In this article, reposted from CSPnet.com, W. Capra Partner, Matt Beale describes the steps that all retailers should take to perform an effective security health check.
Who isn’t afraid of getting their information stolen—particularly their credit-card numbers? No one wants to see a random Caribbean cruise or flat-screen TV appear on their monthly statement.
What most people don’t know is that thieves would rather have the information on a loyalty application form vs. a single credit-card number. That data—called personally identifiable information, or PII—would help would-be thieves get closer to applying for multiple credit cards under that person’s name. Imagine that can of worms.
That’s why it’s more important than ever to consider your larger security strategy—whether it’s developing a new loyalty program or complying with newer, more stringent Payment Card Industry (PCI) standards.
Controlling Your Security
Though sensitive data comes in various forms, many of the foundational pillars of comprehensive security are common and can run across a business’ entire digital environment. Let’s look at four major areas:
A security health check. Essentially, it’s a study of the retailer’s data environment to assess what hardware and software exists, identify vulnerabilities and develop a multiyear plan to address key issues:
- Blocking the initial compromise. An example of this is software that prevents malware from making it into the company’s digital environment in the first place.
- Reducing the attack surface. This step identifies all the systems a hacker could access and reduces any domino effect. For instance, a company could build a firewall so that if one machine is compromised, it affects only five others vs. thousands.
- Identifying compromised machines. This means proactive monitoring, so that you are in a position to know whether you have been breached rather than assuming you have not.
- Disrupting the attackers’ command and control. The idea is to disable any malicious element that found its way into the environment, such as keeping malware from sending data off site. Everyone thinks it’s important to prevent the breach, to be proactive, but you also need a plan for what to do in the event of a breach.
Application control. This is software that ensures no unauthorized code can be installed or executed on any register, server or PC. It’s the opposite of anti-virus, which looks for what is known to be bad: with application control, nothing can be installed or executed on the machine unless it’s on an approved list. For instance, any box with a Windows environment has hundreds of unused files that can be run if a hacker gets access to a command prompt. Application control not only stops malware from running, but also keeps anything you don’t need from ever becoming active.
Security Information and Event Management (SIEM) capability. A SIEM correlates and tracks log files across many different types of devices. Those log files can provide clues of an impending attack. It’s like going into a jail and finding a prisoner with a knife before he has a chance to use it. In that analogy, the software detects combinations of elements, triggers and events to identify the potential perpetrator before he attacks.
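The kind of cross-device correlation described above, as an added Python example (constructed for illustration here; it is not W. Capra's code or any SIEM product's rule language). It joins an application-control signal from a register (a process start that is not on the approved list) with a firewall signal (an outbound connection from that same register to a non-corporate address shortly afterwards), which is the "data leaving the site" concern from the health-check list. The log formats, host names, approved-image list and network ranges are all assumptions.

```python
"""Correlate register process-start logs with firewall logs (constructed example)."""
from datetime import datetime, timedelta

# Assumed approved-image list for registers (application-control allowlist).
APPROVED_IMAGES = {r"C:\POS\register.exe", r"C:\Windows\System32\svchost.exe"}
# Assumed internal address space; outbound traffic elsewhere is "off site".
CORPORATE_NETS = ("10.",)
WINDOW = timedelta(minutes=5)  # how long after the process start we still tie a connection to it

# Constructed sample logs in an assumed "<timestamp> key=value ..." format.
REGISTER_LOG = [
    r"2024-03-01T10:00:05 host=reg-07 event=process_start image=C:\POS\register.exe",
    r"2024-03-01T10:02:10 host=reg-07 event=process_start image=C:\Windows\Temp\upd.exe",
    r"2024-03-01T10:03:00 host=reg-03 event=process_start image=C:\Windows\System32\svchost.exe",
]
FIREWALL_LOG = [
    "2024-03-01T10:02:40 src=reg-07 dst=203.0.113.9:443 action=allow dir=out",
    "2024-03-01T10:03:30 src=reg-03 dst=10.20.0.5:8443 action=allow dir=out",
    "2024-03-01T10:40:00 src=reg-07 dst=203.0.113.9:443 action=allow dir=out",
]


def parse(line):
    """Turn one key=value log line into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(register_log, firewall_log, approved=APPROVED_IMAGES):
    """Return (host, image, destination, time) for each unapproved process start
    that is followed within WINDOW by an outbound connection leaving the corporate network."""
    starts = [parse(l) for l in register_log]
    conns = [parse(l) for l in firewall_log]
    alerts = []
    for s in starts:
        if s["image"] in approved:          # application control would have allowed this one
            continue
        for c in conns:
            if c["src"] != s["host"] or c["dir"] != "out":
                continue
            if c["dst"].startswith(CORPORATE_NETS):  # stays inside the store network
                continue
            if timedelta(0) <= c["ts"] - s["ts"] <= WINDOW:
                alerts.append((s["host"], s["image"], c["dst"], c["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in correlate(REGISTER_LOG, FIREWALL_LOG):
        print("ALERT unapproved process then off-site connection:", alert)
```

Either signal alone is noise (registers start approved processes all day, and approved processes talk off site); the alert fires only on the combination, which is the point of the jail analogy.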
Security management review. Typically, corporate and retail technology systems fall under the same security umbrella. Unfortunately, they’re not the same. They have a different set of requirements, logistics and challenges.
Are You Lucky or Unaware?
Today, multiple issues are forcing retailers to think about security, with EMV (Europay MasterCard Visa) a big one. PCI is also raising the stakes, but so are pressures to develop mobile strategies and loyalty programs.
Underlying all that is security. So far, the majority of c-store retailers have been lucky and haven’t fallen prey to serious security attacks—knock on wood. Unfortunately, because of that luck, many retailers don’t see a need to budget for future security projects.
It could be a costly mistake, because while they might see themselves as lucky, I would say they just haven’t been targeted … yet. Or worse: They don’t know they’ve already been compromised.
Matt Beale is a partner with the W. Capra Consulting Group, leading its security and architecture practice. Reach him at firstname.lastname@example.org.