Preventing Wireless Data Breaches in Retail

WHITE PAPER

Preventing Wireless Data Breaches in Retail

Preventing Wireless Data Breaches in Retail The introduction of wireless technologies in retail has created a new avenue for data breaches,

circumventing traditional security architectures. Several recently publicized data breaches in the

retail industry have exploited wireless vulnerabilities. Attackers have been able to access

sensitive information such as credit/debit cards that have resulted in brand damage,

financial/regulatory liabilities and disruption of business for retailers. The Payment Card Industry

(PCI) is now mandating stricter wireless security measures and the cost of non-compliance is

significant. Wireless Intrusion Prevention Systems (WIPS) thwart wireless attacks and provide

the most cost effective solution to meet PCI wireless security requirements. AirDefense is the

market leader in WIPS and its solutions are widely deployed in retail for wireless security, PCI

compliance and remote troubleshooting of wireless networks.

Retail Wireless Security Overview Retailers have used wireless technology to drive business efficiencies for over twenty years. Recently, sophisticated thieves have recognized that these wireless deployments offer the perfect entry point into the network allowing them to access and steal valuable customer information. Figure 1 illustrates a typical retail store network. The store network may include one or more of the following components – (i) Point of Sale terminals, (ii) Line of business server(s), (iii) Wireless Access Points (AP), (iv) Wireless devices (e.g., mobile terminals, barcode readers, printers, etc.), (v) wired switches, WAN circuits and firewalls. Security conscious retailers have started segmenting their wireless and wired networks using Virtual LAN (VLAN) technology and have also incorporated store firewalls or Access Control Lists (ACLs). Many retailers have WLANs deployed in stores for inventory management, mobile POS, wireless printing, etc. With the proliferation of low cost standards based WLAN, retailers have the following new security issues to consider:

Rogue Access Points - A rogue AP is an unauthorized wireless AP physically connected to the wired retail network. A rogue AP can be installed by an employee/contractor or a malicious attacker. It is important to realize that rogues can show up on any network segment and even in stores that have no WLAN deployed.

Figure 1: Typical retail store network and wireless vulnerabilities

Copyright © 2002-2007 AirDefense, Inc | www.airdefense.net 3

Rogue APs provide attackers with unrestricted access. They allow the attacker access to internal servers just as if they were connected to an internal Ethernet port.

Rogue APs can be installed on any network, including POS networks that have been intentionally segmented from wireless networks

Rogue APs can be installed in networks that specifically prohibit wireless devices

Identity Theft - A hacker can masquerade as an authorized wireless device and connect to an authorized AP. Once on the network, all the rogue AP scenarios previously discussed are applicable.

MAC address based ACLs are useless since wireless MAC addresses are broadcast and hackers can easily change the MAC address of their device to match that of an authorized device.

Wired Equivalent Privacy (WEP), the legacy WLAN encryption standard widely deployed in retail, can be cracked in a few minutes. Once hackers have the WEP key they have unrestricted access to the network allowing them to attack internal servers and applications.

Wi-Fi Protected Access (WPA) Pre-Shared Key is easy to implement and does not have the vulnerabilities of WEP; however, one common key is used between many devices. Hackers have been known to steal portable data terminals or use social engineering to obtain the pre-shared key. Once the key is stolen, the entire network is vulnerable until administrators change the key at every AP and every portable data terminal.

Non-Compliant APs - Wireless APs are frequently misconfigured. According to Gartner, a majority of all wireless security incidents will happen as a result of misconfigured devices. Misconfigurations happen for a variety of reasons including human error and bugs in AP management software.

A misconfigured AP in a store or distribution center can be detected and exploited by a hacker to gain access to the network similar to rogue APs.

WLAN APs and infrastructure contain well-known vulnerabilities that can result in information disclosure, privilege escalation, and unauthorized access through fixed authentication credentials.

Denial of Service (DoS) - Hackers can easily perform wireless DoS attacks preventing devices from operating properly and stopping critical business operations.

Wireless DoS attacks can cripple a distribution center or store despite the best security standards like WPA2.

Hackers can insert malicious multicast or broadcast frames via wireless APs that can wreak havoc on the internal network.

It is important to realize that these wireless vulnerabilities cannot be solved by traditional firewalls and VPN based security solutions.


