<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: retail]]></title>
    <link>http://securityratty.com/tag/retail</link>
    <description></description>
    <pubDate>Mon, 22 Sep 2008 05:53:19 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[On Security & Risk Management Innovation]]></title>
      <link>http://securityratty.com/article/044cbc91b90e3bcf8694d48ef0276511</link>
      <guid>http://securityratty.com/article/044cbc91b90e3bcf8694d48ef0276511</guid>
      <description><![CDATA[Pre-Script - It should be noted that the outcome of this discussion - in the last paragraph - is one smart way you can approach the "We need to reduce your budget" discussion (if that discussion hasn't...]]></description>
      <content:encoded><![CDATA[<p><span style="color: #666699;"><em>Pre-Script - It should be noted that the outcome of this discussion - in the last paragraph - is one smart way you can approach the “We need to reduce your budget” discussion (if that discussion hasn’t come already).</em></span></p>
<p>I’ve often read people who say that we (security, risk management) need to “think like the attacker”.  And when you read this sort of article, that usually alludes to trying to anticipate the tactics an attacker might use to mess with your C, I, or A.  Smart stuff, that, and very useful when architecting security solutions.  But as I was training some folks Monday, I was thinking in the back of my head about Threat Capability (TCap) in FAIR.  As you might know, we like to estimate the capability of a threat to apply some level of “force” against our assets.  This ability to apply force is a byproduct of the attacker&#8217;s skills and resources.  And thinking of how an attacker applies skills and resources, I came across another way we might “think” like an attacker.</p>
<p>Traditionally, I’ve thought of “skills” as being a byproduct of the toolset an attacker has.  This mindset probably stems from my time with Penetration Testing teams, where in the process of scoping the  PenTest I would ask our clients to select the level of effort that they wanted us to throw at them.  If a client chose “high” we’d throw every ‘spoit we had at them.  If they chose “low” we’d limit ourselves to a more commonly available toolset.</p>
<p>But while the resources part of TCap is time &amp; materials (money) - the skills are really more than just the toolset.  Skills would include the ability of the attacker to be creative and innovative.    As an example of that innovation from those PenTesting days - when we got a “high” effort request, we would always try to couple that with some “social engineering”-type of attack, or some unique means of delivering an existing exploit.  Our creativity was not necessarily a byproduct of a unique exploit or tool we had, but the process by which we might deliver pre-existing or commonly available exploits.  I remember when we first got ahold of a handful of 32mb thumb drives (hey, 32mb was <em>huge</em> back then) and &#8220;dropped&#8221; a few in the lobby of a client&#8217;s retail space.  The keystroke loggers and phone-home script weren&#8217;t new, but using the thumb drive as delivery vehicle certainly was.</p>
<p>So I’ve started to really think about this concept of innovation, and how if “thinking like an attacker” means to be innovative, we ought to do the same.  I’ve been thinking of two main categories of innovation this morning.</p>
<p><strong>INNOVATION</strong></p>
<p>The first I’ll call <em><strong>Technology Innovation</strong></em>.  And by Technology Innovation, I mean some new, unique, “ahead of the curve” technology that an attacker can use against us.  The obvious example of which is a zero-day.  It’s that “high” tool set our PenTesters would use against the clients.  For security departments, this might be the latest security product designed to enhance our ability to P, D, and/or R.</p>
<p>Alternately, we can be creative in the way we deliver (manage) existing technology.  I think of this as<strong> Process Innovation</strong>.  It’s doing more with what we already have, just like the PenTest team would be creative in the delivery of an existing exploit.</p>
<p>Unfortunately for us - attackers have traditionally had quite a leg up on us in terms of Process Innovation.  It is much easier for them to be creative, as they are free of political constraints and bureaucracy.  In contrast, when the security industry tries Process Innovation, the results are checklists and “standards”.  It’s committees and consensus.  An extreme example of which might be something like SABSA - a great work if you want to understand some very smart people’s comprehensive understanding of organizational security - but the “adoption” of which will do very little to help you be innovative in P/D/R.</p>
