As we enter the Christmas shopping season, many retail organisations go into a “production freeze” where they halt updates and configuration changes in their payment and order fulfillment systems to limit the risk of interruption and slowdowns to mission critical systems. IT teams and security folks are scrambling to test and lock in configurations, verify controls, and plead to their respective deities that systems perform exactly as intended during the shopping rush.
This creates a particularly interesting situation: there will be very little in the way of updates to those systems over the next 90 days. Any steps to prevent an incident – that would make an organisation a harder (or more expensive) target for criminals — are now on hold until after the holiday rush.
Think of this in terms of the security lifecycle: Prevent, Detect, Correct – it’s also a good way to simplify the NIST cyber security framework1,2 from this point forward, energy investment should shift from prevent, to detect and correct.
Attackers already inside an organisation will stay quiet until the time is right, as they will see more credit cards in the next couple of weeks than the next six months combined.
How organisations can prepare for the days ahead
- Check all third party access and remote access pathways into payment networks. Change passwords and lock out vendors that do not need access right now.
- Be 100% confidant that payment networks do not have access to the internet, on any protocol, in any way. Some systems do online payment clearance and settlement – makes sure those systems can only talk to specified host names or addresses on defined ports.
- Double and triple check network restrictions and segmentation, make sure guests and contractors cannot find a path into the payment networks.
- Some organisations have enough similarity in their systems (like point of sale registers and kiosks) they can compare live systems to “known good” configurations – look for anomalies.
- Carefully observe account behaviour. Monitor for and immediately investigate out of character behaviour and login events from unexpected locations, especially in sanitized zones like payment networks, web, and database systems.
- Increase your visibility through information sharing. There are groups like the R-CISC where retailers are safely sharing information and actively identifying attacker tools and techniques, as well as tips on how to identify if they have a foothold in your environment.3