Data breach prep essential
Target’s data breach in mid-December was a wake-up call for shoppers and retailers alike.
Target has yet to say what exactly occurred and has hired a third-party forensics firm to investigate the breach.
Jerry Irvine, CIO of Prescient Solutions, said that what is unique about the incident is that hackers went through Target’s point-of-sale system, rather than through the company’s backdoor, so to speak.
“Typically, a large-scale breach you would think would be done more in a corporate office as opposed to the front-end, point-of-sales systems, so this being a large distributed point-of-sales attack is kind of a unique type of event that has occurred,” Irvine said.
“Other breaches that have occurred were in the backend database level, not at individual stores. That’s really the main difference in how this was done.”
Irvine said that companies must be vigilant about protecting the data they are collecting.
He noted this is often more of a challenge for smaller businesses due to available resources.
Irvine said it’s especially typical for a small business to have one network that handles everything, and that is a big mistake.
“Their networks should be totally segmented,” he said. “So your point-of-sales system does not have any access to the Internet at all. Even if there is a Wi-Fi on it, there is no way for anybody to get to the Internet or to get to your point-of-sales system from the Internet, so segmenting those is important.”
He said segmentation is important on the backend as well.
“Web servers that allow end users to make purchases have to be accessible from the Internet, but the databases that they access don’t,” he explained. “There should be secure connections between those servers and your database, and that database should not be accessible from the Internet.”
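The segmentation Irvine describes (registers with no path to the Internet, a web tier that is reachable from outside, a database tier reachable only from the web tier) can be written down as an allow-list and checked against flow records. The script below is an added example, not code from the article or from Prescient Solutions; the zone CIDRs, ports and flow lines are all constructed for illustration, and any address outside the defined internal zones is treated as the Internet. It flags every flow whose (source zone, destination zone, destination port) is not explicitly allowed, so a register talking to the Internet or an outside host reaching the database shows up as a violation.

```python
"""Check constructed flow records against a zone segmentation allow-list.

Added example (not from the article or Prescient Solutions). All zone
ranges, ports and sample flows below are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed zone layout (constructed for this example).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "pos": ipaddress.ip_network("10.10.0.0/16"),   # store registers
    "web": ipaddress.ip_network("10.20.0.0/24"),   # Internet-facing web tier
    "db": ipaddress.ip_network("10.30.0.0/24"),    # database tier
    "mgmt": ipaddress.ip_network("10.40.0.0/24"),  # patch/management hosts
}

# Allow-list of (source zone, destination zone, destination port).
# Anything not listed is a segmentation violation (default deny).
ALLOWED: Set[Tuple[str, str, int]] = {
    ("internet", "web", 443),  # customers reach the storefront over HTTPS
    ("web", "db", 5432),       # web tier reaches the DB on one port only
    ("mgmt", "pos", 22),       # patch host pushes updates to registers
    ("mgmt", "web", 22),
    ("mgmt", "db", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the internal zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src sport dst dport proto bytes'."""
    src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(src, int(sport), dst, int(dport), proto, int(nbytes))


def find_violations(lines: List[str]) -> List[Tuple[Flow, Tuple[str, str, int]]]:
    """Return flows whose (src zone, dst zone, dport) is not on the allow-list.

    Records are assumed to be connection initiations (client -> server), so
    return traffic does not need a second rule.
    """
    violations = []
    for line in lines:
        flow = parse_flow(line)
        key = (zone_of(flow.src), zone_of(flow.dst), flow.dport)
        if key not in ALLOWED:
            violations.append((flow, key))
    return violations


# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "203.0.113.7 51234 10.20.0.5 443 tcp 1200",     # customer -> web: allowed
    "10.20.0.5 40000 10.30.0.10 5432 tcp 800",      # web -> db: allowed
    "10.10.3.21 49152 198.51.100.9 443 tcp 5000",   # register -> Internet: violation
    "203.0.113.7 51235 10.30.0.10 5432 tcp 300",    # Internet -> db: violation
    "10.10.3.21 49153 10.30.0.10 5432 tcp 200",     # register -> db: violation
    "10.40.0.2 55000 10.10.3.21 22 tcp 100",        # patch host -> register: allowed
]

if __name__ == "__main__":
    for flow, key in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {key[0]}->{key[1]}:{key[2]}  {flow.src} -> {flow.dst}")
```

Run against the constructed records it reports three violations: the register reaching the Internet, the outside host reaching the database, and the register reaching the database directly. The same allow-list, with real zone ranges substituted, is what the firewall between segments should enforce; running the check over exported flow logs is a cheap way to confirm the firewall policy actually matches the intended design.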
Irvine said businesses should also be regularly updating applications and firmware.
“Patches are being created for hardware and software all the time that fix vulnerabilities, and if you are not updating those and keeping your systems current, you are leaving yourself open to risk,” he said.
He noted that retailers are not the only businesses at risk, either; hotels that issue guests key cards to unlock their rooms, for instance, need to make sure their firmware is always up to date because it’s easy for someone to create their own card to open a hotel room door.
Businesses also can mitigate risks by testing applications.
“Most small organizations have limited resources to do this, but you should be testing your applications,” he said. “You can use what’s called a ‘fuzzer’ or an application scanner to go in and scan the code on your websites and on your databases to make sure that there are no vulnerabilities, and if it does find vulnerabilities, to be able to resolve them.”
Finally, businesses should have a plan for how they will handle a data breach if one does occur.
Irvine suggests that companies conduct a thorough risk analysis and plan responses that preserve forensic evidence, so that they are prepared and can respond rapidly when a breach occurs.
“What are all the possible types of breaches that could occur, and then have a scenario or a response for each one of them,” he said. “Companies have to define what their processes are going to be at the time an event is defined. What do they do and how do they resolve it?”