Security Trends in the Retail Industry

Upload: ibm-security, posted 26-Jan-2017

TRANSCRIPT

Page 1: Security Trends in the Retail Industry

© 2016 IBM Corporation

Nick Bradley, Sr. Manager and Practice Lead, MSS Threat Research, IBM Security
Michelle Alvarez, Researcher and Editor, MSS Threat Research, IBM Security

Security Trends in the Retail Industry

Page 2

Today’s panelists

Nick Bradley, Practice Leader, Threat Research Group, IBM Security
https://securityintelligence.com/author/nick-bradley/
https://www.linkedin.com/in/nick-bradley-3406442

Michelle Alvarez, Threat Researcher, Publisher and Editor, Managed Security Services, IBM Security
securityintelligence.com/author/michelle-alvarez/
linkedin.com/pub/michelle-alvarez/65/867/445

Page 3

Agenda

•  2014 review
•  2015 findings
   –  Attack types targeting retailers
   –  Black Friday/Cyber Monday trends
•  A look at data breaches: attackers are shifting their focus
•  POS malware
•  Potential actions for defense
•  Addressing fraud

Page 4

In 2014, the retail industry remained fourth overall in incident rates, but with an upward trend year-to-year over 2013

Source: IBM Managed Security Services data

Page 5

2014 saw attackers having a higher success rate with retailers than the cross-industry average

•  Although the retail industry experienced fewer events than average, the numbers of attacks and incidents were higher than average

Source: IBM Managed Security Services data

Page 6

Prevalent attack vectors targeting the retail industry in 2015

•  Analysis of IBM MSS data accumulated between January 1 2015 and November 30 2015 reveals attack vectors affecting the retail industry.

Malicious documents introduce malware
•  The number one attack vector, making up almost 18% of the attacks
•  Attackers trick victims into opening malicious documents or clicking on links to malicious sites
•  Intent is almost always to have the victim download malware, which is the largest single attack type

SQL injection
•  The number two attack vector, making up just over 14% of the attacks
•  Also the number two attack type associated with retail security breaches
•  Weak SQL database security policy is a common denominator in successful attacks

Shellshock
•  A vulnerability in the GNU Bash shell widely used on Linux, Solaris and Mac OS systems
•  The number three attack vector, making up just over 13% of the attacks
•  Remains a significant and persistent threat across all industries in 2015

Attacks from the Tor network
•  Criminals often use the Tor network to trade with each other and to launch attacks against surface targets
•  5% of attacks against retailers came from the Tor network—a higher percentage than any other industry
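The slide names weak SQL database security policy as the common denominator in successful SQL injection attacks. The following Python example is added here and is not part of the IBM deck or its research: it places the vulnerable pattern (query text assembled by string concatenation from user input) beside the parameterised form, running both against a constructed in-memory SQLite table. The `orders` schema, the rows and the e-mail addresses are hypothetical sample data, not figures from the report.

```python
import sqlite3

# Constructed sample data: a tiny "orders" table standing in for a retailer's
# customer database (hypothetical schema and rows, not from the IBM report).
SAMPLE_ORDERS = [
    ("alice@example.com", "ORD-1001", "4111********1111"),
    ("bob@example.com",   "ORD-1002", "5500********0004"),
    ("carol@example.com", "ORD-1003", "3400********0009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, order_id TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_orders_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form: the caller's input becomes part of the SQL text itself."""
    sql = "SELECT order_id FROM orders WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_orders_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: a bound parameter is sent as data, so it can never
    change the structure of the query, whatever characters it contains."""
    sql = "SELECT order_id FROM orders WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo() -> dict:
    """Run both lookups with an honest value and with the textbook tautology."""
    conn = build_db()
    honest = "alice@example.com"
    # The quote closes the string literal and the OR clause is always true,
    # so the concatenated query matches every row instead of one customer.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_orders_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_orders_vulnerable(conn, hostile),
        "safe_honest": lookup_orders_safe(conn, honest),
        "safe_hostile": lookup_orders_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

Parameterisation fixes the query-construction half of the problem. The "database security policy" half the slide refers to is separate: on a server database the application account should hold only the grants its queries need (for example SELECT on the order tables, no access to administrative or card-data tables), so that even a query that does get injected cannot reach data the application never needed.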

Page 7

Black Friday/Cyber Monday: attackers were shopping, not attacking

•  Attackers do exploit the holiday season via spam, phishing and compromised websites
•  However, on average there is no significant uptick in attack activity in the Black Friday/Cyber Monday period
•  While traffic may appear to have spiked on Cyber Monday in 2015, the spike is only slightly above average for the holiday timeframe

Source: IBM Managed Security Services data

Page 8

Retail security incidents occur at a consistent rate throughout the year

•  The IBM X-Force Interactive Security Incidents tool on the web provides a continuously updated view of notable security incidents across all industries

Source: IBM X-Force Security Incidents data (January 1 2014 – November 31 2015). http://www-03.ibm.com/security/xforce/xfisi/ Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents.

Page 9

In 2015, breaches were occurring at a high rate, but companies were not reporting the number of records compromised

•  The number of records reported is down…but the number of incidents is up

[Chart: 2015 rate of reporting records compromised in a breach. Records not reported: 70%]

Source: IBM X-Force Interactive Security Incidents data (January 1, 2013 – November 30, 2015). http://www-03.ibm.com/security/xforce/xfisi/

Source: IBM X-Force Interactive Security Incidents data (January 1, 2015 – November 30, 2015). http://www-03.ibm.com/security/xforce/xfisi/

Page 10

Attackers are shifting their focus to smaller businesses

•  Attackers are shifting from targeting a few large organizations to targeting a large number of smaller businesses
•  A lot of little payoffs can add up to the same $$$ as a few big ones
   –  Payment card records sell for between $1 and $25 on the black market
•  Large breaches can be less effective because compromised credit cards get cancelled faster when the target is a large company that reports all affected credit cards to banks
•  Smaller companies may also lack the resources to discover compromises quickly

Page 11

Malware “planted” via malicious documents and links is the leading cause of retail breaches in 2015

•  In 44% of the retail breaches sampled, malware was the most relevant attack type
•  In 42% of breaches, victim organizations have not to date disclosed exactly what type of attack they sustained
•  The banking Trojan “Shifu” scans for POS endpoints and, when it finds one, uses a RAM-scraping plug-in to siphon payment card data
•  The Dyre malware, used by cybercrime gangs to attack bank accounts, is adding retail targets to its configuration file, preying on online customer orders

Source: IBM X-Force Security Incidents data (January 1 2011 – November 31 2015). http://www-03.ibm.com/security/xforce/xfisi/ Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents.

Page 12

In the retail industry, malware attacks against point-of-sale (POS) systems directly target payment card data

•  POS malware is designed to extract customer payment card (credit and debit) data and send it back to the attacker’s command and control server
•  Half of the ten largest retail breaches recorded since 2011 were caused by POS malware.
•  These compromises resulted in the theft of nearly 195 million records, the majority containing credit card data.

Source: IBM X-Force Security Incidents data (January 1 2011 – November 31 2015). http://www-03.ibm.com/security/xforce/xfisi/ Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents.

Page 13

Recommendations for protecting enterprise and POS systems

•  Update POS software
•  Use endpoint protection
•  Restrict access to the Internet
•  Disallow remote access
•  Segment POS networks
•  Physically protect POS systems
•  Use strong passwords
•  Educate users
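Page 12 describes POS malware sending card data back to a command and control server, and page 13 recommends restricting Internet access, disallowing remote access and segmenting POS networks. The following Python example is added here and is not part of the IBM deck: it shows one way to verify those three recommendations against firewall logs, by flagging every allowed flow in which a POS host reaches a destination outside a short egress allowlist, or in which a host outside the POS segment opens a remote-access session into it. The POS subnet, the internal address range, the allowlist, the port list, the key=value log layout and every log line are constructed for the example, not taken from any real product or network.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# All network values below are constructed for this example (hypothetical layout).
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")          # the POS VLAN
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # everything the retailer owns
EGRESS_ALLOWLIST = {                                        # the only egress a POS host needs
    ("203.0.113.10", 443),   # payment processor gateway (documentation address)
    ("10.10.1.5", 8530),     # internal patch/update server
}
REMOTE_ACCESS_PORTS = {22, 3389, 5900}                      # SSH, RDP, VNC

# Constructed firewall log lines in a simple key=value layout (not a real product format).
SAMPLE_LOG = """\
ts=2015-11-27T09:01:12Z src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp action=allow
ts=2015-11-27T09:01:40Z src=10.50.0.21 dst=10.10.1.5 dport=8530 proto=tcp action=allow
ts=2015-11-27T09:02:03Z src=10.50.0.33 dst=198.51.100.77 dport=443 proto=tcp action=allow
ts=2015-11-27T09:02:05Z src=10.50.0.33 dst=198.51.100.77 dport=443 proto=tcp action=allow
ts=2015-11-27T09:02:30Z src=10.20.3.8 dst=198.51.100.77 dport=443 proto=tcp action=allow
ts=2015-11-27T09:03:11Z src=10.50.0.33 dst=10.20.7.9 dport=3389 proto=tcp action=allow
ts=2015-11-27T09:04:02Z src=10.20.3.8 dst=10.50.0.33 dport=3389 proto=tcp action=allow
ts=2015-11-27T09:04:50Z src=10.50.0.40 dst=198.51.100.5 dport=80 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """True when the address belongs to one of the retailer's own ranges."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def check_pos_traffic(log_text: str) -> list:
    """Return one Finding per allowed flow that violates the POS network policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production job would count these
        f = m.groupdict()
        if f["action"] != "allow":
            continue  # the firewall already stopped it; only what got through matters
        src_ip, dst_ip = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        dport = int(f["dport"])
        src_is_pos, dst_is_pos = src_ip in POS_SEGMENT, dst_ip in POS_SEGMENT
        if src_is_pos and (f["dst"], dport) not in EGRESS_ALLOWLIST:
            # Covers "Restrict access to the Internet" and "Segment POS networks".
            reason = ("POS host reached internal host outside its segment"
                      if is_internal(dst_ip)
                      else "POS host reached Internet destination not on allowlist")
            findings.append(Finding(f["ts"], f["src"], f["dst"], dport, reason))
        elif dst_is_pos and not src_is_pos and dport in REMOTE_ACCESS_PORTS:
            # Covers "Disallow remote access".
            findings.append(Finding(f["ts"], f["src"], f["dst"], dport,
                                    "remote access session into POS segment"))
    return findings


def summarize(findings: list) -> Counter:
    """Count repeated flows so a host calling the same outside address stands out."""
    return Counter((x.src, x.dst, x.dport) for x in findings)


if __name__ == "__main__":
    results = check_pos_traffic(SAMPLE_LOG)
    for x in results:
        print(f"{x.ts} {x.src} -> {x.dst}:{x.dport}  {x.reason}")
    print(summarize(results))
```

The check deliberately inspects only flows the firewall allowed: a denied connection is evidence the policy worked, while an allowed one that is not on the allowlist is evidence of a gap in the rule set or of a compromised host. Keying the summary on (source, destination, port) makes a POS host that repeatedly contacts one unexpected outside address, the pattern described on page 12, visible as a single counted entry rather than a scatter of lines.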

Page 14

Addressing retail fraud: PIN vs signature or physical vs virtual?

•  In October 2015, liability for fraud in the US shifted from card issuers to merchants not using EMV
•  Current debate: which is more secure, chip-and-PIN or chip-and-signature?
   –  Chip-and-PIN vulnerability: PIN is encoded in magnetic stripe
   –  Chip-and-signature vulnerability: signatures are easy to “scribble”
•  Will virtual payments replace cards…and present a whole new set of security challenges?

Page 15

What you can do to help protect against fraud

Retailers
•  Encourage awareness of “lurkers”
•  Consider point-to-point encryption
•  Consider contactless POS systems

Consumers
•  Report lost or stolen cards promptly
•  Record all your account numbers and their phone numbers
•  Don’t lend your cards or leave them unprotected

Page 16

Get the complete picture

•  This and other IBM® X-Force® threat research reports can be downloaded here

About this report

This IBM X-Force report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources including event data, activity, and trends sourced from thousands of endpoints managed and monitored by IBM for Managed Security Services accounts around the globe.

Page 17

How IBM can help

•  IBM offers key security services to help you address these challenges

Assess: IBM Security Framework and Risk Assessment
Plan: IBM Incident Response Planning
Respond: IBM Emergency Response Services
Manage: IBM Managed Security Services

Page 18

Learn more about IBM Security

130+ countries where IBM delivers managed security services
25 industry analyst reports rank IBM Security as a LEADER
No. 1 enterprise security vendor in total revenue
12K+ clients protected including… 90% of the Fortune 100 companies

Join IBM X-Force Exchange: xforce.ibmcloud.com
Visit our website: ibm.com/security
Watch our videos on YouTube: IBM Security Channel
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity

V2015-11-23

Page 19

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU www.ibm.com/security

Page 20

Legal notices and disclaimers

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.