RH-ISAC BLOG

Biggest Holiday Risk Factors

Author: Muktar Kelati, Director of Intelligence Operations, RH-ISAC

This blog is part of the RH-ISAC holiday guidance blog series. For more blogs in this series, visit https://rhisac.org/blog/.

As we enter the holiday season, malicious actors ramp up their attacks, seeking to take advantage of the increase in traffic to both digital and brick-and-mortar retailers and hospitality organizations. Attackers tend to be opportunistic: targeted, specific attacks are far less common. As water seeks its own level, cyberattackers are seeking the path of least resistance to information they can monetize.

As a result, there is some evidence that certain industry types with reputations for less-than-robust security measures can, at times see a slightly higher-than-average number of attacks. Restaurants, franchises, small online retailers, medical facilities, educational institutions, local government (cities, counties, states) and other such entities may see a bit more than most, but any organization with lax security is at risk.

No matter the industry in which you operate, there are common risk factors to the security of your digital assets. Giving some attention to these common issues could help you stay cheery as the holidays go on.

  1. Poor employee security hygiene
    While the thought of using the same password for all of our accounts is anathema to those of us who’ve spent years in the digital economy, nevertheless, there are large swaths of the general public who still use the exact same password for every account they hold — including their work accounts, if there isn’t a policy in place that prevents it. Poor password discipline — including low password requirements, infrequent requirements to change passwords, employees sharing passwords or terminals, etc. is just one area that employee negligence or lack of awareness can open your organization up to attack.

    Data may not be backed up regularly enough, or employees may leave sensitive data available in the form of tablets or other connected devices not properly secured. They may discuss sensitive information in earshot of customers or clients. These actions are often not taken out of malice: but simply because the employees don’t realize the danger. Take the time to train your workforce on good security hygiene and put policies in place to keep them up-to-date.
  2. Poor patch and vulnerability management
    Every year, the number of major cybersecurity breaches that could have been prevented through the application of a single readily available patch or update is staggering. WannaCry and NotPetya, two malware names that can still make cybersecurity professionals wince, were as destructive as they were largely because of lax patching: both attacked a vulnerability that Microsoft had patched months earlier.

    Patch management is a key part of asset protection. Take the time, no matter how big or small your business is, to create an inventory of your e-assets. For each piece of hardware, track the software and version number running on it. Update as soon as new versions are released. If your company is too large and there are too many devices for your existing staff to realistically do this, consider external support for your vulnerability and patch management. The price of not doing so can be far, far higher.
  3. Misconfigured or poorly-secured online resources
    As more and more of our business activities migrate to cloud environments, a lack of experience with, and understanding of cloud security has been creeping up our list of “biggest things to worry about.” Accidentally misconfiguring a webserver or unintentionally exposing an AWS S3 bucket to the public can leave critical data wide open, in such an obvious manner than your cybersecurity team may not even think to check. For any external-facing resource, make sure you or your security team takes the time to review all policies and procedures and settings, and make your secure assets are truly secure.
  4. Point-of-sale (POS) vulnerabilities
    Good news is that most POS vulnerabilities remain preventable — you just need to ensure you’re following best practices in order to do so. The majority of POS attacks can be easily prevented by common security controls and a combination of best practices and effective security tools.

    Review the POS communications, connections, and settings on a regular basis, and make sure you’re patching your POS system every time a new update is released. Ensure that the only applications and systems connected to the POS are those that need access. Ensure that smartcards or chip readers are activated and set up correctly. Make sure the POS system has a strong password policy.

    If you’re looking at upgrading or replacing your POS system, look at those that include end-to-end encryption (E3), as well as data loss prevention (DLP). E3 can be a costlier option, but it adds a layer of protection to payment card data. Additionally, DLP can help prevent data exfiltration (i.e. malware sending your customer’s credit card numbers back to the hackers).

RH-ISAC will be sharing tips throughout the holiday season in a holiday guidance blog series. Below are holiday guidance blogs already posted. Visit the RH-ISAC blog for more industry relevant blogs.

  1. RH-ISAC Holiday Tips Featured on Dark Reading
  2. Top 5 Holiday Shopping Season Threats for Retail and Hospitality
  3. 8 Tips for the Holiday Season
  4. Positive Trends in Retail and Hospitality Cybersecurity