BLUF - Bottom Line Up Front
In mid-November last year, Target experienced a data breach where hackers stole credit card, personal, and sales information from over 100 million customers. Hackers installed malware on POS devices and exploited Port 80 to bypass firewalls. To prevent such breaches, companies should improve employee security awareness, limit data access, track devices, secure physical workspaces, and protect website integrity. Additionally, companies should store only necessary verification data, using third-party vendors for credit information. Small businesses face similar risks.
In mid-November last year, the retail giant Target experienced a security breach where customers’ credit card information was stolen. At first, it was thought that 40 million users had been affected but by January 2014, those numbers skyrocketed to a stunning 100 million.
What emerged was the story of hackers who had appeared as “the good guys” in order to harvest as much information as they could from Target’s network. Not only did they steal sales data, but names, email addresses, home addresses and phone numbers.
And they didn’t just hit the network once. Data was harvested almost daily over the course of several weeks. Malicious software was installed on Target’s point-of-sale (POS) devices located at the checkout point. But the hackers also made use of Port 80, which is the route used for Internet browsing traffic.
The hackers used this port as a way to bypass software firewalls and roam freely within the network. As you can imagine, this is every IT department’s worst nightmare.
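A defender can look for the pattern described above, where checkout terminals send web traffic on Port 80 day after day, in network flow records. The sketch below is an added example, not part of the original article; the POS subnet, the allowlisted payment-processor address, the threshold and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): POS terminals sit in one subnet and
# should only ever talk to an allowlisted payment processor.
POS_NET = ip_network("10.20.0.0/24")
ALLOWED_DESTS = {ip_address("192.0.2.10")}

# Constructed flow records: (day, source IP, destination IP, destination port)
FLOWS = [
    ("2024-03-01", "10.20.0.5", "192.0.2.10", 443),    # normal card authorisation
    ("2024-03-01", "10.20.0.5", "203.0.113.77", 80),
    ("2024-03-02", "10.20.0.5", "203.0.113.77", 80),
    ("2024-03-02", "10.20.0.9", "198.51.100.4", 80),   # one-off, below threshold
    ("2024-03-03", "10.20.0.5", "203.0.113.77", 80),
    ("2024-03-03", "10.30.0.12", "198.51.100.4", 80),  # office PC, not a POS device
    ("2024-03-05", "10.20.0.5", "203.0.113.77", 80),
    ("2024-03-05", "10.20.0.5", "192.0.2.10", 80),     # allowlisted destination
]


def recurring_pos_http(flows, min_days=3):
    """Map (pos_ip, dest_ip) -> sorted days for POS hosts that sent port-80
    traffic to a non-allowlisted destination on at least min_days days."""
    days_seen = defaultdict(set)
    for day, src, dst, port in flows:
        if port != 80 or ip_address(src) not in POS_NET:
            continue
        if ip_address(dst) in ALLOWED_DESTS:
            continue
        days_seen[(src, dst)].add(day)
    return {pair: sorted(days) for pair, days in days_seen.items()
            if len(days) >= min_days}


if __name__ == "__main__":
    for (src, dst), days in recurring_pos_http(FLOWS).items():
        print(f"POS {src} -> {dst}:80 on {len(days)} days: {', '.join(days)}")
```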
George Photakis, a former CIO of Anchor Hocking, said, “A big problem with the Target breach was that customer credit card information was stored on their servers. Which is amazing.” Photakis added that most companies use a third-party credit card administrator and it is the administrator that verifies the credit card information in order to prove it’s a valid transaction.
He added, “Most companies only store the verification codes and the third-party administrators keep the confidential account information. I can’t believe that a company as large as Target would not do this. I’ve never seen anything like it.”
It’s not just larger organizations that are at risk. According to Verizon’s Data Breach Investigation Report 2013, 75% of security breaches happen to small businesses.
What could Target have done to prevent this massive security breach? And more importantly, what can you do?
1. EMPLOYEE AWARENESS
It is extremely important to have an ongoing security education program for your employees that trains them to use strong passwords and avoid dangerous links, email phishing, experiments, and attachments that may contain malware.
Your employees are like a virtual firewall. Unfortunately, they can also often be manipulated by a hacker. The adage “trust but verify” is vital to remember. Many times a hacker will call an employee and appear as a fellow worker or person of authority. Very often, an employee will too easily trust someone and give them sensitive information, such as a password, in order to “help” someone. Only a consistent training program will remind employees that it is imperative to keep such information secure by never sharing it with someone whose identity they can’t verify.
2. KNOW YOUR DATA AND LIMIT ACCESS
Another important step is to know who exactly has access to confidential data. Credentials should be limited. Your employees should know where confidential data is stored and that it’s in a secure location. Keep a record of the employees who have access.
Also, if you plan on terminating an employee, it is wise to limit their access before the termination occurs to prevent insider threats, where a disgruntled employee takes advantage of their access codes in order to damage the network.
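The two checks in this step, keeping a record of who has access and cutting access before a planned termination, can be run as a routine review. The following is an added example, not part of the original article; the account names, data stores, departure dates and the seven-day lead time are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed access record: confidential data store -> accounts that can reach it
ACCESS_RECORD = {
    "cardholder-db": {"asmith", "bjones", "old-temp"},
    "hr-share": {"bjones", "cdavis"},
}
# Constructed HR feed: account -> planned last working day
PLANNED_DEPARTURES = {"bjones": date(2024, 3, 15), "cdavis": date(2024, 6, 30)}
# Constructed roster of accounts that map to a current employee
ROSTER = {"asmith", "bjones", "cdavis"}


def review_access(record, departures, roster, today, lead_days=7):
    """Return (revoke, unknown) as sorted lists of (account, data_store).

    revoke:  grants held by someone leaving within lead_days (or already gone)
    unknown: grants held by an account with no employee on the roster
    """
    cutoff = today + timedelta(days=lead_days)
    revoke, unknown = [], []
    for store, accounts in record.items():
        for account in accounts:
            if account not in roster:
                unknown.append((account, store))
            elif account in departures and departures[account] <= cutoff:
                revoke.append((account, store))
    return sorted(revoke), sorted(unknown)


if __name__ == "__main__":
    revoke, unknown = review_access(
        ACCESS_RECORD, PLANNED_DEPARTURES, ROSTER, today=date(2024, 3, 10))
    for account, store in revoke:
        print(f"revoke before departure: {account} on {store}")
    for account, store in unknown:
        print(f"no employee on record:   {account} on {store}")
```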
3. TRACK LAPTOPS AND MOBILE DEVICES
Employees often forget the risk they take when transporting company electronics such as laptops and tablets. You should keep a record of all the devices your employees use and verify their whereabouts at all times. This is another opportunity to train your employees to secure your company’s confidential data by requiring a frequently updated tracking report as a means to prevent potential data breaches. There have been many times when an employee carelessly left a company laptop in their car and it was stolen. Use security tokens to ensure that only those with the right credentials are able to access sensitive data.
4. KEEP YOUR OFFICE AND WORK AREAS SECURE
Your servers should be in a secure area with limited traffic. Locked doors or keypad entries will help limit the number of employees who can access your physical assets. Many hackers have pretended to be service personnel in order to get by a company’s gatekeepers, such as the reception desk. Train your employees to always be on the lookout for someone who doesn’t look like they belong in the area or an unfamiliar face.
5. DEFEND AND PROTECT YOUR WEBSITE
Install anti-virus software on all of your servers and demonstrate that you are trustworthy by using trustmarks on your website. Make sure your employees are trained to recognize an alert and have a standard procedure for contacting the IT department if a threat is detected. Some software can work in the background of the end-user’s desktop so they’re not alerted but instead, the system administrator receives a notification. As a result, employees aren’t panicked and it can decrease the amount of help desk calls.