Big Retail = A Honey Pot of Data

The retail industry is a high value target for cyber attacks, simply due to the transactional nature of the business. The large numbers of financial transactions means that there is a honey pot of data and countless opportunities for cyber criminals to steal sensitive customer information.

Online transactions, Point of Sale (POS) systems, and retail environments where there are transient workforces and high staff turnover simply equals increased risk. And far too often, POS systems run on old systems with no Malware protection and sometimes unpatched operating systems. Big retailers with operations that include a large numbers of stores, hundreds of POS systems, fragmented procurement, and multiple distribution centers are attractive environments for a cyber criminal or criminals planning an attack.

To further the risk of an attack or breach, many retailers also outsource their IT or cyber security capabilities to third parties – which means retail organizations need to (seriously) consider supply chain security as well.

Review our other blog on this topic here.

Preventing eCommerce Cyber Attacks – It’s all about the Benjamins

The threats of cyber attacks for retail companies are very clear and unfortunately abundant, from the introduction of Malware to steal financial data, unauthorized insiders gaining access to private systems and databases, to the creation of fraudulent transactions and routing money to other destinations. It’s all about the Benjamins baby.

A high profile example of the risks in retail comes from Forever 21 in 2017. A large number of the company’s POS systems were infected with Malware for nearly seven months, enabling cyber criminals to steal credit card data that had been stored in the logs of completed transactions. Forever 21 reported that the Malware obtained the shoppers’ card number, expiration date, internal verification code – and in some cases also cardholders’ names.

Another well known name that has fallen foul of cyber attack(s) is Macy’s. An investigation into the 2019 breach of Macys.com found that the attack was linked to a website that stole customer payment data on the “Checkout” and “My Wallet” pages. Macy’s was also attacked in 2018. That breach allowed criminals access to sensitive credit and debit card information, names, and birthdays of “a small number” of Macys.com and Bloomingdales.com customers.

Right now, as business across the globe becomes increasingly more digital and as eCommerce continues to expand – particularly as COVID-19 has kept consumers at home and driven them to shop almost exclusively online – the reality is that digital retailers simply cannot operate without prioritizing cyber security.

Protecting Credit Card Transactions

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for any company that handles credit card payments.

Among the requirements for achieving PCI compliance is the ability to monitor access to systems and any activity on the network, ensuring that encryption and perimeter security is active, restricting access to data and systems, and requiring the use of strong passwords. Monitoring and reporting are key requirements for PCI DSS.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. 

Examples of system components include, but are not limited to the following:

  • Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
  • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
  • Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
  • Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
  • Any other component or device located within or connected to the CDE.

Reference Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 May 2018

Log Management & Cyber Security

Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

Effective log collection & management will allow you to:

  • Implement audit trails to link all access to system components to each individual user.
  • Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions, deletions to accounts with root or administrative privileges; initialization, stopping or pausing of the audit logs; creation and deletion of system-level objects.
  • Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.
  • Use time synchronization technology, synchronize all critical system clocks and times, and implement controls for acquiring, distributing, and storing time.
  • Secure audit trails so they cannot be altered.
  • Review logs and security events for all system components to identify anomalies or suspicious activity. Perform critical log reviews at least daily.
  • Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis

One of the key requirements is not just collecting log data on these activities but also having the ability to review it daily as required by the regulation. Snare makes this easy by providing out-of-the-box capability to generate the appropriate reports needed to be compliance for PCI DSS.

Further to this capability Snare can also provide Database Activity Monitoring (DAM) to ensure that application level controls are not bypassed and direct database access is used instead, and both File Integrity Monitoring (FIM) and Registry Integrity Monitoring (RIM) to ensure that changes made to key files or suspicious registry activity (including the installation of malicious applications) is detected.

Make sure you also check out our best practices white paper for PCI DSS here.

Need to get your log management solution in place?

Reach out to our team. We work with over 4,000 customers across the world to help manage logs and prevent the types of costly and damaging cyber security breaches referenced in this article.

