The Rippleshot Data Breach Blog

Tripwire Inc. Retail Cyberthreat Summit Recap

Written by Zach Walker | Jan 23, 2015 2:07:16 PM

 

With a growing problem of retail data breaches over the past year, our friends over at Tripwire Inc. put together a webcast bringing together five security experts to discuss the different phases in a retail data breach lifecycle. This group of experts includes: Sam Heiney, Product Solutions Director for Netop, Ken Westin, Security Analyst at Tripwire Inc., Randal Cox, Chief Scientist & Co-Founder at Rippleshot, Scott Waddell, CTO at iovation and Jeremy Henley, Director of Breach Services at ID Experts.

 

We take a 20,000 ft. snapshot of the webcast, addressing these main topics covered in the webcast:

  • Identifying what is driving the increase in retail breaches and common attack vectors
  • How organizations can prevent these points of intrusion, as well as detect behavior on their network associated with the intrusions and point-of-sale malware.
  • How breaches are detected after the fact, through the use of big data and fraud analytics detecting stolen credit card transactions
  • How retail organizations should respond when there is a breach, steps to notify customers and other details around cleanup of a compromise

For those interested in watching the webcast in its entirety, you can watch the recorded session here

 

 

First up in the webcast is Sam Heiney, Product Solutions Director at Netop. Netop provides software solutions to help connect its customers with their computers and smart devices, using such features as remote access, video chat and screen sharing. 

Heiney begins by analyzing why there appears to be such an increase in retail data breaches in the past year, by understanding the various threat vectors that an organization has and how to secure them. The three biggest threats to an organization’s network security include: users, discoverability and remote access.

According to Heiney, the primary threat for an organization is always its users, with human error listed as the leading the source of opportunity for cybercrime.  In the 2014 IBM Cyber Security Intelligence Index, IBM attributed nearly 95% of all IT security breaches to human error.

With more organizations moving towards implementing a bring your own device (BYOD) policy at the workplace, additional security measures should be implemented to help reduce security risks. There are different risks associated with BYOD policies that include the user, organization and the device itself. Heiney sums this problem up perfectly by stating, “If a device is discoverable, a device is vulnerable.” 

Device discoverability goes hand-in-hand with Heiney’s next topic, remote access availability. For cybercriminals, exploiting the remote access points that an organization uses internally or through a third-party vendor are the ideal targets of choice. An estimated 63% of the 450 data breaches analyzed in Trustwave’s 2013 Global Security Report were caused by a security exploit.

This should not come as a surprise, as remote access and third-party vendor exploits compromised POS Vendor Information Systems & Supplies and led to the intrusion of Target’s systems.

 

 

Ken Westin, Security Analyst at Tripwire Inc., begins by pointing out the major security flaws involving remote desktop protocol (RDP). Just by searching on the Internet, Westin was able to find 1,200 systems that had open RDP ports within 10 seconds.


 

Retail network intrusions and the installation of POS-focused malware have caused some of the more well known data breaches in 2014. Yet, organizations continue to complete the bare minimum, looking to check off the boxes for security standards. Or in some cases, a retailer can pass a security evaluation, only to later fall victim to a data breach weeks later.

For retail organizations to learn how to better protect themselves from a network attack, Westin believes that there are three main segments in a network intrusion attempt that need to be constantly monitored. Organizations need to plan on being compromised and need to begin asking, “What would a hacker see once they gain access to my organization’s systems?” 

 

 

As a cybercriminal, reconnaissance and enumeration of the targeted network is the first step to implementing a network intrusion plan. Just like something out of a bank robbery movie, a cyber attacker needs to recon their target, looking for potential flaws and exploits that can be used as their initial attack vector.

As an organization, focusing on strengthening your network systems and analyzing your network perimeter for vulnerabilities are the first steps in protecting critical assets. As Westin points out in slide above, an organization can begin the process of hardening their network configurations by reducing its surface of vulnerability. By limiting the number of access points, a cyber attacker can exploit is already a step in the right direction towards protecting your organization. 

Once a cyber attacker has completed their reconnaissance of an organization’s perimeter, their next step is to implement their initial attack vector. This can be accomplished through a variety of methods including network exploits, remote desktop access, phishing attempts and through 3rd party vendors/partners. Organizations need to focus on three steps when dealing with organization-wide vulnerabilities. Identifying, prioritizing and remediating which of the above vulnerabilities will help determine which are considerable threats towards your organization.

These attack methods are just a drop in the bucket when thinking about all of the attack vectors available to cybercriminals. But how serious of a challenge is this? According to a recent survey on application security risks, 98 percent of applications are susceptible to at least one application security risk and the average application introduces 22.4 security risks.

If a cybercriminal is able to gain network access through their initial attack vector, they will begin to scan for critical assets. These assets could include an active directory of an organization’s files, network applications and the servers that host the file patches meant to remediate these vulnerabilities. At this point in the network intrusion, it’s imperative for organizations to stay vigilant for any suspicious activity or file changes.

After a network breach has occurred at a retailer’s location, the sooner that the detection of the intrusion and theft of data can happen, the better. As security professionals, we should be doing everything to protect ourselves, but the truth is we will fail. Rippleshot’s Chief Scientist and Co-Founder, Randal Cox, points out payment card data breaches go undetected, on average, for more than 200 days. And rarely does a retailer detect their own data breach. Most often, the retailer is told about the breach by the payment network or law enforcement.

