Retail Companies: 5 Tips to Strengthen Your Network Security
Physical stores have become victims of customer credit and debit card breach. In the last year, there were about 20 retailers compromised by a major security threat, this is according to a study by security firm BitSight. In a survey of 300 retailers by the same firm, it was revealed that 58 percent of the companies had worse security performance than in 2013. View the full report here.
Some examples of the major retail security breach are Target, which had over 40 million credit and debit cards compromised, and Home Depot, with 56 million payment cards compromised.
How Retailers Can Protect Themselves from Cyber Attacks
It is important that companies invest in strengthening their cybersecurity structure and avoid relying on old security technology such as network firewalls only. We’ve asked eLearnSecurity IT Security expert, Stefano Angaran, for his thoughts on how to protect your company network system from hackers.
1. Keep Systems Updated
While this point may seem obvious, it’s not an easy task to keep hundreds of heterogeneous devices (PC, PoS, Self-Checkout Lanes, etc..) up to date with the latest security patches, but it has to be done. In fact, investigations on Target data-breach pointed out that part of the attack was performed exploiting a decade-old vulnerability in Windows XP Embedded. Companies should devise a policy to monitor patches and automate updates delivery, at least to critical systems.
2. Isolate Third-party Accounts
Both Target and Home-Depot breaches initial attack points were provided by stolen credentials from third party vendor companies. Counting on security best-practices of external entities is not enough. Following the good ol’ “Principle of least privilege” is the baseline here. Limit access to what is minimally required. For increased security, when possible, vendor should be given access only to external isolated systems e.g. a project management tool should be hosted inside a network isolated from PoS systems.
3. Increase Security Awareness
Humans are the weakest link in the security chain. Many actual attacks target employees (e.g. phishing) and offer an easy way to gain a step inside the company network perimeter. In the Target attack, the credentials used to initially access the company network were stolen by a classic email malware downloaded by an employee at a third party air conditioning firm. Investing in the education of employees and provide proper training will save companies money and reputation losses in the future.
4. Thorough Penetration Testing
Managing and securing large scale information systems like the ones in use at big companies like Home Depot or Target is not trivial. Many different aspects should be considered but to fully understand the security risks and weakest points, firms should invest in regular penetration tests. Security professionals can point out vulnerabilities in the systems and, more importantly, also give recommendations to solve or mitigate them.
5. Do Not Expose Sensitive Information
Investigations on Target attack show that the company exposed a lot of internal sensitive information on pages accessible from their public website, without even needing a login; information varies from instructions to how to submit work orders to a list of suppliers, even a Windows Domain username. That’s a gold mine for crooks that can fine-tune a cyber-attack. Firms should thus review their public resources and restrict access to the most sensitive ones.
IT Security breaches will be bigger as cyber criminals become more advanced. Institutions and organizations have no choice but to keep up to protect themselves from attacks.
Penetration Testing Professional Training Course
The need for cybersecurity professionals is high given the recent breaches. Become an IT Security expert and learn to conduct penetration tests. With over 3,000 students in 140 countries, Penetration Testing Professional is the most comprehensive and practical online course on Penetration Testing. Get started with a FREE trial here: PTP Free Trial
Stefano Angaran is Senior Developer and IT Security researcher at eLearnSecurity. He has over 7 years experience in Web development with a strong focus on writing secure code. He is also the Author of the WiFi Security section of the Penetration Testing Professional training course.