Remote access apps a weak link in cyber security efforts
Hackers, it turns out, are looking to bring the mayhem with the least amount of work necessary. For many of them, according to a new report from Homeland Security, finding the easy way into a company’s database often includes using apps that grant remote access to employees and vendors.
According to the report, hackers scan for remote access apps, use high-speed programs to determine an individual’s log-in information, and off they go.
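The scanning-and-guessing pattern described above is visible in the login records of the remote-access service itself. The following is an added example, not code from the article or from any of the reports it cites: it parses a constructed authentication log (the line format and the IP addresses are assumed for illustration) and flags two things a defender wants to see, a burst of failed logins from one source and, more importantly, a success that follows such a burst.

```python
"""Flag password-guessing against a remote-access login from its auth log.

Constructed log format (assumed for this example, not any real product's):
  <ISO timestamp> login user=<name> src=<ip> result=<OK|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source tries several names, then gets in as pos-vendor.
SAMPLE_LOG = """\
2014-08-25T10:00:01Z login user=jdoe src=198.51.100.7 result=OK
2014-08-25T10:00:05Z login user=admin src=203.0.113.5 result=FAIL
2014-08-25T10:00:06Z login user=admin src=203.0.113.5 result=FAIL
2014-08-25T10:00:07Z login user=pos-vendor src=203.0.113.5 result=FAIL
2014-08-25T10:00:08Z login user=pos-vendor src=203.0.113.5 result=FAIL
2014-08-25T10:00:09Z login user=pos-vendor src=203.0.113.5 result=FAIL
2014-08-25T10:00:10Z login user=pos-vendor src=203.0.113.5 result=FAIL
2014-08-25T10:00:12Z login user=pos-vendor src=203.0.113.5 result=OK
2014-08-25T10:05:00Z login user=asmith src=198.51.100.9 result=FAIL
2014-08-25T10:05:30Z login user=asmith src=198.51.100.9 result=OK
"""


def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_guessing(log_text, window=timedelta(minutes=5), threshold=5):
    """Return findings, in log order, for sources that exceed `threshold`
    failed logins inside `window`, and for any success that follows such a burst."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> user names seen in failures
    alerted = set()                 # sources already reported for a burst
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            users_tried[ev["src"]].add(ev["user"])
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                findings.append({"type": "burst_failures", "src": ev["src"],
                                 "failures": len(q),
                                 "users": sorted(users_tried[ev["src"]]),
                                 "at": ev["ts"].isoformat()})
        elif len(q) >= threshold:
            # A successful login right after a guessing burst is the
            # strongest signal that a credential was actually found.
            findings.append({"type": "success_after_failures", "src": ev["src"],
                             "user": ev["user"], "failures": len(q),
                             "at": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in detect_guessing(SAMPLE_LOG):
        print(f)
```

The window and threshold are deliberately low so the constructed sample trips them; in practice they are tuned to the service's normal failure rate, and the `success_after_failures` finding is the one worth paging on.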
"As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust," Vincent Berk of FlowTraq, a network security firm, told The New York Times.
According to Verizon’s 2014 Data Breach Investigations Report (DBIR), there were 1,300 confirmed data breaches across all industries in 2013 with 148 incidents of data loss in retail. Chains including Target, Neiman Marcus, Michaels, Schnucks and Raley’s were among those who saw their security breached.
Hackers stole more than 175 million customer records between April and June this year, according to a new SafeNet report. Of those, 145 million were a result of retail industry breaches. Last week, reports surfaced that Goodwill Industries was investigating the theft of customers’ credit card data.
A new RetailWire m•Paper sponsored by Junction Solutions, Retail POS Security: Limiting Risk in a Risky Era, offers recommendations for controlling remote access to sensitive data including:
- Banning unauthorized personnel;
- Controlling personnel changes: managing credentials when people are hired, change positions or leave a company;
- Auditing security practices of vendors and partners;
- Reviewing systems to check for unknown or dormant users;
- Eliminating weak passwords and requiring that passwords be changed on a periodic basis. (Consider using two-factor authentication.)
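The recommendations above are essentially an access-review checklist, and most of it can be run as a script against an account export. As an added example (not from the RetailWire paper or any vendor), the following reviews a constructed CSV export from a hypothetical remote-access gateway; the column names, the approved roster and the 90-day thresholds are assumptions for illustration.

```python
"""Review remote-access accounts against the recommendations listed above.

Constructed input (assumed column names, not any real gateway's export):
  username,owner_status,last_login,password_changed,mfa
"""
import csv
import io
from datetime import date

ACCOUNTS_CSV = """\
username,owner_status,last_login,password_changed,mfa
jdoe,active,2014-08-20,2014-06-01,yes
pos-vendor,active,2014-03-02,2013-11-15,no
bwhite,terminated,2014-07-30,2014-05-10,yes
temp-admin,unknown,never,2012-01-01,no
asmith,transferred,2014-08-21,2014-08-01,yes
"""

# People currently approved for remote access (constructed; in practice this
# list comes from HR and the vendor-management process, not from the gateway).
APPROVED = {"jdoe", "pos-vendor", "asmith", "bwhite"}


def review_accounts(csv_text, approved, today, dormant_days=90, max_pw_days=90):
    """Return [(username, [issue, ...])] for every account that fails a check.

    `today` is an ISO date string so the review is reproducible.
    """
    today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"]
        issues = []
        # Banning unauthorized personnel: unknown accounts are the first red flag.
        if name not in approved:
            issues.append("not on approved roster")
        # Controlling personnel changes: leavers and movers should lose access.
        if row["owner_status"] in ("terminated", "transferred"):
            issues.append(f"owner {row['owner_status']} but account still enabled")
        # Unknown or dormant users.
        if row["last_login"] == "never":
            issues.append("never used")
        elif (today - date.fromisoformat(row["last_login"])).days > dormant_days:
            issues.append(f"dormant >{dormant_days} days")
        # Periodic password change and two-factor authentication.
        if (today - date.fromisoformat(row["password_changed"])).days > max_pw_days:
            issues.append(f"password older than {max_pw_days} days")
        if row["mfa"] != "yes":
            issues.append("no two-factor authentication")
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for name, issues in review_accounts(ACCOUNTS_CSV, APPROVED, "2014-08-25"):
        print(f"{name}: {'; '.join(issues)}")
```

The vendor account in the sample is the instructive case: it is on the approved roster, so a roster check alone passes it, but it has not logged in for months, carries a password older than the policy allows and has no second factor, which is exactly the profile of a credential that can be guessed without anyone noticing.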
- Checking In From Home Leaves Entry for Hackers – The New York Times (tiered sub.)
- 2014 Data Breach Investigations Report – Verizon Enterprise Solutions
- 375 Million Customer Data Records Compromised in 2014 – Retail Industry Hit Hardest – SafeNet, Inc.
- Amid Goodwill’s probe of possible data theft, local branch said no evidence of breach – Pittsburgh Post-Gazette
- Michaels says 3 million customers hit by data breach – The Washington Post
- Retail POS Security: Limiting Risk in a Risky Era – RetailWire
Discussion Questions
How would you advise retailers to deal with cyber security issues around remote access apps? What steps, other than those offered in the article, would you recommend retailers take to deny access to criminals looking to breach their security?
The real challenge is the inside job. All it takes is one employee like Snowden to get high enough clearance. Just like all retail, it’s about the people you trust in your organization and how you train, monitor and reward them.
IMHO what we have in this article is the low-hanging fruit of recommendations, i.e., “banning unauthorized personnel” (duh) and having “stronger passwords.” The awkward truth is that there are three problems at the heart of the security issue, and all three are self-inflicted wounds:
Roger Sessions, the complexity theorist, concludes that fixing the chronic IT problem will restore a TRILLION dollars to the U.S. GDP. It will be well worth the effort with huge rewards in terms of economics, safety, performance and pretty well everything else that drives business today.
The bottom line here is that there are myriad ways to breach every retailer’s network, and current data assurance efforts won’t be enough.
In dinner event after dinner event this year, I’ve talked with CIOs and VPs of IT who say that their boards of directors want more evidence that their networks are protected, but are leery of spending more money. The Verizon Data Breach Investigations Report is a terrific resource for retail CISOs who need additional ammunition to justify more investment.
A significant percentage of security vulnerabilities pertain to web and mobile applications. To address application security challenges effectively, retail and CPG organizations need to test software and applications across their entire portfolio. They need to assess software code, web and mobile applications for vulnerabilities, as well as automate correlation of static and dynamic application security testing results. Things like “Glass-box testing,” a form of Interactive Application Security Testing (IAST), or using a JavaScript Security Analyzer or a Cross-site Scripting Analyzer, will help mitigate security risks. As a cross check, I would highly recommend a security software provider that is ranked in the “Leader Quadrant” in the latest Gartner Magic Quadrant for Application Security.