Cost of a Data Breach In 2006, Ponemon Institute published a benchmark study that examined the costs incurred by 31 companies after experiencing a data breach1. Breaches included in the survey ranged from 2,500 records to 263,000 records from 15 different industry sectors and cover the costs resulting from 815,000 compromised customer records. The total cost of a data breach averaged $182 per compromised customer record. The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million.

Direct incremental costs averaged $54 per lost record. This includes free or discounted services offered; notification letters, phone calls, and emails; legal, audit and accounting fees; call center expenses; public and investor relations; and other costs.

Lost productivity costs averaged $30 per lost record. This includes lost employee or contractor time and productivity diverted from other tasks.

Customer opportunity costs averaged $98 per lost record, covering turnover of existing customers and increased difficulty in acquiring new customers. Customer turnover averaged 2 percent and ranged as high as 7 percent.

Several recent high profile data breaches have occurred as a direct result of wireless vulnerabilities. The most recent one at TJX was highly publicized and resulted in at least 45.7 million credit and debit card data being compromised. According to the Wall Street Journal2, the TJX breach occurred as a direct result of weak wireless security. Hackers in Minnesota, whose operations had “hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups”, “first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. ‘It was as easy as breaking into a house through a side window that was wide open,’ according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.” According to Forrester research, TJX's breach-related bill could surpass $1 billion over five years. This includes costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities.

Some other examples of retail data breaches involving wireless include DSW in 2005 (1.4 million cards compromised), BJ’s Wholesale Club in 2004 (40,000 cards compromised) and Lowe’s in 2004. It is important to point out that many data breaches are never reported as organizations try to minimize the negative publicity and business impact that would result from it.

1 2006 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventative Solutions, PGP Corporation, Vontu, Inc. and The Ponemon Institute

2 How Credit-Card Data Went Out Wireless Door - Biggest Known Theft Came from Retailer With Old, Weak Security, By Joseph Pereira, Wall Street Journal, May 4, 2007; Page A1


PCI Compliance PCI released an updated version of their Data Security Standard (DSS)3 that went into effect starting January 2007. The PCI Security Standards Council is an open global forum, founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

There has been an alarming increase in credit/debit card and identity theft in retail that has led to the creation and enforcement of stricter information security requirements. Wireless specific requirements have also become stricter and retailers often find wireless as the Achilles heel from a security and compliance perspective.

“Merchants that have implemented or are considering using wireless technology must develop and deploy a comprehensive strategy to secure their systems from intrusion. … It has come to Visa’s attention that some entities are not properly securing their wireless networks, which increasingly leads to the compromise of cardholder data, brand damage, and other concerns — both financial and regulatory.” Visa, August 2006

PCI DSS version 1.14 places special emphasis on WLAN security. It requires that card holder environments change wireless defaults (passwords, SSIDs, WEP keys, etc.), analyze and identify all wireless devices, restrict physical access to wireless devices, log wireless activity, define wireless usage policies, etc. as shown in the following table.

PCI DSS 1.1 Wireless Requirements Summary

Section Requirement

2.1.1 Change wireless defaults, disable SSID broadcasts

4.1.1 Never rely exclusive on WEP, upgrade to WPA or use other mechanisms to secure WEP

11.1 Use a wireless analyzer at least quarterly to identify all wireless devices in use

9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices

11.4 Use network intrusion detection systems

10.5.4 Copy logs for wireless networks onto a log server on the internal LAN

12.3 Usage policies for wireless

3 https://www.pcisecuritystandards.org/

4 https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf


AirDefense Solution for Retail The AirDefense Solution is based on patented technology5 that incorporates distributed smart IEEE 802.11a/b/g sensors reporting to a central server appliance. The remote sensors are deployed in stores, distributions centers and the retail headquarters. They monitor all WLAN activities 24x7 in their local airspace and communicate with the AirDefense server, which correlates and analyzes the data to provide scalable, centralized management for security and operational support of the WLAN. Administrators access the system via management console software installed on the computer. Figure 2 illustrates the top level architecture of AirDefense Enterprise - the industry leading WIPS. The AirDefense solution addresses three key areas for retailers:

1. Comprehensive Wireless Security – AirDefense Enterprise provides the industry leading solution for rogue wireless detection and containment, 24x7 wireless intrusion prevention and automatic wireless protection.

2. PCI Wireless Compliance – AirDefense Enterprise provides the most cost-effective mechanism to comply with PCI DSS wireless requirements.

