
Cybersecurity in Retail Podcast: Why retail can’t dismiss the need for cybersecurity

In the first edition of the podcast series, host and senior IT security and privacy specialist Peter Hansen discusses the cyber threat landscape of the retail industry with our UK-based cybersecurity expert Lee Newcombe. The two experts answer questions such as: What is the difference between vulnerability management and threat intelligence? Should you use a big cloud provider or one of the local ones? When and why does cloud adoption fail? How is the retail industry special when it comes to cybersecurity, and what can really go wrong? Go on and have a listen:

Transcript

Peter Hansen:

Welcome to the Capgemini Cybersecurity Podcast, where we will discuss security aspects in different industry segments with a focus on transforming the IT landscape. Retail will be addressed in this first series of podcasts. We will discuss how the retail sector is doing today when it comes to cybersecurity in general, challenges we see, and the impact from the rapid move to cloud and new data platforms. I’m your host, Peter Hansen, and today we are focusing on the cybersecurity threats we see when it comes to attacks and penetration attempts. With me from the UK I have Lee Newcombe. Welcome.

Lee Newcombe:

Hi Peter, thank you for inviting me on today. Yeah, my name’s Lee Newcombe. I sit in the Center of Excellence within the UK Cybersecurity Unit. Outside of Capgemini, I also chair the UK Chapter of the Cloud Security Alliance, which will become more relevant the more we focus on cloud.

Peter Hansen:

Welcome. As I said, I’m Peter Hansen. I’m part of Capgemini’s Center of Excellence Cybersecurity Unit in Sweden, focusing on governance, risk, and compliance and, therefore, also focusing on information security. As an introduction to this, according to the Thales 2018 Data Threat Report, 75% of retailers in the US have experienced a breach in the past, compared to 52% the previous year. US retailers are also more inclined to store sensitive data in a cloud compared to the global average. Lee, do you have any fun facts to share?

Lee Newcombe:

I’m not sure it’s fun so much as slightly scary. I’m currently looking at the Have I Been Pwned.com website, which is reporting that there are 7.8 billion pwned accounts on the website at the moment. More than one account per individual on the planet has been hacked already.

Peter Hansen:

That’s probably more scary than fun actually. There has been a lot of focus for many years now in terms of vulnerabilities. Vulnerabilities, which many see purely as patches. What would you say is the difference between vulnerability management and threat intelligence?

Lee Newcombe:

Vulnerability management is all about identifying where your information systems and data are vulnerable, so where they can be hacked, where they can be compromised. That’s not just a case of missing patches. It can be a case of poor configuration or perhaps things being exposed that maybe shouldn’t be exposed, in terms of services or maybe your data going where it shouldn’t go. There are ways to identify those vulnerabilities, using your familiar vulnerability assessment tools, like your Nessus and your Qualys, etc. Then, you can go away and fix the issues that those tools find for you.

Threat intelligence takes it from another angle. Threat intelligence is all about identifying who the bad guys are that might look to take advantage of those vulnerabilities – so the hackers, the organized criminals, etc., that would be out there looking to take advantage of those vulnerabilities. Threat intel is a particularly interesting area, because it touches on some of the other problems we have in security around terminology. If I say threat to you, it might mean something different than if I say threat to somebody else. I define threat as being the bad guys out there looking to do things. Other organizations might define threat as being a specific attack, for example.

Peter Hansen:

Yeah, I totally agree. Also, because one of the real aspects of moving to cloud is usually that you don’t need to maintain your environment. You don’t need to apply patches. Therefore, it’s kind of suggested that the actual threat towards your environment would be less, which it probably will. We’re not only talking patches when we’re talking about threats.

Lee Newcombe:

No, we’re certainly not. I think when we start talking about this in the cloud context, the threats stay the same. The same bad guys are out there, and they’re going to be going after your systems whether they’re on-premises or on the cloud. It’s the same threats. Indeed, the impact is similar as well. The only differences might be around some of the vulnerabilities that they’d look to take advantage of, because your attack surface is going to be somewhat different. You will have different places where you expose your systems and your data when you’re in the cloud than you do when you’re on-premises.

Peter Hansen:

Yeah. Some of the biggest breaches have actually been in the cloud environment or on the cloud environment, such as wrong configurations. Even if you have a fully patched system, fully patched cloud environment, that doesn’t mean that you are safe from bad configuration.

Lee Newcombe:

Yeah, don’t get me started on leaky S3 buckets. You quite often see the narrative that more information is leaked from the cloud, and that’s not usually the case. When you start thinking about things like Amazon S3 buckets, they are actually secure by default. Users have to purposefully open up those buckets to the internet for the bad guys to come in and take the data.

Misconfiguration in the cloud is one of the bigger issues. It’s not the case that the cloud is inherently insecure, but it can certainly be made insecure if you don’t do it properly.

Peter Hansen:

What about the discussion around whether you should use one of the big cloud providers, or if you should use a smaller, local cloud provider? Would you say there are any differences in how they see the basic security for those?

