necessary. Partner systems that do not require access to cardholder data should be segmented from the cardholder data environment (CDE) or, if that is not possible, the merchant should treat that system as untrusted and encrypt the cardholder data (CHD) traffic on that internal segment to prevent eavesdropping.

High-value targets

Quite simply, most types of attackers (e.g., opportunistic attackers, organized criminals, cyber-terrorists) focus their efforts where there is the most profit to be gained. The result is that most malicious efforts and elaborate strategies are focused on exploiting vulnerabilities and systems specific to financial services institutions and retail businesses that process, store or transact personally identifiable information (PII).

The compliance curse

Compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements has never been less of a guarantee of protection from credit card theft. The PCI DSS exists as a minimum security standard for merchants, and while this may reduce the risk of credit card theft to a level acceptable to the payment card brands, it does not eliminate the risk to businesses or address the sophisticated attacks to which they are exposed. To reduce the scope of their compliance obligations, some organizations have taken to segmenting their CDE; however, this segmentation is often not effective, as attackers can use connected zones as a way in, often leveraging common ports and services that are used legitimately within the environment. PCI DSS 3.0 attempts to qualify segmentation more strictly, but even this may not be enough. There is no requirement to encrypt card data at swipe or as it traverses the internal network. Therefore malware such as traffic monitoring tools, keystroke loggers, memory scrapers, etc., that is introduced to the CDE and is able to evade anti-virus detection [1] could easily lead to credit card data being compromised. In addition, attackers frequently exploit privileged and service accounts, which are traditionally difficult to eliminate from the environment and are a common exception (compensating control) under PCI. Other compliance standards (ISO 27001, NIST SP 800-53, COBIT) are too broad and high-level to address the specific vulnerabilities that attackers are exploiting. The SANS 20 Critical Security Controls for Effective Cyber Defense tie real-world attack types to specific security measures and controls, but require a high level of maturity in security capabilities and significant investment to achieve.

While standards give comfort to senior management and third parties that security is being addressed, compliance can be a curse in the sense that it diverts security professionals' time and attention away from the specific risks to their environment and toward meeting general requirements. Security professionals should seek guidance relevant to their environment and focus on high-impact controls such as application whitelisting, to help prevent malicious or unapproved programs from running, and patch maintenance for third-party applications (e.g., PDF viewer, MS Office, ActiveX objects and other web browser plugins).

[1] Research indicates that newly created malware has an anti-virus detection rate as low as 5 percent, http://www.imperva.com/docs/hii_assessing_the_effectiveness_of_antivirus_solutions.pdf.

The checkbox approach

Once, "checking the box" literally meant leveraging a checklist as a method of demonstrating organizational diligence in governance. Today, like much else in the world of cybersecurity, the checkbox approach has evolved. The results, however, are similarly ineffective in addressing specific real-life threats. In modern-day box-checking, organizations default to the execution of compliance tasks that meet the bare minimum needed to satisfy industry requirements (e.g., PCI DSS). Assessors attempt to validate the security of a globally distributed enterprise by having a third party execute services remotely, and by spending mere days in the evaluation of a network that takes hundreds of personnel thousands of hours annually to manage. While the checkbox approach and a casual tabletop incident response exercise will still allow retailers to demonstrate their compliance with industry regulations, today's typical attack scenario is far more difficult to manage. Most attacker malware can leverage various means of exfiltration, and it is being designed to circumvent controls specifically developed to prevent or detect attempts to gain access to critical systems and infrastructure processing sensitive data, including credit card data and other PII. Further to the point, the checkbox approach is not sufficient to identify the weakest links, or chinks in the armor, that exist in organizational defense networks and can be subject to attacker reconnaissance and exploitation.

Challenges

Organizations are not prepared for the inevitability of cyberattacks and, to a certain extent, they never will be. Based on our execution of incident response services and interactions with the law enforcement community, we understand the following:

- Some hacker networks have more optimized development capabilities than many mid-sized businesses.
- Credit card memory scraping malware continues to evolve in its capabilities to store, exfiltrate, and delete traces of itself and the resulting output.
- Hackers do their homework and custom-design malicious code to interact with even proprietary systems residing within business environments.
- Malware is being designed to cloak itself and leverage the most common services deployed in retail businesses and their most common technologies.
- It is unfortunate, but in many cases, attacker networks implement better security controls in the design of their software than Fortune 500 companies, leveraging sophisticated encryption, not relying on common ports, and designing software with redundancy to ensure the availability and execution of their services within the victim environment.

Our Point of View

While this outlook seems bleak, there are many actions organizations can take to help minimize the duration and impact of such attacks.

Compensate for your compensating controls

Many organizations rely on cost/benefit or business justifications to limit their implementation of specific security controls. For example, while it may be easier to continue to allow the clear-text transmission of hard-coded passwords and to perform heightened periodic monitoring and alerting of authentications to cardholder systems as a compensating control, an attacker will still fully utilize the clear-text transmission to his or her advantage.

Environment awareness

Card systems are vast, and in the absence of intermediary devices that log specific system interactions, it is difficult to pursue an advanced attack within a globally distributed POS or financial system network. Applying firewalls at the perimeter only helps to identify malicious behaviors traversing two segments, but not the malicious activities occurring within either segment. For this reason, it is important to know your systems, and to maintain gold images and configuration data that allow for comparison and analysis in the event of an attack.
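The heightened monitoring and alerting of authentications to cardholder systems mentioned under "Compensate for your compensating controls" is, as the paper says, detection after the fact rather than a fix. The following is an added example, not Protiviti's code and not material from the paper, of what such an alerting check looks like when run over a handful of constructed authentication log lines. The key=value log format, the host names, the "svc_" service-account prefix, the 10.50.0.0/24 jump-host subnet and the failure threshold are all assumptions made for the example.

```python
"""Added example (not from the Protiviti paper): alerting on authentications
to cardholder-data-environment (CDE) hosts, run over constructed log lines.

Assumptions (constructed for this example): the log format, the CDE host
names, the 'svc_' service-account prefix and the 10.50.0.0/24 jump-host subnet.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOGS = """\
2014-06-01T02:10:11Z auth user=jsmith src=10.50.0.12 dst=pos-srv-01 method=interactive result=success
2014-06-01T02:11:02Z auth user=svc_pos src=10.20.1.5 dst=pos-srv-01 method=service result=success
2014-06-01T02:12:40Z auth user=svc_pos src=192.168.7.33 dst=pos-srv-02 method=interactive result=success
2014-06-01T02:13:05Z auth user=admin src=172.16.9.4 dst=pos-srv-02 method=interactive result=success
2014-06-01T02:14:00Z auth user=admin src=172.16.9.4 dst=pos-srv-02 method=interactive result=failure
2014-06-01T02:14:07Z auth user=admin src=172.16.9.4 dst=pos-srv-02 method=interactive result=failure
2014-06-01T02:14:15Z auth user=admin src=172.16.9.4 dst=pos-srv-02 method=interactive result=failure
2014-06-01T02:15:30Z auth user=mlee src=10.50.0.12 dst=inv-srv-01 method=interactive result=success
"""

CDE_HOSTS = {"pos-srv-01", "pos-srv-02"}              # constructed inventory
JUMP_HOST_NET = ipaddress.ip_network("10.50.0.0/24")  # constructed admin subnet
SERVICE_PREFIX = "svc_"                               # constructed naming convention
FAILURE_THRESHOLD = 3                                 # constructed tuning value

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_events(log_text):
    """Return a list of (rule_name, log_line) alerts for authentications to CDE hosts."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            # A line the parser cannot read is itself worth surfacing.
            alerts.append(("unparseable", line))
            continue
        if ev["dst"] not in CDE_HOSTS:
            continue
        interactive = ev["method"] == "interactive"
        # Rule 1: service accounts should never log on interactively to CDE hosts.
        if interactive and ev["user"].startswith(SERVICE_PREFIX):
            alerts.append(("service-account-interactive", line))
        # Rule 2: successful interactive logons must originate from the jump-host subnet.
        if interactive and ev["result"] == "success" \
                and ipaddress.ip_address(ev["src"]) not in JUMP_HOST_NET:
            alerts.append(("interactive-outside-jump-net", line))
        # Rule 3: repeated failures for the same (user, source, host) triple.
        if ev["result"] == "failure":
            key = (ev["user"], ev["src"], ev["dst"])
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append(("repeated-failures", line))
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    return dict(Counter(rule for rule, _ in alerts))


if __name__ == "__main__":
    found = check_events(SAMPLE_LOGS)
    for rule, line in found:
        print(f"[{rule}] {line}")
    print(summarize(found))
```

Note what the rules can and cannot do: they surface a service account used interactively, an administrator logging on from outside the jump-host subnet, and a burst of failures, but only because the raw authentication events were logged in the first place and only after the logon has happened. If the credentials travel in clear text, the alert does not change that, which is the paper's point about compensating controls.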

Logging

Yes, logging. Anti-virus software only detects a percentage of malware; intrusion detection and prevention tools (IDS and IPS) only capture events for which they have signatures or rules they are designed to prevent. The only thing that can be relied upon absolutely to assist in investigations and analysis is the raw logs. And while storage may be costly, organizations should acknowledge that a breach is inevitable and ask themselves the question: Does the cost of verbose logging, which can shorten an investigation considerably, outweigh the cost of a much longer investigation that results in inconclusive evidence and forces the company to notify more consumers of a potential breach than might actually have been impacted by the attack?

Broaden your focus

Compromise of critical infrastructure can have a dramatic impact on financial systems, even if they are segmented. For example, a domain controller in a far-removed domain or group deserves the same controls as a point-of-sale server, due to the domain controller's administrative capabilities.

How We Help Companies Succeed

Protiviti has responded to some of the most significant and industry-relevant security breaches in the last decade. Some of the largest Wall Street companies turned to us for critical help with their responses to cyberattacks. In addition, Protiviti led the financial services community for the past several years in the development and planning of global situational tabletops designed to better prepare organizations for cyberattacks, consistent with emerging attacker trends and capabilities. If your company suspects a credit card breach, Protiviti is one of 12 firms qualified by the PCI SSC to perform an investigation. We are uniquely qualified to provide assistance in security services both in the wake of a cyberattack and as an agent to assist organizations in a proactive response to one.

Apart from industry recognition as a leading provider of incident response and forensic services by the PCI SSC, Protiviti has deep expertise in the areas of response execution, forensic analysis and response plan development. Our expertise stems from multiple engagements, industry participation, extensive professional relationships, training, and dedication to the development and enhancement of incident response practices.

Example

Protiviti recently came to the assistance of a large organization that suspected a sophisticated breach had occurred but was unable to prove it. Since no readily apparent signs of the breach existed, Protiviti initiated a comparison of "gold" images to the binaries which existed on our client's systems, searching for telltale signs of malicious binaries. We identified and reverse-engineered the credit card memory scraping malware that was discovered through our process. The malware had been customized for our client's specific environment, and several of the malware elements used had not yet been detected by any known anti-virus signature. While on the ground, Protiviti's team quickly put in place plans and action items to identify and securely remove the attackers' presence. Managing the incident response included working with all stakeholders to coordinate various aspects of breach management. As a result of our work, our client was able to stop the breach quickly and prevent further compromise of customers' credit card information. Moreover, the client is now fully confident that it can continue to operate safely following this incident.
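The gold-image comparison described in the example above, and the advice under "Environment awareness" to maintain gold images and configuration data for comparison, both come down to a manifest diff: hash every file in the known-good image, hash every file on the live system, and classify each path. The following is an added example, not Protiviti's tooling and not from the paper, that does exactly that with SHA-256 manifests; the directory layout and file contents built in demo() are constructed so the script runs offline.

```python
"""Added example (not from the Protiviti paper): comparing a "gold" image
manifest against the files present on a system to surface unknown, altered
or missing files.

Assumptions: a manifest is a dict of relative path -> SHA-256 hex digest; the
directory trees and file contents created in demo() are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk root and return {relative_path: sha256}, using '/' as separator."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(gold, current):
    """Classify every path as added, removed, modified or unchanged relative to gold."""
    gold_paths, cur_paths = set(gold), set(current)
    common = gold_paths & cur_paths
    return {
        "added": sorted(cur_paths - gold_paths),        # on the system, not in the image
        "removed": sorted(gold_paths - cur_paths),      # in the image, missing from the system
        "modified": sorted(p for p in common if gold[p] != current[p]),
        "unchanged": sorted(p for p in common if gold[p] == current[p]),
    }


def _write(root, rel, data):
    """Create rel (with '/' separators) under root with the given bytes."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed gold tree and a constructed drifted system tree, then diff them."""
    with tempfile.TemporaryDirectory() as gold_root, tempfile.TemporaryDirectory() as sys_root:
        gold_files = {
            "bin/pos.exe": b"POS application v1.4 (constructed)",
            "bin/agent.exe": b"monitoring agent (constructed)",
            "etc/pos.conf": b"terminal_id=0001\n",
        }
        for rel, data in gold_files.items():
            _write(gold_root, rel, data)
        # The live system drifted: pos.exe was altered, pos.conf is gone,
        # and a binary that is not part of the image appeared.
        _write(sys_root, "bin/pos.exe", gold_files["bin/pos.exe"] + b" + extra bytes")
        _write(sys_root, "bin/agent.exe", gold_files["bin/agent.exe"])
        _write(sys_root, "bin/unknown.exe", b"binary not in the gold image (constructed)")
        return compare_manifests(build_manifest(gold_root), build_manifest(sys_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the gold manifest is generated from the image at build time and stored away from the hosts being checked, so that an intruder who alters a binary cannot also alter the reference hash. The "added" and "modified" entries are the candidates for the kind of binary analysis the example describes, and the manifest should cover configuration data as well as executables, as the "Environment awareness" section recommends.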

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and FORTUNE Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

Rocco F. Grillo, CISSP
Managing Director, Global Incident Response Leader
+1.212.603.8381
rocco.grillo@protiviti.com

Joseph A. Rivela, CISSP, GCIH
Director, Lead Response Coordinator
+1.212.399.8657
joseph.rivela@protiviti.com

Boyd S. White, CISSP, GCIH
Manager, Response Team Lead
+1.212.399.8701
boyd.white@protiviti.com

2014 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.