Howard Glavin, Principal Consultant and Manager of Governance Services, IBM ISS X-Force
The big-box retailers are slower in deploying necurity? Something a medium-sized store can do
and not break the bank, like putting in a low-end firewall at each of the registers, which would
cost $100 a register, is very different from a big-box store perspective. If you're talking about
50 registers, that is not a lot of money. If you're dealing with the big-box stores out there
today, you're talking into the billions of dollars. It's fiscally got to be spent properly. The
other thing they've got at the large big-box stores is the longevity they've got to meet. It may
take them 18-24 months just to roll it all out. I don't think they are reluctant to do security. I
think what you see is them spending their money wisely and moving it out at a very predetermined
form, due to the accountability they have to the large corporation. Is the threat landscape
different for retailers? Is there a unique threat profile for retailers?
Of the frauds occurring today, 70% are credit card frauds. Of the frauds that are occurring that are credit card frauds, 60% of the frauds that steal large volumes of data are inside out -- inside third parties and actual employees. The bigger you are the
Right now the biggest losses are occurring because of trusted third parties that are doing
servicing for the big-box stores or any retail type industry. Retail by its very nature is very
exposed because they have more places for loss occur. Aren't most retailers currently using a lot
of third parties for services and technology?
They do and they don't understand the risks associated with it. If you're bringing in that third party and you don't know who they are, you may be brining in somebody that really is just a startup. Depending on the size of the retailers, they likely don't have the expertise to do networking and they're hiring anybody they can get for the least amount of dollars thinking they can do it securely. These people for the most part aren't honest. Call centers with the big-box stores -- If a call center employee can get a credit card number and security code number and they only steal one or two a month, they can augment their income anywhere from $300-$600 a month. That's tax free money in the door. As the economy turns sour more and the markets don't turn quickly, you're going to see more retail theft. That's going to cause the costs to go up, the profit margins to go down and going to hold the economy down. What would be a red flag if you bring in a third party?
If I were bringing in a third party the first thing I would have them do is sign my information
users' policy. That would obligate them literally in writing by contract that they were going to
abide by all my practices and procedures. The first red flag is when they come in and say they are
not going to sign individually. If all their contracts hold them harmless and they're not going to
join you as far as your liability, that's another red flag. If they come in and say they operate in
a secure manner, and you say, "Show me your client base" and they say, "No," that's another red
flag. Any time I'm going to hire anybody sitting there as a CISO in any company, one of the
questions I ask is to get three or four recommendations from their client base. I want three that
are going to be positive and I want a negative one. If they're not willing to give me that one
that's kicked them out, I'm not willing to do business with them. Let's talk about point-of-sale
systems. Can you talk about how companies should standardize on point-of-sale systems?
There are requirements coming down out of the Payment Card Industry (PCI) Council that are going
to dictate the type of device that you have to use; not by brand or manufacture, but by how it is
protected. Simple little things such as if the case is opened, the chip fries and there's no way to
use it. Because the bad guys are stealing them, remanufacturing them and putting memory chips in
them allows them to steal the data after the fact. The other thing about point-of-sale devices,
particularly if you go around the globe, is they're all different. Europe thought the chip and PIN
was going to be the panacea of POS devices and stop the fraud, in fact they found that the same day
it was released there were frauds occurring. The criminal element is out in front of this so you
have to use common sense. Everybody thinks technology solves a problem; technology doesn't do
anything except compound common sense needs. The PCI Council is requiring the use of 802.11x as an
appropriate level of wireless security. Is that going to be a problem for retailers?
They said that anything that is using WEP encryption for people already having it deployed will
come to end of life in 2010. For any new companies attempting to deploy it, it comes to end of life
in 2009. WEP devices will not be permitted after that time. The applications behind WEP and the
ability to break that technology is so prevalent, that it is becoming trivial. Every big-box store
is going to have a huge problem with this because most of them are running a Symbol technology or
an actual 802.11, and it's not only for wireless it's for anything that is running the WEP. Why are
companies still using WEP in the first place?
They have wireless devices out there that won't support anything but that. If you take anybody that has global stores, how many billions of dollars are they going to spend in the replacement of that hardware? A large store may have 50 wireless devices in it.