Know Your Normal — Tripwire Helps Protect Retail Data by Monitoring and Detecting the Changes that Signal an Attack
Posted: 1.4.18 Cyber Security

By: Jon McDonald

The Crunch: Today, retailers are in the midst of a dramatic digital transformation. As those businesses update their technology investments to compete in today’s marketplace, they need to find a security solution that protects both customers and confidential business information. Tripwire provides that protection with a focus on detecting suspicious activity, isolating the networks that carry customer credit card information, and locking down network traffic. With two decades of experience and expertise, Tripwire also provides valuable tips shoppers can follow to protect their card information. Instead of targeting malware that constantly changes, Tripwire gets inside the minds of hackers to defend against their evolving tactics.

As the principal security researcher at global security and compliance solution provider Tripwire, Travis Smith is an expert on how to protect against cyberthreats. He says retailers need to approach network security like a puzzle, building the border first and then filling in the interior pieces.

To start, Travis recommends building borders. These boundaries would enable three key functions: detecting suspicious activity on a network or vulnerable internet-connected point-of-sale devices; isolating POS machines on their own network; and locking down their traffic, so devices only communicate with the IP addresses and websites needed to process transactions.

He then recommends using a solution like Tripwire Enterprise to monitor for any changes being made to the devices or software on the network. Tripwire Enterprise gives visibility into the devices and software on the retailer’s network and helps organizations reduce their attack surface by making sure those assets are configured securely and properly. Users will also be alerted to any “bad” changes that could be indicative of an attack and/or put their systems in a risky state.

Those effective, user-friendly features make Tripwire Enterprise the flagship product of a company that has been a trusted name in data security for 20 years. Tripwire Founder Gene Kim developed the software while he was a student at Purdue University to detect both malicious and accidental changes in files, and help with recovery. In 1997, Gene launched Tripwire to bring his innovation to market.

Tripwire’s products have evolved over the last two decades, moving beyond file integrity monitoring to add comprehensive monitoring across a company’s network — including registry keys. But the focus on detection has remained unchanged and sets Tripwire apart in the cybersecurity industry.

“Detecting change is what we have been doing for a long time. That’s what our enterprise product does,” Travis said. “It fits well into a market such as retail because, if you look at kiosks, point-of-sale machines, and the networks that they run on, they are typically static environments. In those environments, one thing we preach to our retail customers is monitoring for change. Any change that is detected should be flagged as suspicious on these networks.”

Retailers rely on internet-connected devices to conduct business, but hackers target those devices to steal credit card numbers and other sensitive financial data. News accounts of major retail breaches are frequent occurrences. The financial consequences of a hack can drive a smaller retailer out of business.

Tripwire Enterprise is an established solution that can be a valuable part of a retailer’s security puzzle. More than 9,000 customers trust Tripwire, including government agencies around the globe and half of the Fortune 500.

Detection, Isolation, and Lockdown: Three Vital Pieces of Security

Retailers are an attractive target for cybercriminals looking to steal payment card and customer data because they often have vulnerabilities. In recent years, highly publicized hacks have exposed major flaws in security processes. One of the largest and most publicized retail data breaches occurred during the 2013 holiday shopping season. Hackers used credentials stolen from a third-party vendor to infect big-box giant Target’s POS system with malware and stole information for 40 million credit and debit cards.

Travis points to that hack’s success as an example of missed warning signs that proper detection could have prevented.

“They were attacked, and malware was installed on their point of sale machines in the days and hours before Black Friday,” he said. “For retailers, the period from early November to the end of the year is a complete freeze on all of their assets. They shouldn’t be installing any Windows updates. So changes to drivers and executable files are a huge red flag — especially that time of year.”

Travis points out that POS devices typically run embedded operating systems, like stripped-down versions of Windows or Linux, so they should be static environments and any change should be considered potentially suspicious. Tripwire gives retailers an easy-to-use platform to monitor systems in real time and detect any changes such as a new file or service.
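The baseline-and-compare model described above, as an added example (not Tripwire’s code): hash a POS file tree once, report every added, removed or modified file on a later scan, and raise the severity for driver and executable changes or for any change during the November-to-December freeze. The file names, sample contents and severity rule are assumptions for illustration.

```python
import hashlib
import os

def snapshot_dir(root):
    # Baseline of a real directory tree: {relative path: sha256 of contents}.
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap

def snapshot_bytes(files):
    # Same shape as snapshot_dir, built from an in-memory {path: bytes} map.
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_snapshots(baseline, current):
    # Static POS environment: every difference from the baseline is reported.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

EXEC_SUFFIXES = (".exe", ".dll", ".sys")  # assumed "driver or executable" rule

def triage(changes, month):
    # Executable/driver changes, or any change in the Nov-Dec freeze, are "high".
    freeze = month in (11, 12)
    findings = []
    for kind in ("added", "modified", "removed"):
        for path in changes[kind]:
            high = freeze or path.lower().endswith(EXEC_SUFFIXES)
            findings.append((path, kind, "high" if high else "medium"))
    return findings

# Constructed sample: a POS image baseline and a later scan of the same tree.
BASELINE_FILES = {
    "pos/pos.exe": b"MZ pos app v1",
    "drivers/cardreader.sys": b"driver v1",
    "config/terminal.ini": b"merchant_id=0000\n",
}
LATER_FILES = dict(BASELINE_FILES)
LATER_FILES["drivers/cardreader.sys"] = b"driver v1, altered"  # driver replaced
LATER_FILES["pos/unknown.dll"] = b"library not in the image"    # new file
del LATER_FILES["config/terminal.ini"]                           # file removed

def run_sample(month=11):
    changes = diff_snapshots(snapshot_bytes(BASELINE_FILES), snapshot_bytes(LATER_FILES))
    return triage(changes, month)
```

Call `snapshot_dir()` twice on a real terminal image and feed the two results to `diff_snapshots()` to get the same report for files on disk.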

“We try to provide a single solution so you don’t have to log into each device or point-of-sale machine to see what’s going on,” Travis said. “We focus your attention on what you need to focus on, whether that’s a whole network of devices, an individual device, or a policy breach. We try to direct the IT administrator’s or auditor’s attention where it needs to be. With just a few clicks, they can apply all their rules and policies to their whole suite of endpoints.”

The second step to protection is isolation to prevent bad actors from gaining access to POS machines.

“You want to get point-of-sale machines and the retail network segregated from the rest of the business as much as possible,” Travis said. “You don’t want your POS connected to the same Wi-Fi that your customers are connecting to for general internet access. That’s a huge no-no.”

Another important move is locking down traffic so POS devices only communicate with the handful of IP addresses and websites needed to process transactions.

“There’s no reason a point-of-sale machine should be talking to an IP address in Russia or China,” Travis pointed out. “That would be definitely something you want to lock down.”

With those three measures in place, Travis said retailers also have to whitelist their applications so only a limited range of apps run on POS devices. And malware should never be among the tasks those machines are running, he added.

Unearthing Trends for Retailers and Consumers to Watch

Tripwire is an authority on tracking cybersecurity trends retailers and consumers need to watch, with a two-decade track record and thousands of clients across the globe. Travis said businesses today need to protect against a trend of fileless malware that has emerged in the last 18 to 36 months. This malware uses a device’s memory to access customer card information. Detection is key in that case, Travis said, because even fileless malware creates some type of change.

Travis Smith, Principal Security Researcher at Tripwire, stressed the importance of protecting against emerging threats, like fileless malware.

Vigilance is important, especially because a survey found that nearly three quarters of retailers don’t even have a breach response plan. So, unless those organizations are highly proactive, they could suffer a major setback — or even go out of business — at the hands of a hack.

For shoppers, Tripwire recommends several steps to shield their sensitive information from hackers. Pay with cash when possible, because then no credit card information is transmitted through an internet-connected device that cyber criminals could target. For consumers paying with a card, use Chip and PIN options instead of only swiping the magnetic stripe, because data read from the stripe is handled in the terminal’s memory in clear text.

When shopping online, only make credit or debit card purchases through encrypted sites, which are typically identified by an HTTPS in the address and a green lock near the address bar of the browser. And only enter credit card numbers into known and trusted sites. When possible, use a payment service such as PayPal or Venmo instead of your card number.

Tripwire: Getting to Know Hackers’ Tactics and Techniques

If retail network security is a puzzle, Tripwire helps put the pieces in place to get an understanding of what the full picture is. Too often, cybersecurity companies gather massive amounts of data but do not effectively block out the noise to focus on what is important, Travis said.

“They’re analyzing what a specific piece of malware looks like, but there are hundreds of thousands of pieces of malware released and updated every day,” Travis said. “We don’t necessarily care what the malware looks like, but we know their tactics, what they’re going to be doing, how they’re going to try to get that malware on a machine.”

Retailers are among Tripwire’s more than 9,000 customers, and they choose Tripwire for a variety of reasons — PCI compliance, a specific security threat, incident response. Tripwire is a solution that can meet all of those needs.

“Our product is flexible enough that it reaches into all of those areas,” Travis said.