Recently, Target became a high-profile victim in the ongoing battle between information security professionals and professional criminals. Make no mistake: those on both sides of this struggle are highly skilled professionals. While the popular image of a computer criminal is a student living in his parents' basement, the truth is that the more sophisticated information security incidents display the marks of organized crime rather than of a lone computer prodigy. There is enormous profit in credit card fraud, more than enough to attract skilled professional criminals.
It is easy, and perhaps even comforting, to write off the information security personnel entrusted to secure Target's payment card system as incompetent amateurs. Doing so gives us the luxury of resting in the false comfort of our own imagined superiority. While the details of the Target breach are still unfolding, news stories suggest that the Target cardholder data environment was accessed using the credentials of a refrigeration contractor. This demonstrates that the greatest security threats may not even be on the radar for most businesses. The greatest threat to your business may be so stealthy that you never know about it until it is too late.
Stealth Attacks are the Greatest Threat
Most retail organizations would never seriously consider their HVAC vendor as a security threat. If a security professional gave it a moment’s consideration, it was likely limited to maintaining physical site security when technicians were on site. When forced to address so many potential sources of attack, it is understandable that an HVAC vendor was not at the top of the list the day before Target discovered a breach of tens of millions of credit card records. So how do you protect yourself against a threat you don’t see coming?
Protecting Against the Unseen
Protecting against a threat you do not specifically anticipate may seem impossible at first. However, there are techniques that can help prevent an information security breach. In the case of a breach of payment card data, an effective approach is to make the cardholder data environment (CDE) as small as possible. That means limiting the footprint of the payment card information processing system. In this context, the system includes people, processes, applications, stored data and network transmissions.
To reduce the chances of a breach of the CDE, allow as few people as possible to access it. This includes trusted employees and vendors. When approached on a "need to know" basis, it is clear that many within the organization (including HVAC vendors) simply do not need access to the environment at all. If the CDE is built as a separate, secured environment, those individuals without a requirement to work with cardholder data can be removed as a possible source of attack.
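As an added example (not from the original article), the following Python models the two controls just described for a segmented CDE: a default-deny network rule that lets only an approved management subnet reach the CDE segment, and a "need to know" entitlement check that admits only identities holding a CDE role. The subnets, roles and account names are constructed for the example; a real deployment would take them from the firewall policy and identity provider.

```python
"""
Added example: a minimal "need to know" gate for a segmented cardholder
data environment (CDE). Not part of the original article.

Two layers are modelled:
  1. Network segmentation: only hosts on an approved jump-host subnet may
     originate traffic to the CDE segment; the corporate LAN and any vendor
     VPN pool are denied by default.
  2. Account entitlement: only identities holding a CDE role may access
     CDE systems, no matter where they connect from.
All addresses, roles and names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed network plan: the CDE sits on its own segment.
CDE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
# Only the hardened jump-host subnet may originate CDE traffic.
CDE_ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]
# Constructed entitlements: the roles that carry CDE access.
CDE_ROLES = frozenset({"payments-ops", "cde-admin"})


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def network_allows(src_ip: str, dst_ip: str) -> Decision:
    """Default-deny: a CDE destination is reachable only from approved sources."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in CDE_ALLOWED_SOURCES):
        return Decision(True, f"{src} is on an approved CDE access subnet")
    return Decision(False, f"{src} is not permitted to reach CDE host {dst_ip}")


def identity_allows(who: Identity) -> Decision:
    """Need to know: the account must hold at least one CDE role."""
    granted = CDE_ROLES & who.roles
    if granted:
        return Decision(True, f"{who.name} holds CDE role(s) {sorted(granted)}")
    return Decision(False, f"{who.name} has no CDE entitlement (need to know)")


def evaluate_access(who: Identity, src_ip: str, dst_ip: str) -> Decision:
    """Traffic to non-CDE hosts is out of scope here; CDE traffic must pass
    both the network and the entitlement check, and the first failure is
    the reason reported."""
    if ipaddress.ip_address(dst_ip) not in CDE_SEGMENT:
        return Decision(True, f"{dst_ip} is outside the CDE; not governed here")
    for check in (network_allows(src_ip, dst_ip), identity_allows(who)):
        if not check.allowed:
            return check
    return Decision(True, "network segmentation and entitlement checks passed")


# Constructed identities: a facilities vendor and a payments engineer.
HVAC_VENDOR = Identity("hvac-contractor", frozenset({"facilities-vendor"}))
PAYMENTS_ENGINEER = Identity("alice", frozenset({"payments-ops"}))

if __name__ == "__main__":
    for who, src, dst in [
        (HVAC_VENDOR, "10.200.1.15", "10.60.0.5"),    # vendor VPN -> HVAC controller
        (HVAC_VENDOR, "10.200.1.15", "10.50.0.10"),   # vendor VPN -> CDE host
        (PAYMENTS_ENGINEER, "10.20.3.7", "10.50.0.10"),  # corporate LAN -> CDE host
        (PAYMENTS_ENGINEER, "10.10.5.3", "10.50.0.10"),  # jump host -> CDE host
    ]:
        d = evaluate_access(who, src, dst)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {who.name:16} {src:>12} -> {dst:<11} {d.reason}")
```

The point of the ordering is that a vendor account is stopped at the network layer before its credentials are ever evaluated, and a legitimate payments engineer is still refused when connecting from an unapproved segment; each denial carries a reason that can be logged and alerted on.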
Another way to avoid having data stolen is to never keep it. In the case of credit card data, this can be done by using a payment processing gateway instead of storing payment card information within the local system. This means that someone gaining access to information stored in your system will not have access to your customers' credit card data.
If you have no choice but to store cardholder data, store as little as possible. Some information should never be stored. The complete contents of a cardholder's magnetic stripe should never be stored, nor should the card verification value (CVV) or personal identification number (PIN). Other cardholder data may be stored, but it must be protected. One of the best methods of protecting stored data is encryption. Properly encrypted data is useless to an intruder without the cryptographic keys necessary to read the data.
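As an added example (not from the original article) covering both the "never keep it" and "store as little as possible" advice above, the following Python takes a raw transaction record, refuses any record that still carries sensitive authentication data (full track contents, CVV/CVC, PIN or PIN block), hands the full card number to a gateway and keeps only the returned token, and retains a truncated number plus a keyed HMAC-SHA256 reference for lookups. The HMAC stands in for the reversible encryption the article recommends because the Python standard library has no AES; `FakeGateway`, the lookup key and the sample transaction are all constructed for the example.

```python
"""
Added example: minimising what a merchant system keeps from a card
transaction. Not part of the original article.

  * Never keep what you do not need: the full PAN goes to a payment
    gateway and only the gateway's token is stored locally.
  * Never store sensitive authentication data: track data, CVV/CVC and
    PIN values cause the record to be rejected outright.
  * Render stored card data unreadable: only a truncated PAN (first six,
    last four) and a keyed HMAC-SHA256 reference are kept. The HMAC is a
    stand-in for encryption (no AES in the standard library); in practice
    the key lives in a key manager outside the application.
FakeGateway, LOOKUP_KEY and the sample record are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Field names that must never reach storage after authorisation.
PROHIBITED_FIELDS = frozenset({"track1", "track2", "cvv", "cvc", "cvv2", "pin", "pin_block"})

# Constructed key for the demo only; a real key comes from a key manager.
LOOKUP_KEY = b"constructed-demo-key-do-not-use"


class ProhibitedDataError(ValueError):
    """Raised when a record still carries sensitive authentication data."""


class FakeGateway:
    """Stand-in for a tokenising payment gateway. The vault it holds is the
    gateway's, outside the merchant system; the merchant sees only tokens."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum; catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_transaction(raw: dict, gateway: FakeGateway, lookup_key: bytes) -> dict:
    """Return the only record the merchant system is allowed to persist."""
    leaked = PROHIBITED_FIELDS & set(raw)
    if leaked:
        raise ProhibitedDataError(f"record contains prohibited field(s): {sorted(leaked)}")
    pan = raw["pan"].replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("PAN failed format or Luhn check")
    return {
        "token": gateway.tokenize(pan),
        "pan_truncated": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_ref": hmac.new(lookup_key, pan.encode(), hashlib.sha256).hexdigest(),
        "expiry": raw["expiry"],
        "amount_cents": raw["amount_cents"],
    }


# Constructed sample using the well-known Visa test number 4111 1111 1111 1111.
SAMPLE_CLEAN = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "amount_cents": 4599}
SAMPLE_WITH_CVV = dict(SAMPLE_CLEAN, cvv="123")


def demo() -> dict:
    gw = FakeGateway()
    return sanitize_transaction(SAMPLE_CLEAN, gw, LOOKUP_KEY)


if __name__ == "__main__":
    print(demo())
    try:
        sanitize_transaction(SAMPLE_WITH_CVV, FakeGateway(), LOOKUP_KEY)
    except ProhibitedDataError as e:
        print("rejected:", e)
```

Two properties matter for a reviewer: the full number never appears in the returned record, so a copy of the merchant database does not yield usable card numbers; and the HMAC reference is stable for the same key, so duplicate-transaction and refund lookups still work without keeping the PAN.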
Finally, vet anyone within the system environment. In the case of employees, this should include background checks and security awareness training. When working with outside organizations, independent, third-party validation (a PCI DSS report) is a must. This provides assurance that everyone in the system environment understands the security requirements of the system and that each is doing his or her part to keep the data secure.
The challenge of defending against an unseen threat can seem overwhelming, but a careful approach of limiting stored data, limiting access, protecting stored data and vetting those in the environment can protect you from the attack you never saw coming.