2014 was undoubtedly the year of the data breach in retail. As an encore to the massive Target customer credit and debit card hack first reported in 2013, retailers such as Goodwill Industries, Dairy Queen, P.F. Chang’s, Neiman Marcus, and Home Depot, among others, reported significant point-of-sale breaches during the last year. A recent Forbes article underscores the severity of the situation, especially for retailers. Kevin Jones, senior IT security architect for Thycotic, opined, “Companies that have enormous resources dedicated to infrastructure security at point-of-sale terminals are failing.”
SentinelOne Labs published its very informative Advanced Threat Intelligence Report summarizing the top IT threats reported in 2014 along with predictions on what’s in store in 2015. Here are some of the lowlights.
Top Hijacking Techniques
Eighty-three percent of documented attacks in 2014 were perpetrated by only five techniques:
Distributed Denial of Service (23 percent). A distributed denial of service (DDoS) attack occurs when a multitude of compromised systems attack a single target, causing denial of service of the targeted system to legitimate users. The flood of incoming messages to the target system essentially forces it to shut down.
Structured Query Language Injection (19 percent). Using SQL, web applications interact with databases to dynamically build customized data views for each user, such as a list of merchandise for sale. When the value of a request parameter is spliced into such a query, an attacker can manipulate that value to build malicious SQL statements. This could result in customers receiving a wrong item or being charged an incorrect price.
Unknown (18 percent). Isn’t it scary that the IT “experts” are at a loss to explain the cause of almost one in every five data breaches?
Defacement (14 percent). Website defacement is an attack on a website that changes the visual appearance of the site or a web page. These are typically the work of system crackers who break into a web server and replace the hosted site with one of their own. Defacement is generally meant as electronic graffiti, although recently it has become a means to spread messages by politically motivated cyber protesters or “hacktivists.”
Account Hijacking (9 percent). As the name implies, hackers can hijack any type of account information—from emails to credit cards to social security numbers.
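The SQL injection item above describes the mechanism only in words. The following Python example, added here and not part of the SentinelOne report or the original article, shows the same merchandise-listing query built two ways against a constructed in-memory SQLite catalogue: one that splices the request parameter into the SQL text, and one that binds it as a parameter. The product rows, the `internal` category and the function names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample catalogue standing in for a retailer's product table.
# The "internal" row is the kind of record a public listing should never return.
SAMPLE_PRODUCTS = [
    (1, "Winter jacket", "outerwear", 120.00),
    (2, "Rain shell", "outerwear", 80.00),
    (3, "Gift card $50", "internal", 50.00),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def list_products_vulnerable(conn, category):
    """Vulnerable form: the request parameter becomes part of the SQL text.

    Whatever the caller passes as `category` is parsed by the database as
    statement syntax, so the WHERE clause can be rewritten by the input.
    """
    sql = f"SELECT name FROM products WHERE category = '{category}'"
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn, category):
    """Hardened form: the statement is fixed and the value is bound separately.

    The driver sends the parameter as data, so quotes or keywords inside it
    can only ever be compared against the category column, never executed.
    """
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


def compare(category):
    """Run both variants on the same input and return their result lists."""
    conn = make_db()
    try:
        return {
            "vulnerable": list_products_vulnerable(conn, category),
            "safe": list_products_safe(conn, category),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary request: both variants agree.
    print(compare("outerwear"))
    # A request whose parameter carries a quote and an always-true clause:
    # the vulnerable query lists every row, the parameterized one lists none.
    print(compare("x' OR '1'='1"))
```

The hardened variant is the whole fix: no input filtering is needed for correctness, because the database never sees the parameter as part of the statement. Input validation and web application firewall rules can add a detection layer on top, but they are not a substitute for binding parameters.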
Five Trends
Point-of-Sale. POS systems are sitting ducks for malware because of older operating systems like Microsoft Windows XP and outdated antivirus software. According to the experts, there is no silver bullet yet available. However, these threats are expected to be mitigated over time.
Ransomware. This class of malware restricts access to the computer system that it infects and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying. The advent of bitcoin has transformed ransomware into a cybercrime that anyone can use. Currently, there is no effective security measure against it.
Top Target—Windows. However, attacks targeting Mac OS X, Linux, iOS, and Android are on the rise. The major cyber criminals haven’t focused on mobile payment platforms yet.
Targeted, Advanced Evasion. In network security, evasion means bypassing an information security device to exploit, attack, or deliver some other form of malware to a target network or system without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems, or to bypass firewalls. Another aim of evasion is to crash a network security device, rendering it ineffective against subsequent targeted attacks.
Espionage Malware. Unfortunately, complex malware designed for espionage has fallen into the hands of cyber-crime groups. These products enable any type of malware to operate in stealth mode and be completely invisible to all security measures. The experts are watching this development closely.
What’s Next?
Mac OS X and Linux. Until now, these two operating systems have escaped heavy targeting by attackers. The large-scale adoption of these two operating systems in enterprise data centers indicates that they will become a target in the near future. Since these operating systems have been considered “safe,” there are very few security products available to protect against sophisticated attacks.
Enterprise Hostage-Ware. The SentinelOne Labs experts believe that ransomware will be used to coordinate a “time bomb” attack on a large enterprise. The potential impact of such an occurrence could be devastating and would force companies to pay a high price for the release of their systems.
Infrastructure Shutdowns. Apparently, according to the report, there have been a few unpublicized attacks that have shut down power grids for short periods. Much of the critical infrastructure runs on old or outdated technology, making it especially vulnerable to attack.
Cyber Attacks for Political Retaliation. The experts predict that nations, such as Russia and China, will continue to use cyber attacks against their enemies. Russia is supposedly responsible for last year’s attack on Home Depot’s POS system, as well as numerous attacks on US-based financial institutions.
Attacks as a Service. Would-be cyber criminals can now simply “visit a website, select the desired malware platform and capabilities to build a Trojan, choose their target assets (online banking credentials, credit and debit card numbers, healthcare records, and so forth), request a specific number of infections (targets), pay with an underground money transfer provider or bitcoin, and be in business.”
I had no idea we are so vulnerable and seemingly ill prepared. If this didn’t get your attention, reread the last paragraph.
Physical Security Executives Gather to Demystify IT Techno-Babble
In response to the growing number of cyber attacks and data breaches that are increasing the exposure of corporate C-suites and boards of directors, a select group of thirty high-level security executives gathered in Chicago on February 26 for networking and sharing strategies to better position themselves in C-level discussions.
The intent of the meeting was to provide a plain-English translation of IT security concepts and actions intended to give the physical security leaders the background to engage in discussions of protecting information and technology with their corporate peers and executives.
“This was a unique gathering of senior security professionals that included the current president of ASIS International and three past presidents,” said Ray O’Hara, executive vice president of AS Solution and one of the past presidents. “It is amazing how much our existing security expertise directly relates to the information security world.”
Dave Tyson, chief information security officer at SC Johnson and the first CISO to lead ASIS as its 2015 president, addressed the attendees. A recognized expert on the topic, Tyson started his career in traditional security practice before earning his MBA in digital technology management. Prior to SC Johnson, he worked for companies such as IBM, eBay, and Pacific Gas and Electric.
Tyson provided the attendees easily understandable explanations of common IT buzzwords to demystify the techno-babble. The goal was to allow security practitioners to understand the challenges and make better business decisions related to:
- Infrastructure
- Applications
- Cloud
- Mobile
- Big data
- Social media
- TOR
- Dark web
Hosted by Keith Blakemore, director of security and loss prevention at WW Grainger, the gathering came about from discussions by Blakemore, O’Hara, and Tyson. A December 27, 2014, Forbes magazine article titled “Why It’s Time for a Board-Level Cybersecurity Committee” by Betsy Atkins, a three-time CEO and a director at Darden, HD Supply, and Schneider Electric, reinforced the need for the meeting.
In the article Atkins wrote, “Step one for every board is to understand that it is supposed to be offering oversight on these risks as part of its fiduciary duty. The board needs to assure there are internal controls in place to protect the corporation’s cyber assets. The stakes are high. A study found that up to $21 trillion in global assets could be at risk from cybercrime. What is needed is a solid board structure for monitoring and managing cyber risk in the company. To begin, [what] I recommend is a series of committee briefings so ‘cyber security’ is demystified and better understood.” The full article is available on Forbes.