P.F. Chang customers probably felt like they were taking a step back in time when cashiers ran their credit cards through ancient systems and handed them back carbon copy receipts to sign. But if the customers then asked why the cashier wasn’t using the normal point of sale system, they would have been disturbed by the revelation of an all too modern problem: P.F. Chang had experienced a security breach, as the company announced publicly on June 10, 2014.
Unfortunately in today’s world, breaches occur more frequently than one would expect, but for companies with “Big Brand Recognition” breaches like these generate a lot of media attention. As the compromised company races to determine how many locations have been impacted and verify if data was actually stolen or altered in some way, the company’s reputation can be damaged for years to come, significantly reducing its sales and market share.
Not surprisingly, hackers have been targeting retailers because the payoff—the ability to obtain thousands or millions of valid credit card numbers—is huge. The security breach at P.F. Chang’s is yet another example of how any retailer—large, medium, or small—is at risk.
As I am writing this blog, P.F. Chang’s is still in the investigation stage; the company’s security experts haven’t yet disclosed exactly how hackers bypassed its security defenses. Other retailers that have been compromised in the last year (such as Neiman Marcus, Target, and Michaels) reported that malware was injected into their point of sale systems—systems that they might rely on partners to manage and protect. Although there appears to be some commonality in the attacks on these retailers, any part of a retailer’s onsite or online systems is at risk. Encryption alone cannot protect the transactions; the keys and certificates that enable encryption are often targeted for attack themselves.
One key defense strategy against such security breaches is having a Computer Security Incident Response Team (CSIRT). This team of security experts takes responsibility for responding to cybersecurity incidents within the organization. The team must be quick, agile, and knowledgeable about any security issue. Further, the team must define roles and responsibilities, document processes, and facilitate communication and collaboration across the entire organization and its partners. During a security issue, the team becomes command and control, actually coordinating through matrix business teams, to determine the company’s needed actions and response. Because a CSIRT team partners across the company, they are able to leverage the expertise of the cross-functional members to ensure they understand impact to the business, legal issues, as well as ensure they have a good communication strategy. This will allow the team members to create actionable plans that mitigate the company’s risk factors.
Tabletop exercises of security breaches and attacks are a critical part of any defense strategy. I was very lucky that in my past roles as CISO, I had amazing CSIRT teams with great employees (yes—I am throwing in a shout out here for all of my awesome employees!) We regularly held tabletop exercises which addressed credit card information theft or other potential emergencies that could impact the company. Some were small activities and some also included the executive leadership team up to the CEO. When these activities were completed, we would conduct a post mortem to determine what did and didn’t go well, until we were confident that everyone—including all the company’s partners—knew who to contact in the case of a threat, how to clean up any damage, and how to recover quickly.
A great scenario to add to your CSIRT tabletop planning should focus on a neglected security issue: an attack against a trusted key or certificate. Your CSIRT should know how to protect these assets and how to respond to compromises. Unfortunately, since joining Venafi, I’ve found that many people don’t know how many keys and certificates they have or where these assets are deployed. To avoid chaos when an attack occurs, companies and their partners must have an inventory of all—and I mean all—certificates and keys. The foundation of security is to know what you are protecting—therefore you must have an inventory of all hardware, software, and identities (and their corresponding user IDs, keys, and certificates).
Over the last few months, as I partner with CIOs and CISOs globally, Venafi is helping companies find insecurities in their companies’ public-facing SSL landscape. For example, when companies use wildcards, MD5, and self-signed certificates, they provide openings for hackers. Venafi solutions, which help your security teams easily pinpoint problems like these and quickly resolve them, fill in a critical gap in many security teams’ threat management plans.