Security In Retail

by Richard Halter

The Wizard of POS - Honored Listee In Marquis Who's Who - Consultant

October 6, 2024

Everybody is vulnerable to a hacker. A comprehensive cybersecurity program needs to go significantly beyond the traditional application of general information technology security concepts to successfully protect an organization’s data and systems. To ensure that all aspects of an organization’s cybersecurity are protected from potential adversaries and incidents, a cybersecurity program that implements a “defense-in-depth” approach is necessary.

Security Domains

When people think about security they usually think about technology - usernames and passwords, for example. But there are actually three pieces to this puzzle.

· People Domain – the people part of the security domain is the weakest link. A general lack of security awareness leads people to pick weak passwords and share those passwords with others, making it easier for dedicated adversaries to identify and use them. People, unlike machines, are also susceptible to social engineering attacks and scams, which can give an adversary access to an organization’s networks and data.

· Technology Domain – The IT environment is constantly changing. Some organizations maintain out-of-date equipment and software, which lack the latest or most effective security protocols. Some organizations do not configure systems to interact properly, creating weak points for adversaries to exploit. Some technology is new, complex and untested, allowing potentially undiscovered vulnerabilities into an organization’s IT network.

· Process Domain – Operational processes need to be in place to continuously observe and manage how people implement and use technology. Lack of sound and repeatable processes can lead to security holes.

All three of them together comprise what is necessary for good security. This paper will focus on the technology area.

Security Stack Vulnerabilities

As you can see, security is complicated, and these are the places where hackers try to gain access and control. When data transfers through the ecosystem, there are three areas where it is vulnerable. Each of them is assaulted in different ways.

First there is “Data-in-Motion”, which refers to data being transmitted from one endpoint to another. When you look at “Data-in-Motion” there are several places where the data is potentially vulnerable, starting with the “Session”. That is the connection from one end to the other. It basically says “Who are you” and “Can you connect to me”. This is typically controlled by an “Access Control List”.

The next level of “Data-in-Motion” is the “Role Layer”. This is where usernames and passwords come into play. Every connection needs a good, secure login of its own, so that credentials are not replicated from one connection to the next. That way you make it more difficult for hackers to get in.

“Sessions” and “Roles” together comprise the “Authentication Layer”. That says you are who you say you are and you have the right to connect to me. In addition, it describes what depth of access you may have to the data.

The next level is the “Message Level”. This is to make sure the message I sent is actually the message you receive and it hasn’t been changed somewhere in the middle.

The innermost level is the “Data”. This can contain information like a Social Security Number or a Credit Card Number, and it must absolutely guarantee that it can’t be compromised.

Together the “Message” and “Data” comprise the “Integrity” layers. They help make sure the right information is communicated to the right people. Once data reaches an endpoint – e.g., for use in an application – it is often temporarily stored in a device – referred to as “data-in-memory.”

At the end the data is stored somewhere, where it is held for a longer term. There, it is stored in some type of media (server, CD, DVD, flash drive) within the organization or in the “Cloud.” This storage is “Data-at-Rest.”
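As an added illustration (not code from the article), here is how the Session, Role and Message layers described above can be checked in order on an inbound message, in Python using only the standard library. The ACL entries, connection name, credential and HMAC key are constructed sample values, and the Data layer's own encryption of the card number is not shown.

```python
import hashlib
import hmac
import json
import os

# Session layer: an Access Control List of sources allowed to connect (constructed sample).
SESSION_ACL = {"10.0.5.21", "10.0.5.22"}

# Role layer: every connection gets its own credential; only a salted PBKDF2 hash is stored.
def _hash_secret(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000)

_SALT = os.urandom(16)
ROLE_CREDENTIALS = {  # connection name -> (salt, hash); sample value constructed for this example
    "pos-lane-07": (_SALT, _hash_secret(b"lane07-secret", _SALT)),
}

# Message layer: a per-connection HMAC key so any change to the body in transit is detected.
MESSAGE_KEYS = {"pos-lane-07": b"constructed-demo-hmac-key"}

def sign_message(connection: str, body: dict) -> dict:
    """Sender side: serialise the body deterministically and attach an HMAC-SHA256 tag."""
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(MESSAGE_KEYS[connection], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def check_inbound(source_ip: str, connection: str, secret: bytes, envelope: dict) -> str:
    """Receiver side: walk the stack from the outside in.
    Returns 'ok' or the name of the first layer that rejects the message."""
    if source_ip not in SESSION_ACL:
        return "session: source not in ACL"
    stored = ROLE_CREDENTIALS.get(connection)
    if stored is None or not hmac.compare_digest(_hash_secret(secret, stored[0]), stored[1]):
        return "role: bad credential"
    expected = hmac.new(MESSAGE_KEYS[connection], envelope["payload"].encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(expected, envelope["tag"]):
        return "message: integrity check failed"
    return "ok"

if __name__ == "__main__":
    env = sign_message("pos-lane-07", {"amount": "19.99", "lane": 7})
    print(check_inbound("10.0.5.21", "pos-lane-07", b"lane07-secret", env))  # ok
    env["payload"] = env["payload"].replace("19.99", "1999.99")                # altered in transit
    print(check_inbound("10.0.5.21", "pos-lane-07", b"lane07-secret", env))  # message: integrity check failed
```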

Security Questions

Securing the data at each point along this path requires different methodologies to answer different needs:

· What are your background check procedures and results for personnel?

· What is the encryption key management policy?

· Who has access to data at rest?

· How do you detect if an application is being attacked (hacked), and how is that reported to me and my employees?

· What tools do you use to ensure that my data is removed from your cloud platform after my system is turned down and/or decommissioned?

· Do you support multi-tenancy and if so, how is privacy assured between tenants?

· Session Layer – “who are you and can you connect to me” – Access Control List

· Role Layer – Username and Password – every connection needs its own login

· Message Layer – Guarantees the Message hasn’t been changed

· Data Layer – The content was not compromised – credit card number

Hacker Attack Methods

What are some of the attack methods hackers use to try and get into your system? We’ll start with the most famous one, and that is the attack at Target.

IoT (Internet of Things) devices need to be included in your corporate strategy. The Target attack came through an air-conditioning unit. They got into the Target system and, once in, they distributed malware to the various Point of Sale systems. The malware then sent POS information to a computer external to the company, from which the hacker then got his information. What were the hackers looking for? In this case, they were looking for “Data in Memory”. This is where the authorization information is stored in clear text in memory to speed up the authorization process.

Let’s move around the circle. The next one is Skimming, which is related to authorization. In this case the hacker put a skimming device over the credit card reader in the forecourt area. They recorded your credit card information as you swiped it. This one is easy to detect because, before you insert your credit card, you can first try to remove the reader. If there is a skimmer installed, it will easily come off into your hand. I do this now before I insert my credit card into any reader.

Moving on around the loop, the next one is “Phishing”. This is where the hacker sends you an email saying something is wrong with your account and they need access to your information to verify you are who you say you are.

Continuing around the loop, the next one is called “Man in the Middle”. This one is where the hacker sits between your website and the application. They then record any sort of authorizations that go between the two.

The next one on our journey is probably one of the earliest hacking techniques, called “Brute Force”. Here they keep assaulting your website with various usernames and passwords until they find one that is successful. Today the success of this technique is limited because of the three-try rule, where your account is frozen after three unsuccessful attempts to enter. For those of us who are in Password Nightmare World, this solution is a real pain, but for our protection it is absolutely necessary.
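As an added example (not from the article), this Python sketch implements the three-try rule just described: a guard in front of the password check that counts failures per account, freezes the account after the third failure, and records the lockout as an event the security team can alert on. The account name, password and lockout duration are constructed assumptions.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # the "three try rule" from the text
LOCKOUT_SECONDS = 15 * 60   # assumed freeze duration; the article does not specify one

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LoginGuard:
    """Counts failed logins per account and freezes the account after MAX_ATTEMPTS failures."""

    def __init__(self, check_password, now=time.time):
        self._check = check_password    # callable(username, password) -> bool
        self._now = now                 # injectable clock so lockout expiry can be tested
        self._state: dict[str, AccountState] = {}
        self.alerts: list[str] = []     # lockout events for the security team to review

    def attempt(self, username: str, password: str) -> str:
        st = self._state.setdefault(username, AccountState())
        if st.locked_until > self._now():
            # While frozen the password is not even evaluated, so further guesses learn nothing.
            return "locked"
        if self._check(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = self._now() + LOCKOUT_SECONDS
            st.failures = 0
            self.alerts.append(f"lockout user={username} at={self._now():.0f}")
            return "locked"
        return "denied"

# Constructed sample credential check; a real system would verify a salted password hash.
def demo_check(username: str, password: str) -> bool:
    return username == "alice" and password == "correct-horse"

if __name__ == "__main__":
    guard = LoginGuard(demo_check)
    for guess in ["123456", "password", "qwerty", "correct-horse"]:
        print(guess, "->", guard.attempt("alice", guess))   # denied, denied, locked, locked
    print(guard.alerts)
```

Note that the correct password is refused while the account is frozen; the lockout is what stops the guessing, so the alert list is the signal to investigate rather than a reason to shorten the freeze.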

The next one is called “Phone Phreaking”. Here they call you up on your phone and tell you they are from your bank. They tell you there is a problem with your account, and they need to verify your information. It can change your life.

The next one isn’t an attack method as much as it is a way to interrupt your business operations, particularly your internet. It is called “Denial of Service”. What they do is get a lot of computers to try and access your site simultaneously. They get your site so busy responding to them that it can’t respond to legitimate requests. In today’s world this happens, not as a hack, but when a whole lot of people want to buy tickets to a very famous artist and the site freezes.

This is just a sample of how hackers try to get into your systems to gather information for nefarious reasons. There are a lot more. This is just to give you an idea of all the stack vulnerabilities previously discussed.

Conclusion – What can I do?

· Sessions
   – Clean Access Control Lists
   – Isolate IoT devices onto their own network loop

· Roles – Choose Good Username & Password

· Message – Choose Good Encryption such as Blockchain

· Data
   – Choose Good Encryption
   – Isolate credit card system from the rest of the network

· Data in Memory – Encrypt Data

· Data at Rest – Separate Long-Term information from Short-Term information

To see more details check out this YouTube Video - Security in Retail (youtube.com)

- Check out my book "ARTS for Retail Using Technology to turn your consumers into customers and make a profit” (3 book series) Kindle Edition https://lnkd.in/g4SqtRB8. You get a MILLION dollars worth of knowledge from over 1500 subject matter experts for less than $25.

- I’ve created a whole set of YouTube videos https://www.youtube.com/user/richardthegeek/videos to show how to use this information.

- I’ve also created a School of Retail with courses:

· on the "Modern Retail Architecture". It is a 10 lesson self-paced course.

· on "Unified Commerce" https://schoolofretail.thinkific.com/courses/unified-commerce.

· on "Modern POS World". It is a 14 lesson self-paced course.

· My next one is under construction, called "Standard Agile Retail Data Model - Who did what".

Reach out to me to learn how to get access to these courses. “May the force be with you!”

Jeffrey P. McNulty

TOP 100 Global Thought Leader | Founder | CEO | Retail Engagement Expert | Wellness Advocate | Online Course Creator "The Ultimate Retail Courses" | Best Selling Author of "The Ultimate Retail Manual" IN 27 COUNTRIES

1 month

Richard Halter, as usual, extremely well-articulated article, my friend. I thoroughly resonated with the "Data in Motion" segment. Awesome job!
