March - April 2015

Page 72

INDUSTRY NEWS
by Robert L. DiLonardo

DiLonardo is a well-known authority on the electronic article surveillance business, the cost justification of security products and services, and retail accounting. He is the principal of Retail Consulting Partners, LLC (retailconsultingllc.com), a firm that provides strategic and tactical guidance in retail security equipment procurement. DiLonardo can be reached at 727-709-6961 or by email at rdilonar@tampabay.rr.com.

Cyber Threat Predictions for 2015

2014 was undoubtedly the year of the data breach in retail. As an encore to the massive Target customer credit and debit card hack first reported in 2013, retailers such as Goodwill Industries, Dairy Queen, P.F. Chang’s, Neiman Marcus, and Home Depot, among others, reported significant point-of-sale breaches during the last year. A recent Forbes article underscores the severity of the situation, especially for retailers. Kevin Jones, senior IT security architect for Thycotic, opined, “Companies that have enormous resources dedicated to infrastructure security at point-of-sale terminals are failing.” SentinelOne Labs (sentinelone.com) published its very informative Advanced Threat Intelligence Report summarizing the top IT threats reported in 2014 along with predictions on what’s in store in 2015. Here are some of the lowlights.

Five Trends

Point-of-Sale. POS systems are sitting ducks for malware because of older operating systems like Microsoft Windows XP and outdated antivirus software. According to the experts, there is no silver bullet yet available. However, these threats should be mitigated over a period of time.

Erstwhile cyber criminals can now simply “visit a website, select the desired malware platform and capabilities to build a Trojan, choose their target assets (online banking credentials, credit and debit card numbers, healthcare records, and so forth), request a specific number of infections (targets), pay with an underground money transfer provider or bitcoin, and be in business.”

Top Hijacking Techniques

Eighty-three percent of documented attacks in 2014 were perpetrated using only five techniques:

Distributed Denial of Service (23 percent). A distributed denial of service (DDoS) attack occurs when a multitude of compromised systems attack a single target, causing denial of service of the targeted system to legitimate users. The flood of incoming messages to the target system essentially forces it to shut down.

Structured Query Language Injection (19 percent). Using SQL, web applications interact with databases to dynamically build customized data views for each user, such as a list of merchandise for sale. An attacker can manipulate a parameter’s value to build malicious SQL statements. This could result in customers receiving a wrong item or being charged an incorrect price.

Unknown (18 percent). Isn’t it scary that the IT “experts” are at a loss to explain the cause of almost one in every five data breaches?

Defacement (14 percent). Website defacement is an attack on a website that changes the visual appearance of the site or a web page. These are typically the work of system crackers who break into a web server and replace the hosted site with one of their own. Defacement is generally meant as electronic graffiti, although recently it has become a means to spread messages by politically motivated cyber protesters or “hacktivists.”

Account Hijacking (9 percent). As the name implies, hackers can hijack any type of account information—from emails to credit cards to social security numbers.
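The SQL injection item above describes a parameter's value being used to build SQL statements. As an added illustration, not taken from the SentinelOne report or from this article, the Python and SQLite sketch below builds the merchandise list both ways; the table, columns, sample rows, and function names are all constructed for this example.

```python
import sqlite3


def make_catalog():
    """In-memory merchandise table; all rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE merchandise "
        "(name TEXT, category TEXT, price REAL, listed INTEGER)"
    )
    db.executemany(
        "INSERT INTO merchandise VALUES (?, ?, ?, ?)",
        [
            ("Rain jacket", "outerwear", 79.0, 1),
            ("Wool coat", "outerwear", 149.0, 1),
            ("Running shoe", "footwear", 95.0, 1),
            ("Clearance parka", "outerwear", 20.0, 0),  # not offered for sale
        ],
    )
    return db


def list_items_concatenated(db, category):
    """Weak form: the parameter's value becomes part of the SQL text."""
    sql = (
        "SELECT name, price FROM merchandise "
        "WHERE listed = 1 AND category = '" + category + "' ORDER BY name"
    )
    return db.execute(sql).fetchall()


def list_items_parameterized(db, category):
    """Corrected form: the value is bound as data and never parsed as SQL."""
    sql = (
        "SELECT name, price FROM merchandise "
        "WHERE listed = 1 AND category = ? ORDER BY name"
    )
    return db.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = make_catalog()
    crafted = "x' OR '1'='1"  # constructed value that alters the WHERE clause
    for value in ("outerwear", crafted):
        print(repr(value))
        print("  concatenated: ", list_items_concatenated(db, value))
        print("  parameterized:", list_items_parameterized(db, value))
```

With an ordinary category both functions return the same two rows. With the crafted value the concatenated query returns every row, including the unlisted one, while the parameterized query treats the whole value as a category name and returns nothing.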


Ransomware. This class of malware restricts access to the computer system that it infects and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying. The advent of bitcoin has transformed ransomware into a cybercrime that anyone can use. Currently, there is no effective security measure against it.

Top Target—Windows. However, attacks targeting Mac OS X, Linux, iOS, and Android are on the rise. The major cyber criminals haven’t focused on mobile payment platforms yet.

Targeted, Advanced Evasion. In network security, evasion means the bypassing of an information security device to exploit, attack, or deliver some other form of malware to a target network or system without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems, or to bypass firewalls. Another target of evasions is to crash a network

continued on page 74

LPPORTAL.COM

