Shopping carts instead of firewalls
SECURITY SHELF

Surely no retailer’s security plan includes leaving boxes of debit, credit, refund, and void records lying in an aisle as observed at RONA on Hunt Club Road in Ottawa several days ago. The shopping cart security perimeter perhaps deters the mildly curious, but clearly doesn’t comply with the privacy policy published on the firm’s web site:

“All personal information collected by RONA is protected by security measures appropriate to the sensitivity of the information. All personal information stored in electronic form, including all information collected through the RONA.ca website, is kept in confidential and secure data banks. Paper records in RONA's stores or head office that contain personal information are kept in locked cabinets. RONA evaluates its equipment and security procedures regularly and modifies them if necessary, so it can remain at the leading edge of security technology.”

Customers should be outraged that their information is being so poorly protected. If employees of a major retailer can leave paper records lying in plain view, where anyone could simply walk up and take them, how can customers have any assurance that retailers take security and privacy seriously? Policy documents are meaningless unless they translate into action.

Retailers are under attack; TJX, Target, Staples, Michaels, Kmart, and Home Depot — just to name a few — have suffered major security breaches. Hundreds of millions of customers have had personal information stolen and the torrent of security breaches shows no signs of slowing down.

Some firms succumb to sophisticated hackers who skillfully overcome otherwise adequate security controls. However, more often than not, poor design, out of date systems, and lax security processes make it far too easy for criminals.

Retailers focus on selling goods and making a profit, not information security. While the Payment Card Industry Data Security Standard (PCI DSS) created a lot of smoke, there has been little fire. The standard is woefully inadequate and does not take into account the current level of threat facing the retail sector. For example, PCI DSS requires the “installation of applicable critical vendor-supplied security patches within one month of release.” It generally takes hackers hours or days to reverse-engineer security patches and create working exploits, so a one-month patch window leaves systems exposed for weeks.

Many Point of Sale (POS) systems suffer from poor design and inadequate security controls, starting with their choice of operating system. Microsoft Windows may make for easier POS application development, but the operating system lacks the hardening and process isolation required in the POS environment. In addition, many POS systems are outdated, infrequently updated, and deployed with remote access and other administrative functions that present an unnecessarily large attack surface.

POS systems require a level of endpoint protection that is seldom deployed to desktops and servers. No code should be allowed to execute that has not been explicitly approved in advance. A whitelisting approach (allowing only pre-approved executables to run) would eliminate POS malware, but it requires a higher degree of discipline and process than most companies are willing to exercise.

A good security architecture will isolate POS systems from each other and from all other corporate systems. A compromise at one store should be contained by network and system design, and attacks on POS systems from the corporate network simply should not succeed. Implementing this type of architecture requires operational changes that many organizations aren’t yet ready for.

A variety of security technologies from firms such as Damballa, FireEye, McAfee, Palo Alto, RSA, Sophos, Symantec, and Trend Micro — if properly used — can help detect and prevent intrusions. But that’s a big “if.” For example, Target reportedly spent upwards of $1.6 million on an advanced malware detection system from FireEye and then failed to respond when the alarms sounded.

The challenge is that retailers have yet to create a culture of security among their management and employees. Until they do we’ll continue to see confidential data where it doesn’t belong, massive security breaches, and shopping carts instead of firewalls.

(At the time of writing, RONA has not responded to our inquiry.)
