Working with the Enemy: Malicious Insiders

No organization wants to think that one of its own trusted employees is out to get the firm. However, a study by Intel found that 43% of data losses are the result of “internal actors” – and about half of these incidents were due to the intentional acts of malicious insiders, not accidents or carelessness. Meanwhile, the rise of the Darknet, a shadowy corner of the internet that can only be accessed using special software that hides users’ locations and identities, has made it easier than ever for disgruntled or desperate people to sell their employers’ information, including system login credentials, to criminals.

Security researcher Brian Krebs reports that some organizations are paying security firms or partnering with law enforcement to monitor Darknet forums for malicious actors attempting to sell company secrets. The problem with this approach is, by the time an employee has put together a package of company information and offered it up for sale on the Darknet, the damage has already been done – and the Darknet ad may not represent the first time the employee has sold information. Many malicious insiders operate for years before being detected. When protecting against malicious insiders, the best defense is a good offense; companies must identify malicious actors and stop them before they attempt to sell data to hackers.

How can organizations monitor insider activity and detect malicious insiders without impeding daily operations or making employees feel they are under lock and key? Lazarus Alliance recommends the following proactive steps:

Develop a comprehensive cyber security policy, including acceptable use.

The first step is to make sure that all of your employees know exactly what is expected of them regarding acceptable use of company hardware, software, and network access. For example, employees may be prohibited from accessing social media networks from company computers or from removing company tablets or laptops from the premises. The policy should include a description of the disciplinary consequences of violations. While an acceptable use policy won’t deter malicious insiders, by establishing specific rules, companies can more easily detect deviations and take corrective measures.

Give employees the minimum level of system access they need to do their jobs.

Employees should have access to the company systems they need to perform their job duties – and no more. For example, a billing clerk has no need to access employee tax and salary data, and employees in the marketing department should not be able to create new user accounts and set network privileges. Restricting system access puts an obstacle in the path of malicious insiders.

Continuously monitor your network for unusual user behavior.

Your organization’s systems should be monitored 24/7 to detect unusual user behavior, such as a user logging in from a different location or at a highly unusual time (such as the middle of the night), or accessing parts of the system they wouldn’t normally need to. Not only will network monitoring allow you to detect the work of malicious insiders; it will also allow you to detect credentials that were stolen via phishing schemes.

Malicious insider threat monitoring is a continuous process, and information security threats are always evolving, which is why it’s a good idea to enlist a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting our clients from insider threats and other security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help you protect your organization against insider threats.

Wendy’s Data Breach: Forget the beef, where’s the cyber security?

The scope of the recent Wendy’s data breach, which has already resulted in a class-action lawsuit against the fast-food giant, is about to get much bigger. Krebs on Security reports having received information from “a number of sources in the fraud and banking community” alleging that “that there was no way the Wendy’s breach only affected five percent of stores [as Wendy’s originally reported] — given the volume of fraud that the banks have traced back to Wendy’s customers.” Even worse, these same sources allege that “the breach was still ongoing well after Wendy’s made the five percent claim in May.”

Backed into a corner, Wendy’s finally released a statement to Krebs on Security admitting that the number of locations affected was expected to be “considerably higher” than the approximately 300 originally reported. However, Wendy’s declined to estimate how many locations were involved, citing an ongoing investigation. Interestingly, the company emphasized that the breaches affected only independently owned franchise restaurants, not company-owned locations, and claimed that the breach was the fault of third-party service providers hired by franchisees to service and maintain their POS systems.

If that sounds like Wendy’s is passing the buck, it’s because they are. Rather than taking responsibility for the cyber security shenanigans going on under the Wendy’s banner, Wendy’s is choosing to place the blame on its franchisees and their third-party vendors: “They’re independently owned and operated, so we have no control over what they do!” It remains to be seen whether the courts will side with Wendy’s on this legal hairsplitting, but it’s unlikely that consumers will see things Wendy’s way. To a consumer, a Wendy’s location is a Wendy’s location, regardless of whether the corporation owns it or has franchised it out, and if consumers do not trust that their payment card data is safe at Wendy’s, they’ll stop patronizing their restaurants.

How Could the Wendy’s Data Breach Have Been Prevented?

Wendy’s claims that its POS systems were compromised using credentials stolen from POS service providers; these credentials allowed hackers to remotely access the POS systems. As discussed in a previous blog, there are numerous measures that restaurants and retailers can take to secure their POS systems, including monitoring the system for suspicious activity, such as someone logging in from an unusual location or accessing parts of the system they would have no legitimate reason to. The Wendy’s data breach could have been prevented had the company taken its cyber security seriously and implemented proactive security measures, but the company chose not to. Instead, it chose to pass the buck on its POS security, and then attempt to deflect responsibility onto its franchisees instead of getting out in front of the problem.