The Cost of Payroll Fraud (in the billions)

As payroll has increasingly become a dedicated function in the finance and accounting arena, and as regulation in the payroll segment increasingly means that payroll processing has become an IT function, additional risks have been introduced into this high dollar risk arena.

Risks in payroll include out of date payroll systems, non-compliance, and fraud – particularly from insiders with access to back-end databases.

One of the key risks is the lack of visibility into those who have access to the databases and what changes they have made. Usually, this is a very specific area and IT generally and IT Security specifically may not have a good way to see what’s happened inside of the database.

The Australian Payroll Association, in an August 23, 2020 article says the Federal Bureau of Investigations (FBI) reported that between 1 January and 30 June 2019, payroll diversion increased by 815 per cent and that in the past three years, fraud has exceeded $26 (US) billion dollar in losses. The majority of payroll fraud falls into one of three perpetrator categories – employer, employee or third party.

Detecting Payroll Fraud

PwC’s 2020 Global Economic Crime and Fraud Survey revealed 37% of fraud was internal, including 34% by middle managers, 31% by operations staff, and 26% by senior management.

Fraud might also be executed through the creation of “ghost” employees, fake timesheets or maintaining ex-employee records to funnel salary payments into fraudulent accounts. Perpetrators may create false suppliers, and reimbursements for authorised contractors to provide services at inflated rates.

Australia’s most famous payroll fraud case is probably the Clive Peeters case, where the company payroll manager reportedly stole over AUD$19M from her employer over a two-year period.

The solution?

A Database Activity Monitoring (DAM) solution like Snare MSSQL Agent can track sensitive data access, mask sensitive data from anyone inspecting log data (so they cant see the actual data in the database), and provide separation of duties between DBA’s, Sysadmins and forensic investigators.

Our own Snare CISO, Steve Challans says:

“There are many areas of a database that users can interact with. Good applications tend to have their own role based access controls in place to control what a user does and prevent them from doing anything malicious to the database and its contents. 

However, there is another class of users that have direct ODBC access and/or DBA/Sysadmin privileges that can override technical controls and make changes to the databases and its data. Activities such as ‘create table, drop table, and adding columns’, are structural and schema-related, while ‘insert, update, delete, and select’ are data-related. Having someone perform unauthorised data changes affects the integrity of the data, so the business can make bad or wrong decisions with the misleading data now being used. Copying data and data exfiltration is another problem with leaking sensitive personal or financial information or company secrets. There have been many instances of a bad employee making database changes to change the payroll or HR system for nefarious needs. In other cases, there has been a breach of some sort and the hackers have gained access to the DBA accounts to access or exfiltrate data from the customer’s database systems –  causing great damage to the business.”

Database Activity Monitoring


Gartner
defines Database Activity Monitoring (DAM) as a suite of tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behaviour, with minimal impact on user operations and productivity.

Monitoring databases is critical when manipulation of data in those databases can result in financial loss. DAM can contain data from network-based monitoring, as well as native audit information to provide a comprehensive picture of database activity. This data can be used to report on database activity, support breach investigations, and alert on anomalies.

DAM helps businesses address regulatory compliance mandates like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), U.S. government regulations such as NIST 800-53, and EU regulations.

Monitor Activity with Snare’s Microsoft SQL Agent

Snare’s specialised Microsoft SQL agent allows the customer to be very granular with the monitoring of the SQL activity within a single database or an entire instance that covers multiple databases.

Individual users or classes of users such as the DBAs that have the SYSADMIN role can be monitored. Specific settings can be used to collect information on specific database, tables with sensitive data, or specific commands run in the database. This reduces the noise of general monitoring of all user activity on the SQL environment.

The Snare agent works on all current versions of SQL server, on windows platforms, and is cluster-aware to cover off the more complex, highly available needs.

Some other tools can generate enormous amounts of log data which can overwhelm some systems. The Snare agent can be tuned to collect the specific user activity and filter out the rest of the noise.

If you would like to learn more about Snare’s Database Activity Monitoring solutions or about our suite of log collection and management solutions, including Snare Central and Snare Agents, reach out to us. Our team has helped over 4,000 companies around the world protect their logs and prevent cases of payroll fraud.