Lee Newcombe:

Oh, that’s very much an it-depends kind of question, isn’t it? I’m sure there are some very good, smaller cloud providers. I quite like the hyperscale cloud providers because they have the scale. They have that insight across their entire cloud customer base as well, in terms of what they’re seeing. They also have the scale in terms of innovation. Look at what Microsoft’s doing with Azure: it’s got Sentinel out there now, which is a cloud-based SIEM, part of the Azure platform. Or look at what Amazon’s doing with GuardDuty for its threat monitoring and its Security Hub, which can now take feeds from third-party products as well as its own sources.

You tend to find that the security innovation these days is with the hyperscale cloud providers. The smaller cloud providers, as I said, could have good expertise. They may well be targeted for local regulatory requirements. If you’re dealing with some more sensitive, maybe Government data, then that kind of sovereign cloud is a good option. In general, I, personally, prefer to go with the hyperscale guys.

Peter Hansen:

Okay. Looking at our experience and our customers that we have worked with maybe, especially, in the last five years when cloud has really spun off to be something, many of our customers have an environment which [inaudible] been a little bit neglected. Would cloud adoption in itself make the threat less for those companies?

Lee Newcombe:

I think there are two points I’ll pick up on that one. One is it depends. We mentioned about the S3 buckets and misconfiguration. If you don’t know what you’re doing and you’re putting all your data into this cloud and it’s misconfigured, then it may not help you. If you do know what you’re doing, there is a real opportunity to improve your security posture by moving to the cloud.

If you consider the last couple of years, you had WannaCry, you had NotPetya. NotPetya really identified the need to move away from flat networks. When you’re thinking about traditional legacy environments, we’re talking about retail, quite a few retail networks that I’m aware of are quite flat. They don’t have that segmentation, so that makes it really easy for something like NotPetya to just run straight through that entire environment and take out organizations. Whereas if you move to the cloud, you can then start thinking about doing your segmentation properly.

You could put each application into its own account. Then, if you do lose an application, you just lose that application and that single account. You don’t lose the entire infrastructure. Cloud done well, I think, is a really good opportunity to improve your security posture. Cloud done badly is like anything that’s done badly, it’s not going to work out very well for you.

Peter Hansen:

Yeah. With my focus area in information security, I think many are still forgetting about information ownership, information classification. For that, cloud adoption itself doesn’t really help.

Lee Newcombe:

Yeah. Where I’ve seen cloud adoptions fail, it’s where the organization hasn’t had the governance. They haven’t got the ownership, the cloud strategy. They don’t know who is responsible for managing cloud risk. If they’re going down that route of bimodal or multimodal IT, where you’ve got your slower moving, traditional IT in one part and your digital DevOps piece in another part, and they’re trying to apply the same security controls to both, that doesn’t work either. You’ve got to be able to get your security management and governance right as well as the wider organizational governance. Otherwise, it’s not going to work out for you.

Peter Hansen:

In terms of threat intelligence and the cloud environment, what would you say makes retail, as an industry, unique compared to, for example, finance or manufacturing?

Lee Newcombe:

Retail’s really interesting in that it has such a wide range of possible attack vectors. Lots of retailers are moving towards ecommerce, so you’ve got your website: obvious attack vector for a hacker. When you start thinking about the big retailers, they might have their own farms. If it’s a high street retailer selling farm products, they might have their own farms. If they’re selling products, then they might have their own factories. They’ll also have their own distribution centers. All of these are different areas that an attacker could use to attack them. Then, you start thinking about their physical stores and the store back office, again, another route in for the bad guys.

The other interesting thing about retail is they hold a lot of personal information. They could well be at least having access to payment card details, even if they don’t store them. That’s where the bad guys will go after them, because they realize that retailers are perhaps not quite as secure as other organizations holding those card details, such as the banks and the financial-services sector. That’s why you’ll find people like the Magecart criminal gang going after digital retailers, because that enables them to siphon off the payment card details off their websites. Retail is a highly targeted sector.

Peter Hansen:

That is based on the sheer volume of interesting data [inaudible] credit card numbers, customer information, and so on.

Lee Newcombe:

Yes, indeed. Then, there are also other attack vectors as well. When you start thinking about the goods that they sell, so you could be thinking about shrinkage. From an internal staff perspective, retailers tend to suffer from maybe losing something like 1.5% of sales to shrinkage, which could be due to shoplifting, could be due to employees helping themselves to a little bit of the stock, or maybe playing about with the discount codes, etc. Shrinkage is a traditional problem in retail that doesn’t go away when you start thinking about digital retail either. Shrinkage is a bit of a problem.

Peter Hansen:

Yeah. The retail industry specifically, especially if you look at the business-to-consumer market, has undergone quite a big shift in the [inaudible] last five years. Everyone has an ambition to be really digital, to be really available, to be really well-exposed to the internet to be able to provide their customers the advantage of buying stuff from them. Also, working with security, that gives some challenges in terms of being able to keep up with business requirements of meeting the customer demands.

