Leadership and management course. Today we will be discussing the cybersecurity strategy alignment framework in the retail industry and lessons learned. My name is Cicero Chimbonda, and I am your instructor for this course. Cybersecurity strategy alignment framework in the retail industry: we will be evaluating the effectiveness of aligning the cybersecurity strategy with retail industry companies, and we will also discuss the lessons learned. The key discussion topics in this course: we will talk about regulations within the retail industry, we will discuss lessons learned from cybersecurity breaches in the retail industry, and then we will apply a framework to those lessons learned.

Let's begin with cybersecurity regulations in the retail industry. Statistically, cybersecurity for retail companies is of the utmost priority within the organization. As a cybersecurity leader, one needs to really understand the types of attacks that are targeting the retail industry, understand the trends that are happening and the growing number of breaches in the industry, and, more importantly, how to protect customers' personally identifiable information and financial records. Statistically, according to recent research, 16% of retail companies that are breached tally more than a million dollars in losses. 33% of retailers that are attacked, that's 1 out of 3 that are breached, lose revenue over cyber attacks. 39% of retailers in a recent survey stated that they are not compliant with retail security standards. And lastly, 48% felt that their security infrastructure was not up to date with the latest threats. So as we can see, it is an area where attacks are constantly growing, and an area where leaders have to continually apply improvement. Let's look at the types of attacks that hit most of the retail industry.
Point of sale. These breaches are at the top of the threats for retail cybersecurity. Many companies failed to control or add security software to their POS systems, which means that they are outdated: the operating system or the firmware is not patched, and therefore it becomes a vulnerability. Also, most of the older POS systems are not encrypted, so it's really easy to exfiltrate data that is not ciphered, that is not encrypted.

The second type of attack that the retail industry sees is distributed denial of service. This is where packets overwhelm servers, websites or databases. And with the internet of things, where most devices now have an IP address and are on the internet, it makes it really easy for malicious attackers to launch DDoS against retail industries, against the websites, databases or servers as we mentioned earlier.

The third is ransomware, which is probably not a surprise for you. Ransomware is on the rise, we've talked about it, and the attacks are getting more sophisticated. And there is a resurgence: the number of ransomware attacks jumped from 3.8 million to 638 million in just the last year, indicating that it's once again becoming the top threat for retail cybersecurity.

Regulations. Obviously the government and regulatory bodies have laws in place and bills that have been passed to protect customer and client privacy and security, and to make sure that companies in the retail space follow the following regulations. These are only some of them listed here, but let's talk about each one of them. So, CAN-SPAM, the Controlling the Assault of Non-Solicited Pornography and Marketing Act. It's a business law to protect the privacy of individuals, or the ability for individuals not to get unsolicited email, or, if they do get it, to have the option to opt out.
The ability to unsubscribe. Also, penalties are associated with this particular law if it is not followed; fines can be up to $11,000 for companies that don't adhere to it. And then we have others in the retail space: COPPA, the FDA, the FTC. PCI DSS, the Payment Card Industry Data Security Standard, is a big one.

These are some retail risk mitigation processes that can be followed. One is to educate your team members, the people who are responsible for cybersecurity or risk. Investing in increasing your IT funding can lead to cybersecurity hardening in the retail space. Consolidate the cybersecurity solutions and vendors that you're working with. Share with an organization: there is the National Retail Federation, NRF, which is a cyber risk sharing body that you can feed into and also get information from. And then partner up, team up with subject matter experts, firms and vendors that can help you harden your security posture.

Let's look at a couple of use cases in this space. First of all, we have Target. Target is one where it happened in 2013; it was a breach where 106 million records were exfiltrated. We know that it was done basically on behalf of nation states; there were two individuals that pleaded guilty, they were former Russian law enforcement agents. And they basically used the point of sale as their point to insert code in PHP; FTP, file transfer protocol, was used to exfiltrate the data and token passwords; remote desktop protocol was used to move laterally within the network and the web app; and there was malware that was used. So there were lessons learned, and actually, even before we talk about lessons learned, the retail giant Target ended up paying 18.5 million dollars in settlement for this attack. So it can be very costly if we don't protect our networks. Lessons learned: one is hardening access controls.
Part of the lessons learned is that they needed to segregate networks. There was interconnectivity between certain networks, and so it was easy for escalation and lateral movement within the network. Limit the allowed protocols, make sure that there are no rogue access patterns, and alert if there are; have those types of controls. Monitoring user lists, basically Active Directory, and making sure that whatever user identity and access management tools are being used, they have the proper alerting mechanisms, and also using multi-factor authentication for sensitive systems; that was number two. And number three, monitoring for signs of reconnaissance, information gathering: looking at LDAP queries, and if there's an abnormality or something suspicious, alerting when that happens. Sensitive servers, mission-critical servers: have whitelisting for allowable programs, so not letting services or programs run unless they are on an allowable list. This was a lesson learned. Not relying on only one anti-malware or antivirus solution, having multiple legitimate solutions in place, and leveraging those tools. And lastly, participating in an information sharing and analysis center, a cyber intelligence sharing center, gaining valuable intelligence on attackers' tools. So that's something that they looked at. There is an article in CIO, "11 steps attackers took to crack Target". It's a very good read; look at it, and you can see how the kill chain of events happened in that article. Very interesting reading.

The second use case that we'll look at in the retail space is Macy's and Bloomingdale's. This happened in 2018, where a data breach happened. The number of records that were exfiltrated is undisclosed; it was done through a third-party vendor. So basically an unauthorized party added unauthorized computer code into the Macy's dot com website.
Macy's warned customers on its e-commerce sites that their data had been breached, and the security incident, where unauthorized code was added by the vendor, was acknowledged by Macy's president of credit and customer service. Macy's had lawsuit settlements that rose to 257,000 in 2019. There were consumer protection services that they put out to protect customers who had their PII compromised. So the total cost is still rising from the Macy's breach. Based on the investigation that was done, there were several lessons learned, but it was mainly payment card data stolen by JavaScript that was added to the checkout and the My Account pages. That's where the conclusive story lands.

Lessons learned: monitor for tools such as Magecart, which target online checkout and basket tools; look at that process, look at the code, look at how to track any malicious activity. Then the inspection of malicious code in the checkout process: having a process where there's constant scanning and inspection of the pages to look for what's called web skimming code. The other one is monitoring stored credit card information, so if there's any breach of that data, there is a way of alerting and asking the customers to change or disable certain credit cards that have been compromised. New account credentials were also targeted. Usually on e-commerce websites you have the ability to do the transaction with an account, and sometimes you can do it as a guest checkout, and it's in this process that there needs to be additional hardening, because the attackers see that as an opportunity. Beware and be attentive to website domain hijacking: the domain name chosen by the attackers for data collection was very similar to the legitimate third-party services on Macy's websites. So make sure that the potential traffic that's being hijacked is being monitored and can be alerted on.
So let's apply the NIST framework to the retail industry in cybersecurity. The NIST framework uses the following five phases in its framework for computer security guidance. Identify: organizations must develop an understanding of their environment to manage the risks to their systems, and make sure they understand the assets, the data and their capabilities. Protect: organizations must develop and implement appropriate safeguards to limit or contain the potential cybersecurity event. Detect: organizations must implement appropriate measures to quickly detect cybersecurity events. Respond: incident response should be a cybersecurity priority, and organizations must have the ability to contain the impact. And then Recover: mainly bring back the whole or restore any services, basically implementing business continuity while there is an event.

So how do we apply the lessons learned in the Target case? Hardening access controls was one of the lessons, segregating networks, and that is Protect; this is where it fits in the NIST framework. The monitoring of access, identity management and systems falls into Detect, basically making sure that if any activity is done, they're monitoring it. Monitoring reconnaissance, again, this could be in Detect, but we put it also in Identify, because you want to identify any point of a malicious actor, or data that's being served up for a potential attack, before the attack. Whitelisting programs, again, could be on the Protect side but also on the Respond side, where you're looking for any activity that's not whitelisted and then you respond accordingly. And then multiple anti-malware solutions: again, Protect, adding security in depth so you're not just relying on one form of solution or tool. And then lastly information sharing: once there's a breach, or understanding if anything happened, putting it into a sharing group or receiving intel, which could be in the Identify portion of the NIST framework.
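The "monitoring for signs of reconnaissance" lesson from the Target case, placed in Detect above, is one of the few lessons that maps directly to detection logic: directory queries that enumerate the whole domain, or probe for privileged accounts and service principals, are what an attacker issues before moving laterally. The following is an added example written for this course page; it is not code from the lecture, from Target, or from any product. The log line format, the host and account names, and the thresholds are all constructed for illustration. It parses simple LDAP query log lines and raises two kinds of alert: a single query that returns an unusually large result set, and a host that issues several distinct reconnaissance-style filters within a short window.

```python
"""LDAP reconnaissance detection over directory query logs.

Added example for this course page. The log format, names and thresholds
are constructed; they do not describe any real product or incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a vendor service account on one workstation walks the
# directory, while two other users perform ordinary single-object lookups.
SAMPLE_LOG = """\
2023-05-01T09:00:01 host=ws-hvac-01 user=CORP\\svc-hvac filter="(sAMAccountName=svc-hvac)" results=1
2023-05-01T09:00:05 host=ws-hvac-01 user=CORP\\svc-hvac filter="(objectClass=*)" results=48213
2023-05-01T09:00:09 host=ws-hvac-01 user=CORP\\svc-hvac filter="(objectCategory=computer)" results=9120
2023-05-01T09:00:12 host=ws-hvac-01 user=CORP\\svc-hvac filter="(servicePrincipalName=*)" results=611
2023-05-01T09:00:15 host=ws-hvac-01 user=CORP\\svc-hvac filter="(adminCount=1)" results=37
2023-05-01T09:00:18 host=ws-hvac-01 user=CORP\\svc-hvac filter="(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=example)" results=12
2023-05-01T09:00:21 host=ws-hvac-01 user=CORP\\svc-hvac filter="(primaryGroupID=516)" results=6
2023-05-01T09:00:24 host=ws-hvac-01 user=CORP\\svc-hvac filter="(userAccountControl:1.2.840.113556.1.4.803:=4194304)" results=3
2023-05-01T09:14:02 host=pos-term-0042 user=CORP\\jdoe filter="(sAMAccountName=jdoe)" results=1
2023-05-01T09:20:44 host=ws-fin-07 user=CORP\\asmith filter="(&(objectClass=user)(sAMAccountName=bjones))" results=1
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) filter="([^"]*)" results=(\d+)$')

# Filters that enumerate the directory or look for privileged targets rather than
# resolving one known object. The list is illustrative, not exhaustive.
RECON_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\(objectclass=\*\)",                               # dump every object
    r"\(objectcategory=(computer|person|user|group)\)",  # enumerate a whole class
    r"\(serviceprincipalname=\*\)",                      # service accounts (Kerberoast targets)
    r"\(admincount=1\)",                                 # protected / privileged accounts
    r"\(primarygroupid=\d+\)",                           # membership by well-known group RID
    r"memberof=cn=domain admins",                        # direct Domain Admins lookup
    r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=",  # UAC bit probes, e.g. delegation
)]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, filt, results = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "filter": filt, "results": int(results)}


def is_recon_filter(filt):
    return any(p.search(filt) for p in RECON_PATTERNS)


def detect(log_text, bulk_threshold=1000, window=timedelta(minutes=5), burst_min_distinct=4):
    """Return alerts for bulk enumeration and for bursts of distinct recon filters per host."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []

    # Rule 1: any single query returning an implausibly large result set.
    for e in events:
        if e["results"] >= bulk_threshold:
            alerts.append({"rule": "bulk_enumeration", "host": e["host"], "user": e["user"],
                           "filter": e["filter"], "results": e["results"]})

    # Rule 2: one host issuing many *different* recon filters inside a sliding window.
    recon_by_host = defaultdict(list)
    for e in events:
        if is_recon_filter(e["filter"]):
            recon_by_host[e["host"]].append(e)
    for host, evs in recon_by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = {e["filter"] for e in evs[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= burst_min_distinct:
            alerts.append({"rule": "recon_burst", "host": host, "user": evs[-1]["user"],
                           "distinct_filters": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The two rules are deliberately cheap to compute so they can run as the logs arrive. The burst rule keys on the host rather than the account, because a compromised vendor credential used from an unexpected machine is exactly the case the segmentation and access-control lessons above are meant to catch; in production, tune the thresholds per host class, since a domain controller or an inventory scanner will legitimately issue broad queries that a point-of-sale terminal never should.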
For the Macy's breach, monitoring for tools such as Magecart and others is in Detect, and it could also be in Identify. Inspecting for malicious code: again, this is where you're constantly inspecting websites to make sure transactions are being looked at, having the tools, AI, and so on, and then also Detect; it can be on the Detect side as well. Monitoring stored credit cards: this is in Detect or in Identify, where you're monitoring with tools, depending on the lifecycle. Enhancing new account credentials: this is in hardening, and so Protect. And then being aware of and attentive to website domain names: this can be Identify, and it can also be monitoring in this process. So as you can see, there are many steps that could be looked at, and these are just some samples that can be used in the framework to harden and to enhance your security posture. This ends our course, and we'll see you next time. Thank you.