Network Computing is part of the Informa Tech Division of Informa PLC


9 Security Best Practices For Safe Shopping

  • It's that time of year again. Holiday shoppers are out in droves and, it stands to reason, cyber attackers are at the ready. Target's data breach announced last holiday season kicked off a rash of similar announcements throughout 2014 from the likes of Home Depot, Neiman Marcus, and Michaels. The latest target (pun intended) has been Sony, along with its PlayStation Network. There is little doubt that attackers are poised to take advantage of companies doing business online that have failed to learn from previous victims.

    While cardholder data breaches are a timely topic during the holidays, they are by no means limited to the heavy shopping season. According to a 2014 Ponemon Institute study, an organization has a 22% chance of experiencing a data breach affecting at least 10,000 customer records within the next two years. Retailers are at particular risk, but any company that stores customer or cardholder data must make data security a priority throughout the year. They can start with the basic measures below, several of which are lessons learned from past breaches.

    (Image: Thinkstock/iStockphoto)

  • Audit login credentials and secure access

    In last year's Target breach, attackers logged in with a third-party service provider's credentials and moved about the network undetected for weeks. To limit what a stolen credential can do, audit every account repository in the organization: central directories, local accounts on POS terminals and back-office servers, vendor portals and remote-access gateways. Disable or remove accounts that are no longer used (departed staff, finished vendor engagements, installer accounts that were never deleted), lock down the active ones with least privilege and, where remote access is unavoidable, multi-factor authentication, and review existing accounts for evidence of compromise: logons at odd hours, from unexpected hosts, or to systems the account has no business reaching.
    Photo: Retail Target by StockMonkeys.com
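    The audit described above, as an added example that is not part of the original article: a Python script that reads an account export and flags enabled accounts that have never been used, that have been idle for more than 90 days, or whose last logon was to a host their kind of account should not touch (the vendor-credential-on-a-POS-terminal pattern). The export format, the 90-day threshold, the host-name policy and every account and host name are assumptions made for illustration.

```python
"""Audit an exported account list for unused accounts and out-of-scope use.

Added example for this article, not code from the original page. The export
format, the 90-day staleness threshold and every account and host name below
are assumptions made for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: one row per account, in the shape a directory
# or identity-management system might produce. Times are local, ISO 8601.
SAMPLE_EXPORT = """\
account,kind,enabled,created,last_logon,last_logon_host
jsmith,employee,yes,2012-03-01,2014-12-10T09:14:00,HQ-WS-117
hvac-monitor,vendor,yes,2013-06-15,2014-12-09T02:31:00,POS-STORE-042
hvac-monitor-old,vendor,yes,2011-01-20,2014-04-02T11:00:00,VENDOR-PORTAL
installer,service,yes,2010-09-09,,
backup-svc,service,yes,2012-11-11,2014-12-10T01:00:00,BACKUP-01
mwong,employee,no,2013-02-02,2014-05-30T16:45:00,HQ-WS-004
"""

# Assumed policy: the host-name prefixes each kind of account is expected to
# log on to. A vendor account seen anywhere but the vendor portal is the
# Target pattern (third-party credentials reaching POS) and needs a look.
ALLOWED_HOST_PREFIXES = {
    "employee": ("HQ-",),
    "vendor": ("VENDOR-",),
    "service": ("HQ-", "BACKUP-"),
}

STALE_AFTER = timedelta(days=90)


def parse_export(text):
    """Parse the CSV export into dicts with typed 'enabled' and 'last_logon'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["enabled"] = row["enabled"].strip().lower() == "yes"
        row["last_logon"] = (
            datetime.fromisoformat(row["last_logon"]) if row["last_logon"] else None
        )
    return rows


def audit_accounts(rows, now):
    """Return (account, finding, detail) tuples for every enabled account
    that is unused, stale, or was last used somewhere its kind should not be."""
    findings = []
    for row in rows:
        if not row["enabled"]:
            continue  # already disabled; nothing further to do
        if row["last_logon"] is None:
            findings.append((row["account"], "never-used",
                             "enabled but has never logged on; disable or remove"))
            continue
        idle = now - row["last_logon"]
        if idle > STALE_AFTER:
            findings.append((row["account"], "stale",
                             f"no logon for {idle.days} days; disable"))
        # str.startswith with an empty tuple is False, so an unknown kind
        # is reported rather than silently passed.
        allowed = ALLOWED_HOST_PREFIXES.get(row["kind"], ())
        if not row["last_logon_host"].startswith(allowed):
            findings.append((row["account"], "out-of-scope-logon",
                             f"{row['kind']} account last used on "
                             f"{row['last_logon_host']}; investigate"))
    return findings


def run_sample():
    """Audit the constructed export as of an assumed review date."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), datetime(2014, 12, 11, 12, 0))


if __name__ == "__main__":
    for account, finding, detail in run_sample():
        print(f"{account:18} {finding:20} {detail}")
```

    On the constructed export this reports three accounts: the vendor account last seen on a store POS terminal, the old vendor account idle since April, and an installer account that is enabled but has never logged on. Against a real directory, replace SAMPLE_EXPORT with the actual export and extend ALLOWED_HOST_PREFIXES to match your naming scheme; the "out-of-scope-logon" findings are the ones to investigate first, since they indicate use rather than mere neglect.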

  • Use strong passwords

    Point-of-sale (POS) and other payment systems are often set up with vendor default passwords, which are easily guessed or found online in the product documentation. It is like leaving the door open for any passerby. A vulnerability scanner like Nessus or NeXpose can help find default passwords, but its database does not cover every product on the network, so also check each system against the vendor's own documentation by hand. Change every default password, give each system and each administrator a unique account name and a long, unique password rather than one shared across stores, and rotate passwords on a schedule and immediately whenever a compromise is suspected.
    Photo: Enter Your Password by Marc Falardeau

  • Segment the network

    The compromised credentials used by the Target attackers belonged to an HVAC provider responsible for monitoring energy consumption and temperatures in Target stores. There was no need for the HVAC company to reach POS systems, but the network was not segmented, so attackers could use these credentials to reach POS systems and install malware on them. Businesses of all types should review their network design to ensure that credentials and network connections used by third-party providers cannot reach sensitive systems. Put POS systems on their own segment behind a firewall that permits only the traffic the payment flow needs, map which networks are connected and how, and verify the result against real traffic (flow or firewall logs, or a test connection attempted from the vendor segment) rather than against the diagram.
    Photo: Networking by Norlando Pobre

  • Restrict Internet access

    POS systems should have Internet access only if it is required for POS-related activities. Opening the system to general Internet use exposes it to web-borne threats and increases the risk of malware infection and data exfiltration. Firewalls can either block the POS system from the Internet completely or, if connectivity is needed (for example to the payment processor), block all traffic except that to explicitly authorized destinations and ports. Any remaining Internet traffic should pass through an application-layer proxy that inspects it, which also gives you a single place to log and block unexpected outbound connections.
    Photo: No Internet by Marcelo Graciolli

  • Disallow remote access

    Blocking even authorized remote management of POS systems may seem like overkill, but companies are not always diligent about keeping firewall configurations correct and keeping the machines used to reach POS systems secure, and exposed remote-desktop and remote-support tools with weak or stolen credentials have been the entry point for a great deal of POS malware. Therefore, remote access to POS systems should be disallowed at all times, so that attackers cannot gain entry by exploiting a remote-access configuration, and any accepted connection to a POS terminal from outside its segment should be treated as an incident.
    Photo: Unplugged by photosteve101
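    The three previous slides (segment the network, restrict Internet access, disallow remote access) amount to one firewall policy: POS terminals talk only to the payment processor and the internal resolver, vendors talk only to their portal, and nothing else is permitted. The following added example, which is not code from the original article, checks a firewall's accept log against such a policy and reports every accepted connection that the policy says should have been dropped. The segment addresses, the allow-list, the log format and the log lines themselves are constructed assumptions.

```python
"""Check firewall accept-logs against the intended POS segmentation policy.

Added example for this article, not code from the original page. The segment
addresses, the allow-list and the log format are assumptions; the log lines
are constructed, not captured.
"""
import ipaddress

# Assumed network segments. The payment processor is a single external host;
# any address not listed here is treated as "internet".
SEGMENTS = {
    "pos": ipaddress.ip_network("10.20.0.0/24"),
    "vendor": ipaddress.ip_network("10.30.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "payment": ipaddress.ip_network("203.0.113.10/32"),
}

# Assumed policy as (source segment, destination segment, protocol, port).
# POS may reach the payment processor and the internal resolver; vendors may
# reach the corporate vendor portal. Nothing else is permitted, which also
# expresses "no Internet access" and "no remote access" for POS.
ALLOWED_FLOWS = {
    ("pos", "payment", "tcp", 443),
    ("pos", "corp", "udp", 53),
    ("vendor", "corp", "tcp", 443),
}

# Constructed log lines in a simple "time action src dst proto dport" shape,
# showing only connections the firewall actually accepted.
SAMPLE_LOG = """\
2014-12-09T02:30:11 ACCEPT 10.20.0.7 203.0.113.10 tcp 443
2014-12-09T02:30:12 ACCEPT 10.20.0.7 10.10.1.53 udp 53
2014-12-09T02:31:04 ACCEPT 10.30.0.15 10.20.0.7 tcp 3389
2014-12-09T02:35:40 ACCEPT 10.20.0.7 198.51.100.23 tcp 80
2014-12-09T03:02:19 ACCEPT 192.0.2.44 10.20.0.9 tcp 5900
2014-12-09T03:10:00 ACCEPT 10.30.0.15 10.10.2.10 tcp 443
"""


def segment_of(addr):
    """Name the segment an address belongs to, or 'internet' if none match."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def parse_log(text):
    """Yield (src, dst, proto, dport) for each ACCEPT line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "ACCEPT":
            continue
        _, _, src, dst, proto, dport = fields
        yield src, dst, proto.lower(), int(dport)


def audit_flows(text):
    """Return accepted flows the policy says should have been dropped, each as
    (src_segment, dst_segment, proto, dport, src, dst)."""
    violations = []
    for src, dst, proto, dport in parse_log(text):
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if (src_seg, dst_seg, proto, dport) not in ALLOWED_FLOWS:
            violations.append((src_seg, dst_seg, proto, dport, src, dst))
    return violations


if __name__ == "__main__":
    for src_seg, dst_seg, proto, dport, src, dst in audit_flows(SAMPLE_LOG):
        print(f"{src_seg:>8} -> {dst_seg:<8} {proto}/{dport:<5} ({src} -> {dst})")
```

    On the constructed log the script flags three connections the firewall should never have accepted: a vendor host opening RDP to a POS terminal (the lateral move that segmentation is meant to prevent), a POS terminal browsing to an Internet web server, and an Internet host reaching a POS terminal's VNC port (remote access that should be disallowed). Every one of those is either a misconfigured rule or an incident in progress. Adapt parse_log to your firewall's export format; the same ALLOWED_FLOWS table, plus a default-deny rule, is also what the firewall itself should be configured to enforce.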

  • Use antivirus/antimalware

    Running antivirus software is a well-known security best practice that deserves repeating, as it can keep systems from being infected by known malware. However, antivirus programs only catch what they know, so to be effective they must be continually updated. Businesses can reduce the risk from zero-day threats by deploying a full endpoint protection suite that adds traffic inspection, application whitelisting, host intrusion prevention (HIPS) and a host firewall to antivirus. Application whitelisting is particularly effective on POS terminals, whose set of legitimate programs is small and rarely changes, so anything not on the list is suspect. It is also a good idea to run a full antivirus scan on every system after a high-profile breach or the discovery of a new threat, once signatures for it are available.
    Photo: Virus III Internet Café by Jason Eppink

  • Update POS software

    Like any other software, POS applications contain vulnerabilities that malware and attackers exploit. Merchants must keep their software up to date by installing patches promptly and upgrading the software itself on a regular cycle. Businesses may be tempted, to save money, to defer upgrades until technical problems arise, but vendors often bundle security fixes with bug fixes in new versions, and an unsupported version stops receiving either. Test patches on a spare terminal and keep a known-good image to roll back to, so that patching does not have to wait for a quiet week.
    Photo: Infinite Target Registers by Patrick Hoesly

  • Evaluate compliance efforts

    Is your organization's objective to pass an audit or to protect cardholder data? Regulatory and industry-standard compliance does not equate to security. Don't assume that because you've checked all the boxes you are immune to an attack or a data breach. The PCI Data Security Standard, at best, establishes a baseline. Evaluate your compliance efforts to ensure you're meeting the requirements, but don't stop there: make protecting cardholder and customer data the end goal, and remember that a configuration that was compliant on audit day can drift out of compliance the week after.
    Photo: Credit Card Security by Perspecsys Photos

  • Plan for the worst

    While the measures above reduce the chances of a data breach, the risk cannot be eliminated entirely. Businesses today must assume that they will, sooner or later, experience a breach, which means a solid and well-rehearsed incident response program is in order. The program should record where valuable data lives, who has access to it and which controls protect it, and lay out a step-by-step incident response plan (who is called, how affected systems are isolated and preserved for forensics, when card brands, acquirers and customers are notified) that is exercised regularly. Don't wait for the holiday season to come and go; an up-to-date and tested incident response program eliminates mistakes, speeds containment and reduces exposure at any time of year.
    Photo: Emergency Preparedness Exercise at NRC HQ by Nuclear Regulatory Commission