Lee Newcombe:

Yeah. Everybody’s got to keep up with Amazon these days, haven’t they? Everybody knows that Amazon is the big beast in the retail world at the moment. That’s what their customers are used to dealing with now. If you can’t service your customers in the same kind of way that Amazon can, then you’re going to get eaten up by Amazon at some point. Retail organizations have got to be able to adapt rapidly to those customer needs, which means that they need to be able to update their offers on a regular basis, update their stock on a regular basis, and then service their customers as quickly as they can in terms of meeting that thing from order to delivery. The customer experience has got to be strong.

Peter Hansen:

Yeah. From the security professional point of view, the security professional needs to adapt in the same way. If we try to restrict business from adapting to this, they will simply bypass us.

Lee Newcombe:

Yeah. We’re past the days now where you can necessarily do a full-on penetration test of every single release when organizations are doing multiple releases on their website on a daily basis. That’s when you have to start thinking about shifting left and moving your security controls as far to the left as you can in the development lifecycle, so automating your security testing during development and embedding those controls within the wider development pipeline.

Peter Hansen:

Yeah, exactly, implementing secure DevOps or DevSecOps depending on who you talk to.

Lee Newcombe:

Yeah. I kind of flip-flop between whether or not I prefer SecDevOps or DevSecOps on that one, to be fair.

Peter Hansen:

Yeah. I think we have a lot of people doing that. Do you have any short examples of what can actually go wrong?

Lee Newcombe:

I mentioned Magecart earlier on, which is a really interesting criminal group. What they tend to do is they infect the supply chain. When you think about an organization’s website, there will be lots of third-party components on that website, perhaps maybe a chatbot or something like that. If Magecart can infect that chatbot, introduce a little bit of extra JavaScript code, then what they can do is act as credit card skimmers.

What happens is the customer will go to the website, input their credit card details, and this sneaky bit of code that they’ve managed to infect the website with will pass those credit card details off to an infrastructure that these criminal guys control. That’s one way where criminals are able to get hold of credit card data. That’s Magecart, who are a very active criminal group.

Peter Hansen:

Yeah. We have another example from last year where a third-party vendor, or a third-party component vendor, went out in, I think, it was February and announced their component to be vulnerable and that you needed to update it. In May, there was a big distributor of a specific service that actually was breached and had to go out to all these customers and apologize for it.

Lee Newcombe:

Yeah. Supply chain attacks are going to be a growing area of concern. The bigger organizations are getting their act together now, in terms of how they develop their own applications. You just need to be very careful then about what third-party components you introduce. Another advantage of going towards that DevSecOps approach is that you can then start thinking about introducing third-party dependency checkers into your development pipeline to make sure that the third-party libraries you’re using don’t contain known vulnerabilities.

Peter Hansen:

Yeah. Threat intelligence, as such, is really important as well, because we tend to focus a lot on technical threats. One of the things included in threat intelligence reports, such as the one from Capgemini, is also when we look at campaigns such as phishing and your spear phishing, whale phishing, all types of phishing, so it’s not only a technical aspect, but also the user aspect.

Lee Newcombe:

Yes. Business email compromise is a big thing that we see. Whenever I go off and talk with senior execs, it’s when I start talking about those phishing emails that I always get those slight smiles and twinkles in the eyes, because they’ve all received those kind of emails. I think my favorite example of that at the moment is an organization I’m aware of where the CFO actually retrieved one of these emails from their spam folder before processing the funds to transfer. There is a degree of user awareness training that has to go alongside all the technical controls you can put in place to try and avert this phishing risk.

Peter Hansen:

Definitely. Lee, do you have any final remarks or insights, what we will see in the next 24, 36 months?

Lee Newcombe:

I think we will continue to see increasing cloud adoption. I think in the retail sector, you will still see the retailers avoiding Amazon, because they view them as competitors. I think there’s a fertile ground there for Microsoft and Google, in terms of retail usage of cloud services. I think the other thing that we haven’t spoken about, but needs calling out, is the danger of shadow IT. Organizations, including retail, need to understand what cloud services they’re already using. They are probably already sending their data off to a variety of Software-as-a-Service offerings that they’re not already aware of. From a GDPR perspective, that’s a bit of a ticking time bomb from my perspective.

Peter Hansen:

Yeah. That is actually one of my biggest discussion topics. No matter what customer I talk to, focusing on the information and the basis of information wherever it’s stored, it usually is the fact that when you start digging into it, the information and the information owners pretty much lost control in some aspects, where the information ends. That is something that neither legacy nor cloud adoption will help.

Lee Newcombe:

No. You need to know where your information is if you’re going to be able to control it.

Peter Hansen:

Definitely. I would like to thank Lee for joining me today.

Lee Newcombe:

Yeah, thank you Peter. If anybody wants to reach out, they can always get me on Twitter. That’s @lee_newcombe.

Peter Hansen:

Thank you. I would also like to thank you for listening in from wherever you are in the world and also, once again, point out that there will be more episodes coming with retail in mind, which you will find in Capgemini’s channel through your favorite podcast player. If you enjoyed this, please also share via social media. We look forward to you joining us for a future episode of the Capgemini Cybersecurity Podcast. Goodbye.

Learn more

For more insights and analysis, tune into our Cybersecurity podcast series.