Over the last few years, the stories about retailers have been falling and being ignored like rain on a hot tin roof. There have been so many failures of security that the public is getting numb to yet another announcement.
Sally Beauty Supply, the discount cosmetics retailer based in Denton, Texas, was one of the most recent victims. In a statement issued by the company on May 28, 2016, they confirmed that “criminals used malware believed to have been effectively deployed on some of its point-of-sale systems at varying times between March 6th and April 17th, 2015.”
As an information security professional, it struck me as odd that their system was so weak that its point-of-sale (POS) system could be attacked. Either it was attacked through physical access or it was attacked via electronic means. In either case, it is a risk that can be foreseen and mitigated if companies were as serious about the process of risk mitigation as they are about squeezing every last cent out of the customer, risks be damned.
This is not an anti-capitalism rant. This is a rant for capitalism with responsibility. While I do not begrudge anyone making money, I begrudge their doing so using less-than-ethical means. In my opinion, not maintaining the level of risk mitigation needed to prevent attacks, after years of lessons learned from other companies, is completely irresponsible.
Sally Beauty Supply is the most recent example of problems with electronic POS attacks but is not alone. Sally’s spin, like the spin of others before them, will be that they were compliant with the Payment Card Industry’s Data Security Standard (PCI-DSS). Like others who have been attacked, they will point to their PCI-DSS compliance and audits as proof they did their due diligence. Then they will fire their auditors and other contractors, blaming them for the attacks.
Maybe the problems are not with the auditors or contractors. Maybe it is time to look at PCI-DSS as the problem!
PCI-DSS does not require system architects to look at the risks of how their networks are put together. It does not require that companies ask why a POS system in Dallas has to talk with a POS system in Washington, New York, or San Diego. Maybe the inventory and price management systems need to be in communication, but do they need to be in communication with the POS systems? In the physical world, can I walk through your door and access everything once I slip past the front guard?
It never ceases to amaze me that all of these companies apparently do not have internal controls to mitigate risks across their networks. I call it the candy theory: the hard shell surrounding the soft middle that nobody thinks could be penetrated. And yet, that soft middle is penetrated on a regular basis, and not from the usual sources.
Target was attacked through an account that was created for maintenance, yet nobody asked why that account existed or why it was able to gain access to the POS system. Target is essentially admitting its networks are architected as if they believed in the flat-earth theory of management, and it paid the price.
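To make the point concrete, here is a small added example (not from the original post) that checks recorded network flows against an explicit allow-list of which zones may talk to which; the zones, addresses, ports and flow records are all constructed for illustration. It flags exactly the two paths the post asks about: a store POS network talking to another store's POS network, and a maintenance address reaching the POS network.

```python
import ipaddress
from collections import namedtuple

# Constructed zones (addresses made up): per-store POS nets, back-office, vendor VPN.
ZONES = {
    "pos-dallas":     ipaddress.ip_network("10.10.1.0/24"),
    "pos-washington": ipaddress.ip_network("10.20.1.0/24"),
    "inventory":      ipaddress.ip_network("10.100.0.0/24"),
    "pricing":        ipaddress.ip_network("10.100.1.0/24"),
    "payment-gw":     ipaddress.ip_network("10.200.0.0/24"),
    "vendor-vpn":     ipaddress.ip_network("172.16.50.0/24"),
}
# Allow-list of (src zone, dst zone, dst port); unlisted flows have no documented business reason.
POLICY = {
    ("pos-dallas", "payment-gw", 443),
    ("pos-washington", "payment-gw", 443),
    ("inventory", "pricing", 5432),
    ("vendor-vpn", "inventory", 22),
}
Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    # Map an address to its zone name, or "unknown" if it falls in none of them.
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def find_violations(flows):
    # Return (flow, src_zone, dst_zone) for every flow the policy does not allow.
    bad = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if (src_zone, dst_zone, f.dport) not in POLICY:
            bad.append((f, src_zone, dst_zone))
    return bad

# Constructed flow records, as a NetFlow collector or firewall log might supply.
SAMPLE_FLOWS = [
    Flow("10.10.1.15", "10.200.0.5", 443),    # Dallas POS -> payment gateway: expected
    Flow("10.10.1.15", "10.20.1.22", 445),    # Dallas POS -> Washington POS: why?
    Flow("172.16.50.7", "10.100.0.3", 22),    # vendor maintenance -> inventory: allowed
    Flow("172.16.50.7", "10.10.1.15", 3389),  # vendor maintenance -> POS: no business reason
    Flow("10.100.0.3", "10.100.1.3", 5432),   # inventory -> pricing: expected
]

if __name__ == "__main__":
    for f, s, d in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {s} -> {d}: {f.src} -> {f.dst}:{f.dport}")
```

Run against real flow exports, every reported pair is a question for the architects: either the allow-list gains a documented entry, or the path gets closed.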
Maybe it is time for everyone to stop thinking of information security as a checklist and start to think of it as a necessary business process. This is a process that should go beyond what PCI-DSS requests and beyond the bandages companies put on their problems. It is time for the industry to mature and get beyond the checklist.
I used to tell my university classes that information security is a process and not a product. Maybe it is time for everyone to make it part of the business process. Otherwise, you will spend your day chasing attacks and fixing the damage they cause rather than running your business.