BreachExchange mailing list archives

Top tips: The Do’s and Don’ts of cybersecurity for retailers


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 16 Feb 2016 13:20:48 -0600

http://www.netimperative.com/2016/02/top-tips-the-dos-and-donts-of-cybersecurity-for-retailers/

With $4.45 billion spent during a major online shopping weekend in November
2015 alone (Fortune), it’s clear that the need for retailers to safeguard
credit card data, consumer data, transactions and other sensitive data is
becoming ever more pressing. Such a large volume of critical data is passed
between various points every second, making it essential for the
infrastructure to be protected from end to end.

*Don’t: Assume your system is safe*

*Do: Accept a breach is going to happen*

Breaches are happening all the time. It’s an unfortunate fact, but one that
retailers must come to terms with: data breaches are inevitable. The number
of data breaches hitting the hacking headlines this year alone shows that
retailers need to accept that hackers will get in, and should instead focus
on using crypto-segmentation strategies to limit what the hackers can
access.

*Don’t: Rely on breach detection and protection policies alone*

*Do: Focus on breach containment to keep the hackers at bay*

With the acceptance that breaches are going to occur must come the
recognition that breach protection and detection policies are no longer
enough to keep the hackers out. Instead, retailers must open up to the
world of breach containment, a strategy that focuses on limiting the scope
of a breach by containing it to a single segment of the network, instead of
leaving the hackers to move laterally throughout the system at their
leisure.

*Don’t: Define your software strategy by the network*

*Do: Make security application and user specific*

Long gone are the days where it’s acceptable for an effective security
strategy to focus purely on the network. Instead, modern, software-defined
security positions the security policies and protection functions around
applications and users, which, in a retail environment, means only giving
access to customer data to those that need it. For example, a sales
transaction and the accompanying payment card and consumer data should be
accessible to only the authorised sales person conducting the transaction.
The company logistics managers, corporate managers, HVAC contractors and
others do not need access to the transaction data. Yet the primary security
model used by retailers has no effective isolation of the payment card
application. In breach after breach, hackers have compromised a user
unrelated to the payment card systems, then moved laterally to get to the
payment card information.

*Don’t: Focus security on individual silos*

*Do: Manage security end to end across all silos*

The enterprise IT environment is fragmented across many silos, including
LAN, WAN, Internet, mobile, Wi-Fi, cloud, data centre, remote facilities,
disaster recovery and backup and others. Each of these silos has its own
method of application protection and access controls, and is commonly
managed by separate teams in the enterprise. What’s more, enforcing
consistent policies and protection from end to end across all these zones
is enormously difficult given the fragmented nature of the technologies and
teams. To combat this, a strategy is needed that enforces protection and
policies horizontally across all silos, requiring no changes to the network
or applications, and putting all control in the hands of the security
manager.

*Don’t: Allow any network to be trusted*

*Do: Put in place segmentation and isolation to protect applications on
all networks*

The multiple hacks of 2015 show retailers must adopt a “No Trust” security
model, which assumes that there is no such thing as a trusted network or IT
environment. Instead, every user, device, network and application must be
treated as untrusted, and all enterprise systems should be considered
already compromised. Additionally, applications must be segmented, which
simply means that an isolation method such as encryption is used to isolate
the application flow and prevent access by unauthorised users. However, the
most effective approach is to isolate the sensitive data with strong
cryptography and tightly control access to it based on user roles. This
segmentation should then be applied consistently across all silos, for all
users in the enterprise.
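The two access models contrasted above (the network-centric model, and the application- and user-specific "No Trust" model from the earlier sales-person/HVAC-contractor example) as an added, self-contained Python illustration; this is not code from the article or any vendor, and the user names, roles, zones and transaction record are constructed. Encryption of the record is left out; the block shows only the access decision.

```python
"""Added example (not from the article): a perimeter access check beside an
application- and user-specific check, using the article's own cast
(sales person, logistics manager, HVAC contractor). All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: one sales transaction and the card data attached to it.
TRANSACTIONS = {
    "txn-1001": {"cashier": "alice", "card_pan": "4111********1111", "amount": 42.50},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str          # e.g. "sales", "logistics", "hvac_contractor"
    source_zone: str   # network zone the request arrives from
    txn_id: str


def network_model_allows(req: Request) -> bool:
    """Perimeter model: anything on a 'trusted' internal zone may read payment
    data, so a compromised HVAC account that has moved laterally onto the
    store LAN reaches card data just like a cashier would."""
    return req.source_zone in {"store_lan", "corp_lan"}


def segmented_model_allows(req: Request) -> bool:
    """Application/user model: the network zone is never a factor ("No Trust");
    only the authorised sales person conducting this transaction may read it."""
    txn = TRANSACTIONS.get(req.txn_id)
    if txn is None:
        return False
    return req.role == "sales" and txn["cashier"] == req.user


def read_card_data(req: Request, policy: Callable[[Request], bool]) -> Optional[str]:
    """Return the card data only when the chosen policy permits it, else None."""
    txn = TRANSACTIONS.get(req.txn_id)
    if txn is None or not policy(req):
        return None
    return txn["card_pan"]


if __name__ == "__main__":
    hvac = Request("bob", "hvac_contractor", "store_lan", "txn-1001")
    cashier = Request("alice", "sales", "store_lan", "txn-1001")
    for name, policy in (("network", network_model_allows), ("segmented", segmented_model_allows)):
        print(f"{name:9} hvac -> {read_card_data(hvac, policy)} | cashier -> {read_card_data(cashier, policy)}")
```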

An effective cybersecurity strategy needn’t be complicated; however, it’s
about knowing which strategies are effective and which approaches to take
in order to protect valuable customer data and avoid the PR catastrophes
faced by many retailers in the ongoing wave of headline-grabbing data
breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/