<p>It’s worth noting that ultimately, this is one reason <strong>I don’t like regulatory compliance efforts</strong> - <strong>they simply serve to prove how mundane your security department is</strong>,  wasting valuable resources that could be spent on creating ways to be more effective.</p>
<p><strong>PROCESS INNOVATION AS A SUBSTITUTE FOR TECHNOLOGY INNOVATION</strong></p>
<p>As we come to the close of 2009, some surveys suggest that security spending isn’t horribly impacted yet by the economy (the latest from E&amp;Y points to only 5% of their respondents getting budget cuts).  But if this is a protracted downturn, and because InfoSec is an operational expense, I would expect cash to become more and more difficult to keep.  And regardless if technology spends do slow, I believe it makes sense to think about Process Innovation because I see Process Innovation as a means to increase effectiveness without significant capital expenditures (effectiveness increases because our ability to manage risk has a direct correlation to the amount of risk we have).</p>
<p>The bad news is, of course, that great innovation is hard.  It is R &amp; D.  Failure is usually a pre-requisite to success.</p>
<p>The good news is, our current state is so bad that many of us don’t need to come up with a whizbang new way of reducing software defects in the SDLC as innovation.  Simply inserting a risk analyst into the PMO’s processes might count as a big enough victory. Be cautioned, though,  that if we’re substituting the risk reductions provided by technology acquisition - Process Innovation might actually be even more &#8220;expensive&#8221; as it requires us to expend political capital.   But there are (forgive the term) innovative ways to spend this political capital.</p>
<p>For example, by taking a second now and figuring out the 3 things that the rest of the organization can do to make your life easier, when that “I need to reduce your budget” talk comes, you can be prepared to negotiate.  Get a political capital &#8220;loan&#8221; or &#8220;investment&#8221; from the C-Suite reducing your budget.  Something to the effect of: “I expected this, and am happy to give up my budget.  But if our tolerance for risk hasn’t changed, what I’d like to do is get you to personally back my office on three projects I’ve identified that can reduce our risk without requiring significant capital expenditure.”</p>
]]></content:encoded>
      <pubDate>Wed, 12 Nov 2008 11:23:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/innovation">innovation</category>
      <category domain="http://securityratty.com/tag/process">process</category>
      <category domain="http://securityratty.com/tag/process innovation">process innovation</category>
      <category domain="http://securityratty.com/tag/call technology innovation">call technology innovation</category>
      <category domain="http://securityratty.com/tag/technology innovation">technology innovation</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/attackers skills">attackers skills</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=516">On Security &amp; Risk Management Innovation</source>
    </item>
    <item>
      <title><![CDATA[UPC Switching Scam]]></title>
      <link>http://securityratty.com/article/9b8b2ce40c0b2ddd6dfc372d91cd71a4</link>
      <guid>http://securityratty.com/article/9b8b2ce40c0b2ddd6dfc372d91cd71a4</guid>
      <description><![CDATA[It's not a new scam to switch bar codes and buy merchandise for a lower value, but how do you get away with over $1M worth of merchandise with this scam ? In a statement of facts filed with Tidwell's...]]></description>
      <content:encoded><![CDATA[<p>It's not a new scam to switch bar codes and buy merchandise for a lower value, but how do you <a href="http://www.daytondailynews.com/n/content/oh/story/news/local/2008/10/24/ddn102408tidwellweb.html?imw=Y">get away with over $1M worth of merchandise with this scam</a>?</p>

<blockquote><p>In a statement of facts filed with Tidwell's plea, he admitted that, during one year, he and others conspired to steal more than $1 million in merchandise from large retailers and sell the items through eBay. The targeted merchandise included high-end vacuum cleaners, electric welders, power winches, personal computers, and electric generators.</p>

