
Upload: gds-international

Post on 12-Jan-2015


DESCRIPTION

Keeping electronic hands out of the cookie jar

TRANSCRIPT

Page 1: GDS International - Next - Generation - Retail - Summit - Europe - 4

WHITE PAPER

The retail industry’s goal: getting as many people as possible into the store. Well, not quite. What retailers really want are as many paying customers as possible, and there is a certain ‘customer’ no one wants in the store, whether you do business online or off.

Shoplifting, slippage, the five-finger discount: call it what you like, it is theft and sadly it has been with the retail industry since the very first little kid put his hand in a cookie jar the moment the store keeper’s back was turned. These days this cookie-kid is no longer the big threat. However, script-based ‘kids’ most certainly are. Results of the 2011 Verizon Business Data Breach Investigations Report (DBIR) show the electronic threat is clear and present.

MEETING THE CHALLENGES OF A NEW WORLD OF RETAIL

The way people shop has completely changed over the last decade and will continue to do so. Customers want a more customized, enhanced buying experience wherever they are. Consumers today expect compelling, efficient and personalized shopping experiences. And it pays off. Evidence suggests that multi-channel customers who receive a compelling experience shop and spend considerably more.

To do this effectively, it’s vital that you, as retailers, reach out to and connect with customers and business partners, suppliers, warehouses, stores, employees, and consumers. It is within this extended enterprise that crucial retail practices are supported, such as online ordering with multiple pick-up and delivery options; social networking strategies; pinpoint promotions and customer loyalty programs; real-time retailing with a visible supply chain. You’ll also need to be able to support a rapidly growing array of platforms to engage and meet customers’ needs: from PCs to smartphones; PDAs to kiosks; portable video displays to digital signage; express stores to Internet-linked game consoles.

Yet with this wider range of platforms connecting to more places comes a greater variety of potential risk.

THE CURRENT THREAT LANDSCAPE

First the good news: according to the 2011 DBIR, the total number of records compromised across all industries (based on the investigations analyzed) declined from an all-time high of 361 million in 2008 to 144 million in 2009, and then plummeted to 4 million in 2010. The report offers a number of suggestions for the decline, its leading hypothesis being that the successful identification, prosecution, and incarceration of the perpetrators of many of the largest breaches in recent history is having a positive effect.

KEEPING ELECTRONIC HANDS OUT OF THE COOKIE JAR

From when the first kid put his hand in the cookie jar as the store keeper’s back was turned, theft has been a reality in retail.


Not only did the 2011 DBIR show a trend towards declining breaches, these breaches were also the most diverse in terms of threat agents, threat actions, affected assets, and security attributes involved that the report had found in its three-year history. The report revealed a large number of highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, country-wide device tampering schemes, cunning social engineering plots, and much more.

Over the course of the last three years there has been a rather marked swing in the source of breaches from insider attack to external threat. The general sense is that there has been a huge increase in smaller external attacks rather than a decrease in insider activity, with an associated and continued decline in partner-caused breaches.

In all, the 2011 DBIR showed that 92 percent of breaches analyzed stemmed from external agents, a rise of 22 percent over the prior year; 17 percent originated from internal sources, implicating insiders, down by 31 percent compared with the same time 12 months ago. Multiple party-based incidents fell by 18 percent to 9 percent; and less than a single percentage of breaches resulted from the actions of business partners, a 10 percent fall.

Even though the report revealed the lowest number of records breached in the three years of the survey, it also showed the highest number of incidents investigated. Report analysts suggest this means IT teams are more aware of and willing to report threat activity. Overall, it’s clear threats are still out there, especially for retailers, where even a single successful attack can have huge consequences. Virtually everyone in retail knows about the major discount retailer who lost millions of customers’ credit card details a few years ago following a successful attack by two people armed only with a laptop and a Pringles tube.

VERIZON RETAIL SECURITY SOLUTIONS

Your infrastructure security requires a significant investment in time, resources, and effort. The most effective security plans match security policies to retail challenges. Verizon Professional Security Services and Verizon Managed Security Services can help you develop such plans. We look at your current level of security and help you develop and implement policies and procedures based on your company’s needs. Our highly trained security consultants look at all aspects of your business, including your network infrastructure and business applications, and provide expert advice for reducing security risks. Offerings include:

• Antivirus, antispam, and antispyware applications
• Application log monitoring and management
• Denial-of-service defense resources
• Firewalls, routers, and VPN
• Image and content control
• Intrusion detection and protection
• Proxy service

THE RETAIL THREAT POTENTIAL IN 2011

According to the 2011 DBIR, the retail industry has the dubious distinction of being beaten only by the hospitality industry in terms of data breaches by business sector. Retail breaches even exceeded those targeting the financial industry by a few percentage points.

DBIR authors and researchers speculate the reason for retail’s increased popularity among the hacking fraternity may be attributed to the fact that along with hospitality, it presents a smaller, softer, and less reactive target than finance, for example. The researchers speculate criminals may be making a classic risk vs. reward decision and opting to “play it safe” in light of recent arrests and prosecutions following large-scale intrusions into financial services firms.


The numerous smaller strikes on hotels, restaurants, and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option.

In terms of compromised records by industry group, the report grouped retail and hospitality together and found their industries collectively responsible for 56 percent of all records illegally obtained. This compares with 35 percent for finance and only 9 percent for all other industries.

Given the huge significance of supply chains in retail, security among partners is a major issue, and events related to partners registered highly in the 2011 DBIR. The blunt truth is that partners can contribute to a conditional event: one that creates circumstances or conditions that, if and when acted upon by another agent, allow a primary chain of events in a security threat to progress. In this respect, partners are more akin to a vulnerability than a threat (which is why partners involved in such events are not considered primary threat agents). Yet the 2011 DBIR shows that partners contributed to conditional events in 22 percent of incidents. A common example is a remote vendor responsible for managing a Point-Of-Sale (POS) system who neglects to change default credentials, leaving it vulnerable to attack.

WHERE AND HOW SECURITY STRIKES OCCUR

Retail security incidents typically occur via remote access and desktop services, which again hold the top spot in the attack pathways list, with 71 percent of all attacks analyzed by the 2011 DBIR falling into the category of hacking.

Remote access and desktop services, in combination with the exploitation of default and/or stolen credentials, are big problems in both the retail and hospitality industries. Opportunistic attacks are carried out across many victims who often share the same support and/or software vendor. Once an intruder discovers a particular vendor’s authentication method and schema, they are potentially able to exploit it across that vendor’s extended enterprise, affecting business partners and consumers.

Other, less complex, instances of embezzlement, skimming, and related fraud are reported, as well. The report found that in general such thefts are perpetrated by restaurant waiting staff, retail clerks, or other insiders who handle financial transactions as part of their job. In some cases, it’s found that employees used handheld skimmers and other devices to facilitate theft. While this may seem out of context within the scope of electronic attack, it is nevertheless a real (and common) method of stealing data—especially payment cards.

Compared with hacking or malware, omission (something not done that, according to policy and/or standard operating procedures, should have been done) is quite an uncommon security threat vector, but it is one which crops up relatively often within the retail and hospitality industries. A frequent example is the failure to change default credentials. This was most commonly linked to inadequate processes on the part of the victim to validate that things get done properly and consistently.

Who is behind data breaches?

92% stemmed from external agents

17% implicated insiders

<1% resulted from business partners

9% involved multiple parties

Source: 2011 Verizon Data Breach Investigations Report

How do breaches occur?

50% utilized some form of hacking

49% incorporated malware

29% involved physical attacks

17% resulted from privilege misuse

11% employed social tactics

Source: 2011 Verizon Data Breach Investigations Report

Where should mitigation efforts be focused?

Eliminate unnecessary data; keep tabs on what’s left

Ensure essential controls are met

Check the above again

Assess remote access services

Test and review web applications

Audit user accounts and monitor privileged activity

Monitor and mine event logs

Examine ATMs and other payment card input devices for tampering

Source: 2011 Verizon Data Breach Investigations Report
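The two points above that the report keeps returning to, default vendor credentials on remotely managed POS systems and the advice to audit accounts and mine event logs, come together in the following added example. It is illustration code written for this page, not Verizon's tooling or any vendor's product; the log format, host names, the default account names and the vendor's allowed source network are all constructed assumptions.

```python
"""Flag remote-access logins to POS hosts that rely on vendor default accounts.

Constructed example: the log line format, host names, account names and IP
ranges below are assumptions for illustration, not taken from the DBIR or
from any real POS vendor.
"""
import ipaddress
import re
from collections import Counter

# Accounts the (hypothetical) POS vendor ships enabled with a known default password.
VENDOR_DEFAULT_ACCOUNTS = {"posadmin", "support"}
# Networks the vendor's support staff are contractually allowed to connect from (assumed).
VENDOR_ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed remote-access log format: timestamp host event user= src= result=
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remote-login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log: one allowed vendor session, then a scan-like run of
# failures across several stores from an unknown source that finally succeeds.
SAMPLE_LOG = """\
2011-06-03T02:14:07Z pos-store-117 remote-login user=posadmin src=198.51.100.20 result=success
2011-06-03T02:41:55Z pos-store-117 remote-login user=posadmin src=203.0.113.45 result=failure
2011-06-03T02:42:10Z pos-store-118 remote-login user=posadmin src=203.0.113.45 result=failure
2011-06-03T02:42:31Z pos-store-119 remote-login user=posadmin src=203.0.113.45 result=failure
2011-06-03T02:43:02Z pos-store-120 remote-login user=posadmin src=203.0.113.45 result=success
2011-06-03T09:00:12Z pos-store-117 remote-login user=jsmith src=192.0.2.8 result=success
garbage line that does not parse
""".splitlines()


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def src_is_allowed(src):
    """True if the source address falls inside one of the vendor's allowed networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in VENDOR_ALLOWED_NETS)


def analyze(lines, failure_threshold=3):
    """Return a list of (severity, message) findings, in the order they were raised."""
    findings = []
    failures = Counter()   # failed logins per (src, user)
    hosts_hit = {}         # set of hosts each source address has touched
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue           # unparseable lines are skipped, not treated as events
        hosts_hit.setdefault(ev["src"], set()).add(ev["host"])
        if ev["result"] == "failure":
            failures[(ev["src"], ev["user"])] += 1
            continue
        if ev["user"] in VENDOR_DEFAULT_ACCOUNTS and not src_is_allowed(ev["src"]):
            findings.append(("high", f"{ev['host']}: default vendor account "
                                     f"{ev['user']} logged in from unexpected source {ev['src']}"))
        elif ev["user"] in VENDOR_DEFAULT_ACCOUNTS:
            # The omission the report describes: the default account is still enabled at all.
            findings.append(("info", f"{ev['host']}: default vendor account {ev['user']} "
                                     f"still enabled (used from allowed source {ev['src']})"))
    for (src, user), n in failures.items():
        if n >= failure_threshold:
            findings.append(("medium", f"{src}: {n} failed logins as {user} "
                                       f"across {len(hosts_hit[src])} host(s)"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```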


THE THREATS TO CLOUD AND MOBILE PLATFORMS

Of all the new platforms in the new multi-channel retail environment, perhaps the two most significant are the cloud and mobile. Cloud computing represents tremendous opportunities for retail in terms of cost control, flexibility and efficiency. It’s a progression to a services-oriented architecture (SOA) whereby retail IT applications and general resources need not be physically purchased but are available online and paid for as and when they are used.

Similarly, the mobile channel has two main benefits. Firstly, it puts your store in your customers’ hands wherever they are, whenever they care to shop. Going shopping then means customers making a connection from whatever platform or channel suits them, whether online or on premises.

The other benefit is that with a mobile channel your business can reap operational benefits and yield extra revenue. In a similar way to online shopping, it won’t be long before offering a mobile channel becomes a standard business requirement.

Sadly it didn’t take long for electronic attackers to see mobile, and also the cloud, as entry points into your infrastructure. You should work on the assumption that they are rapidly assessing the opportunities they bring.

Fortunately, in terms of both mobile and the cloud, the 2011 DBIR revealed that such assessments have yet to translate into a great deal of direct hits against retailers.

For the cloud, the 2011 DBIR found that the source of attack was more related to giving up control of assets and data and not controlling the associated risk, rather than any technology specific to the cloud.

For mobile, the report showed that data loss events with tablets, smartphones, and wireless phones as the source ranked low, indeed. However, security investigators fully expect mobile threats to increase and diversify along with the use, uses, and users of such devices. They say it is inevitable that as the convenience and functionality of mobile devices drives widespread adoption, security will find itself rushing to catch up to safeguard sensitive data.

DISCOVERING, REACTING TO AND REDUCING THREATS

The information you hold about your customers and the reputation of your brand are arguably the most valuable assets you own. As you continue to prioritize customer satisfaction, promote effectiveness, and interact with customers and partners through new applications and technology, defending these assets is a key priority. Poor information security configurations within retail organizations are providing a wide door for attackers to exploit. In an industry with traditionally low margins, this can add up.

The most thorough way to close that door, and make sure your business lines operate as you’d like them to, is to employ a dedicated security department whose sole job it is to monitor threats and make sure your organization is protected. Even though such an action would be effective from a technological basis, from a business perspective it is hardly the most cost-effective, certainly contrary to the prevailing trends of downsizing staff.

Maybe, as retail organizations move rapidly away from one-size-fits-all products to personalized services, retailers should consider securing assets in the same way. So, where to begin? Look to professional services providers who can help you develop and implement policies and procedures tailor-made to your retail organization.

Such experts can construct systems that mitigate risks while relieving you of the need to make added investments in staff and technology that having a dedicated IT security department would demand.

As retail organizations move rapidly away from one-size-fits-all products to personalized services, you should consider securing your data assets in the same way.


Managed security services suites can allow you to monitor and control a variety of applications, devices, and other network resources and protect your business from the numerous threats you and your extended enterprise are likely to face.

As you select a security vendor partner, the experts you work with should recognize that supply-chain and store-level inventory visibility, as well as reducing out of stocks and improving efficiencies are top priorities.

With a services approach, you get state of the art security delivered by experts whose role it is to stay on top of the latest threats as and when they appear. This can help you to strengthen your existing security and compliance programs, or allow you to create new ones from the ground up. Most importantly it can allow you and your organization to concentrate on what matters: selling goods and services.

In terms of securing mobile services, you can instruct the service supplier to address the fast-changing, unique security concerns related to the deployment and operation of a wireless infrastructure. This should cover all aspects of wireless security, including verifying the proper use of encryption and authentication, searching for rogue access points, and reviewing access point configuration. Such a methodology also works for protecting wireless data around stores, such as that generated by radio-frequency identification (RFID) tags in real-time inventory checking.

For retail merchants migrating to or using cloud computing, a competent service provider can help you identify threats quickly and efficiently. Work with an expert who has the real-world experience to protect your business from common threats like denial-of-service (DoS) attacks. A strong partner can help establish filters for email and web traffic to steer clear of viruses, spam, and malware in general.

PLAYING YOUR CARDS RIGHT TO REDUCE PAYMENT FRAUD

Fraud and general malpractice related to payment cards are both among the top issues retailers face today.

In terms of practices you can deploy to detect breaches associated with misuse of credit cards, the most common third party method is the Common Point of Purchase analysis, or CPP. At a very basic level, CPP identifies probable breaches based on the purchase histories of stolen payment cards. You can use it to limit financial losses due to fraudulent transactions, and it works quite well for that purpose.
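To make the CPP idea concrete, here is an added toy implementation written for this page (not the paper's own method, and not any issuer's or processor's production algorithm): given purchase histories and the set of cards later reported fraudulent, the merchant that the fraud cards share far more often than clean cards do is the probable point of compromise. The transactions, card and merchant identifiers, and thresholds are constructed.

```python
"""Toy Common Point of Purchase (CPP) analysis.

Constructed example: the transaction rows and the set of cards later reported
as fraudulent are made up; real CPP runs over issuer or processor data at scale.
"""
from collections import defaultdict

# (card_id, merchant_id, date): one constructed row per purchase.
TRANSACTIONS = [
    ("card01", "M-grocer", "2011-03-01"), ("card01", "M-cafe", "2011-03-02"),
    ("card02", "M-cafe", "2011-03-02"), ("card02", "M-fuel", "2011-03-05"),
    ("card03", "M-cafe", "2011-03-03"), ("card03", "M-grocer", "2011-03-04"),
    ("card04", "M-cafe", "2011-03-03"), ("card04", "M-fuel", "2011-03-06"),
    ("card05", "M-grocer", "2011-03-01"), ("card05", "M-fuel", "2011-03-02"),
    ("card06", "M-grocer", "2011-03-07"),
    ("card07", "M-grocer", "2011-03-07"), ("card07", "M-fuel", "2011-03-08"),
    ("card08", "M-cafe", "2011-03-09"),
]
# Cards the issuer later reported as used fraudulently (constructed).
FRAUD_CARDS = {"card01", "card02", "card03", "card04"}


def cards_per_merchant(transactions):
    """Map each merchant to the set of distinct cards that transacted there."""
    seen = defaultdict(set)
    for card, merchant, _ in transactions:
        seen[merchant].add(card)
    return seen


def cpp_scores(transactions, fraud_cards):
    """For each merchant return (fraud_share, lift, fraud_cards_seen).

    fraud_share: fraction of all fraud cards that shopped at this merchant.
    lift: fraud_share divided by the share of non-fraud cards that shopped there,
          so a merchant everyone uses (the grocer here) is not flagged merely for
          being popular.
    """
    if not fraud_cards:
        return {}
    by_merchant = cards_per_merchant(transactions)
    all_cards = {card for card, _, _ in transactions}
    clean_cards = all_cards - set(fraud_cards)
    scores = {}
    for merchant, cards in by_merchant.items():
        fraud_seen = cards & set(fraud_cards)
        fraud_share = len(fraud_seen) / len(fraud_cards)
        clean_share = len(cards & clean_cards) / len(clean_cards) if clean_cards else 0.0
        lift = fraud_share / clean_share if clean_share else float("inf")
        scores[merchant] = (fraud_share, lift, frozenset(fraud_seen))
    return scores


def probable_breach_points(transactions, fraud_cards, min_share=0.75, min_lift=2.0):
    """Merchants where most fraud cards overlap and that overlap is unusual for clean cards."""
    scores = cpp_scores(transactions, fraud_cards)
    return sorted(m for m, (share, lift, _) in scores.items()
                  if share >= min_share and lift >= min_lift)


if __name__ == "__main__":
    for merchant, (share, lift, seen) in sorted(cpp_scores(TRANSACTIONS, FRAUD_CARDS).items()):
        print(f"{merchant}: fraud share {share:.2f}, lift {lift:.2f}, cards {sorted(seen)}")
    print("probable compromise point(s):", probable_breach_points(TRANSACTIONS, FRAUD_CARDS))
```

On the constructed data only M-cafe is flagged: every fraud card shopped there while only one of the four clean cards did, whereas the grocer is visited by half the fraud cards and three-quarters of the clean ones.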

One of the most effective methods for protecting cardholder data is still compliance with the Payment Card Industry Data Security Standard (PCI DSS). As in past DBIR reports, most organizations (89 percent) suffering a credit card breach had not been validated PCI compliant at the time. In comparison to past reports, the 2011 DBIR’s PCI DSS compliance/non-compliance ratio leans more toward non-compliance. It also indicates the change is likely due to more level three and four merchants (such as smaller retailers, home-based businesses, hotels, and restaurants) in the dataset, whereas previous caseloads reflected a higher percentage of level one or two merchants and/or service providers such as larger financial institutions.

Experts note PCI compliance is no silver bullet. Just being PCI compliant does not guarantee that all of your systems and data are secure. A comprehensive security program that protects your customer and company information, as well as potential access and connection points in the network must be in place. Often a daunting task for internal IT teams low on resources, it can benefit a retailer to employ a managed services provider to implement a PCI DSS program.


CLOSING THE COOKIE JAR LID

Many may assume the battle against cybercrime is being won, but it’s a battle that is still being fought and attackers have their eyes firmly on the prize: payment data. And in this world, the rules and tactics are ever changing.

To help reduce your risk, implement the basic tenets of an information risk management program and maintain this initial investment over time. This would include your network and data defense technology basics such as firewalls; anti-virus technology; identity and access management, as well as creating an official risk management policy and process development for keeping system security updated.

Like wandering hands in cookie jars, electronic attacks on retailer networks probably won’t go away totally, but with the appropriate security framework in place you can close the lid on a lot of your jars.

VERIZON RETAIL

Verizon Retail is an IT consulting practice group focused on helping retailers simplify their IT infrastructure, better control costs, and protect their data and reputation with the ultimate goal of better serving customers. Through Verizon’s Framework for Retail, the company brings a standards-based approach to retailers. The framework leverages Verizon’s networking, managed IT and application solutions, specifically drawing upon Verizon’s cloud computing and security offerings. More information is available at verizonbusiness.com/solutions/retail

Contact us at [email protected]

For tips on realizing the full potential of your retail IT investments, visit the Verizon Retail Blog.


Verizon is a global leader in driving better business outcomes for mid-sized and large enterprises and government agencies. Verizon combines integrated communications and IT solutions, professional services expertise with high IQ global IP and mobility networks to enable businesses to securely access information, share content and communicate. Verizon is rapidly transforming to a cloud-based ‘everything-as-a-service’ delivery model that will put the power of enterprise-grade solutions within the reach of every business. verizonbusiness.com

Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving more than 93 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 195,000 and last year generated consolidated revenues of $106.6 billion. verizon.com

© 2011 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. Microsoft and Outlook are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. WP15119 9/11