Howard Glavin, Principal Consultant and Manager of Governance Services, IBM ISS X-Force
The big-box retailers are slower in deploying security?
Something a medium-sized store can do and not break the bank, like putting in a low-end firewall at each of the registers, which would cost $100 a register, is very different from a big-box store perspective. If you're talking about 50 registers, that is not a lot of money. If you're dealing with the big-box stores out there today, you're talking into the billions of dollars. It's fiscally got to be spent properly. The other thing they've got at the large big-box stores is the longevity they've got to meet. It may take them 18-24 months just to roll it all out. I don't think they are reluctant to do security. I think what you see is them spending their money wisely and moving it out in a very predetermined form, due to the accountability they have to the large corporation.
Is the threat landscape different for retailers? Is there a unique threat profile for retailers?
Of the frauds occurring today, 70% are credit card frauds. Of the frauds that are occurring that are credit card frauds, 60% of the frauds that steal large volumes of data are inside out -- inside third parties and actual employees. The bigger you are the greater potential there is to have your data stolen. What a lot of companies spend a tremendous amount of money doing is protecting against the external threat. Yet, when I go back I've been finding that 92% is insider. Social engineering or some other method is used, but [hackers] get the information from somebody on the inside to get the data outside. That's holding true to form today and the credit card industry is saying the same thing.
Right now the biggest losses are occurring because of trusted third parties that are doing servicing for the big-box stores or any retail type industry. Retail by its very nature is very exposed because they have more places for loss to occur.
Aren't most retailers currently using a lot of third parties for services and technology?
They do and they don't understand the risks associated with it. If you're bringing in that third party and you don't know who they are, you may be bringing in somebody that really is just a startup. Depending on the size of the retailers, they likely don't have the expertise to do networking and they're hiring anybody they can get for the least amount of dollars thinking they can do it securely. These people for the most part aren't honest. Call centers with the big-box stores -- if a call center employee can get a credit card number and security code number and they only steal one or two a month, they can augment their income anywhere from $300-$600 a month. That's tax-free money in the door. As the economy turns more sour and the markets don't turn quickly, you're going to see more retail theft. That's going to cause the costs to go up, the profit margins to go down, and it's going to hold the economy down.
What would be a red flag if you bring in a third party?
If I were bringing in a third party the first thing I would have them do is sign my information users' policy. That would obligate them literally in writing by contract that they were going to abide by all my practices and procedures. The first red flag is when they come in and say they are not going to sign individually. If all their contracts hold them harmless and they're not going to join you as far as your liability, that's another red flag. If they come in and say they operate in a secure manner, and you say, "Show me your client base" and they say, "No," that's another red flag. Any time I'm going to hire anybody sitting there as a CISO in any company, one of the questions I ask is to get three or four recommendations from their client base. I want three that are going to be positive and I want a negative one. If they're not willing to give me that one that's kicked them out, I'm not willing to do business with them.
Let's talk about point-of-sale systems. Can you talk about how companies should standardize on point-of-sale systems?
There are requirements coming down out of the Payment Card Industry (PCI) Council that are going to dictate the type of device that you have to use; not by brand or manufacturer, but by how it is protected. Simple little things such as if the case is opened, the chip fries and there's no way to use it. The bad guys are stealing them, remanufacturing them and putting memory chips in them, which allows them to steal the data after the fact. The other thing about point-of-sale devices, particularly if you go around the globe, is they're all different. Europe thought the chip and PIN was going to be the panacea of POS devices and stop the fraud; in fact they found that the same day it was released there were frauds occurring. The criminal element is out in front of this so you have to use common sense. Everybody thinks technology solves a problem; technology doesn't do anything except compound common sense needs.
The PCI Council is requiring the use of 802.11x as an appropriate level of wireless security. Is that going to be a problem for retailers?
They said that anything that is using WEP encryption for people already having it deployed will come to end of life in 2010. For any new companies attempting to deploy it, it comes to end of life in 2009. WEP devices will not be permitted after that time. The applications behind WEP and the ability to break that technology are so prevalent that it is becoming trivial. Every big-box store is going to have a huge problem with this because most of them are running a Symbol technology or an actual 802.11, and it's not only for wireless, it's for anything that is running the WEP.
Why are companies still using WEP in the first place?
They have wireless devices out there that won't support anything but that. If you take anybody that has global stores, how many billions of dollars are they going to spend in the replacement of that hardware? A large store may have 50 wireless devices in it.