What we learned from the 2018 Verizon Data Breach Investigations Report
By Ken Michael
Just as in other areas of business, retailers are often victimized by hackers looking to make a quick buck. More than 75 percent of breaches were financially motivated, according to the 2018 Data Breach Investigations Report produced by Verizon. Such criminals are opportunistic in their behaviors and will target whatever company or person makes it easiest for them to gain the cash they are looking for. With this in mind and a New Year on the horizon, retailers should look at what compromised others in their industry so they can take measures to best protect themselves in 2019.
Denial of Service
Denial of Service (DoS) attacks remained the toughest threat facing retailers in the 2018 Verizon report. For businesses that rely heavily on their websites for e-commerce sales, “mitigation plans are a must, not a luxury.” While the report doesn’t classify DoS attacks as breaches, since data is not typically compromised, the potential downtime and/or performance degradation of a retailer’s website can have a serious impact on the business’s bottom line and brand.
Here are some ways to prevent a DoS attack from crippling your retail site:
• Assume Your Website Is Always Under Attack- This will help you stay vigilant about cybersecurity.
• Implement Defenses- Defenses against availability, data integrity, and confidentiality must be employed, audited and tested regularly, and refined as necessary to protect your website.
• Turn on Reverse Path Filtering- This is often turned off by default on most routers, but enabling this filter will counter most DoS attacks, as they tend to come from spoofed IP addresses.
• Avoid Phishing Scams- Educate your employees about phishing scams to prevent them and utilize software that guards against such attacks.
• Sign Up with a Content Delivery Network (CDN)- Many people sign up for a CDN as a way to deliver content more quickly, but a CDN also offers an additional layer of security. Be sure to secure all content on your site through the CDN to prevent a breach.
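One way to check the reverse path filtering advice above on a Linux-based router or gateway, as an added example that is not part of the original article. It assumes the IPv4 rp_filter sysctl tree under /proc/sys/net/ipv4/conf; the function names and the sample interface names and values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Linux reverse path filtering (IPv4 rp_filter).
# Kernel rule: the effective value for an interface is the higher of
# conf/all/rp_filter and conf/<iface>/rp_filter.
#   0 = no source validation, 1 = strict (RFC 3704), 2 = loose

# rp_filter_audit [CONF_DIR]
# Prints "<iface> <effective value> <mode>" for each interface.
# Returns 1 if any interface has source validation disabled.
rp_filter_audit() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null || echo 0)
    status=0
    for path in "$conf_dir"/*/rp_filter; do
        [ -r "$path" ] || continue
        iface=$(basename "$(dirname "$path")")
        # "all" and "default" are settings templates, not interfaces.
        case "$iface" in all|default) continue ;; esac
        value=$(cat "$path")
        if [ "$all" -gt "$value" ]; then eff="$all"; else eff="$value"; fi
        case "$eff" in
            0) mode="disabled"; status=1 ;;
            1) mode="strict" ;;
            2) mode="loose" ;;
            *) mode="unknown"; status=1 ;;
        esac
        echo "$iface $eff $mode"
    done
    return "$status"
}

# Constructed sample tree standing in for /proc/sys/net/ipv4/conf
# (interface names and values are made up for the demo).
make_sample_conf() {
    dir=$(mktemp -d)
    for pair in all:0 default:0 eth0:1 eth1:0 wan0:2; do
        mkdir -p "$dir/${pair%%:*}"
        echo "${pair##*:}" > "$dir/${pair%%:*}/rp_filter"
    done
    echo "$dir"
}

# Demo on the constructed tree; on a real host, call rp_filter_audit
# with no argument to read the live settings.
sample=$(make_sample_conf)
rp_filter_audit "$sample" || echo "source validation is off on at least one interface"
rm -rf "$sample"
```

Strict mode (1) can drop legitimate traffic on hosts with asymmetric routing, which is where loose mode (2) is normally used instead.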
Payment Card Skimmers
The second greatest threat to retailers involved payment card skimmers. This is a huge issue for traditional brick and mortar establishments. Nearly a third of the breaches investigated in the 2018 report involved payment card skimmers. Of those studied, a whopping 87 percent were found in gas pump terminals. The tampering of in-store PIN entry devices (PED pads) was not as prevalent but was a factor in the 2018 report results.
Consider these options for protecting your business and customers at brick and mortar locations:
• Use Loss Prevention- These employees can help keep watch over PED pads using cameras, security guards, and store layout designs that make it more difficult for thieves to escape undetected. These measures also put a damper on would-be shoplifters.
• Watch for Tampering- Extend the use of loss prevention to identify tampering of your PED pads with particular attention being given to gas pumps.
• Embrace Technology- Using the latest technologies can make it more difficult for “criminals to conduct card-present fraud.” For example, you may wish to employ chip and PIN, contactless-enabled POS terminals.
The third greatest threat to the cybersecurity of those in the retail industry stems from web apps. Web application attacks have been prevalent methods used by bad actors in the past and that has not changed.
“Input validation weaknesses such as OS Commanding or SQLi as well as use of stolen credentials are examples of hacking techniques used to compromise a web application,” according to the 2018 report. “Once the device is compromised, we often see code modifications in the payment application designed to capture payment card data as it is read into the app, as well as exfiltration of the data. Essentially the criminals are turning PCI-compliant applications that do not store payment card data into a very non-PCI-compliant and criminal-controlled data harvester.”
Some of the most common web application attacks involve cross-site scripting (XSS), SQL injection, DoS attacks, and cookie poisoning. Here are some tips for preventing these types of threats:
• Use an Intelligent Web Application Firewall (WAF)- This type of firewall can shield against an XSS vulnerability and will work in conjunction with the behavioral firewall to prevent more sophisticated attacks.
• Use a DoS Protection Tool- These tools help prevent DoS attacks. Some to consider include Imperva Incapsula, F5, and Nexusguard.
• Conduct Regular Network Scanning and Auditing- Regular scanning with hardware such as the Dox Box and auditing will ensure vulnerabilities such as viruses and malware are discovered and addressed as quickly as possible.
• Clear Your Cookies- Clear your stored cookies from your browser regularly to ensure there is nothing for bad actors to hijack. Teach employees to avoid signing up for sites or newsletters they will never look at again.
Retailers Hit Hardest
According to the 2018 Verizon report, the retail industry suffered the most breaches by far with a total of 22,788 of those studied. The information industry, which came in second, was far behind with only 1,040 confirmed breaches. This means retailers were nearly 22 times more likely to suffer a breach than businesses in other industries. We can attribute this to the proliferation and growth of e-commerce as well as the sheer amount of money that runs annually through the retail industry.
External Threats Trump Insiders
When it comes to breaches, retailers face a greater threat from external bad actors than internal ones per the Verizon report. Data shows that more than 90 percent of breaches to retailers included in the report were from outsiders with only seven percent being committed by insiders.
A total of 73 percent of the breaches involved the loss of payment data, while 16 percent involved the theft of personally identifiable information and another eight percent were attributed by the Verizon report to the loss of credentials.
“In terms of data theft, web application attacks leveraging poor validation of inputs or stolen credentials came top,” reads the report. “But it’s not just the theft of data you need to worry about. Denial of service attacks can have serious consequences, including preventing transactions being processed and slowing down your website and in-store systems.”
Fast Theft, Slow Reaction
In most of the cybersecurity compromises identified in the report (i.e. 87 percent of breaches), the criminals needed only minutes or even seconds to steal the valuable data they sought. The worst part is that 68 percent of breaches took months or more to discover.
Here are some things you can do as a retailer to protect your business and customers:
• Be Vigilant- Log files and change management systems can give you early warning of security compromises. The Dox Box is a great way to scan systems regularly for threats so they can be addressed quickly.
• Make Employees Your First Line of Defense- Regular employee training about the importance of cybersecurity will help protect your business, brand, and bottom line as well as your customers. Get them on board, trained, and keep them updated.
• Limit Data on a Need-to-Know Basis- Keep access to sensitive data and systems to just those who require it for their jobs. If their role changes, change their access immediately.
• Prompt Patching- Be sure to promptly patch known vulnerabilities as cybercriminals are still using these to successfully attack retailers like yours. Guard against most threats by simply keeping your anti-virus software up to date.
• Encrypt for Protection- Encrypt sensitive data to render it useless to hackers who may steal it.
• Use Multifactor Authentication- Phishing campaigns are still being used by bad actors quite successfully. Adding multifactor authentication can limit the damage done in the event credentials are stolen.
• Physical Security Counts- Remember that not all breaches are the result of a digital hack. Ensure your retail business has surveillance cameras and entry systems for areas with restricted access to reduce the odds that hard data is stolen.
For more information about protecting your retail business from becoming a target for cybercriminals or to employ any of the defenses mentioned in this blog as well as others, contact Dox now at (585) 473-7766 or visit us online. Thank you for your time and stay safe online.