Into the Breach: Is Your Retail Data Vulnerable?


by Ryan Rubin
Managing Director – Leader, Identity & Access Management Services


The fallout from recent headline-grabbing data breaches has entered a critical phase. Retailers face hundreds of lawsuits, according to stories appearing in the Los Angeles Times and Lawyers and Settlements. Executives at some retailers hit by cybercrime have been called before congressional committees of the U.S. government to discuss the breaches.

Protiviti has made the issue of retail data security a high priority, not only in the United States but also in the United Kingdom (where I reside) and worldwide. Our security experts in the field continue to see malware targeted at the retail sector, and point-of-sale systems in particular.

You’ll find a wealth of information on the topic of retail data security on our website. For discussion purposes, let’s start with the four basic questions every director of a retail organization should ask:

  • Have we already been breached?
  • Would the information technology department know?
  • If we have not been breached, do we know that our systems can stand up to a targeted cyberattack?
  • Are we ready to respond?

The answers to these questions, and others, are the subject of our recent Protiviti point-of-view paper entitled “High-Value Targets – Retailers Under Fire,” in which we lay out a macro approach for reducing the risk of cyberattack and recommend asking these additional questions:

  • Do our contracts with strategic partners include the right to a forensic review of their systems and system logs?
  • Do we segment partner systems that don’t require access to cardholder data from the cardholder data environment?
  • Do our security professionals focus on the highest-impact controls?
  • Do we acknowledge that a breach is inevitable and ask if the cost of detailed logging outweighs that of a long investigation?

I know I’m posing a lot of questions here, but as directors and managers, you are in the question-asking business. To that end, I’ll leave you with one final list of questions, composed by my colleagues Jeffrey Sanchez and Scott Laliberte, both managing directors here at Protiviti. Answering these questions will help you devise a ground-level approach to cyber risk management as introduced in their recent webinar, “Prevention of Data Breach in the Retail Industry.”

  • Do we have controls at each phase of the “breach kill chain,” that is, when the malware is trying to get into our system, for example, or trying to sneak our data out?
  • Have we installed password management software?
  • Do we have secure remote access and administration of our systems?
  • Do we run updated point-of-sale software apps—even though it’s a challenge to push new technology out to thousands of stores?
  • Do we use hardware-based, point-to-point encryption?
  • Are our payment applications PA-DSS-compliant and installed properly?
  • Do we use the latest version of our operating system?
  • Do we use application whitelisting to prevent unknown executables (the “.exe” files that are commonly used to download and install software and patches) from executing, and have we worked around the administrative issues that whitelisting can cause?
  • Have we ensured that only preauthorized ports, services and IP addresses are communicating with our network?
  • Do we know who has privileged access to our environment and are we in control of monitoring such users?
  • Have we created strict access control lists that segment public-facing systems and back-end database systems that house payment card data?
  • Have we implemented tools to detect anomalous network traffic and anomalous behavior by legitimate users?

The market is learning that the cost of the exposure of private customer or consumer information can be crippling; for a large organization, it can reach hundreds of millions of dollars.

Is your organization doing everything it can to prevent data breaches? Do you have any best practices you’d like to share in the comment section below?

On a final note, Protiviti is exhibiting at the Black Hat Conference in Las Vegas, August 2-7, where I’m looking forward to meeting colleagues and organizations engaged in improving security and privacy measures. We’re in Booth 1064. If you plan to be at the event, please stop by!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s