Just last week, retail giant Target Corp. confirmed it had suffered a massive data breach, compromising approximately 40 million of its customers' credit and debit cards. The incident highlighted the importance of retail security, but experts claim many retailers actually deemphasize -- or even ignore -- basic data security practices during the make-or-break holiday shopping season.
According to the National Retail Federation, holiday sales can account for anywhere between 20% and 40% of annual sales for some retailers, and to capitalize on that opportunity, IT systems need to be running smoothly.
For that reason, Ron Gula, CEO of Columbia, Md.-based vendor Tenable Network Security, said that to ensure systems are functioning without interruption, many retailers will sacrifice information security during what he described as the "holiday IT lockdown" -- a freeze period during which the IT staff isn't allowed to make any changes that could jeopardize the availability of key systems.
During that period, which normally occurs during November and December, he said some retailers ignore security measures as basic as patch installations, while others go as far as to skip IT audits and security assessments. In particular, companies have often complained about performing vulnerability scans during the holidays because of the risk of system outages and other performance issues, but Gula said that the resilience provided by modern scanners and databases has made that view outdated.
John Kindervag, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc., said the most basic security practices, which ironically are critical to ensuring the security of customer data and avoiding a Target-like disaster, just don't happen during the holiday shopping season.
"Patching. Configuration updates. Firewall rule changes. Almost none of that happens during 'lockdown,'" Kindervag said. "Lockdown means what it says: nothing gets touched unless there is an absolute emergency."
A side effect of the lockdown period is that IT staff at some retailers take more vacation time during November and December, according to Kindervag, because the inability to make changes leaves them with less work, and that further increases the likelihood of a security incident taking place.
"In a world where things are very dynamic, especially attacks, [a lockdown period] could very well open a retailer up to some degree of risk because they may not be as responsive as they otherwise might be," Kindervag said.
Zane Lackey, director of security engineering for the e-commerce website Etsy, said he does typically notice retailers deploying less new application code over the holiday season in order to ensure reliability, though that does carry a security benefit: there is less new code to review.
Lackey said he views the holiday season and accompanying slowdown in IT activity as an opportunity for security teams. During November and December, his group works on major projects that the company has planned for the coming year.
"There's plenty of reason to have your hair on fire during the holidays," said Lackey via email. "But I'd argue that most organizations are focused on security all year and not just during the holidays."
What about PCI DSS?
Experts say retailers that choose to lock down IT operations during the holiday season not only expose their environments to more risk, but also potentially face the wrath of the Payment Card Industry Security Standards Council (PCI SSC). As part of its version 3.0 update to the PCI Data Security Standard (PCI DSS), the PCI SSC is attempting to make the standard a year-round process for companies, as opposed to the view many businesses currently hold of PCI DSS as a once-a-year exercise.
Jeffrey Man, Tenable's product marketing manager for PCI solutions, who previously spent nearly 10 years as a Qualified Security Assessor (QSA), said that he long advised organizations to take a "business-as-usual mindset" approach to PCI DSS. Even before version 3.0, he noted, many of the standard's requirements had an "element of periodicity."
Still, whenever he would check retailers' servers for installed patches, for example, he would invariably find a gap during the holidays when patches, including those issued as part of Microsoft's Patch Tuesday releases, weren't applied. Instead, according to Man, retailers would wait until the new year to roll out patches. Since patches often need to be tested and applied in chronological order, he said it could take them anywhere from weeks to even months to catch up.
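The kind of gap Man describes is easy to surface from a patch-installation record. The script below is an added illustration, not code from Tenable or the article: it takes a constructed patch log for one server (hypothetical patch ids, with release dates on a second-Tuesday cadence and installs that stop for the holidays), reports any stretch between consecutive installs longer than a threshold along with how many of those days fell inside an assumed November-December freeze window, and lists patches applied more than 30 days after release, which approximates the one-month deadline PCI DSS requirement 6.2 sets for critical security patches.

```python
from datetime import date, timedelta

# Constructed sample patch log for one server: (patch id, release date,
# install date). The ids are hypothetical placeholders, not real patch
# identifiers. Installs stop during the holiday freeze and resume in January.
PATCH_LOG = [
    ("P-2013-09", date(2013, 9, 10),  date(2013, 9, 17)),
    ("P-2013-10", date(2013, 10, 8),  date(2013, 10, 15)),
    ("P-2013-11", date(2013, 11, 12), date(2014, 1, 14)),
    ("P-2013-12", date(2013, 12, 10), date(2014, 1, 28)),
    ("P-2014-01", date(2014, 1, 14),  date(2014, 2, 4)),
]

FREEZE_MONTHS = (11, 12)  # assumed freeze window: November and December


def freeze_days_between(start, end):
    """Count the calendar days strictly between start and end that fall
    inside the freeze window."""
    count = 0
    d = start + timedelta(days=1)
    while d < end:
        if d.month in FREEZE_MONTHS:
            count += 1
        d += timedelta(days=1)
    return count


def install_gaps(log, max_gap_days=30):
    """Stretches between consecutive installs longer than max_gap_days.
    Returns (earlier patch, later patch, gap in days, days of that gap
    spent inside the freeze window), ordered by install date."""
    installs = sorted((inst, pid) for pid, _, inst in log)
    gaps = []
    for (d1, p1), (d2, p2) in zip(installs, installs[1:]):
        days = (d2 - d1).days
        if days > max_gap_days:
            gaps.append((p1, p2, days, freeze_days_between(d1, d2)))
    return gaps


def overdue(log, deadline_days=30):
    """Patches installed more than deadline_days after release. PCI DSS
    requirement 6.2 expects critical security patches within one month,
    so a 30-day threshold approximates what a QSA would look for."""
    return [(pid, (inst - rel).days)
            for pid, rel, inst in log
            if (inst - rel).days > deadline_days]


if __name__ == "__main__":
    for p1, p2, days, frozen in install_gaps(PATCH_LOG):
        print(f"{days}-day install gap between {p1} and {p2} "
              f"({frozen} of those days inside the freeze window)")
    for pid, lag in overdue(PATCH_LOG):
        print(f"{pid} applied {lag} days after release (over 30)")
```

On the constructed log the script reports a single 91-day install gap, 61 days of which sit inside the freeze window, and two patches (the November and December releases) applied more than 30 days after release. Run against real install history from a configuration-management database or WSUS export, the same two checks give an auditor or an internal team the holiday gap Man says he invariably found.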
"Retailers love to freeze their environment during the holidays, and [that approach and PCI DSS] don't jive together very well. So most of my customers either had to be very creative about how they approached that requirement in terms of compensating controls," Man said, "or frankly, a lot of times they'd just hope the QSA coming in to assess them didn't notice."
Kindervag agreed that, from a PCI compliance perspective, there are certain security controls that simply can't be ignored for any length of time. He specifically pointed to the requirements around encryption and log monitoring as examples of areas that must be maintained at all times to be PCI-compliant.
"You just can't not do those things to make your life easier during one particular time of the year," Kindervag said.
Given the security risks experts associate with a holiday IT lockdown, how should retailers approach the vital shopping season so as to limit both IT security risk and business risk? Arthur Wong, senior vice president and general manager for HP's Enterprise Security Services, said that retailers should focus on implementing monitoring capabilities before the holidays, and then increase those capabilities during November and December.
"When I talk about monitoring, I'm talking about a managed security environment," Wong said, "where you're looking for attack commonalities and incidents maybe even towards a specific industry."
Wong also recommended that retailers try to schedule audits, including those for PCI DSS, during less intense times of the year. That doesn't mean ignoring those compliance obligations; it simply leaves IT staff more time to focus on security during the holidays. He said the same advice holds true for other industries that face particular crunches at the end of business quarters or at other points over the course of the year.
Gula also emphasized the importance of having significant monitoring capabilities and security controls in place throughout the year, saying that it's the companies that don't have those measures in place year-round that tend to be ill-prepared for the frenetic holiday season.
He said even for organizations that are afraid of the impact that normal security operations can have on mission-critical systems, there are less-intrusive alternatives that a retailer can use to ensure an incident isn't happening under its nose, including credential management, network monitoring and log analysis.
"It doesn't address not patching your systems or managing your firewall rules," Gula said, "but it does offer you some sense of [knowing whether you have] a critical vulnerability on your network that could cause a business outage that you need to react to."
Gula's hope is that retailers will eschew the holiday IT lockdown mindset altogether. To do that, organizations need to constantly be asking questions about the threats targeting them. Otherwise, Gula asks, how can retailers even go about making that risk determination?
"When you have these IT freezes, you're doing it so you have more stability," Gula said, "but if you're sacrificing security just so you have more uptime, you're making it easier for attackers to take you down without a minute's notice; that's a Faustian bargain. It's not a good tradeoff."