For the final retail cyber security blog post I will write an analysis of my blogs so far, what I've learned, and where I gathered my sources.
First off, I chose this topic because it is relevant to my current field. I work in an organization that processes debit and credit card transactions for banks and merchants. In my area we deal with merchants of all sizes - large corporations and mom-and-pop shops. I monitor applications for POS devices and online applications. This industry is also prone to attacks by hackers bent on obtaining consumers' PII and stealing data from companies. It is rare to go more than a couple of months without hearing about a major data breach in the retail sector.
A majority of my sources were news articles and the NIST special publications. You can gather a lot of information from NIST, and the media (while biased) does a great job highlighting companies' failure to secure our data. Each week I learned more about the vulnerabilities and risks of the industry, the tools hackers used to exploit those vulnerabilities, and the ways in which attacks can be prevented in the future. I hope this blog was beneficial for the perspective I could provide.
- Angie
Retail Cyber Security
Saturday, May 30, 2015
Tuesday, May 19, 2015
2015 Cyber Security Trends
Good Afternoon!
Today's blog post is going to feature what CIO online has predicted as the top trends for cyber security in 2015. As noted by the site, 2014 was the year of the "data breach", with large retailers and banks succumbing to attacks. Breaches will remain a prevalent threat for the future, but other trends are already emerging. Below I have listed the trends and some things to anticipate.
1. Cybercrime - those looking to exploit companies' vulnerabilities for monetary gain or notoriety. CIO has identified an increase in cyber criminal activity originating from former Soviet states.
2. Privacy and Protection - Governments are increasingly imposing policy and regulation on corporations to restrict the handling of personal data. The emphasis on policy, and on hefty fines for failure to secure consumer data and prevent large-scale breaches, will only continue.
3. Threats from 3rd party providers - Large companies often need to share sensitive data with third-party organizations and vendors. Attackers exploit vulnerabilities in these smaller companies, which are usually less well defended, to reach the data of the larger corporation.
4. BYOD trends - the bring-your-own-device trend in the workplace is now common. Personal hard drives, laptops, and smartphones are replacing company-issued devices. While this saves the company money, the number of "openings" it creates for a breach is significant. Placing personal devices on their own network segment, with firewalls between that segment and internal systems, limits what a compromised device can reach; it does not by itself make the device trustworthy.
5. Engagement with People - the people in a workplace are its strongest asset, and employees need to be more engaged in InfoSec measures. A disgruntled employee can spell disaster from an InfoSec perspective.
Read more about the 2015 trends here:
http://www.cio.com/article/2857673/security0/5-information-security-trends-that-will-dominate-2015.html
- Angie
Tuesday, May 12, 2015
Preventing an Attack: lessons from Home Depot and Target
In today's technological world malicious activity is increasing, so large retailers need to revise their security protocols and procedures continually. It is not enough to install basic security components and hope for the best. Companies need to assume they are under attack, because they hold the data attackers find most attractive: credit card numbers and personally identifiable information. It has been reported in the media that some of the large recent breaches (namely Home Depot and Target) were crimes of opportunity: the attackers exploited known vulnerabilities in the networks and POS devices.
To prevent these attacks, retailers need to treat security as a design requirement that is built into the system from the start, not an afterthought. Firewalls in the network, and encryption of card data inside the POS device and as it traverses the network to the issuers or to the database, greatly reduce what an attacker can take even after gaining a foothold. The SANS Institute recommends, for example, that networks be designed so that POS systems are not reachable from another system on the network that is connected to the Internet; it was this kind of weakness that was exploited at Home Depot. Because no design stays correct on its own, it is also crucial that routine audits and vulnerability scans are completed after the controls are in place, to find and fix gaps.
Approaching security with the assumption that you will be targeted makes it apparent that security and the proper preparation steps are essential to staying in business.
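The segmentation rule above (POS systems not reachable from Internet-connected hosts, card data leaving only toward the processor) can be checked against the firewall's own flow records. The following is an added example, not code from the original post or from SANS; the address plan, the allowed-flow list, and the "src dst dport proto" log format are assumptions made for the illustration, and the sample flow lines are constructed.

```python
import ipaddress

# Hypothetical address plan for one store (invented for this example).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.0.0/24"),       # card terminals and POS servers
    "dmz": ipaddress.ip_network("10.20.0.0/24"),       # Internet-facing web and vendor hosts
    "corp": ipaddress.ip_network("10.30.0.0/24"),      # back office
    "gateway": ipaddress.ip_network("10.40.0.10/32"),  # link to the payment processor
}

# Allow-list for any flow that touches the POS segment; everything else that
# touches POS is a violation. This encodes "POS is not reachable from
# Internet-connected systems" and "card data leaves only over TLS to the
# processor". Tuple: (src segment, dst segment, dst port, proto).
POS_ALLOWED = {
    ("pos", "gateway", 443, "tcp"),  # authorizations to the processor
    ("corp", "pos", 22, "tcp"),      # administration from the back office
}


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def check_flow(line: str) -> dict:
    """Judge one 'src dst dport proto' flow record against the POS policy."""
    src, dst, port, proto = line.split()
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    touches_pos = "pos" in (src_seg, dst_seg)
    allowed = (src_seg, dst_seg, int(port), proto.lower()) in POS_ALLOWED
    return {
        "line": line, "src": src_seg, "dst": dst_seg,
        "port": int(port), "proto": proto.lower(),
        # flows that never touch POS are governed by other rules; not judged here
        "violation": touches_pos and not allowed,
    }


def find_violations(lines):
    """Return the judged records for every flow that breaks the POS policy."""
    return [r for r in (check_flow(l) for l in lines) if r["violation"]]


# Constructed sample flow log in the assumed 'src dst dport proto' format.
SAMPLE_FLOWS = [
    "10.10.0.15 10.40.0.10 443 tcp",   # terminal -> processor: allowed
    "10.30.0.5 10.10.0.15 22 tcp",     # back-office admin -> terminal: allowed
    "10.20.0.8 10.10.0.15 445 tcp",    # Internet-facing DMZ host -> terminal: violation
    "10.10.0.15 203.0.113.7 443 tcp",  # terminal -> arbitrary Internet host: violation
    "10.30.0.5 10.20.0.8 80 tcp",      # corp -> DMZ: does not touch POS, not judged
]

if __name__ == "__main__":
    for rec in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {rec['src']} -> {rec['dst']}:{rec['port']}/{rec['proto']}  ({rec['line']})")
```

Run over a real export, the two flagged lines are exactly the patterns the post warns about: an Internet-facing host opening a connection into the POS segment, and a terminal talking to an address that is not the processor. The allow-list is deliberately short; a flow that is not on it is a finding to investigate, not something to quietly permit.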
- Angie
Tuesday, May 5, 2015
Risk Tolerance and the Retail Sector
Risk tolerance is the amount of risk an organization is willing to accept in pursuit of the value it wants to create. Each retail organization needs to understand the value it is creating and how the risk attached to that value will be measured, controlled, and mitigated should an attack occur.
Obviously, there is no such thing as a perfect system. Because of this, it is imperative to determine the organization's risk appetite. Some would argue that the financial crisis of 2007-2008 occurred through a lack of risk assessment and of clarity about who or what was responsible for that risk. Likewise, retail companies need to understand and quantify the risk to their trade secrets and customer information.
The retail industry should be regulated like the banking industry because of the highly sensitive data it holds. Retailers would need to adopt a low risk appetite, meaning implementing controls and safeguarding information to a degree that may feel excessive. A new company establishing itself without a risk plan could outsource its IT infrastructure and personnel to partially relieve itself of the burden. This is referred to as risk transference, and it would be a preferred method for smaller retail locations that need to focus on producing and selling goods. The strategy is not perfect either: the organization must thoroughly vet the IT company to which it is entrusting its data, and the risk is never 100% transferred, since responsibility for the customer data stays with the retailer.
Analyzing risk appetite is an important aspect of overall risk management.
-Angie
Tuesday, April 28, 2015
Risk Analysis in the Retail World
This week the blog will be focusing on risk analysis and assessments.
Risk analysis is the identification of the levels of risk in an organization; risk assessment is the process that assigns them scores or ratings so the organization can anticipate, mitigate, and control threats. Given the abundance of retail attacks in the last decade, it is safe to assume merchants worldwide would benefit from more risk management in their organizations.
Put simply, the retail sector would benefit tremendously from increasing its risk management. The first step is to catalogue assets, including hardware, software, and personnel. Next, each asset is given a value; POS software, for example, is likely among the most valuable. The threats to that asset have different impacts: a denial-of-service attack would cost sales for the duration of the outage, while a compromise of the same software could expose valuable customer card data. To this you add the threats known to your particular business, goods, or even geographical location, along with the likelihood that each threat could occur and the frequency with which it happens. The combination of asset value, impact, and likelihood is what produces the rating.
There are obvious inherent risks and threats in any industry, but the retail sector has been hit the hardest of late. The tide may be turning toward other industries, whether criminals going after health information (see Anthem) or attacking companies for notoriety or political motives (see Sony), but the threat facing the consumer world remains pervasive. Mitigating these threats through proper risk assessment, analysis, and management is crucial to maintaining this industry.
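The asset value, impact, likelihood and frequency described above combine into a rating in a standard way: single loss expectancy (SLE) is asset value times exposure factor, and annualized loss expectancy (ALE) is SLE times the expected number of incidents per year. The block below is an added example, not the post's own method or any real retailer's figures; the scenarios, dollar values, exposure factors and rates are constructed, and the control costs are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: str              # the asset at risk (hardware, software, personnel)
    threat: str             # what could happen to it
    asset_value: float      # dollars at stake: replacement cost, lost sales, fines
    exposure_factor: float  # fraction of asset_value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence (expected incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected cost per year."""
        return self.sle() * self.aro


def rank_by_ale(scenarios):
    """Highest expected annual loss first; this is the treatment priority order."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def control_pays_off(scenario, annual_cost, new_ef=None, new_aro=None):
    """Compare a control's annual cost with the ALE reduction it buys.

    A control lowers impact (exposure factor), likelihood (ARO) or both.
    Returns (worth_it, annual_savings).
    """
    after = replace(
        scenario,
        exposure_factor=scenario.exposure_factor if new_ef is None else new_ef,
        aro=scenario.aro if new_aro is None else new_aro,
    )
    savings = scenario.ale() - after.ale()
    return savings > annual_cost, savings


# Constructed scenarios for a mid-sized retailer; all numbers are illustrative.
SCENARIOS = [
    Scenario("POS software", "memory-scraping malware steals card data",
             asset_value=2_000_000, exposure_factor=0.5, aro=0.2),
    Scenario("POS software", "denial of service halts checkout",
             asset_value=200_000, exposure_factor=1.0, aro=0.5),
    Scenario("Employee laptop", "theft of unencrypted device",
             asset_value=50_000, exposure_factor=0.8, aro=3.0),
    Scenario("Customer database", "credential theft exposes records",
             asset_value=3_000_000, exposure_factor=0.3, aro=0.1),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.ale():>12,.0f}/yr  {s.asset}: {s.threat}")
    # Assumed control: encrypting card data in the terminal so scraped memory
    # is useless, at an assumed $60,000/yr, cutting the exposure factor to 5%.
    ok, saved = control_pays_off(SCENARIOS[0], annual_cost=60_000, new_ef=0.05)
    print(f"terminal encryption saves {saved:,.0f}/yr -> {'worth it' if ok else 'not worth it'}")
```

Two things the numbers make visible that the prose does not: the same asset appears twice with different threats and very different ratings, so "POS software" alone is not a risk, and a control is judged by the ALE it removes against what it costs, which is how a low risk appetite turns into a budget line rather than a slogan.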
- Angie
Wednesday, April 22, 2015
Security Controls
Happy Wednesday, Blog Readers
Today the focus of the blog will be on security controls: what they are, and how they can protect businesses and merchants from internal and external threats to the confidentiality, integrity, and availability of their sensitive and non-sensitive data.
We, as consumers, should expect a level of data confidentiality when making purchases from, say, a pharmacy. Our medical information should not be shared with anyone without our consent. Likewise, when making a purchase in a clothing or retail store, you would expect the same level of privacy for important data like credit card information or, where applicable, Social Security numbers. What information can and should be shared with an organization's employees?
There are different levels of security for data, depending on how it is classified. In the current days of "big data", our shopping and consuming habits are being categorized, monitored, and analyzed by companies for various reasons. Ever notice that the ads on certain websites are tailored just for you? Your browsing habits are being turned into data and statistics to increase the likelihood that you will purchase a product or revisit a site. This type of data is not currently categorized as highly sensitive (although it is a bit off-putting, no?), so the data I'm referring to is the highly sensitive kind: credit card information, Social Security numbers, and the like. There are security controls an organization can implement to ensure this data is not easily viewed by someone without authorization and access.
For example, an organization can and should secure highly sensitive data from those without authorization, whether the access is physical or logical. Access control consists of identification of the person, authentication, authorization, and accountability. Each business should have an access policy that determines who can and cannot access highly sensitive data: some employees will have "read-only" privileges so they cannot alter or delete data, while the most sensitive information can be viewed only by a designated role, such as a manager, and every access is logged so it can be traced back to a person.
Implementing the proper security controls helps ensure our data remains safe and secure.
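The four steps named above (identification, authentication, authorization, accountability), applied to records tagged with a classification level, look like this in code. This is an added example and not code from the original post; the classification scheme, the roles and their permissions, the user accounts and passwords, and the sample records are all invented for the illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Classification levels, lowest to highest (assumed scheme, not the post's).
PUBLIC, INTERNAL, SENSITIVE = "public", "internal", "sensitive"

# Authorization: which classifications each role may read or write.
# Cashiers are read-only; only managers may read SENSITIVE data (card data,
# SSNs); nobody in this scheme may write SENSITIVE data through this interface.
ROLE_PERMISSIONS = {
    "cashier": {"read": {PUBLIC, INTERNAL}, "write": set()},
    "analyst": {"read": {PUBLIC, INTERNAL}, "write": {INTERNAL}},
    "manager": {"read": {PUBLIC, INTERNAL, SENSITIVE}, "write": {INTERNAL}},
}

# Constructed records, each tagged with its classification.
RECORDS = {
    "weekly_promo": (PUBLIC, "20% off garden tools"),
    "browsing_stats": (INTERNAL, "customer 4711 viewed 3 items"),
    "card_on_file": (SENSITIVE, "PAN 4111********1111 exp 12/27"),
}

AUDIT_LOG = []  # accountability: every decision, granted or denied, lands here


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id: str, role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"id": user_id, "role": role, "salt": salt,
            "hash": hash_password(password, salt)}


# Invented accounts with invented passwords.
USERS = {u["id"]: u for u in (
    make_user("cashier01", "cashier", "correct horse"),
    make_user("mgr07", "manager", "battery staple"),
)}


def authenticate(user_id: str, password: str):
    """Identification (user_id) plus authentication (constant-time hash compare)."""
    user = USERS.get(user_id)
    if user is None:
        return None
    candidate = hash_password(password, user["salt"])
    return user if hmac.compare_digest(candidate, user["hash"]) else None


def _audit(user_id, record_name, action, outcome):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user_id, "record": record_name,
                      "action": action, "outcome": outcome})


def access(user_id: str, password: str, record_name: str, action: str):
    """Run the four steps; return (granted, value_or_reason) and log the decision."""
    user = authenticate(user_id, password)
    if user is None:
        _audit(user_id, record_name, action, "denied: authentication failed")
        return False, "authentication failed"
    if action not in ("read", "write") or record_name not in RECORDS:
        _audit(user_id, record_name, action, "denied: bad request")
        return False, "bad request"
    classification, value = RECORDS[record_name]
    if classification not in ROLE_PERMISSIONS[user["role"]][action]:
        _audit(user_id, record_name, action,
               f"denied: role {user['role']} may not {action} {classification} data")
        return False, "not authorized"
    _audit(user_id, record_name, action, "granted")
    return True, value if action == "read" else "ok"


if __name__ == "__main__":
    print(access("cashier01", "correct horse", "weekly_promo", "read"))
    print(access("cashier01", "correct horse", "card_on_file", "read"))
    print(access("mgr07", "battery staple", "card_on_file", "read"))
    for entry in AUDIT_LOG:
        print(entry["user"], entry["record"], entry["action"], entry["outcome"])
```

The point to notice is that denials are logged as carefully as grants: a run of "denied: role cashier may not read sensitive data" entries for one account is exactly the signal the accountability step exists to produce.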
- Angie
Tuesday, April 14, 2015
Cyber Security Education and Training
This week's blog post will focus on cyber security, and information security training and education.
Given the abundance of cyber criminal activity, the retail sector has been particularly vulnerable of late. While most organizations have security training in place for employees, retailers' reluctance to implement security controls that mitigate and prevent attacks has been well documented. This lack of action is usually blamed on a lack of funds, or an inability to budget wisely for InfoSec measures. Perhaps these companies need to take a closer look at the budget and at the information they are disseminating to employees and shoppers, or the lack thereof.
InfoSec training is crucial to the overall security health of an organization. Teaching employees about proper safeguards can combat inappropriate or risky behavior that leaves an organization exposed. There are a few ways companies can engage employees in InfoSec training: videos, posters, banners, and quarterly newsletters. It is important for each member of the organization to know that they are responsible for IT security and will be held accountable for their actions.
Last year, Target Corp. announced it would spend an additional $5 million on a cyber security coalition to educate its employees and the public about the dangers of phishing, cyber crime, and consumer scams. Although the measure was described as a PR move to "save face" with customers (given the breach that exposed data on some 100 million of them), the steps necessary to prevent a future cyber attack do include proper training and education. Committing the additional funds in this manner shows that Target takes cyber education and the prevention of attacks seriously.
Hopefully other retailers take note and invest wisely.
- Angie