<p>Tidwell created fraudulent UPC labels on his home personal computer. Conspirators entered various stores in Ohio, Illinois, Indiana, Pennsylvania and Texas and placed the fraudulent labels on merchandise they targeted, and then bought the items from the store. The fraudulent UPC labels attached to the merchandise would cause the item to be rung up for a price far below its actual retail value.</p></blockquote>

<p>That requires a lot of really clueless checkout clerks.</p>]]></content:encoded>
      <pubDate>Fri, 31 Oct 2008 03:43:35 +0000</pubDate>
      <category domain="http://securityratty.com/tag/merchandise">merchandise</category>
      <category domain="http://securityratty.com/tag/fraudulent upc labels">fraudulent upc labels</category>
      <category domain="http://securityratty.com/tag/scam">scam</category>
      <category domain="http://securityratty.com/tag/high-end vacuum cleaners">high-end vacuum cleaners</category>
      <category domain="http://securityratty.com/tag/switch bar codes">switch bar codes</category>
      <category domain="http://securityratty.com/tag/home personal computer">home personal computer</category>
      <category domain="http://securityratty.com/tag/clueless checkout clerks">clueless checkout clerks</category>
      <category domain="http://securityratty.com/tag/fraudulent labels">fraudulent labels</category>
      <category domain="http://securityratty.com/tag/actual retail">actual retail</category>
      <source url="http://www.schneier.com/blog/archives/2008/10/upc_switching_s.html">UPC Switching Scam</source>
    </item>
    <item>
      <title><![CDATA[Shoppers advised about deadly mall attacks]]></title>
      <link>http://securityratty.com/article/5bc8dcaabb9f27b59c040893a7229778</link>
      <guid>http://securityratty.com/article/5bc8dcaabb9f27b59c040893a7229778</guid>
      <description><![CDATA[In a joint effort between U.S. Dept. of Homeland Security and Mall retail associations, mall employees and shoppers are being advised on how to protect themselves against assailants armed with guns
...]]></description>
      <content:encoded><![CDATA[In a joint effort between U.S. Dept. of Homeland Security and Mall retail associations, mall employees and shoppers are being advised on how to protect themselves against assailants armed with guns. <br /><span id="fullpost"><br />It is a sad reflection of the society in which we live, but statistics show that there is a real need for such training.  Between 2004 and 2008, there have been 17 shooting incidents in U.S. malls.  The shootings have resulted in 34 deaths and 33 injuries.  <br /><br />The issued guidelines warn that the shootings are often committed by current and former retail employees with grievances against their employers (workplace violence) or are related to an associate with domestic problems (domestic violence). <br /></span><br />We continue to advocate for better training for mall security officers.  Unfortunately, many times employers have to face huge lawsuits before they are willing to spend money on any additional security training.  The ironic part is that had they done the right thing to begin with, in many cases they could have saved tens of millions of dollars in those same lawsuits and not suffered reputation damage and loss.]]></content:encoded>
      <pubDate>Sun, 26 Oct 2008 12:51:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mall security officers">mall security officers</category>
      <category domain="http://securityratty.com/tag/lawsuits">lawsuits</category>
      <category domain="http://securityratty.com/tag/times employers">times employers</category>
      <category domain="http://securityratty.com/tag/mall retail associations">mall retail associations</category>
      <category domain="http://securityratty.com/tag/huge lawsuits">huge lawsuits</category>
      <category domain="http://securityratty.com/tag/employers">employers</category>
      <category domain="http://securityratty.com/tag/domestic">domestic</category>
      <category domain="http://securityratty.com/tag/domestic violence">domestic violence</category>
      <category domain="http://securityratty.com/tag/shootings">shootings</category>
      <source url="http://www.thebulletproofblog.com/2008/10/shoppers-advised-about-deadly-mall.html">Shoppers advised about deadly mall attacks</source>
    </item>
    <item>
      <title><![CDATA[PCI Bans WEP Security Starting 2010]]></title>
      <link>http://securityratty.com/article/5f38b99c3f2e614c14cdba03311ea183</link>
      <guid>http://securityratty.com/article/5f38b99c3f2e614c14cdba03311ea183</guid>
      <description><![CDATA[Version 1.2 for the PCI Data Security Standard was released last week. One interesting outcome is that the insecure wireless WEP protocol will be banned but not until June 2010. Says Ars Technica...]]></description>