 

 

And what happens when we as security professionals end up failing? If you’re a part of a mega-retailer like Target, your organization can lose billions of dollars, members of their c-suite, and most importantly for a retailer, they’ve lost consumer trust. Smaller retailers fare even worse. The Ponemon Institute says that 60% of all small businesses shut down within 6 months of said data breach going public.  

Organizations of all sizes need a variety of tools to help protect their networks through prevention, detection and remediation. But what’s the answer to this growing problem? One piece of the payment security puzzle is Rippleshot, a cloud-based platform that detects payment card breaches quickly and reliably. Rippleshot is able to do that by taking a radically different approach to detecting and mitigating the damage of a data breach.

We realized that no matter the approach used by a cyber attacker to steal sensitive payment data, they all have to eventually go fraudulent and spend those cards. So, we use only payment card transactions detect data breaches by identifying thousands of compromised cards at once. And we’re able to find these cards weeks to months before the fraudsters have a chance to spend them.

Rippleshot first detected the signs of a data breach at The Home Depot four months before Brian Krebs broke the story in September of 2014.  By partnering with a consortium of payment card issuers, Rippleshot knows the complete purchasing history of tens of millions of accounts spread across the US.

 

 

Since Rippleshot went live in January of 2014, thousands of breached store locations have been detected thanks Rippleshot’s algorithms and machine learning methods. We can localize these data breaches down to the chain, store or even POS level, down to the exact times. From a 30,000 ft. view, Rippleshot can show which stores have been breached, and which ones are most severe by color.

 

 

To wrap up Randal’s presentation, Rippleshot is safe, fast and possesses a unique data set, sensitive to the subtle indicators of a data breach. Rippleshot sits within a PCI DSS Level 1 cloud, and get our results strictly from the financial institutions that we partner with. Rippleshot does not exist inside a retailer’s network, which makes it impossible effect the infrastructure in any way.

Rippleshot is blazingly fast, sitting on roughly 7 million payment card transactions a day, cooperatively contributed by a consortium of card issuers. When Rippleshot’s data set reaches 4x growth, we will be able to detect data breaches twice as fast. After a Rippleshot study was conducted, we found that at least half of all compromised cards belong to a data breach that never reaches the news. These hidden breaches, the dark matter of data breaches, profoundly shape the payments industry. Since Rippleshot went live in April of 2014, we’ve seen hundreds to thousands of breached locations, every month.

By constantly monitoring the previously mentioned critical assets, an organization’s incident response team can search for suspicious activity or file changes. These are often the first indicators that someone has gained unauthorized access into a critical asset. If the cyber attacker is able to find the payment data or other sensitive information, they will begin the process of exfiltrating said data.

 Scott Waddell, the CTO of iovation, shifts focus to how retailers can begin continue to protect themselves by securing their bring your own device (BYOD) policies and along with identifying these potential threats. With an expected 2 billion smartphones to be used across the globe by the end of 2015, having a comprehensive device intelligence process is necessary for organizations.

 

 

When looking at the identification of a device as a retailer, the first step is to determine whether the device in question has been seen before. By then comparing the information of said device, with that of iovation’s device database, a retailer can begin to look for a relationship between those two devices.  This research is necessary to see if the device in question is guilty by association.

The next phase in iovation’s Device Intelligence Process is to determine if there are any anomalies found within the device. For example, is the device in question trying to hide its IP address by possibly using a virtual private network (VPN)? And finally, try to understand if this device or the device it is associated with has been involved in any exploits. 

 

 

Scott was kind enough to put together a list of common techniques that fraudsters use to gain network access through a variety of methods.  In an ever-changing game of cat & mouse, iovation’s list of countermeasures help spot the signs of fraudster evasion. Unfortunately, security professionals have to be right every time.  While their hacker counterparts only have to be right once to succeed.  When a retailer becomes victim to a data breach, it is often because of three unique possibilities or a combination of them. Either the hackers bring something clever and new to the table, or we drop the ball like Target. Or they just don’t know how to best protect themselves.

 

 

 

To close out the final presentation of the webinar, Director of Breach Services at ID Experts, Jeremy Henley, shows how organizations can best deal with a data breach, before and after. Before a data breach occurs and is later discovered, Henley recommends that all organizations complete the following:

  •  Complete a Privacy & Security Assessment
  • Develop or review an Incident Response Plan
  • Test your plan
  • Repeat

Reviewing an organization’s network for security exploits and privacy concerns is just the first step to ensure that the ins and outs of a network secure. The Incident Response Plan should not only exist in the event of a data breach, but there should be similar plans in place for any other security incidents including malicious insiders and social engineering. 

Just how organizations prepare and test protocols for fire, carbon monoxide and other drills, the Incident Response Plan for a data breach needs to be tested beforehand. We live in a time where organizations need to start asking WHEN not IF they will be breached. When a security incident does occur, the Incident Response Plan can come in handy in a variety of reasons including:

  • Organizations must rely on a trusted partner(s)
  • Help you determine if your incident is a breach
  • Develop a proportionate and compliant breach response
  • Provide the proper level of concern and care to the affected individuals (customers)

We are in the midst of a revolution in the payment ecosystem, with new solutions being created to combat growing fraud and data breach incidents. These cybercriminals are talented individuals who are constantly working to exploit the security protocols that retailers implement in their network systems. However, when an organization can utilize a variety of security systems, there can be an expected benefit that those systems would not possess on their own.

 

Tripwire Retail Cyberthreat Summit 

Rippleshot detects data breaches on average four months faster than traditional methods. Learn how to get data breach notifications about your own company and affected customers faster by signing up for a demo of Rippleshot’s product below: