Security Trends in the Retail Industry
•
5 j'aime•3,078 vues
View on demand webinar: https://securityintelligence.com/events/security-trends-in-the-retail-industry/ In 2014, significant threats and massive breaches made front-page news on a regular basis, and those that hit retailers seemed to be the ones that jumped to mind first. This may have been due, in part, to a sizable uptick in the number of cyber attacks against US retailers versus the prior year. In 2015 however, the cybercrime focus has shifted to online retailers and smaller businesses. With large retailers tightening security controls and safer chip cards coming into use, hackers are turning their sights to online transactions and smaller retail targets to capture consumer credit card data. Join us as Nick Bradley, Practice Leader of the Threat Research Group at IBM Security, and Michelle Alvarez, Threat Researcher and Editor for IBM Managed Security Services, discuss findings from two recently-published reports on the threat landscape in the retail industry: IBM 2015 Cyber Security Intelligence Index for Retail, and Security trends in the retail industry, an IBM X-Force Research Managed Security Services report. This webinar will cover: - An overview of security events, attacks, and incidents in the retail industry - Attack trends over Black Friday-Cyber Monday, including 2015 data - Who the attackers are, where the attacks are happening and what types of attacks are most commonly used - The number of records compromised, and where the weak points are in retailer networks - How cyber criminals are responding to the introduction of chip cards
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Security Trends in the Retail Industry
Similaire à Security Trends in the Retail Industry (20)
Plus de IBM Security
Plus de IBM Security (20)
Dernier
Dernier (20)
Security Trends in the Retail Industry
- 1. © 2016 IBM Corporation Nick Bradley Sr. Manager and Practice Lead, MSS Threat Research IBM Security Michelle Alvarez Researcher and Editor, MSS Threat Research IBM Security Security Trends in the Retail Industry
- 2. 2© 2016 IBM Corporation Today’s panelists Nick Bradley Practice Leader Threat Research Group IBM Security https://securityintelligence.com/author/nick-bradley/ https://www.linkedin.com/in/nick-bradley-3406442 Michelle Alvarez Threat Researcher, Publisher and Editor Managed Security Services IBM Security securityintelligence.com/author/michelle-alvarez/ linkedin.com/pub/michelle-alvarez/65/867/445
- 3. 3© 2016 IBM Corporation ! 2014 review ! 2015 findings – Attack types targeting retailers – Black Friday/Cyber Monday trends ! A look at Data Breaches: Attackers are shifting their focus ! POS Malware ! Potential actions for defense ! Addressing fraud Agenda
- 4. 4© 2016 IBM Corporation In 2014, the retail industry remained fourth overall in incident rates, but with an upward trend year-to-year over 2013 Source: IBM Managed Security Services data
- 5. 5© 2016 IBM Corporation ! Although the retail industry experienced fewer events than average, the numbers of attacks and incidents were higher than average 2014 saw attackers having a higher success rate with retailers than the cross-industry average Source: IBM Managed Security Services data
- 6. 6© 2016 IBM Corporation Prevalent attack vectors targeting the retail industry in 2015 ! Analysis of IBM MSS data accumulated between January 1 2015 and November 30 2015 reveals attack vectors affecting the retail industry. Attacks from the Tor network Malicious documents introduce malware Shellshock ! Criminals often use the Tor network to trade with each other and to launch attacks against surface targets ! 5% of attacks against retailers came from the Tor network—a higher percentage than any other industry 2 ! A vulnerability in the GNU Bash shell widely used on Linux, Solaris and Mac OS systems ! The number three attack vector, making up just over 13% of the attacks ! Remains a significant and persistent threat across all industries in 2015 3 4 ! The number one attack vector, making up almost 18% of the attacks ! Attackers trick victims into opening malicious documents or clicking on links to malicious sites ! Intent is almost always to have the victim download malware, which is the largest single attack type ! The number two attack vector, making up just over 14% of the attacks ! Also the number two attack type associated with retail security breaches ! Weak SQL database security policy is a common denominator in successful attacks SQL injection 1
- 7. 7© 2016 IBM Corporation ! Attackers do exploit the holiday season via spam, phishing and compromised websites ! However, on average there is no significant uptick in attack activity in the Black Friday/Cyber Monday period ! While traffic may appear to have spiked on Cyber Monday in 2015, the spike is only slightly above average for the holiday timeframe Black Friday/Cyber Monday: attackers were shopping, not attacking Source: IBM Managed Security Services data
- 8. 8© 2016 IBM Corporation ! The IBM X-Force Interactive Security Incidents tool on the web provides a continuously updated view of notable security incidents across all industries Retail security incidents occur at a consistent rate throughout the year Source: IBM X-Force Security Incidents data (January 1 2014 – November 31 2015). http://www-03.ibm.com/security/xforce/xfisi/ Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents.