      <content:encoded><![CDATA[<p>Version 1.2 for the PCI Data Security Standard was released last week.</p>
<p>One interesting outcome is that the insecure wireless <a rel="nofollow" target="_blank" href="http://arstechnica.com/news.ars/post/20081003-credit-card-processors-finally-get-clue-will-ban-wep.html">WEP</a> protocol will be <a rel="nofollow" target="_blank" href="http://wifinetnews.com/archives/008474.html">banned</a>&#8230;but not until June 2010. Says <a rel="nofollow" target="_blank" href="http://arstechnica.com/news.ars/post/20081003-credit-card-processors-finally-get-clue-will-ban-wep.html">Ars Technica</a>:</p>
<blockquote><p>Although TJX has become the poster-child for consumer data theft over WiFi, it is (by far) not the only company to use insecure wireless technologies. Wireless security manufacturer AirDefense released a report in late 2007 saying that a quarter of the 4,748 retail access points it surveyed across the US had no security whatsoever, while another quarter only used WEP, &#8220;one of the weakest protocols for wireless data encryption.&#8221; Just under half (49 percent) of the surveyed hotspots used WiFi Protected Access (WPA) or WPA 2—much stronger encryption protocols than WEP.</p></blockquote>
<p>If you&#8217;re wondering about what other impacts it will have, you might want to read through the <a rel="nofollow" target="_blank" href="https://www.pcisecuritystandards.org/security_standards/supporting_documents.shtml">PCI site</a> or sign up for the <a rel="nofollow" target="_blank" href="http://www.secureworks.com/research/webcasts/20081014-gen-www">SecureWorks webcast</a> on October 14th to learn more.</p>]]></content:encoded>
      <pubDate>Mon, 06 Oct 2008 05:38:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wep">wep</category>
      <category domain="http://securityratty.com/tag/insecure wireless technologies">insecure wireless technologies</category>
      <category domain="http://securityratty.com/tag/wireless data encryption">wireless data encryption</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <category domain="http://securityratty.com/tag/retail access">retail access</category>
      <category domain="http://securityratty.com/tag/consumer data theft">consumer data theft</category>
      <category domain="http://securityratty.com/tag/secureworks webcast">secureworks webcast</category>
      <category domain="http://securityratty.com/tag/quarter">quarter</category>
      <category domain="http://securityratty.com/tag/security whatsoever">security whatsoever</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/412950080/">PCI Bans WEP Security Starting 2010</source>
    </item>
    <item>
      <title><![CDATA[Schwarzenegger again nixes data breach bill]]></title>
      <link>http://securityratty.com/article/b18549d7ba497f2c9b45a58944bc57c5</link>
      <guid>http://securityratty.com/article/b18549d7ba497f2c9b45a58944bc57c5</guid>
      <description><![CDATA[For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed legislation that would have set new IT security requirements designed to protect credit and debit card data in retail...]]></description>
      <content:encoded><![CDATA[For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed legislation that would have set new IT security requirements designed to protect credit and debit card data in retail systems.]]></content:encoded>
      <pubDate>Mon, 06 Oct 2008 00:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/debit card data">debit card data</category>
      <category domain="http://securityratty.com/tag/protect credit">protect credit</category>
      <category domain="http://securityratty.com/tag/arnold schwarzenegger">arnold schwarzenegger</category>
      <category domain="http://securityratty.com/tag/security requirements">security requirements</category>
      <category domain="http://securityratty.com/tag/california gov">california gov</category>
      <category domain="http://securityratty.com/tag/retail systems">retail systems</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/legislation">legislation</category>
      <category domain="http://securityratty.com/tag/months">months</category>
      <source url="http://feeds.computerworld.com/click.phdo?i=486715e67b26aa759fe6b7d5bddf9a61">Schwarzenegger again nixes data breach bill</source>
    </item>
    <item>
      <title><![CDATA[Major Industries Drop The Ball On Data Security]]></title>
      <link>http://securityratty.com/article/efa5a2f9cc94e5e0494ddb6cafc56fae</link>
