Retail threats surged during 'the year of the POS breach'

While the economy recovered and retailers grew more optimistic, 2014 was "the year of the POS breach," with many highly publicized attacks compromising millions of personal records. As a result, some of the largest and most popular retail brands were severely damaged.

U.S. retailers were the primary target of point-of-sale attacks last year, according to the Dell Security Annual Threat Report issued this week. The attacks have evolved since previous years, John Gordineer, director of product marketing, Dell Security, told FierceRetailIT. "New trends included memory scraping and using encryption to avoid detection from firewalls."

"Dell SonicWALL created 13 POS malware signatures, compared with just three in 2013–a 333 percent increase–to combat numerous and diverse attacks," he said. Most of these POS hits targeted U.S. retailers.

The report found a surge in point-of-sale malware, increased malware traffic within encrypted (HTTPS) Web protocols, and twice the number of attacks on supervisory control and data acquisition (SCADA) systems compared with 2013, a 100 percent increase.

"Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for the attacks that succeed," said Patrick Sweeney, executive director, Dell Security, in a press statement. "Hacks and attacks continue to occur, not because companies aren't taking security measures, but because they aren't taking the right ones."

Most of the retailers who were successfully breached thought they were on the right track with security, Gordineer said. For example, after Target's breach, the company issued a statement saying Target had recently been certified as meeting PCI standards. "PCI compliance is a good start but retailers need to do more," he said.

Another Dell report, the Global Technology Adoption Index, found that retailers focus more dollars on compliance than on IT security. "Engineering security programs solely based on compliance is not holistic enough," he said.

"Cyber criminals can get around compliance-based restrictions by taking a multi-vector approach." The Dell Security Annual Threat Report suggests retailers avoid relying on a single layer of defense and instead implement a multi-level, "defense-in-depth" program, he said.

Among the report's recommendations: keep operating systems of central computers patched and updated; keep the POS system isolated from the rest of the network and ensure POS systems only communicate with valid IP addresses, so attackers cannot siphon data off to their own servers; and restrict Web browsing on terminals to only POS-related activities, Gordineer said.
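The recommendation that POS systems communicate only with valid IP addresses can also be audited against network flow logs. The following is an added example, not code from the Dell report or this article; the segment, addresses, ports, log format and function names are constructed assumptions.

```python
import ipaddress

# Assumed (constructed) addressing: POS terminals sit in their own segment and
# may reach only the payment processor and the store's back-office server.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),  # payment processor (placeholder)
    (ipaddress.ip_network("10.10.5.20/32"), 8443),   # back-office server (placeholder)
]

# Constructed flow records, one per line: "src_ip dst_ip dst_port bytes_out"
SAMPLE_FLOWS = """\
10.20.0.11 203.0.113.10 443 5120
10.20.0.11 10.10.5.20 8443 2048
10.20.0.12 198.51.100.77 443 948211
10.20.0.13 10.10.5.20 445 300
10.30.0.5 198.51.100.77 443 1200
not-a-flow-line
"""

def is_allowed(dst, port):
    """True when the destination address and port match an allowlist entry."""
    return any(dst in net and port == p for net, p in ALLOWED_DESTINATIONS)

def audit_pos_egress(flow_text):
    """Return flows that originate in the POS segment and leave the allowlist."""
    violations = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than abort the audit
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            port, sent = int(fields[2]), int(fields[3])
        except ValueError:
            continue
        if src in POS_SEGMENT and not is_allowed(dst, port):
            violations.append(
                {"src": str(src), "dst": str(dst), "port": port, "bytes_out": sent}
            )
    return violations

if __name__ == "__main__":
    for v in audit_pos_egress(SAMPLE_FLOWS):
        print("POS egress outside allowlist:", v)
```

The same allowlist belongs in the firewall between the POS segment and the rest of the network as a default-deny egress policy; the audit catches cases where that policy is missing or has drifted.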

"To guard against the rising tide of breaches, retailers should implement more stringent training and firewall policies, as well as re-examine their data policies with partners and suppliers," Sweeney said.

The report further advised that retailers install firewalls between network segments and in the B2B portal, as well as prioritize security training during employee on-boarding and ongoing training. Gordineer said the adoption index survey showed employee security training is lacking across industries. "Security policy should generally trust nothing, including network and resources, and no one, including vendors, franchisees and internal personnel, and then have specified exceptions," he added.

Permit employees the access necessary to perform business functions, but don't sacrifice security, he said. In addition, separate groups to keep potential attacks contained; inspect all traffic and immediately investigate anomalies; implement strict e-mail security to block malware in spam and phishing emails; and consolidate distinct security technologies into a unified solution.

"With the right approach to security, retailers can turn things around," Gordineer said. "Retailers should continue to capitalize on the opportunities that technology brings them, while taking a savvy and well-rounded approach to security." Most of the 2014 breaches could have been avoided if retailers had followed that advice, he said.

This story was updated on April 21, 2015 to correct the spelling of John Gordineer's name.