- 9. 9© 2016 IBM Corporation ! The number of records reported is down…but the number of incidents is up In 2015, breaches were occurring at a high rate, but companies were not reporting the number of records compromised Records not reported 70% 2015 rate of reporting records compromised in a breach Source: IBM X-Force Interactive Security Incidents data (January 1, 2013 – November 30, 2015). http://www-03.ibm.com/security/xforce/xfisi/ Source: IBM X-Force Interactive Security Incidents data (January 1, 2015 – November 30, 2015). http://www-03.ibm.com/security/xforce/xfisi/
- 10. 10© 2016 IBM Corporation ! Attackers are shifting from targeting a few large organizations to targeting a large number of smaller businesses ! A lot of little payoffs can add up to the same $$$ as a few big ones – Payment card records sell for between $1 and $25 on the black market ! Large breaches can be less effective because compromised credit cards get cancelled faster when the target is a large company that reports all affected credit cards to banks ! Smaller companies may also lack the resources to discover compromises quickly Attackers are shifting their focus to smaller businesses
- 11. 11© 2016 IBM Corporation Source: IBM X-Force Security Incidents data (January 1 2011 – November 31 2015). http://www-03.ibm.com/security/xforce/xfisi/ Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents. ! In 44% of the retail breaches sampled, malware was the most relevant attack type ! In 42% of breaches, victim organizations have not to date disclosed exactly what type of attack they sustained ! The banking Trojan “Shifu” scans for POS endpoints and, when it finds one, uses a RAM-scraping plug-in to siphon payment card data ! The Dyre malware, used by cybercrime gangs to attack bank accounts, is adding retail targets to its configuration file, preying on online customer orders Malware “planted” via malicious documents and links is the leading cause of retail breaches in 2015
- 12. 12© 2016 IBM Corporation ! POS malware is designed to extract customer payment card (credit and debit) data and send it back to the attacker’s command and control server ! Half of the ten largest retail breaches recorded since 2011 were caused by POS malware. ! These compromises resulted in the theft of nearly 195 million records, the majority containing credit card data. In the retail industry, malware attacks against point-of-sale (POS) systems directly target payment card data Source: IBM X-Force Security Incidents data (January 1 2011 – November 31 2015). http://www-03.ibm.com/security/xforce/xfisi/ Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents.
- 13. 13© 2016 IBM Corporation Recommendations for protecting enterprise and POS systems Update POS software Use endpoint protection Restrict access to the Internet Disallow remote access Segment POS networks Physically protect POS systems Use strong passwords Educate users
- 14. 14© 2016 IBM Corporation ! October 2015 in US liability for fraud shifted from card issuers to merchants not using EMV ! Current debate: Which is more secure, chip-and-PIN or chip-and-signature? – Chip-and-PIN vulnerability: PIN is encoded in magnetic stripe – Chip-and-signature vulnerability: Signatures are easy to “scribble” ! Will virtual payments replace cards…and present a whole new set of security challenges? Addressing retail fraud: PIN vs signature or physical vs virtual?
- 15. 15© 2016 IBM Corporation What you can do to help protect against fraud • Encourage awareness of “lurkers” • Consider point-to-point encryption • Consider contactless POS systems • Report lost or stolen cards promptly • Record all your account numbers and their phone numbers • Don’t lend your cards or leave them unprotected Retailers Consumers
- 16. 16© 2016 IBM Corporation ! This and other IBM® X-Force® threat research reports can be downloaded here Get the complete picture About this report This IBM X-Force report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources including event data, activity, and trends sourced from thousands of endpoints managed and monitored by IBM for Managed Security Services accounts around the globe.
- 17. 17© 2016 IBM Corporation ! IBM offers key security services to help you address these challenges How IBM can help IBM Security Framework and Risk Assessment IBM Incident Response Planning IBM Managed Security Services IBM Emergency Response Services Assess Plan Respond Manage
- 18. 18© 2016 IBM Corporation Learn more about IBM Security V2015-11-23 countries where IBM delivers managed security services industry analyst reports rank IBM Security as a LEADER enterprise security vendor in total revenue clients protected including… 130+ 25 No. 1 12K+ 90% of the Fortune 100 companies Join IBM X-Force Exchange xforce.ibmcloud.com Visit our website ibm.com/security Watch our videos on YouTube IBM Security Channel Read new blog posts SecurityIntelligence.com Follow us on Twitter @ibmsecurity
- 19. © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOUwww.ibm.com/security
- 20. © 2016 IBM Corporation Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third- party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Legal notices and disclaimers