      <guid>http://securityratty.com/article/efa5a2f9cc94e5e0494ddb6cafc56fae</guid>
      <description><![CDATA[Verizon recently analyzed "four years of data from over 500 cases worked by the Verizon Business Investigative Response team," to produce a report that gives an in-depth look into how data breaches...]]></description>
      <content:encoded><![CDATA[Verizon recently analyzed "four years of data from over 500 cases worked by the Verizon Business Investigative Response team," to produce a report that gives an in-depth look into how data breaches are occurring in four major industry groups: financial services, food and beverage, retail, and technology services.]]></content:encoded>
      <pubDate>Fri, 03 Oct 2008 10:10:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/data breaches">data breaches</category>
      <category domain="http://securityratty.com/tag/technology services">technology services</category>
      <category domain="http://securityratty.com/tag/financial services">financial services</category>
      <category domain="http://securityratty.com/tag/major industry">major industry</category>
      <category domain="http://securityratty.com/tag/recently">recently</category>
      <category domain="http://securityratty.com/tag/in-depth">in-depth</category>
      <category domain="http://securityratty.com/tag/produce">produce</category>
      <category domain="http://securityratty.com/tag/verizon">verizon</category>
      <source url="http://digg.com/security/Major_Industries_Drop_The_Ball_On_Data_Security">Major Industries Drop The Ball On Data Security</source>
    </item>
    <item>
      <title><![CDATA[Outsourcing Aids Many Data thefts, Verizon Says]]></title>
      <link>http://securityratty.com/article/bd2df1b4dbaa834efde25b0a6dded8ad</link>
      <guid>http://securityratty.com/article/bd2df1b4dbaa834efde25b0a6dded8ad</guid>
      <description><![CDATA[The reliance of restaurant chains and retail stores on outside companies to handle credit-card processing and other information-technology functions is partly to blame for a rash of consumer data...]]></description>
      <content:encoded><![CDATA[The reliance of restaurant chains and retail stores on outside companies to handle credit-card processing and other information-technology functions is partly to blame for a rash of consumer data breaches over the last few years, according to data sleuths at Verizon Communications.]]></content:encoded>
      <pubDate>Thu, 02 Oct 2008 00:55:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/consumer data breaches">consumer data breaches</category>
      <category domain="http://securityratty.com/tag/verizon communications">verizon communications</category>
      <category domain="http://securityratty.com/tag/handle credit-card">handle credit-card</category>
      <category domain="http://securityratty.com/tag/retail stores">retail stores</category>
      <category domain="http://securityratty.com/tag/restaurant chains">restaurant chains</category>
      <category domain="http://securityratty.com/tag/data sleuths">data sleuths</category>
      <category domain="http://securityratty.com/tag/rash">rash</category>
      <category domain="http://securityratty.com/tag/companies">companies</category>
      <category domain="http://securityratty.com/tag/blame">blame</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/409258681/TEC_DATA_BREACHES">Outsourcing Aids Many Data thefts, Verizon Says</source>
    </item>
    <item>
      <title><![CDATA[IBM software bundle targets retail theft, data breaches]]></title>
      <link>http://securityratty.com/article/cb4662b93f7c290a9d035a6a5cae17ea</link>
      <guid>http://securityratty.com/article/cb4662b93f7c290a9d035a6a5cae17ea</guid>
      <description><![CDATA[IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry...]]></description>
      <content:encoded><![CDATA[IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.]]></content:encoded>
      <pubDate>Tue, 30 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/prevent physical loss">prevent physical loss</category>
      <category domain="http://securityratty.com/tag/electronic threats">electronic threats</category>
      <category domain="http://securityratty.com/tag/ibm">ibm</category>
      <category domain="http://securityratty.com/tag/retail security">retail security</category>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <category domain="http://securityratty.com/tag/protect">protect</category>
      <category domain="http://securityratty.com/tag/comply">comply</category>
      <category domain="http://securityratty.com/tag/package">package</category>
