By Pat Devlin

Increased competition combined with consumer caution has placed enormous pressure on retailers in recent years. To remain competitive, retailers need to invest in IT systems that will help retain and nurture customer and brand loyalty, as well as increase sales while simultaneously reducing operating costs. It is no surprise that retail – particularly the distributed retail environment – has become one of the most complex IT environments in business today.

The problem is that as IT systems become more complex, the risks increase with them.

In a distributed environment, one mistake can have massive repercussions. According to Gartner, 95 per cent of firewall breaches are the result of a misconfigured firewall, rather than the result of a clever hack or a flaw in the system. This means, as firewalls are rolled out at each branch or store, just one firewall misconfiguration can result in a network breach or data loss.

Hackers know this too, which is why a distributed network is particularly enticing to them. For retailers, strong defensive systems are a necessity to thwart the range of automated network attacks available to hackers and criminals.

There are also risks from web-based threats: viruses and other malware variants. Retailers are frequent targets for spyware, keyloggers and rootkits, malicious tools that can be used to capture customer details, trade secrets, and financial and credit card data. Even the humble telephone system has the potential to cause trouble, as it can be vulnerable to emerging threats such as “vishing” and directory harvesting.

For these reasons retail operators require a robust, wide-ranging Unified Threat Management (UTM) solution – one that incorporates application control and virtual private network (VPN) capabilities, firewalling, intrusion prevention, gateway antivirus, and advanced protection against web threats.

The credit card imperative
The retail IT security landscape is further complicated by a growing mountain of regulatory requirements, such as Payment Card Industry Data Security Standards (PCI DSS).

PCI DSS is a uniform set of requirements laid down by the major credit card providers. It is designed to protect consumers and retailers by ensuring credit card data is kept safe and secure. The standards provide a framework of best practices for securing cardholder data, as well as general security best practices for applications, networks, and other IT resources. Any merchant who accepts credit cards must abide by PCI DSS version 2.0.

The PCI DSS requirements apply to all “system components,” including any network component, server, or application included in, or connected to, the cardholder data environment.

Six security goals and their requirements

1. Build and maintain a secure network
The first requirement under this goal is to install and maintain a firewall configuration to protect cardholder data. This means protecting traffic as it travels in and out of a distributed network, guarding against unauthorised access from the Internet and preventing hackers from gaining access to internal resources.

The second requirement is to not use vendor-supplied defaults for system passwords and other security parameters. Administrators must take care to change default passwords when first configuring appliances, and always ensure that only authorised personnel can make firewall or unified threat management (UTM) changes.
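The two requirements above (a firewall configuration that actually protects the cardholder data environment, and no vendor-supplied defaults left in place) are the kind of thing that can be checked mechanically before a store firewall goes live. The following Python script is an added example, not code from the original article or from WatchGuard: it audits a constructed, simplified ruleset for the classic misconfigurations (no final deny-all rule, an any-to-any allow rule, direct Internet access into the cardholder data environment, unrestricted outbound traffic from it) and flags administrator accounts still using a vendor-default password. The zone names, rule format, credential list and sample rules are all assumptions made for the example; real appliances export their own configuration formats.

```python
"""Audit a simplified firewall ruleset and admin accounts for the
misconfigurations PCI DSS goal 1 is concerned with.

The rule format, zone names, default-credential list and sample rules
below are constructed for this example, not taken from any product.
"""
from dataclasses import dataclass

# Zone classification used by the constructed ruleset.
UNTRUSTED = {"internet"}
CDE = {"pos", "card-db"}          # cardholder data environment zones

# Vendor defaults that must be changed at first configuration (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


@dataclass
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    service: str    # e.g. "tcp/443" or "any"
    action: str     # "allow" or "deny"


def _is_any_any(rule):
    return rule.src_zone == "any" and rule.dst_zone == "any" and rule.service == "any"


def audit_rules(rules):
    """Return a list of findings for the ruleset; an empty list means clean."""
    findings = []
    # 1. The ruleset must end in an explicit deny of everything (default deny).
    last = rules[-1] if rules else None
    if last is None or not (_is_any_any(last) and last.action == "deny"):
        findings.append("no final deny-all rule (default deny missing)")
    for r in rules:
        if r.action != "allow":
            continue
        # 2. An any-any allow rule makes every rule after it meaningless.
        if _is_any_any(r):
            findings.append(f"{r.name}: allows any source to any destination on any service")
        # 3. Untrusted networks must never reach the CDE directly.
        if r.src_zone in UNTRUSTED and r.dst_zone in CDE:
            findings.append(f"{r.name}: direct access from {r.src_zone} into CDE zone {r.dst_zone}")
        # 4. The CDE must not have unrestricted outbound access to untrusted networks.
        if r.src_zone in CDE and r.dst_zone in UNTRUSTED and r.service == "any":
            findings.append(f"{r.name}: unrestricted outbound from CDE zone {r.src_zone} to {r.dst_zone}")
    return findings


def audit_admin_accounts(accounts):
    """Flag (username, password) pairs that are still vendor defaults."""
    return [f"account {user!r} uses a vendor-default password"
            for user, password in accounts if (user, password) in DEFAULT_CREDENTIALS]


# Constructed sample: a store firewall as a hurried rollout might leave it.
STORE_RULES = [
    Rule("web-out", "pos", "internet", "any", "allow"),
    Rule("pos-to-db", "pos", "card-db", "tcp/5432", "allow"),
    Rule("vendor-support", "internet", "card-db", "tcp/22", "allow"),
    Rule("catch-all", "any", "any", "any", "allow"),
]
STORE_ADMINS = [("admin", "admin"), ("pci-ops", "Str0ng-unique-passphrase")]

# Hardened version of the same ruleset: least privilege plus default deny.
HARDENED_RULES = [
    Rule("pos-to-db", "pos", "card-db", "tcp/5432", "allow"),
    Rule("pos-updates", "pos", "internet", "tcp/443", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]
HARDENED_ADMINS = [("pci-ops", "Str0ng-unique-passphrase")]

if __name__ == "__main__":
    for label, rules, admins in (("store", STORE_RULES, STORE_ADMINS),
                                 ("hardened", HARDENED_RULES, HARDENED_ADMINS)):
        print(label)
        for finding in audit_rules(rules) + audit_admin_accounts(admins):
            print("  -", finding)
```

Run it as-is and the "store" ruleset produces four rule findings plus one credential finding, while the hardened ruleset produces none. Checks like these belong in the rollout pipeline so that a configuration is rejected before it reaches a branch, rather than discovered after a breach.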

2. Protect cardholder data
The requirements for the second goal call for protection of stored cardholder data and encrypted transmission of cardholder data across open, public networks.

As a general rule, no cardholder data should ever be stored, but if for some reason it must be, the data has to be encrypted. When it comes to transmission, especially within a distributed environment, a VPN solution will help by providing secure site-to-site connections between networks or store locations. This ensures cardholder data is transmitted in encrypted form and remains protected from hackers and identity thieves.

3. Maintain a vulnerability management program
Here, the PCI DSS requirement calls for regular updating of antivirus software or programs. To avoid accidental lapses, retailers should consider subscriptions to their security solutions and ensure updates are performed automatically.

4. Implement strong access control measures
Access to cardholder data should be restricted to a need-to-know basis. This means putting systems and processes in place to limit access based on job responsibilities. Administrators should use their UTM solutions to enforce granular policies based on individual users or groups, as well as segment network traffic so that access to data is bound by least privilege rights regardless of the user, device, or network.

5. Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data. A UTM solution should make this easier by providing an in-depth array of reporting and logging tools. Some will allow you to track individual users – a critical capability for forensics and vulnerability management. Others make compliance even easier by including pre-packaged PCI DSS reports, ready to run on your system.
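Goals 4 and 5 fit together: the need-to-know policy from goal 4 is only verifiable if the access logging from goal 5 records who reached the cardholder data and from where. The following Python script is an added example, not code from the original article or from any UTM product: it parses constructed UTM-style log lines, builds a per-user count of accesses to cardholder-data resources, and reports every access whose role or source zone falls outside a constructed need-to-know policy. The log format, field names, policy and sample lines are all assumptions made for the example.

```python
"""Summarise and check access to cardholder-data resources from
constructed UTM-style log lines (PCI DSS goals 4 and 5).

The log format, policy and sample lines are constructed for this example.
"""
import re
from collections import Counter

# One event per line, key=value fields (constructed format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) "
    r"zone=(?P<zone>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+) status=(?P<status>\S+)$"
)

# Need-to-know policy: which roles may reach a resource, and from which zones.
POLICY = {
    "card-db": {"roles": {"pos-clerk", "pci-ops"}, "zones": {"pos", "mgmt"}},
}


def parse(lines):
    """Parse log lines into dicts; malformed lines are dropped (and counted)."""
    events, malformed = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            malformed += 1
    return events, malformed


def check_access(events, policy=POLICY):
    """Return (per-user access counts, violations) for resources in the policy."""
    per_user = Counter()
    violations = []
    for e in events:
        rule = policy.get(e["dst"])
        if rule is None:           # not a cardholder-data resource; ignore
            continue
        per_user[e["user"]] += 1   # every access is tracked, permitted or not
        if e["role"] not in rule["roles"]:
            violations.append(f'{e["ts"]} {e["user"]} (role {e["role"]}) '
                              f'reached {e["dst"]}: role not permitted')
        if e["zone"] not in rule["zones"]:
            violations.append(f'{e["ts"]} {e["user"]} reached {e["dst"]} '
                              f'from zone {e["zone"]}: zone not permitted')
    return per_user, violations


# Constructed sample log: two clerks, an ops admin, a marketing user on the office LAN.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z user=alice role=pos-clerk src=10.10.5.21 zone=pos dst=card-db action=query status=ok",
    "2024-03-01T09:14:40Z user=alice role=pos-clerk src=10.10.5.21 zone=pos dst=card-db action=query status=ok",
    "2024-03-01T09:20:11Z user=bob role=marketing src=10.20.1.7 zone=office dst=card-db action=query status=ok",
    "2024-03-01T09:31:55Z user=carol role=pci-ops src=10.0.0.5 zone=mgmt dst=card-db action=admin status=ok",
    "2024-03-01T09:32:02Z user=dave role=pos-clerk src=10.10.5.30 zone=pos dst=web-proxy action=connect status=ok",
    "this line is not a well-formed log record",
]

if __name__ == "__main__":
    events, malformed = parse(SAMPLE_LOG)
    counts, problems = check_access(events)
    print(f"{len(events)} events parsed, {malformed} malformed")
    for user, n in sorted(counts.items()):
        print(f"  {user}: {n} access(es) to cardholder data")
    for p in problems:
        print("  VIOLATION:", p)
```

On the sample above, bob's single query is reported twice (wrong role and wrong zone), which is exactly the kind of event a per-user report should surface: the access succeeded, so only the log reveals that the segmentation from goal 4 was not enforced for the office LAN.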

6. Maintain an information security policy
Merchants need to maintain a policy that addresses information security for all personnel, something that may be difficult when dealing with a variety of geographic locations. The most secure way to address the requirement is to establish and enforce policy controls within the UTM solution. It will also help if IT staff keep abreast of the latest security news and best practices, particularly as they relate to the retail industry.

It is clear the security requirements of a distributed retail environment are now well beyond the capabilities of a simple firewall. Today’s network administrators must be mindful of a variety of risks, ranging from hackers bent on stealing cardholder data to legal and industry regulations like PCI DSS, or even unintentional damage from within. A single customer email gone public or a poorly edited Facebook post can do permanent damage.
 
Pat Devlin is the regional director of WatchGuard Technologies Australia and New Zealand.