The worldwide WannaCry ransomware attack in May 2017 proved less destructive than initially feared, but it was another reminder of the danger that lurks in our inbox. And although it is now believed that the initial problem stemmed from an exposed and vulnerable SMB port, rather than being distributed via an email campaign as many originally thought, data show that phishing has become a widely used mechanism for distributing ransomware, according to NTT Security in its 2017 Global Threat Intelligence Report.
All businesses are on notice—but should retailers be particularly concerned?
Absolutely. Cyber attacks on retailers may not top the list, but they’re up there. NTT’s study finds that 77 percent of all detected ransomware globally hits four main sectors: business and professional services, 28 percent; government, 19 percent; health care, 15 percent; and retail, 15 percent. Retail is also among the hardest-hit victims of phishing campaigns.
“Health care and retail appear in the top five industries targeted by both phishing and ransomware,” according to the NTT threat report. It makes sense, the report concludes, “as these are two of the industries which have the strongest drive to maintain continual operations. The strong correlation between phishing and ransomware attacks in health care and retail is likely no accident, and highlights the impact phishing campaigns can have.”
Finally, one more piece of recent research highlights the challenge of today’s cyber attacks on retailers. According to a Glasswall survey, despite the well-publicized risks, 82 percent of users open email attachments if they appear to be from a known contact. In such a threat environment, “relying on the vigilance of employees clearly leaves a business open to devastating cyber attack risks that will siphon off precious data or hold the business to ransom,” said Glasswall CEO Greg Sim.
Still, it’s impossible to remove people from the risk equation, and security awareness campaigns have an important role to play in preventing cyber attacks on retailers.
One Problem, Many Forms
People are a persistent challenge—sharing devices and passwords, and opening unsolicited emails that give hackers a way into the network. In addition, the employee groups responsible for different aspects of data protection often don’t coordinate effectively. So even though organizations are spending more on defending data, there are a couple of reasons why vulnerabilities persist and the number of successful attacks remains a problem.
Data attacks today are multi-dimensional; they occur via social, electronic, and physical means. And they are all persistent, if not growing:
- Social media is increasing the amount of information hackers can learn about individuals, which they are using to craft increasingly convincing malware-infested emails.
- The number of ways a hacker can force his way into the IT network is growing alongside the increase in device connectivity.
- Physically infiltrating a facility to facilitate data theft or destruction is still “crazy easy” for a skilled adversary, insists Chris Nickerson, a red team expert and founder of Lares Consulting, an information security consultant firm.
The fact that the above threats frequently converge is a primary source of data security weakness. “Whenever two things are pieced together, the weak spot is the glue,” said Nickerson in a presentation at a cyber security conference last year. He added that vulnerability often resides in the lack of communication between the various owners of data security, including physical security, IT, and HR. In light of converged threats, the absence of a joint security program makes true data security unlikely.
One Multi-Pronged Solution May Protect against Cyber Attacks on Retailers
Active penetration exercises that attack the “glue”—and go beyond automated vulnerability scanning of network systems—are a great way to get the various team players to coordinate strategy and communicate better to enhance security, says Nickerson. They open a dialogue, he said, so that when LP and asset protection alert IT to vulnerabilities they become aware of, IT welcomes those reports as a challenge to be solved.
What holds many organizations back from extensive penetration testing is an unwillingness to watch the expensive technology they’ve invested in being easily compromised. But that is an attitude that security and business leaders need to rid themselves of, insists Nickerson. He asserts that few organizations can stop a skilled red team from doing most of what it wants, and believes that most companies “probably put too much faith in vendors and security products.”
“People think, ‘No one is going to get into our data center; we have a badge system,’ but badge systems never alert when a picture is changed,” notes Nickerson. In red team tests, he’ll infiltrate the network and change an employee’s photo to a member of his team. When that individual’s badge doesn’t work, staff will look him up, see he’s in the system, and let him in.
“Since a picture is considered proof, he’ll get a temp badge,” said Nickerson. And because access systems rarely alert when privileges change, he can remotely give to members of his infiltration team access into any part of a building he wants. Such easy intrusions work most of the time, says Nickerson, who notes that he routinely pops electronically secured doors with just some copper wire, or trips request-to-exit system sensors by pushing a heat-generating device under a door and holding it next to the panel.
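The two blind spots Nickerson describes above (a badge photo that is changed, and access privileges that are granted, with no alert either way) are both things a physical access control system’s audit log can be watched for. The script below is an added example written for this article; it is not code from Nickerson, Lares Consulting, or any badge-system vendor. The log line format, field names, the roster of authorized badge administrators, the high-security zone names and the business-hours window are all assumptions, and the sample log lines are constructed. It raises an alert for every photo change and every privilege grant, escalates when the change comes from an unexpected account, outside business hours, or for a sensitive zone, and flags a badge that is denied at a reader shortly after its photo was changed, which is the moment a temp badge would otherwise be handed out on the strength of the picture.

```python
"""Watch a physical access control system (PACS) audit log for badge photo
changes and privilege grants, and for badge denials that follow a recent
photo change.

Added example, not from the article or any PACS vendor.  The log schema
("timestamp|actor|event|badge_id|detail"), the ALLOWED_ADMINS roster,
HIGH_SECURITY_ZONES and BUSINESS_HOURS are assumptions; real products
export audit events in their own formats.
"""
from datetime import datetime, timedelta

ALLOWED_ADMINS = {"pacs-admin-01", "pacs-admin-02"}   # assumed roster
HIGH_SECURITY_ZONES = {"DATACENTER", "SERVER_ROOM"}   # assumed zone names
BUSINESS_HOURS = (7, 19)                              # 07:00-19:00, assumed
PHOTO_RECENCY = timedelta(hours=24)                   # lookback for denials

# Constructed sample audit log, one event per line.
SAMPLE_LOG = """\
2018-06-12T09:14:03|pacs-admin-01|PHOTO_UPDATE|B-10421|reissue after badge loss
2018-06-12T23:41:55|svc-hrsync|PHOTO_UPDATE|B-10877|
2018-06-12T23:43:10|svc-hrsync|ACCESS_GRANT|B-10877|zone=DATACENTER
2018-06-13T08:02:17|pacs-admin-02|ACCESS_GRANT|B-10311|zone=LOADING_DOCK
2018-06-13T08:05:40|reader-dc-east|ACCESS_DENIED|B-10877|zone=DATACENTER
"""


def parse_log(text):
    """Turn the pipe-delimited log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, event, badge, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "event": event, "badge": badge, "detail": detail})
    return events


def _zone(detail):
    """Extract the zone name from a 'zone=NAME' detail field, if present."""
    for part in detail.split(";"):
        key, _, value = part.partition("=")
        if key.strip() == "zone":
            return value.strip()
    return None


def find_alerts(events):
    """Return one alert dict per suspicious event, in time order.

    Every PHOTO_UPDATE and ACCESS_GRANT produces at least an 'info' alert,
    because the point is that these changes should never be silent.
    """
    events = sorted(events, key=lambda e: e["ts"])
    last_photo_change = {}   # badge_id -> time of most recent photo change
    alerts = []
    for e in events:
        reasons = []
        if e["event"] in ("PHOTO_UPDATE", "ACCESS_GRANT"):
            if e["actor"] not in ALLOWED_ADMINS:
                reasons.append("actor is not an authorized badge administrator")
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                reasons.append("change made outside business hours")
            if e["event"] == "ACCESS_GRANT" and _zone(e["detail"]) in HIGH_SECURITY_ZONES:
                reasons.append("privilege granted for a high-security zone")
            if e["event"] == "PHOTO_UPDATE":
                last_photo_change[e["badge"]] = e["ts"]
        elif e["event"] == "ACCESS_DENIED":
            changed = last_photo_change.get(e["badge"])
            if changed is None or e["ts"] - changed > PHOTO_RECENCY:
                continue   # routine denial; nothing to raise
            reasons.append("denied badge had its photo changed within 24h; "
                           "verify identity before issuing a temp badge")
        else:
            continue
        alerts.append({"ts": e["ts"].isoformat(), "badge": e["badge"],
                       "event": e["event"],
                       "severity": "high" if reasons else "info",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"[{a['severity']:4}] {a['ts']} {a['event']:13} {a['badge']}")
        for r in a["reasons"]:
            print(f"        - {r}")
```

Running it over the constructed log yields two routine info alerts for the administrators’ daytime changes, two high alerts for the overnight photo change and data-center grant made by a service account, and a high alert when that same badge is denied at the data-center reader the next morning. The last one is the useful signal for the front desk: a denial on a badge whose photo was just changed is the case in which a temp badge should not be issued without a second form of identity verification.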
What does all this mean to you? The important takeaway, suggests Nickerson, is not to regard a red team’s success as security’s failure. Instead, perceive it as new intelligence for how to refine and improve network security. “The more we think from an adversarial perspective, the more we can know if we’re getting what we want out of our systems,” he said. “Testing should hurt. You should be sore, like after going to the gym for the first time in a while. And then, over time, it hurts less.” You’ll never be able to stop skilled adversaries 100 percent of the time, says Nickerson, but you can keep making it more difficult so that they pick another target—and that’s all you really need to do.
Nathan Drier, a security consultant and ethical hacker at Trustwave, recently described some social engineering tactics a red team can employ to test network defenses against human error. They’re basic, but he suggests that you may find them to be surprisingly successful.
- Pretend to be from a trusted third-party vendor and send an email asking the end user to open an attached file or visit a particular ‘malicious’ website.
- Send out an email telling select employees that IT has upgraded them to a newer version of their external webmail service. People who log in would provide hackers with usernames and passwords.
- Drop ‘infected’ USB thumb drives on the ground in the parking lot and track how many are connected to the company network.
- Pretend to be typing an important email or talking on the phone, and ask someone entering a restricted area to hold open the door. If tailgating works, find an empty and secluded cubicle and plug in a wireless access point, which co-conspirators outside would be able to use to map the internal network.
- Check for data leakage via physical trash, such as vendor information, passwords, usernames, schematics, network information, and other valuable data.
- Call your organization and express an interest in a particular job, and see if you’re able to get them to agree to review your resume. Then send it in and see if recipients open the attached ‘malware’ file.
This article was originally published in 2017 and was updated June 13, 2018.