Last year, retailers reported the second highest percentage (77%) of ransomware attacks, just behind media and entertainment in Sophos's The State of Ransomware 2022 report. Retail is especially vulnerable because it has large staff numbers and high turnover rates, making security an ongoing struggle for network administrators. The same report pegged the average cost of ransomware remediation at $1.4 million.
When it comes to protecting retail networks, some basic prevention can go a long way toward avoiding major damage.
1. Train staff to spot the signs
Email is the main vector for malware to infect a network. Most malware requires a user to click an email attachment or open an encrypted zip file with a password provided in the message. Staff should know how to spot suspicious emails, avoid any interaction and report the incident. That training needs to happen early and often to make a difference.
2. Shield the network
Remember that it's the operating system's job to run the executables given to it. Any email filtering and antivirus or endpoint protection software must recognize common malware. Then it must either block it from getting onto the computer or prevent it from running. If the phishing email wasn't identified as dangerous, or the malware was sent from a normally trustworthy source, antivirus software is another line of defense.
3. Control scripting and executables
Retail staff should have well-defined job functions. IT teams should understand these functions, provide limited network access and track activity. Administrators should know when staff attempt to install or run new software or scripts that don’t align with their role.
4. Harness DNS and network filtering rules
Malware will usually try to make a network connection to establish a command-and-control channel to its operator so that it can be remotely steered through the network. Use filtering rules — referencing up-to-date threat intelligence lists — that apply at both the DNS lookup and IP connection levels. Ask DNS and firewall vendors whether they offer threat intelligence feeds or can help integrate a feed that's licensed separately. This may prevent malware from activating or block ransomware from exchanging the keys that it would use to encrypt data.
5. Assign the least privilege possible
If malware bypasses security and gains a foothold in a user’s system, it will run with all the rights of that user. Security leaders limit the damage by ensuring that each account has the least privilege possible, meaning enough for the user to do their job but no more. The specific recommendations will vary depending on the corporate environment.
- Does the user need administrative access to their local workstation? For example, most users do not need access to an entire file server, only specific directories.
- Can the user access resources with a password that is cached on their workstation?
- Do other systems require two-factor authentication, so that a compromised workstation cannot use stored passwords alone to gain access to other resources?
6. Enhance internal security controls
It's important to know which internal security controls can detect malware that is attempting to access resources on other systems or to spread itself to other systems.
- Is there network-based intrusion detection?
- What about endpoint protection that recognizes unusual patterns of communication?
- Is there traffic monitoring — and deep packet inspection on the gateway to the internet — to detect command-and-control channels?
The importance of internal controls for retail networks
Every layer of the defense-in-depth approach described above consists of one or more internal controls. If security leaders don't have control of their environment, then it's only a matter of time until bad actors take control for themselves.
Furthermore, for retail networks that run in a public space (or for any office that allows non-employee visitors), there are two key internal control issues that must be considered:
- Users connecting a work device (e.g., laptop, phone) to an untrusted network
- Foreign equipment connecting to a network.
In the first case, the six layers of defense discussed earlier still apply. The work device may not be able to trust the answers it gets to DNS queries on untrusted networks. The contents of downloaded files could also be manipulated. As a result, the onus for protection falls on antivirus and endpoint protection software. It’s also best to only connect to services with assurance and protection from protocols like HTTPS. Furthermore, some internal security controls may be necessary to limit access to corporate resources on untrusted networks.
For the second case, when setting up a network, always treat foreign devices as potential threats. They should be isolated on a guest Wi-Fi network or separate VLAN/subnet. If the foreign device is unintentionally infected with malware or is intentionally trying to subvert a network, controls like 802.1X Network Access Control (NAC) can prevent it from accessing the network even if physically plugged into a network port reserved for corporate devices. NAC requires successful authentication before a device can even request an address from a DHCP server.
Public access to workspaces also makes it especially important for retailers to maintain up-to-date network diagrams and a thorough inventory of hardware or software allowed on their network. Lists of subnets and associated connections will help further highlight potential gaps in security architecture and protect a network from the growing threat of ransomware.
Ransomware actors are opportunists. To maximize their chances to profit from ransoms, they want to affect as many organizations as possible. In the retail sector, stores may operate with limited on-site expertise while the security team works at headquarters. In many offices, all visitors are escorted while on the premises, but that’s impossible for a store open to the public. Protecting retail networks requires increased vigilance from IT and network teams. Applying a defense-in-depth strategy is a great place to start.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.