Saturday, May 30, 2015

Final Blog Post

For the final retail cyber security blog post I will write an analysis of my blogs so far, what I've learned and where I gathered my sources.

First off, I chose this topic because it is relevant to my current field. I work in an organization that processes debit and credit card transactions for banks and merchants. In my area we deal with merchants of all sizes - large corporations and mom & pop facilities. I monitor applications for POS devices and online applications. Also, this industry is prone to attacks and hackers bent on obtaining PII from consumers and stealing data from companies. It is rare to go more than a couple of months without hearing about a major data breach in the retail sector.

A majority of my sources were from news articles and the NIST special publications. You can gather a lot of information from the NIST and the media (while biased) does a great job highlighting the failure of companies to secure our data. Each week I learned more about the vulnerabilities and risks of the industry, the tools the hackers used to exploit those vulnerabilities, and the ways in which it can be prevented in the future. I hope this blog was beneficial for the perspective I could provide.

- Angie

Tuesday, May 19, 2015

2015 Cyber Security Trends

Good Afternoon!

Today's blog post is going to feature what CIO online has predicted as the top trends for cyber security in 2015. As noted by the site, 2014 was the year of the "data breach", with large retailers and banks succumbing to attacks. This will remain a large, prevalent threat for the future, but other trends are already starting to emerge. Below I have listed the trends and some things to anticipate.

1. Cybercrime - those looking to exploit companies' vulnerabilities for monetary gain or notoriety. CIO has identified an increase in cyber criminal activity from former Soviet states.
2. Privacy and Protection - Governments are increasingly imposing policy and regulation on corporations for the restriction of personal data. The emphasis on policy and hefty fines for failure to secure consumer data and to prevent large scale data breaches will only continue.
3. Threats from 3rd party providers - Large companies often need to share sensitive data with 3rd party organizations and vendors. Hackers are exploiting vulnerabilities in these companies to access the data of a larger corporation.
4. BYOD trends - the bring your own device trend in the workplace is now common. Personal hard drives, laptops, and smartphones are replacing company issued devices. While this has some economic benefit, the abundance of "openings" it creates for a breach is significant. Using appropriate intranet and firewall controls can prevent unauthorized access with BYOD.
5. Engagement with People - the people in a workplace are its strongest asset, and employees need to be more engaged in infosec measures. A disgruntled employee can spell disaster from an infosec perspective.

Read more about the 2015 trends here:
http://www.cio.com/article/2857673/security0/5-information-security-trends-that-will-dominate-2015.html

- Angie

Tuesday, May 12, 2015

Preventing an Attack: lessons from Home Depot and Target

In today's technological world there is an increase in malicious activity. Given this, large retailers need to constantly revise their security protocols and procedures. It is simply not enough to install basic security components and prepare for the worst. Companies need to assume they are under attack, as they possess the data hackers find attractive - credit card numbers and personally identifiable information. It has been discussed in the media that some of the large recent hacks (namely Home Depot and Target) were crimes of opportunity: the attackers exploited known vulnerabilities in the networks and POS devices.

To prevent these attacks, retailers need to think of security first and foremost; it needs to be built into the system, not an afterthought. Firewalls in the network and encryption of the data within the POS and as it traverses the system to the issuers or to the database would ensure security. The SANS Institute recommends, for example, that networks be designed so POS systems are not accessible if a hacker breaks into another system on the network that is connected to the Internet. These vulnerabilities were exploited in Home Depot. For this reason, it is crucial that after the security is implemented, routine audits and vulnerability scans are completed to find and repair leaks.
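To make the SANS segmentation rule concrete, here is an added example (my own code, not from SANS or the original post) that models a default-deny firewall policy across assumed subnets and audits whether any Internet-facing segment can reach the POS segment. The subnets, segment names and port list are constructed for the illustration.

```python
"""Model the POS isolation rule: POS terminals must not be reachable from any segment
that contains Internet-connected hosts. Constructed example; addressing is assumed."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str      # segment name or "any"
    dst: str      # segment name or "any"
    port: int     # destination port, 0 = any port
    action: str   # "allow" or "deny"


# Assumed segments for a small retailer (constructed for this example).
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "corporate": ipaddress.ip_network("10.10.0.0/24"),   # office PCs with Internet access
    "pos": ipaddress.ip_network("10.20.0.0/24"),         # card-present terminals
    "payment_gw": ipaddress.ip_network("10.30.0.0/24"),  # forwards transactions to issuers
}
INTERNET_FACING = {"corporate"}


def segment_of(ip: str) -> Optional[str]:
    """Map a host address to the segment that contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def is_allowed(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching rule wins; traffic matching no rule is dropped (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in policy:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (0, port):
            return r.action == "allow"
    return False


def pos_exposure(policy: List[Rule], ports=(22, 80, 443, 3389, 5900)) -> List[str]:
    """Audit step: list every Internet-facing segment/port pair that can reach a POS host."""
    pos_host = str(SEGMENTS["pos"][10])
    findings = []
    for seg in sorted(INTERNET_FACING):
        src_host = str(SEGMENTS[seg][10])
        findings += [f"{seg} -> pos:{p}" for p in ports if is_allowed(policy, src_host, pos_host, p)]
    return findings


# Flat network: a single permit-all rule, the design the post warns against.
FLAT_POLICY = [Rule("any", "any", 0, "allow")]

# Segmented network: POS may only initiate TLS to the payment gateway; all else is dropped.
SEGMENTED_POLICY = [Rule("pos", "payment_gw", 443, "allow"), Rule("corporate", "pos", 0, "deny")]
```

Running `pos_exposure` against each policy is the routine audit the paragraph calls for: the flat policy reports every port open from the corporate LAN to POS, the segmented one reports nothing.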

Approaching security with the assumption you will be targeted will certainly make it apparent that security and the proper preparation steps are essential to maintaining business.

- Angie

Tuesday, May 5, 2015

Risk Tolerance and the Retail Sector

Risk tolerance is defined as the amount of risk an organization is willing to accept, given the value it would like to establish and create. Each retail organization needs to understand the value it is creating, and how the risk associated with that value needs to be determined, controlled, and eventually mitigated should an attack occur.

Obviously, there is no such thing as a perfect system. Because of this, it is imperative to determine the risk appetite of the organization. Some would argue that the financial crisis of 2007-2008 occurred due to a lack of risk assessment and of direction about who or what was responsible for that risk. Likewise, companies in a retail setting need to understand and determine the risk in order to protect their trade secrets and customer information.

The retail industry should be regulated like the banking industry due to the highly sensitive data it possesses. Retailers would need to develop a low risk appetite, meaning implementing controls and safeguarding information even to the point of overreaching. If a new company were to establish itself without a risk plan, it could outsource its IT infrastructure and personnel to partially relieve itself of the burden. This is referred to as risk transference, and it would be a preferred method for smaller retail locations that just need to focus on selling and producing goods for purchase. This strategy is also not perfect, as the organization would need to fully research the IT company with which it is entrusting its data, and the risk would not be 100% transferred.

Analyzing risk appetite is an important aspect of overall risk management.

- Angie