Retail Security and Compliance – Where On Earth is it Headed? - PowerPoint PPT Presentation
Retail Security and Compliance – Where On Earth is it Headed?

An overview of the retail sector’s IT threats and how to be more effective in preventing them.

Agenda

  • Introduction

  • Retail in the news

  • Why cyber security is important?

  • Where are the threats?

  • What can you do?

  • Additional Resources

About Coalfire

Coalfire is a founding member of the PCI Security Standards Council’s (SSC) program for Qualified Security Assessors (QSAs) and has been a QSA under Visa’s CISP initiative since 2003. We are also an Approved Scanning Vendor (ASV) and Payment Application Qualified Security Assessor (PA-QSA). We have completed more than 4,000 PCI projects for merchants, service providers and payment application developers, and we are recognized as one of the top five assessors based on the number of Reports on Compliance completed for service providers and Reports on Validation completed for payment application developers.

About Jeff Messer

  • Senior IT Security Consultant

  • 15+ years of information technology and business experience.

  • Extensive experience in delivering security assessments, compliance auditing, general IT and application controls assessments and system development reviews

  • Industries

    • Retail, higher education, healthcare, transportation, banking, finance, entertainment and leading edge technologies.

  • Hands-on experience in developing and implementing IT security strategy, directing and managing an IT department and knowledgeable in various areas including:

    • Network & Systems Security

    • Risk Management

    • Vulnerability Assessments

    • Authentication & Access Control

    • System Monitoring

    • Regulatory Compliance

    • Systems Integration Planning

    • Penetration Testing

  • Certifications

    • CISSP - Certified Information Systems Security Professional

    • CISA - Certified Information Systems Auditor

    • QSA - Qualified Security Assessor

Retail in the news

  • US FBI Warns Retailers of Further Cyber Attacks Similar to Target Data Breach

  • Target - 40 million payment card records and 70 million customers' records

  • Neiman Marcus - 1.1 million cards

  • Michaels (2nd breach)

  • Sally Beauty - 282,000 cards

  • Sears?

  • According to the FBI there were 20 infections with BlackPOS. So far, Target and Neiman Marcus are the only two to go public.

Why cyber security is important?

  • Increasing reliance on technology

  • Attacks are increasing faster than ability to stop them

  • Lots of money can be made from stealing the data

  • Public image can be tarnished quickly

  • Corporate espionage

  • Federal agencies moving to the cloud

Where are the threats?

  • POS Software

  • Mobile POS

  • Remote Desktop/Terminal services

  • Wireless Access

  • Access rights

  • Outsourcing managed services

  • Unencrypted data over the network

  • SQL injections

  • Weak controls

POS Software

  • Have you patched your POS devices lately?

  • When was the last time you upgraded?

  • Do you perform any vulnerability scans?

  • Have you turned on logging?

  • PA-DSS and P2PE certification options

Magnetic Card Reader POS

Mobile POS

  • Using an iPad or mobile POS device over wireless?

  • How is the device secured?

  • Is the data cached locally?

iPad running POS

Remote Desktop/Terminal Services

  • Do you have a device plugged into the internet?

  • If they use cellular or 3G/4G, where is the firewall?

  • Digi International

  • Lantronix

Network Access Server

Wireless Radio

Ethernet Switches

WIFI and Web Access for Ethernet Devices

Wireless routers

  • How is your network set up?

  • Have you performed a wireless assessment?

  • Rogue access points?

Wireless Access Point/Router

Access rights

  • Generic and shared accounts?

  • Default accounts?

  • Default passwords?

  • User = Password?

  • Segregation of duties?

  • Logging of ‘root’ or ‘admin’ accounts?

  • User Account reviews?

User and Access Rights Administration
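The questions on this slide can be turned into a repeatable account review. The script below is an added example, not part of the presentation: it walks a constructed export of a store's user directory and flags shared or generic accounts, username-equals-password, known default credentials (an assumed starter list, to be replaced with each product's documented defaults), accounts not seen since the last review window, and privileged accounts that should have logging confirmed.

```python
import hashlib
from datetime import date


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample export of a store's user directory (hashes are computed
# here so the sample stays self-contained; these are not real accounts).
SAMPLE_ACCOUNTS = [
    # username, sha256(password), is_admin, last_login, owner
    ("admin",     sha256_hex("admin"),                 True,  "2014-01-05", "shared"),
    ("store12",   sha256_hex("store12"),               False, "2014-03-01", "shared"),
    ("register3", sha256_hex("Winter2013!"),           False, "2013-06-10", "Register 3"),
    ("jmesser",   sha256_hex("correct horse battery"), True,  "2014-03-20", "Jeff Messer"),
]

# Assumed starter list of vendor/OS default credentials to screen for; replace
# with the documented defaults of the POS, database and network gear in use.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def review_accounts(accounts, as_of, review_days=90):
    """Return {username: [finding, ...]} for every account in the export."""
    default_hashes = {(u, sha256_hex(p)) for u, p in DEFAULT_CREDENTIALS}
    findings = {}
    for username, pw_hash, is_admin, last_login, owner in accounts:
        issues = []
        if owner.lower() == "shared":                      # no individual accountability
            issues.append("shared_or_generic_account")
        if pw_hash == sha256_hex(username):                # "User = Password?"
            issues.append("username_equals_password")
        if (username, pw_hash) in default_hashes:          # vendor default never changed
            issues.append("default_credential")
        if (as_of - date.fromisoformat(last_login)).days > review_days:
            issues.append("stale_not_reviewed")            # overdue for account review
        if is_admin:                                       # confirm root/admin activity is logged
            issues.append("privileged_account_verify_logging")
        findings[username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, date(2014, 4, 1)).items():
        print(f"{user:10} {', '.join(issues) or 'ok'}")
```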

Outsourced managed services

  • What have you outsourced?

  • Have you checked your contract?

  • Are you monitoring their work?

Third-party administering firewall rules

Unencrypted data over the network

  • Have you properly segmented your network?

  • It’s a private/corporate network, that’s safe, right?

  • Where does responsibility begin/end for sending data?

  • We only send unencrypted data across trusted networks.

“Sniffing the wire”

SQL Injections

  • Have you “escaped” or blacklisted any commands?

  • Have you limited the database permissions of the web app?

  • Have you restricted the type of commands, or applied “parameterized statements”?

SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

Sample SQL Injection Line
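To show why the slide's three questions matter, the following is an added example (not from the presentation) using Python's built-in sqlite3 module: the same injected name from the sample line is run through a string-concatenated query, through the same query under a read-only database setting (standing in for a least-privilege web-app account), and through a parameterized statement.

```python
import sqlite3

# The value an attacker would type into the "name" field, constructed from the
# slide's sample injection line.
INJECTED_NAME = "a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def fresh_db():
    """Throwaway in-memory database with constructed sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'cashier'), ('bob', 'manager');
        CREATE TABLE userinfo (name TEXT, card_last4 TEXT);
        INSERT INTO userinfo VALUES ('alice', '1234');
    """)
    return conn


def table_exists(conn, table):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row is not None


def lookup_vulnerable(conn, name):
    """Concatenates user input into SQL. executescript() runs every statement it
    receives, mirroring a driver that allows stacked queries; the DROP executes."""
    conn.executescript("SELECT * FROM users WHERE name = '" + name + "';")


def lookup_vulnerable_least_privilege(conn, name):
    """Same broken code, but the connection may only read (query_only stands in
    for a read-only database account). Returns True if the table survived."""
    conn.execute("PRAGMA query_only = ON")
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        pass                      # the DROP TABLE is refused by the database
    return table_exists(conn, "users")


def lookup_parameterized(conn, name):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so the entire injected string is compared as one literal name."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    conn = fresh_db()
    lookup_vulnerable(conn, INJECTED_NAME)
    vulnerable_survives = table_exists(conn, "users")
    least_priv_survives = lookup_vulnerable_least_privilege(fresh_db(), INJECTED_NAME)
    conn = fresh_db()
    rows = lookup_parameterized(conn, INJECTED_NAME)
    return vulnerable_survives, least_priv_survives, table_exists(conn, "users"), rows
```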

Weak controls

  • When was the last time you performed a risk assessment?

  • Do you have an external, independent auditor?

  • Are you experiencing high turnover?

  • Do you perform background checks?

  • We rely on a third-party and they do it…

What can you do?

  • Firewall management

  • Segment your POS network

  • Training

  • PCI compliance

  • Point-to-point encryption (P2PE)

  • Deploy a Security Information and Event Management (SIEM) to monitor network events

  • Use two-factor authentication when accessing payment processing networks.

  • Monitor alerts from Visa, MasterCard, and Amex

  • Ensure you are using certified hardware and software

  • Whitelist programs

Enhance your existing cyber security

  • Social engineering

  • Penetration testing

  • Application penetration testing

  • Wireless assessment

  • IT risk assessment

  • POS forensic testing

  • Vulnerability scanning

  • IT Audits

Top 5 trends that we see ahead

  • Cyber attacks are going to continue to increase in frequency, complexity and scale.

  • Mobile is no longer the exception.

  • The move to cloud computing will show demonstrable cost savings … but will add new risks

  • Data breaches will continue to drive new security standards and spending

  • Information risk management is no longer an “IT problem”; it’s a board problem.

Additional resources

  • Whitepapers, webinars, blog

  • What to do if you are compromised?

  • Respond to a breach?

  • Identity Theft Resource Center

    • 2014 ITRC Breach Report

    • 2014 ITRC Breach Stats Report

  • Incident Response - Best Practices

    • Data Breach Response & Preparation

  • Interactive Breach/Hacks Diagram


For additional information, contact…

Jeff Messer

Senior IT Security Consultant


16420 Bake Parkway, Suite 100

Irvine, CA 92618

Office: (949) 271-7014 x7089

Cell: (949) 355-9096