This begs the question, is the Wendy’s data breach a harbinger of things to come as the fast-food industry transitions from human clerks to automated ordering kiosks and touch screens? Consumers and the government are not yet asking this question, but if incidents like the Wendy’s data breach multiply, it’s certain they will be.

The core competency of a restaurant is food preparation, not information security, which is why restaurants should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting retail and restaurant POS systems from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats, as well as help them get and remain PCI DSS compliant.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.

POS Data Security?

The next time you buy a burger at McDonald’s or Wendy’s, a computer may be the one asking, “Would you like fries with that?” After decades of depending on human workers to take orders – and payments – American fast food chains are finally moving into the computer age, driven by rising minimum wages, a tightening labor market, a push for efficiency, and a growing number of internet-savvy consumers who prefer to interact with computers than human clerks.

Discussion of this “Rise of the Machines” in the media has largely centered around the minimum wage and the displacement of low-skilled labor. Missing from the conversation has been any mention of point-of-sale (or POS) system security in these automated ordering systems – even though Wendy’s, which recently announced it will be rolling out ordering kiosks en masse, suffered a POS data security breach earlier this year. The breach compromised approximately 300 locations, went on for several months, and has resulted in a class-action lawsuit accusing the fast-food chain of inadequate data security procedures.

Automated ordering systems are not new. Regional convenience stores Wawa (headquartered near Philadelphia) and Sheetz (a Pittsburgh-area chain), both of which have extensive custom deli and hot foods menus, installed ordering touch screens over a decade ago. However, these systems, unlike the ones Wendy’s and other fast-food restaurants intend to install, only take food orders and do not process customer payments; customers get printed order slips to take to a cashier for payment. And, of course, gas stations, supermarkets, and some retailers have had self-checkout lanes for years.

The surprising thing is that large fast-food chains have taken so long to automate customer ordering and payments – and this is where the concern over POS data security lies.

In some ways, automation in the fast-food industry is similar to automation in the healthcare industry. As mentioned in previous blogs, among the reasons why the healthcare industry is so prone to cyber attacks is that it clung to paper records for years, and when it finally did automate, it did so practically overnight, without any employee training. Similarly, the majority of fast-food companies continued to use human workers long past the time they needed to. The push to automate fast-food ordering is fairly new but very strong; at least one major chain has expressed that it is in a hurry to implement automation in the wake of minimum wage increases on city and state levels.

Since the fast-food industry is known for razor-thin profit margins and aggressive cost-cutting, and making burgers – not POS data security – is its core competency, whether fast-food chains will take cyber security seriously or repeat the mistakes of the healthcare industry remains to be seen.

However, as the ransomware attacks and data breaches that have plagued the healthcare industry have proven, no industry can afford to take a laissez faire attitude toward cyber security, especially when installing completely new systems. The fast-food industry needs to be proactive as it makes the leap from human clerks to self-serve kiosks. Among the measures restaurants can take are:

1. Do a review of your security policies and procedures to ensure PCI DSS compliance. Compliance with the PCI DSS is mandatory for any company that accepts payment cards, and procedures should always be reviewed when a new system is installed to ensure PCI DSS compliance is maintained. Here is a helpful primer on PCI DSS compliance basics.
2. Be sure to purchase your new system from a reputable dealer. Since fast-food ordering kiosks are an industry that is about to explode, inevitably, shady dealers will pop up offering what appear to be fantastic deals on new systems – that turn out to have multiple security vulnerabilities. Make sure you’re buying your equipment from a known, reputable company.
3. Make sure your new POS system can handle EMV technology, or “chip-enabled” cards. One of the ways hackers attack POS systems is by installing card skimmers that steal data off of the magnetic stripe old-style payment cards use. Chip-enabled cards eliminate this problem. However, not all payment cards are chip-enabled at this time, so it’s important not to leave self-serve kiosks completely unattended. Have at least some on-site staff available who are trained to spot card skimmers.
4. If you offer free WiFi to your customers, do not set your POS terminals to access it. Otherwise, a hacker can come into your store and use the WiFi to get into your system.
5. Monitor your POS terminals for suspicious activity. Are your terminals being accessed by or communicating with unknown external sources? Just like any other network, POS systems should be monitored for suspicious activity; had Wendy’s monitored its systems, the breach the company suffered may not have gone on for so long undetected.
6. Have a comprehensive cyber security plan in place, to include training on POS data security for any employees who access the restaurant’s computers. Protecting your customers’ payment card data is as important as adhering to food safety and sanitary practices.

POS Data Security Doesn’t Have to Be a Stomachache!

Because the fast-food industry has depended on manual ordering processes for so long, the transition to automation may seem confusing or even overwhelming for restaurant owners. That’s why it’s a good idea for restaurants to enlist the services of a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your POS system from security breaches.

We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats, as well as help them get and remain PCI DSS compliant. Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your restaurant protect its POS data and ensure compliance with PCI DSS.