      <source url="http://www.networkworld.com/news/2008/100108-ibm-retail-theft.html?fsrc=rss-security">IBM software bundle targets retail theft, data breaches</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: CSIRO Wins Patent Appeal; Zune-Fi in SF; Kodak ESP 9]]></title>
      <link>http://securityratty.com/article/95aa70e977b254cabeb9c3b2679b4b8d</link>
      <guid>http://securityratty.com/article/95aa70e977b254cabeb9c3b2679b4b8d</guid>
      <description><![CDATA[Australian tech office wins appeal: Buffalo sinks further into the hole as it loses its appeal against a judgement over its use of what the Australian CSIRO technical agency asserts is its patented...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://www.zdnet.com.au/news/hardware/soa/CSIRO-victorious-in-Wi-Fi-appeal/0,130061702,339292134,00.htm?omnRef=1337"><strong>Australian tech office wins appeal:</strong></a> Buffalo sinks further into the hole as it loses its appeal against a judgement over its use of what the Australian CSIRO technical agency asserts is its patented technology used in all 802.11 implementations. The case, in the patent-holder-friendly US Eastern District Court of Texas--a venue that may be dethroned as a <em>forum conveniens</em> for patentholders' suits in new legislation--prevents Buffalo from importing or selling gear in the US with Wi-Fi technology embedded. In Japan, the patent office threw out CSIRO's patent. While Cisco paid CSIRO as the result of an acquisition of an Australian company a few years ago, most US-based technology giants are involved in resisting the patent's continued validation and enforcement. I've read the patent and some of the suits, and as a non-patent expert, it's clear CSIRO's original invention didn't cover what's at stake. However, CSIRO was allowed in a subsequent filing to extend its patent to cover already-in-use technology in a way that seems odd to me, but happens in patents all the time. Many millions of dollars and many more years may be expended before a resolution happens. CSIRO apparently isn't asking for insane fees, although anything paid to them would be passed along to consumers. If companies settled, this might result in an increase of 1 to 5 percent on retail prices. It may ultimately affect WiMax, too, though no suits in that area have been filed.</p>

<p><a href="http://news.cnet.com/8301-10805_3-10046542-75.html"><strong>Finding Zune-Fi:</strong></a> Ina Fried of News.com wanders the polite streets of San Francisco in search of Zune connections over Wi-Fi. She finds a few, and has a good experience. One cafe owner sees the ease with which she can stream music and calls it cool. She can't connect at the long-running Google-sponsored free Wi-Fi at Union Square, however, which means the Wi-Fi likely has an accept button that must be pressed. Surely Microsoft could insert a little technology that would allow a browser-free acceptance of terms? Probably involves Yet Another Protocol: the Wi-Fi Terms Browser-Free Presentation Protocol (WTBFPP).</p>

<p><img src="http://wifinetnews.com//images/2008/kodakesp9.jpg" alt="kodakesp9.jpg" border="0" width="150" height="120" align="right" /><a href="http://www.kodak.com/eknec/PageQuerier.jhtml?pq-path=13572&pq-locale=en_US"><strong>Kodak adds interesting Wi-Fi enabled all-in-one:</strong></a> The new Kodak ESP 9 is a multi-function printer (fax, scan, print, copy) that connects to a network via Wi-Fi or Ethernet. The $300 device spits out 30 pages per minute in color, 32 ppm in black only. Kodak claims that the model line to which the ESP belongs uses ink in a vastly more efficient manner than the "average of comparable consumer inkjet printers."</p>]]></content:encoded>
      <pubDate>Mon, 22 Sep 2008 05:53:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/csiro">csiro</category>
      <category domain="http://securityratty.com/tag/patent">patent</category>
      <category domain="http://securityratty.com/tag/cover">cover</category>
      <category domain="http://securityratty.com/tag/cover already-in-use technology">cover already-in-use technology</category>
      <category domain="http://securityratty.com/tag/free wi-fi">free wi-fi</category>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/kodak">kodak</category>
      <category domain="http://securityratty.com/tag/technology">technology</category>
      <category domain="http://securityratty.com/tag/wi-fi technology">wi-fi technology</category>
      <source url="http://wifinetnews.com/archives/008452.html">Wee-Fi: CSIRO Wins Patent Appeal; Zune-Fi in SF; Kodak ESP 9</source>
    </item>
  </channel>
</rss>
