Target, Neiman Marcus and other retail breaches
Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season in 2013. According to multiple sources, smaller security breaches at other well-known retailers occurred and were carried out via similar techniques.
In each of these reported cases, investigations have found that “hackers” stole the personal information of at least 110 million customers, including names, addresses, telephone numbers, and email addresses. While most states have laws that require companies to contact customers when certain information is compromised, these breaches take it even a level further with the introduction of cardholder data being stolen.
Visa, Inc. issued two alerts in 2013 about a surge in cyber-attacks on retailers that specifically warned about the threat from “memory parsing malware”. In those alerts, published in April and August, Visa provided retailers with technical details on how the attacks were launched and advice on thwarting them.
Praetorian Secure is an experienced PCI-QSA in good-standing with the PCI-SSC. We have performed PCI-DSS assessments for both large and small organizations, with very complex environments and wide-ranging requirements. Given our experience with a variety of regulatory compliance initiatives, our PCI-DSS approach is viewed more as a partnership with our clients, and our goal is to gain a favorable compliance decision. While other organizations may focus on the simple requirements of compliance, Praetorian Secure works with our clients to outline the objectives, manage the project closely with your staff, and ensure the overall security posture of the organization is improved as compliance is met.
Attack Vector: Malware used for breach exposed
The malware used to initiate these security breaches is configured to gain access to certain Point-of-Sale (POS) payment applications responsible for processing authorization data, which includes full magnetic-stripe data. When this information is processed, the payment application decrypts the transaction from the cash register/point-of-sale and stores the authorization data in random access memory (RAM). This data must be decrypted to complete the authorization, which allows hackers to access full track data being stored in RAM and utilize memory parsing malware to steal it.
It certainly isn’t clear if these retailers ignored the warnings handed down from the card brands, but evidence would suggest that lack of due diligence and defense-in-depth security, logging, and monitoring caused a delay in incident response which may ultimately cost these organizations not only financial losses, but the negative reputation that sometimes is unrecoverable.
Target mitigations for reductions in payment application breach
While nothing is fail-safe against the attacks of individuals with malicious intentions, certain measures can be taken to mitigate the likelihood of an attack and the risk of data being compromised.
- Review Firewall configurations and the ports, protocols, and services being utilized.
- Segregate payment processing networks from other organizational networks.
- Apply access control lists (ACLs) on routers
- Restrict network segments for public-facing systems and backend databases.
POINT OF SALE (POS) SECURITY
- Implement hardware based point-to-point encryption
- Install PCI-DSS compliant payment applications.
- Deploy security patches for operating systems on a frequent and regular basis.
- Utilize strong-password security solutions for applications.
- Enable logging of events and monitor logs on a daily basis
- Utilize two-factor authentication for payment processing networks.
- Identify administrative privileges for users and applications
- Review systems for dormant and unknown accounts
MONITORING AND INCIDENT RESPONSE
- Implement a Security Information and Event Management system for managing and analyzing events from network devices.
- Offload logs to a dedicated server in a secure location.
- Establish an incident response team (IRT) to respond to breaches.
- Test and document incident response plans.
In addition to the defense-in-depth strategy, organizations should implement malware signatures to help detect a potential data breach on their systems.
Praetorian Secure Whitepaper
For more information best practices for PCI DSS Compliance and malware defense download our Whitepaper entitled ” PCI Malware Defense “
How We Can HELP!
To request more information about how your organization can better prepare for malicious activity and implementing the proper defenses to protect against them, contact Praetorian Secure call us at (855) 519-7238.