INDUSTRY WATCH

Kevin Bocek, Chief Cyber Security Officer, Venafi

customers turning their backs on retailers they no longer trust. As such, retailers should be doing all they can to defend against cyberattacks to minimise the risk to their business.

Retailers need to do much more to bring their defences in line with customer expectations. Yet in theory, this should be reasonably straightforward. After all, customers' security expectations aren't particularly complicated; we as consumers simply expect that our personal details are secure.

This means deploying encryption to protect all data in transit – in particular sensitive information such as our address or card details. This is a core expectation under PCI DSS, and it's so important that for the last three years the PCI SSC has spent significant energy on making sure old TLS and SSL encryption protocols are not in use.

But hackers are increasingly hijacking encryption in order to hide their attacks. In 2016 more than 40% of attacks against retailers came through encrypted traffic. Gartner expects 70% of attacks in 2020 to come over encrypted traffic. Retailers cannot simply assume that because traffic has been encrypted, it is therefore secure.

Using the same encrypted tunnels that customers, mobile apps and APIs use, attackers can travel around largely undetected while appearing trusted. A retailer might have spent a fortune on expensive intrusion detection, anti-virus and firewalls, but without any ability to look at the encrypted traffic flying across the retailer's network, these defences are rendered useless.

Put simply, retailers cannot rest on their laurels: just using a valid encryption protocol and having the required security controls mandated by PCI is not enough. They all need to work together correctly. Encryption is most likely the hardest and most poorly understood part of cybersecurity.

If it's not used properly, or if the WAF, NGFW, IPS and DDoS security controls are not provided with the machine identities – specifically TLS keys and certificates – they need to decrypt and inspect all traffic, then retailers have wasted large amounts of their investment and it's no wonder attacks can still be successful.

Today, getting keys and certificates to all of these security controls is confusing, complicated and time-consuming. Huge breaches like the one at Equifax can still exploit simple vulnerabilities if they hide in encrypted traffic where security controls like WAFs and NGFWs can't do their job.

The answer for retailers is to automate the process of managing the machine identities – like TLS keys and certificates – that create and enable encryption. This goes beyond simply keeping a record of each machine identity: it calls for establishing controls over all keys and certificates and being able to feed them to all security controls to look for cybercriminals hiding in encrypted traffic. Without this, DDoS attacks, web application exploits and other network attacks will still be successful. Only once retailers have this capability can they truly protect their customers' payment information – and until then, they will not be meeting customer expectations.

www.intelligentcio.com
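The two controls the article keeps returning to, retiring SSL and early TLS and making sure every certificate in use is known to the inventory that feeds the inspection controls, can be checked mechanically. The script below is an added example, not code from Venafi or Intelligent CIO: it evaluates a constructed inventory of TLS endpoints against those two rules plus certificate expiry, and includes a live version probe built on Python's standard `ssl` module. The hostnames, fingerprints, dates and the 30-day expiry window are assumptions made for the illustration.

```python
"""Added example (not Venafi's or Intelligent CIO's code): check a TLS
endpoint inventory for SSL/early-TLS acceptance, unregistered certificates
and expiry. Hosts, fingerprints, dates and the expiry window are constructed."""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SSL and "early TLS" versions the PCI SSC has required to be retired.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED = {"TLSv1.2", "TLSv1.3"}


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    protocols: frozenset[str]  # versions the server accepted when probed
    cert_sha256: str           # hex SHA-256 of the leaf certificate
    not_after: datetime        # certificate expiry, UTC


@dataclass(frozen=True)
class Finding:
    endpoint: str
    issue: str


def evaluate(inventory, registered_sha256, now, expiry_window=timedelta(days=30)):
    """Return one Finding per policy violation, in inventory order."""
    findings = []
    for ep in inventory:
        where = f"{ep.host}:{ep.port}"
        bad = sorted(ep.protocols & DEPRECATED)
        if bad:
            findings.append(Finding(where, "accepts deprecated " + ", ".join(bad)))
        if not ep.protocols & ALLOWED:
            findings.append(Finding(where, "offers no TLS 1.2 or 1.3"))
        if ep.cert_sha256 not in registered_sha256:
            # A certificate the inventory does not know cannot be handed to the
            # WAF/NGFW/IPS, so traffic to this endpoint stays opaque to them.
            findings.append(Finding(where, "certificate not in machine-identity inventory"))
        if ep.not_after <= now:
            findings.append(Finding(where, "certificate expired"))
        elif ep.not_after - now <= expiry_window:
            findings.append(Finding(where, f"certificate expires within {expiry_window.days} days"))
    return findings


def probe_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version; return the versions the server accepted.

    Live network helper, not used by the offline sample below. OpenSSL builds with
    TLS 1.0/1.1 disabled fail the handshake on the client side, which shows up
    here as 'not accepted' even when the server would still allow it."""
    accepted = set()
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # surveying versions, not validating identity
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.add(tls.version())
        except (OSError, ValueError):   # ssl.SSLError is a subclass of OSError
            pass
    return accepted


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed inventory, as a probe run might have recorded it.
SAMPLE_INVENTORY = [
    Endpoint("shop.example", 443, frozenset({"TLSv1.2", "TLSv1.3"}),
             "aa" * 32, NOW + timedelta(days=365)),
    Endpoint("legacy-api.example", 443, frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"}),
             "bb" * 32, NOW + timedelta(days=20)),
    Endpoint("payments.example", 8443, frozenset({"TLSv1.2"}),
             "cc" * 32, NOW - timedelta(days=1)),
]
# Fingerprints the machine-identity inventory knows about (constructed).
REGISTERED = {"aa" * 32, "bb" * 32}


def sample_findings():
    return evaluate(SAMPLE_INVENTORY, REGISTERED, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.endpoint}: {f.issue}")
```

Running it lists the legacy API endpoint twice (deprecated versions accepted, certificate close to expiry) and the payments endpoint twice (certificate unknown to the inventory, certificate expired), while the shop endpoint is clean. The inventory deliberately records only certificate fingerprints, never private keys; the keys themselves belong in the key-management system that distributes them to the inspection controls, and this check only confirms that what is live on the network matches what that system knows about.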