A few major takeaways from Trustwave’s 2013 Global Security Report: the retail industry led data breach investigations at 45 percent of cases. Customer records (payment card data, personally identifiable information (PII) and email addresses) made up 96 percent of the data targeted; the remainder included confidential information, intellectual property, electronic protected health information (ePHI) and business financial account numbers.
In 2012 the retail industry saw a 15 percent increase in data breaches compared to 2011. Web applications, including ecommerce sites, were the most targeted asset, accounting for 48 percent of investigations; point-of-sale and payment processing systems accounted for another 47 percent. PCI DSS (the Payment Card Industry Data Security Standard) is designed to protect cardholder data against exactly these breaches, but not all retail companies know how to achieve, or maintain, compliance.
One highlighted case study found that hackers used malware to remotely access a Seattle-based restaurant’s payment system, steal credit card data and send it to a server located in Kansas. After it was determined that the same hackers were targeting other retail businesses in over 20 states, the actual loss was put at nearly $20 million for roughly 180,000 stolen credit card numbers. At that price tag, investing in a secure, PCI DSS compliant hosting solution is worth it.
Find out how to build a secure hosting solution with our PCI Hosting packages and technical security tools. Trustwave also reports that 63 percent of the organizations investigated had outsourced a major component of their IT support to a third party, and that small businesses in the retail and food and beverage industries were most often affected. The report also notes that some small businesses did not realize the third party was responsible for only a subset of the security controls.
If you plan to outsource IT security or hosting to a third party such as a PCI compliant hosting provider, go through a responsibility matrix of the PCI DSS requirements with them to pin down who owns each control (the provider, you, or both). Pair it with a gap analysis of the controls that remain yours, so that any unowned requirement is found before the contract is signed rather than after a breach.
Remote access is one way hackers infiltrated systems, including by exploiting poorly configured remote administration, open remote access ports and weak or vendor-supplied default passwords. In 2012, SQL injection and remote access together accounted for 73 percent of the methods cybercriminals used to steal cardholder data. Trustwave recommends strong password requirements and properly configured firewalls (remote administration ports reachable only from known addresses, never from the open internet) to keep remote access secure.
Another way to secure systems that must be reachable over remote network access is to put them behind a VPN (virtual private network) that requires two-factor authentication, so that a stolen or guessed password alone is not enough to get in. Visit two-factor authentication for more about how it works.
SSL/TLS certificates verify the identity of a website, letting the browser confirm it is talking to the server it intended to reach and start an encrypted session in which information travels securely between web server and browser. The certificate itself is not the cryptographic protocol; it is the credential that SSL/TLS uses to authenticate the server, and it only guards against impersonation when the client actually validates it (the chain of trust, the expiry date and that the name on it matches the site).
However, code-signing infrastructure is also a target. In 2012, one of Adobe’s servers used for signing Adobe software was compromised, and the attackers distributed malware signed with Adobe’s certificate until the certificate was revoked, according to Trustwave.
Web application firewalls (WAFs) are another way to protect web servers and databases from online attacks such as SQL injection. A WAF inspects incoming requests, identifies malicious traffic and blocks it before it reaches the web application server and the databases behind it. Treat it as a compensating layer rather than a fix: signature-based filters can be bypassed with encoding tricks, so the application itself should still use parameterized queries.
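The SQL injection the report ranks alongside remote access as a leading intrusion method, and the WAF filter that intercepts it, are both shown below in one added example that is not code from the original post or from any WAF product. The in-memory user table, the request lines and the signature list are all constructed for the example; the vulnerable login deliberately builds its query by string formatting so the classic `' OR '1'='1' --` payload can be seen working, and the hardened login beside it uses a parameterized query. Passwords are stored in plaintext only to keep the injection visible; a real application stores salted hashes.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the ecommerce user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is spliced into the SQL text, so a quote in the input rewrites the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver sends the values separately, so they never become SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# Constructed signatures of the kind a WAF applies to each decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=", re.I),   # ' OR '1'='1
    re.compile(r"(--|/\*)"),                            # comment terminators
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),
    re.compile(r"\bunion\b.+\bselect\b", re.I),
]


def parse_request_line(line: str) -> dict:
    """Return the URL-decoded query parameters of an HTTP request line."""
    _method, target, _version = line.split(" ", 2)
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def waf_inspect(params: dict) -> list:
    """Names of parameters matching an injection signature; an empty list means allow."""
    return [name for name, value in params.items()
            if any(p.search(value) for p in SQLI_PATTERNS)]


def handle(db: sqlite3.Connection, line: str, waf: bool = True) -> str:
    """WAF first, then the hardened login: 'blocked', 'ok' or 'denied'."""
    params = parse_request_line(line)
    if waf and waf_inspect(params):
        return "blocked"
    return "ok" if login_safe(db, params["username"], params["password"]) else "denied"


# Constructed request lines, not taken from the report.
SAMPLE_REQUESTS = [
    "GET /login?username=alice&password=correct+horse HTTP/1.1",
    "GET /login?username=%27+OR+%271%27%3D%271%27+--&password=x HTTP/1.1",
]


if __name__ == "__main__":
    db = make_db()
    payload = parse_request_line(SAMPLE_REQUESTS[1])
    print("vulnerable login with payload:", login_vulnerable(db, payload["username"], payload["password"]))
    print("parameterized login with payload:", login_safe(db, payload["username"], payload["password"]))
    for line in SAMPLE_REQUESTS:
        print(line.split(" ")[1], "->", handle(db, line))
```

Run against the second request, the vulnerable login returns true for an attacker who knows no password at all, the parameterized login returns false, and the WAF never lets the request reach either. The WAF decision depends on decoding the parameters before matching: the same payload URL-encoded as `%27+OR+...` contains no literal quote, which is exactly the bypass a filter that matches the raw query string misses.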
For more information about other ways to secure your servers, read about our Technical Security services.
Or, if you’re unsure how to meet the technical security requirements of PCI DSS, read our PCI Compliant Hosting white paper. It discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing along with vendor selection criteria.
Trustwave’s 2013 Global Security Report (PDF)
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.