Learning the lessons of the Target breach
Tuesday February 11 2014
IT security expert Corey Nachreiner provides retailers with six key network security learnings from the recent Target data breach in the US
Between 27 November and 15 December last year, unknown attackers breached the network of US retail giant Target and stole the debit and credit card data of 40 million account holders, along with personally identifying information (PII) on a further 70 million accounts.
“Now that we know some of the facts around the breach we need to look at what retailers can learn to try and avoid it happening again,” said Corey Nachreiner (CISSP), director of security strategy and research at WatchGuard Technologies. “Over the past few years there has been a steady increase in malware that specifically targets PoS [point-of-sale] systems and the Target breach shows how popular it has become with cyber criminals.”
“Since many PoS systems are just Windows or Linux computers, PoS malware looks and acts very much like normal malware, but with some distinct differences,” said Nachreiner. “First, it’s designed to search the victim computer’s active memory, rather than just searching its file storage system. This is because PCI requires retailers to encrypt sensitive data in motion or at rest. But no matter how aggressively data is encrypted there is a split second where the device getting the data has to see and store it in active memory. Second, PoS malware is designed to sniff out credit card magstripe data.”
Preparing to defend PoS systems
So, how do you prepare for PoS malware? Nachreiner gave Retail Technology some basic tips:
- Patch PoS systems – Like any system, this is vital to fix unnecessary flaws that make it easier to install malware.
- Enforce a separation of duties – If you’re browsing the Internet or checking your email from the same device that you use to run PoS software to take payments - you’re doing it wrong.
- Educate your cashiers – Nachreiner pointed out that sometimes simple vigilance makes the best defence. If staff understand that PoS systems are susceptible to malware, they can be on the lookout for unusual signs of attack or infection.
- Migrate away from XP – Reportedly, up to 95% of ATMs are running on Windows XP systems. Microsoft is ending support for XP in the next four months or less, which means it will not receive security updates in the future. "So, don’t use XP on your PoS systems," he said.
As well as preventing malware, Nachreiner provided some other ways to protect your PoS systems. Firstly, he urged retailers to segment their trusted network. "Many organisations still have a myopic view of how they segment their network," he said. "In every organisation, there are people or assets with different levels of privilege or sensitivity. Use a firewall or UTM [unified threat management] device to segment your internal, trusted network with more granularity.
"In this case, an external HVAC subcontractor’s credentials helped the attackers access Target’s network. If these internal HVAC systems were further segmented from the PoS systems on a network level, it would have made it harder for attackers to make lateral movement within Target’s networks."
Taking a more proactive stance
The security expert also urged retailers to take a more proactive stance when it comes to malware detection. Antivirus (AV) technology still relies very heavily on reactive, signature-based detection. This means that it can’t find and block new malware until after it is first analysed, which is typically not until after it’s infected at least one victim.
"More proactive detection technologies use techniques like behaviour analysis or code emulation. Most recently, new malware detection controls use something called virtual execution to run unknown binaries in a fully virtualised environment, in real time," he said. "These newer solutions find previously undiscovered malware by monitoring for suspicious behaviours before any damage is done.
"One way to protect data directly is with data loss prevention (DLP) technologies that can see sensitive data as it passes your borders. DLP is not foolproof - smart attackers might encrypt things to get it past sensors -- but it does pose another roadblock," he added.
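As an added illustration of the DLP idea above (example code written for this page, not from the article or from WatchGuard): a small Python checker that scans outbound text for ISO 7813 Track 2 magstripe records and Luhn-valid card numbers, and shows the caveat Nachreiner raises, since the same record base64-encoded produces no alert. All sample lines and card numbers are constructed test values.

```python
import base64
import re

# Track 2 record layout (ISO 7813): PAN (13-19 digits) '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Bare 13-19 digit runs; only reported if they pass the Luhn check
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card PANs; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits so an alert never re-exposes the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list[str]:
    """Return DLP findings for one line of outbound traffic (plain text only)."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        pan, yymm = m.group(1), m.group(2)
        if luhn_ok(pan):
            findings.append(f"track2 pan={mask(pan)} exp={yymm[2:]}/{yymm[:2]}")
    rest = TRACK2_RE.sub(" ", line)      # don't re-report PANs already found in a track record
    for m in PAN_RE.finditer(rest):
        if luhn_ok(m.group(1)):
            findings.append(f"pan={mask(m.group(1))}")
    return findings


# Constructed sample lines; 4111... and 5500...0004 are well-known test card numbers
TRACK = "4111111111111111=2512101000000000000?"
SAMPLE_LINES = [
    "SWIPE " + TRACK,                                   # raw track data leaving the network
    "POST /export card=5500000000000004 amount=12.50",  # bare PAN in a request body
    "GET /sync?id=1234567890123456",                    # 16 digits but fails Luhn: no alert
    "POST /upload blob=" + base64.b64encode(TRACK.encode()).decode(),  # encoded: slips past
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scan_line(line) or "-", "<=", line[:60])
```

The last sample line is the roadblock's limit: once the attacker encodes or encrypts the payload, content matching at the border sees nothing, which is why the article pairs DLP with segmentation and monitoring rather than relying on it alone.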
And he said it would also pay to put more focus on detection and response, describing cyber security as a "continuous arms race" in which organisations will never have the perfect defence. "That’s why you should focus some of your security efforts on security visibility and analytics," he added. This kind of monitoring can help quickly identify network anomalies or security events, so that the incident response team can react immediately and cut off any attacks in progress.
“Any retailer could suffer a breach like Target and in my opinion the company actually handled it quite responsibly,” Nachreiner concluded. “Even if you do all the right things and implement all the right defences, a simple human mistake can be the hole that lets that persistent advanced attacker in.” He added, “Rather than blame the victim, we need to learn from these events and make it harder for criminals to succeed next time.”