Learning the lessons of the Target breach

“Now that we know some of the facts around the breach we need to look at what retailers can learn to try and avoid it happening again,” said Corey Nachreiner (CISSP), director of security strategy and research at WatchGuard Technologies. “Over the past few years there has been a steady increase in malware that specifically targets PoS [point-of-sale] systems and the Target breach shows how popular it has become with cyber criminals.” 

“Since many PoS systems are just Windows or Linux computers, PoS malware looks and acts very much like normal malware, but with some distinct differences,” said Nachreiner. “First, it’s designed to search the victim computer’s active memory, rather than just searching its file storage system. This is because PCI requires retailers to encrypt sensitive data in motion or at rest. But no matter how aggressively data is encrypted there is a split second where the device getting the data has to see and store it in active memory. Second, PoS malware is designed to sniff out credit card magstripe data.” 

So, how do you prepare for PoS malware? Nachreiner gave Retail Technology some basic tips:

As well as preventing malware, Nachreiner provided some other ways to protect your PoS systems. Firstly, he urged retailer to segment their trusted network. "Many organisations still have a myopic view of how they segment their network," he said. "In every organisation, there are people or assets with different levels of privilege or sensitivity. Use a firewall or UTM [unified threat management] device to segment your internal, trusted network with more granularity. 

"In this case, an external HVAC subcontractor’s credentials helped the attackers access Target’s network. If these internal HVAC systems were further segmented from the PoS systems on a network level, it would have made it harder for attackers to make lateral movement within Target’s networks."

The security expert also urged retailers to take a more proactive stance when it comes to malware detection. Antivirus (AV) technology still relies very heavily on reactive, signature-based detection. This means that it can’t find and block new malware until after it is first analysed, which is typically not until after it’s infected at least one victim. 

"More proactive detection technologies use techniques like behaviour analysis or code emulation. Most recently, new malware detection controls use something called virtual execution to run unknown binaries in a fully virtualised environment, in real time," he said. "These newer solutions find previously undiscovered malware by monitoring for suspicious behaviours before any damage is done. 

"One way to protect data directly is with data loss prevention (DLP) technologies that can see sensitive data as it passes your borders. DLP is not foolproof - smart attackers might encrypt things to get it past sensors -- but it does pose another roadblock," he added. 

And he it would also pay to put more focus on detection and response, describing cyber security is a "continuous arms race", where organisations will never have the perfect defence. "That’s why you should focus some of your security efforts on security visibility and analytics," he added. This kind of monitoring can help quickly identify network anomalies or security events, so that incident response team can react immediately and cut off any attacks in progress.

“Any retailer could suffer a breach like Target and in my opinion the company actually handled it quite responsibly,” Nachreiner concluded. “Even if you do all the right things and implement all the right defences, a simple human mistake can be the hole that lets that persistent advanced attacker in.” Nachreiner concludes, “Rather than blame the victim, we need to learn from these events and make it harder for criminals to succeed next time.” 

Nachreiner's Target blog is available in full here.

Tweets by RetailTechUK