3. Remote Wireless Troubleshooting – AirDefense Enterprise can significantly reduce the management cost of store and distribution center wireless networks by providing powerful tools for remote troubleshooting.

Comprehensive Wireless Security AirDefense Enterprise has the largest wireless threat library in the industry and provides the most accurate and scalable rogue mitigation capabilities.

Detection of All Rogue WLAN Devices and Activity - AirDefense recognizes all WLAN devices, which include APs, WLAN user stations, “soft APs” where stations function as APs and

5 US Patents 7086089, 7058796, 7042852

Figure 2: AirDefense Enterprise solution for retail wireless security, compliance and troubleshooting


specialty devices such as wireless bar code scanners and mobile terminals for shipping or inventory applications. AirDefense also identifies rogue behavior from ad-hoc or peer-to-peer networking between user stations and accidental associations from user stations connecting to neighboring networks. AirDefense Enterprise can accurate distinguish neighboring devices from rogue devices that are connected to the retail network. In a mall with several stores one is likely to see many neighboring wireless devices and it is crucial that a WIPS be able to accurately classify neighboring devices from actual rogue devices that are connected to the store network.

AirDefense Enterprise can be setup to automatically terminate a rogue device over the air. Alternatively, the device can be blocked on the wired side using switch port suppression. To find the location of the rogue device, AirDefense provides accurate map based location tracking using signal strength triangulation. The system intelligently sorts through multiple floor plans and enables the IT administrator to locate and track rogue devices in real-time.

Wireless Intrusion Prevention - AirDefense utilizes its 24x7, real-time monitoring of 802.11a/b/g networks for the most accurate intrusion detection of known and unknown attacks. With stateful monitoring of all WLAN activity based on attack signatures, protocol analysis, statistical anomaly and policy violations, AirDefense identifies network reconnaissance activity, suspicious WLAN activity and impending threats and attacks against the WLAN. AirDefense recognizes multiple forms of WLAN scans including scans from NetStumbler, Wellenreiter, Windows XP, etc. AirDefense correlates information from all remote sensors over time to identify suspicious activity such as a user station on the watch list entering the airspace, anomalous traffic from unusual off-hours activity, clear-text leakage, etc. AirDefense Enterprise also detects a range of WLAN attacks such as identity thefts used when an attacker impersonates a valid wireless device, out-of-sequence communication triggered by session hijacking or Man-in-the-Middle (MITM) attacks, multiple forms of Denial-of-Service (DoS) attacks, dictionary attacks from excessive failed attempts to authenticate to an AP from a single station, etc.

AirDefense reduces false positives by correlating wireless and wired side information in conjunction with rich historical context maintained in its forensic database instead of just looking at the present snapshot. AirDefense recognizes documented and undocumented (day-zero) attacks, because it does not rely solely on attack signatures.

Once an accurate assessment of an intrusion is made, AirDefense Enterprise provides wireless and wired termination capabilities to mitigate the threat in real-time.

PCI Wireless Compliance Complying with the PCI wireless requirements is tedious and expensive for most retailers.

Quarterly Wireless Scanning - PCI DSS Section 11.1 requires that retailers use a wireless analyzer at least every quarter to identify all wireless devices in use. Note that this is required regardless of WLAN deployment status, the intent being to neutralize rogue wireless devices that can show up even if WLANs have not been deployed. Scanning a few stores and assuming that the rest are similar is not sufficient. Reputed auditors will insist on scanning reports of all stores clearly classifying authorized, neighboring and rogue wireless devices at each location. Further, relying on wired-side scanning alone will not meet the requirement since wireless devices not


actively connected to the wired infrastructure or on isolated network segments may not show up on a wired-side scan.

AirDefense Enterprise sensors scan the store 24x7 above and beyond the quarterly PCI requirement. Every device is centrally logged in the server’s forensic database and PCI compliance reports can be scheduled and automatically generated by the system. The forensic data can be archived for months and provides the necessary system auditability should a breach occur or auditors want verifiable information.

Reporting and Forensics – AirDefense Enterprise allows organizations to trace any suspicious device by rewinding and reviewing minute-by-minute records of connectivity and communication with the network to improve network security posture, and to assist in forensic investigations and ensure policy compliance. Wireless activity is logged and data is stored in a tamper-proof way to ensure a full audit trail is maintained. AirDefense Enterprise updates and maintains around 300 different statistics for every wireless device, every minute, and is capable of storing this data for months. The forensic data is mined to produce detailed PCI compliance reports in different formats. The summary section of an example PCI report generated by AirDefense Enterprise is shown in Figure 3. These reports are generated automatically on a scheduled basis or could be manually generated. In addition, fully customizable reporting is available allowing retailers to generate custom reports based on their specific requirements.

