Businesses—not just retailers—spend months developing plans for the holiday shopping season. Unfortunately, many of them haven't thought about security during those strategy sessions.
"People have different mentalities when they look at the end of the year," says Chris Strand, senior director of compliance at Bit9.
We've already listed some of the challenges associated with the end-of-the-year and the holiday shopping season. We also have a RSAC webcast on Nov. 20 with David Matthews, the former director of incident response at Expedia, focusing on incident response. We also need to consider how a seasonal freeze impacts the security team's ability to keep the organization secure, Strand says.
Retailers typically institute a "seasonal freeze" from November through the holidays where changes and updates aren't allowed on endpoints because they may result in some downtime. If the point-of-sale terminal is offline for an update, that is a terminal not capturing payments. If the computer used by a customer service representative has to reboot, that's time the customer has to wait to get their concerns addressed.
Regardless of the organization's reasoning for change freezes, this means there is a growing gap between new threats and the endpoint's available level of protection. Even with security tools in place, if there is a new strain of malware released during this time period, many of the computers will be left vulnerable, and that doesn't even account for possible zero-day attacks, Strand says.
That's not to say that the freeze is complete—if there is a serious issue, organizations will take the time to fix the problem. "The problem is that this is still reactive security," Strand says.
For many businesses, the holiday season is tremendously important to their bottom line. Retailers are pushing major deals to entice consumers to shop. The hospitality and transportation sectors are busy with seasonal travelers. There is a lot of planning around advertising, sales, marketing, and social media, and information security teams need to address and potential risks and issues before these plans are live, Strand says.
Criminals know what the holiday season looks like for organizations, and they know what kind of circumstances are in place that could play in their favor. Much like the fact that criminals attack at 5pm before a long weekend, they frequently craft their campaigns to take advantages of the challenges imposed by the holidays.
Consider retailers. Many stores will bring out backup point-of-sale systems to be able to handle the increase in sales volume and foot traffic. These systems may have been offline since the last holiday season, and are quite likely out-of-date. IT may be under pressure to just power them up and get them up and running, and worry about finding out what's installed and what needs to be updated later. However, until security teams have a chance to check the machines and make sure they are clean and also up-to-date with the latest information, those systems are vulnerable and pose serious risks, says Strand.
This is an issue from a compliance standpoint, since IT may not have a sense of whether these machines are still compliant, he says.
With all the data breaches we've seen in 2014, there is a sense that EMV, the chip-enabled payment card technology already in use in Europe, will fix the problem. The problem is that not a lot of organizations are set to accept chip-based payments this year, Strand says. The issues from last year are still relevant this year because the deadline to switchover is not until 2015.
So what can information security teams do as the holiday season approaches? They should focus on controls, Strand suggests. "Take small steps."
Monitor the endpoint. This is the time to be looking at what the baseline is and to make sure the business processes are clearly defined and enforced. If everyone is clear and executing "business as usual" activities, then security teams will be better equipped to detect anomalies. Regardless of the complaints about PCI, it can serve as a good baseline, to make sure the systems are executing as expected.
There are still some systems out there—not as much as there used to be—still running XP with just antivirus. "It looks like we haven't learned anything" from this year, Strand says.
"It's hard to come up with the perfect security scenario to protect themselves," Strand says. Focus on proactive monitoring and enforcing business processes to keep the organization safe this year.