Tripwire, Verizon advocate cyber-readiness

The National Retail Federation projected a 3.6 percent increase in 2016 retail holiday sales, and leading security firms are warning companies to protect their data. Recently published reports by Tripwire Inc. and Verizon Inc. suggest retailers can do more to safeguard physical stores and ecommerce sites. The Tripwire study, published Oct. 10, 2016, surveyed 763 information technology (IT) professionals, 100 of whom were in the retail sector. Verizon's 2016 Data Breach Investigations Report analyzed over 100,000 incidents that occurred in 2015, including 3,141 confirmed data breaches.

Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire, cautioned IT professionals against complacency. "The increased scrutiny of retail cyber security in the wake of major breaches has forced organizations to focus on securing their environments, yet these survey results show that there's still a lot of room for improvement," he said.

Verizon's study found that 99 percent of reported cyber attacks in 2015 occurred within a period of hours but went undetected for weeks, sharply down from response times in 2014. "There is a dramatic decline in internal discovery and a corresponding increase in discovery by fraud detection in our dataset this year," the authors wrote.

Seven-point protection plan

Tripwire analysts recommend protecting physical and digital infrastructures with a seven-point plan established by the United States Computer Emergency Readiness Team (US-CERT). "When implemented across an organization, these controls deliver specific, actionable information necessary to defend against the most pervasive and dangerous cyberattacks," the company stated.

US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats and exchanging critical cybersecurity information with trusted partners around the world, according to its website.

Following are the seven elements to address as part of US-CERT's protection plan:

1. Accurate hardware inventory
2. Accurate software inventory
3. Continuous configuration management and hardening
4. Comprehensive vulnerability management
5. Patch management
6. Log management
7. Identity and access management

Tripwire cited the following data as evidence of the need for early and automated threat detection:

• 84 percent of respondents were confident they could detect intrusions on their networks, but only 51 percent knew exactly how long the detection process would take.

• 43 percent of respondents knew how long it would take their vulnerability scanning systems to generate an alert after detecting unauthorized entry on the network; 81 percent believed it would happen within hours.

• 51 percent of respondents believed their automated tools do not detect all necessary information, such as locations and departments, needed to identify unauthorized configuration changes to endpoint devices.

• 36 percent of respondents said less than 80 percent of patches succeed in a typical patch cycle.

• 38 percent of respondents claimed that not all detected vulnerabilities are typically fixed within 15 to 30 days.

Advanced tools, surveillance

Both Verizon and Tripwire advise IT professionals to use advanced security tools to protect against increasingly cunning cybercriminals. Verizon cited phishing as a dominant cyberattack method. As multilayered protections against phishing scams, the company proposed spam protection, list blocking, email header/attachment/URL analysis and reporting of suspicious emails.

The Verizon report encouraged companies to authenticate, segment, and monitor all devices, apps and personnel connected to their networks. Report authors also gently poked fun at the idea of enforcing best practices within a security department. "One can't really say 'don't screw up again', or 'pay attention to what you are doing, for Pete's sake,'" they wrote. "Nevertheless, there are some common sense practices that can be implemented to help keep errors to a minimum."

In addition, they recommended the following for reinforcing internal guidelines:

• Learn from your mistakes: "Keeping a record of common errors that have plagued your organization can be used for something other than to mock fellow employees at the company Christmas party," the authors wrote. "Collecting this information can be used to implement new training materials for security awareness. Did Jim in accounting cc: everyone in to his latest rant again? Talk about it. Just don't mention Jim by name. Incorporate frequent 'Oops moments' into security training."

• Remember, you are the map: "Now that you are keeping a record of wrongs (love may not do it, but wise IT departments do), use that data to map the most common errors to effective controls that can help to minimize the frequency with which they occur, and mitigate the damage they do when they do take place," they noted.

• Stop trash talking: "When assets are ready for disposal, make sure that there is a documented procedure for wiping all assets before they are trashed or resold," the authors advised. "Ensure that any and all assets go through a rigorous process of check and recheck by the IT department before they can be decommissioned and disposed of. Our dataset is rife with examples of assets being sold to a third party while chockfull of PII and other sensitive data."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.