January 15, 2009
NRF: Must-Do’s for Guarding Against Security Breaches
By Rick Moss
Most tech solutions providers on the exhibit floor at NRF this week appeared, shall we say, stubbornly upbeat about 2009 business. One company principal said he saw no reason at this point in the year for dire pessimism and half-joked that “if everyone acts like it’s going to be a bad year, they’ll most certainly have one.” No one was denying, however, the increased pressure to provide proof of ROI for tech products in such a tough economic climate. That may be a rather simple math equation for vendors that focus on labor efficiencies or optimizing business processes, but in the area of network security – specifically, the safeguarding of customer credit card information and other critical data – potential buyers are dealing with a murkier cost/risk analysis. So with purse strings tightened, CIOs and department heads may be looking at their security situation and trying to figure out how to plug the biggest holes at the lowest cost.
Verizon Business, in their 2008 Data Breach Investigations Report, looked at incidents spanning four years and more than 500 forensic investigations. The breaches they examined included three of the five largest ever reported, and compromised, in total, approximately 230 million records. Retail represented 35 percent of the cases, the largest portion by industry. Eric Brohm, Senior Consultant, Investigative Response, said attention should be drawn to two security targets: involvement in secure systems by third parties, such as suppliers and maintenance companies, and the use of eCommerce applications, which are notoriously vulnerable to hackers. In the first case, Mr. Brohm said vendors are prone to sloppiness in following simple security procedures, often “forgetting to close the door on their way out” once their work with a retailer is done. IT managers could reduce risks tremendously, he said, by simply tightening control of these partners.
Manav Khurana, head of industry marketing for Aruba Networks, described how “unauthorized or accidental devices” (i.e. workers bringing in their own equipment) can bring risks to a wireless network environment, opening a back door to data. In high profile cases, roving hackers with laptops have been known to sit in the parking lots of malls searching for WiFi networks inside that aren’t properly safeguarded.
PCI standards call for auditing the physical environment of the store or office at least once a quarter to find any wireless devices in use, explained Mr. Khurana. Of course, companies can dispatch a tech with a handheld device to monitor offices, stores and distribution centers, but that can be prohibitively expensive. Aruba offers its AirWave Wireless Management Suite 6.2 (newly released) that works with sensing devices that can automatically check enterprise locations and provide detailed reporting to data center admins. Users can view all enterprise locations on a world map and then, by drilling down, display a floor plan of each location, pinpointing all the wireless devices that exist and revealing which are posing security risks. Further, a PCI Compliance Report feature gives an executive-level summary of all issues across the enterprise in a one-screen report.
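The core of that quarterly wireless audit, written here as an added example (not Aruba’s or AirWave’s code): sensor observations are compared against an inventory of authorized access points, each unexpected radio is classified, and the result is grouped per location with a one-screen severity summary. All BSSIDs, SSIDs and location names are constructed sample data.

```python
from collections import defaultdict

# Constructed inventory of authorized access points: BSSID -> (SSID, location).
AUTHORIZED_APS = {
    "00:1a:1e:00:00:01": ("CORP-STORE", "store-0142"),
    "00:1a:1e:00:00:02": ("CORP-STORE", "store-0142"),
    "00:1a:1e:00:00:10": ("CORP-DC", "dc-west"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Constructed sensor observations: (location, bssid, ssid, encryption).
OBSERVED = [
    ("store-0142", "00:1a:1e:00:00:01", "CORP-STORE", "WPA2"),
    ("store-0142", "00:1a:1e:00:00:02", "CORP-STORE", "WPA2"),
    ("store-0142", "f4:f2:6d:aa:bb:cc", "CORP-STORE", "OPEN"),  # unknown radio advertising the corporate SSID
    ("store-0142", "c0:ff:ee:12:34:56", "linksys", "WEP"),      # employee-brought home router
    ("dc-west", "00:1a:1e:00:00:10", "CORP-DC", "WPA2"),
    ("dc-west", "00:1a:1e:00:00:01", "CORP-STORE", "WPA2"),     # authorized BSSID seen at the wrong site
]


def classify(location, bssid, ssid, encryption):
    """Return (finding, severity) for a single observation."""
    known = AUTHORIZED_APS.get(bssid.lower())
    if known:
        if known[1] == location:
            return ("authorized", "none")
        return ("authorized-bssid-at-wrong-location", "medium")
    if ssid in CORPORATE_SSIDS:
        # A radio we do not own using our SSID: likely impersonation of the store network.
        return ("unknown-radio-using-corporate-ssid", "high")
    if encryption.upper() in WEAK_ENCRYPTION:
        return ("rogue-unencrypted-or-weak", "high")
    return ("rogue-unknown", "medium")


def audit(observations):
    """Per-location list of findings plus an enterprise-wide severity count."""
    per_location = defaultdict(list)
    summary = {"high": 0, "medium": 0, "none": 0}
    for location, bssid, ssid, enc in observations:
        finding, severity = classify(location, bssid, ssid, enc)
        summary[severity] += 1
        if severity != "none":
            per_location[location].append((bssid, ssid, finding, severity))
    return dict(per_location), summary


if __name__ == "__main__":
    findings, totals = audit(OBSERVED)
    print("summary:", totals)
    for loc, items in findings.items():
        for item in items:
            print(loc, *item)
```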
Configuresoft products similarly look at workstations and servers in a physical or virtual environment and assess them for various configuration aspects, including security. Again, the cost savings, according to Dave Shackleford, Director, Center for Policy & Compliance, come from “giving one administrator the ability, from a single console, to do a lot of different things with all of their systems.” Configuresoft designs templates that are updated monthly to make it much easier for admins to keep systems in PCI compliance and do routine chores, such as patch management.
When asked where the biggest holes are in systems, Mr. Shackleford said, “It would amaze you, actually.” Rather than sophisticated, complex attacks, “it’s really simple things that people lost track of,” for example, forgotten old test systems that stayed online, multiple users sharing a common password, or workers storing passwords in plain text files. (Sound familiar?)
Discussion Questions:
Do you expect that large retail companies will fall behind in their security procedures and safeguards during the economic downturn? For your IT dollar, where do you think efforts should be concentrated to plug security holes?
- Verizon Business Data-Breach Report Examines Industry-Specific Challenges – Verizon news release
- 2008 Data Breach Investigations Report – Verizon Business
- 2008 Data Breach Investigations Supplemental Report – Verizon Business
- Aruba Networks Introduces PCI Compliance Reporting In New Airwave Wireless Management Suite 6.2 – Aruba Networks news release
- Configuresoft Announces Industry’s First Free Utility to Help Ensure Payment Card Industry Data Security Standard v1.2 Compliance – Configuresoft news release
Many may fall behind but the price they pay for this will be extraordinary. All you have to do is look at the data that is showing that as the economy worsens theft, and attempted theft, go up. Information and credit card data have real value. Remember, it takes 3 things to steal – need, opportunity and the attitude. The attitude is there, the need for the money is rising, and now those with the need and the values will have the opportunity.
Retail IT shops have been underfunded for years, and retail CIOs have long complained about lack of funding for critical security work. The IHL store systems study shows clearly that POS replacement is being driven by security needs. It’s probably a given that there will be another major headline-making breach this year…will that encourage additional spending?
With all the closings and consolidations, this creates some soft spots in IT. Businesses sometimes let their guard down when going out of business or merging with another company. Then you have all those laid off workers going to work for competitors. People working for you now are probably one of the biggest threats. IT employees are often the least happy employees, good times and bad. They need looking after.
It has little to do with the economy and everything to do with priorities. It’s never a priority until you are hit. Many are likely being hit and don’t even know it yet.
The biggest issue in this area is finding practical solutions that work. Many of the solutions that I have seen or have been involved with lack a couple of things: common sense and lack of understanding of the application use that is being protected.
The law of large numbers always applies, regardless of the economy or other external influences. If you’re in a “control mode,” analyze the big numbers first. This provides the most analysis per dedicated brain cell, and the most efficiency per analytic dollar spent. Yogi Berra said so, or would have if he’d considered it, so it must be true.
In my own small world of large numbers, I’m a careful guy who shops online A LOT. In several years of doing so, I’ve never encountered a problem. But recently two of my credit cards were compromised seven times. Fortunately both my banks caught the anomalies, but I still had to cancel both cards and get new ones. My bankers searched for the culprit(s) using the law of large numbers by starting with the biggest attempted frauds and working their way down. They caught the big guys, and then the smaller guys to whom they sold my information. “Yay” for me, except for the hassle, newfound caution, and uncomfortable paranoia.
In my e-commerce bidnesses, we take great care to protect customer account info and have never had a breach. But, I wonder whether this discussion is about protecting stores from theft, or customers from theft. It seems to be ambivalent. I’ve read comments regarding both, and am left wondering which is (or should be) the focus. Whichever it is, the law of large numbers will apply and Yogi would undoubtedly approve.