WEP CloakingTM - The PCI standard also mandates that WEP should not be used by itself. If it must be used, other layers of protection should be added. Several retailers and other organizations that handle card holder data are struggling with PCI compliance with the new WEP requirements. Many of them have legacy WEP wireless networks in stores and distribution centers with data collection terminals, wireless Point of Sale (POS) terminals, Manager’s workstations, VoIP phones, wireless printers, and other WLAN devices that simply cannot be firmware upgraded to WPA. These devices often do not have sufficient processing capabilities to allow them to implement the enhanced computational requirements of WPA. Some devices such as VoIP phones have a longer battery life with legacy 802.11b WEP radios.

“The Payment Card Industry’s data security standard requires that WEP encrypted networks either be upgraded or supplemented with additional security. AirDefense’s WEP Cloaking solution offers a new, cost-effective avenue for compliance.” Bob McCullen, CEO, AmbironTrustWave

Figure 3: AirDefense sample PCI Compliance report


AirDefense’s WEP CloakingTM is the first and only patented6 technology to protect enterprises using WEP from common attempts used to crack the WEP key. Leveraging the AirDefense Enterprise platform, the WEP Cloaking module uses the same AirDefense Enterprise sensors to constantly protect APs, laptops and handheld devices, by intelligently injecting chaff WEP frames designed to confuse WEP attack tools. The AirDefense WEP Cloaking solution is a compensating control for PCI Section 4.1.1. It provides a solution for immediately securing retailers using WEP without forcing them to immediately upgrade all WLAN equipment to meet near term deadlines for PCI compliance. These upgrades are costly and time consuming and WEP Cloaking provides the flexibility retailers need to upgrade their overall WLAN infrastructure over time while being secure and compliant during the process.

Remote Wireless Troubleshooting AirDefense Enterprise, with its 24x7 centralized monitoring, provides valuable wireless network troubleshooting tools that can significantly reduce the cost of managing and fixing WLAN issues by not requiring on-site presence.

Remote Troubleshooting - With a real-time view of all WLAN traffic and detailed traffic analysis, AirDefense assists network managers to remotely troubleshoot problems, identify and respond to network misconfigurations and check for network availability. AirDefense can provide the administrator with a live streaming view of all devices, channels, bands and networks to identify, hardware failure, RF interference, network misconfigurations, usage and performance problems, etc.

Performance Monitoring - AirDefense analyzes traffic flow across the WLAN to monitor performance of the WLAN by identifying usage characteristics, interference from neighboring WLANs, channel overlap and performance degradation. AirDefense measures WLAN performance based on defined thresholds for total traffic on a single channel, aggregate stations connecting to a single AP, an individual station connecting to an AP and an AP’s total throughput to and from the wired network. AirDefense maintains an inventory of WLAN devices broadcasting in the airspace and alerts network administrators to unplugged, stolen, or failing APs if the device has not been seen from the air within a designated period of time.

6 US Patent No. 7,058,796, “Method and system for actively defending a wireless LAN against attacks”


LiveRF – A lot of wireless connectivity issues arise because of interference and noise in the wireless medium. AirDefense Enterprise features a LiveRF module that allows retail network administrators to remotely visualize real-time RF coverage from an application perspective and assess the impact of noise and interference on different applications that are using the WLAN as shown in Figure 4. Given the transient nature of RF interference, LiveRF is indispensable for remote troubleshooting of physical layer wireless problems in real-time.

Return on Investment in AirDefense AirDefense Enterprise provides the best wireless security solution available to retailers in the market today and in most instances pays for itself within 1-2 years of deployment. Quantifiable return on investment is realized from for following three areas:

1. PCI Quarterly Wireless Scanning: The cost of an on-site wireless scan can range from $270 to $900 per store per scan. Note that this is required regardless of WLAN deployment, the intent being to neutralize rogue wireless devices that can show up even if WLANs have not been deployed. Assuming a conservative $270 per store per scan, a mid-sized retailer with 500 stores will spend $540K each year just scanning all the stores. AirDefense Enterprise provides 24x7 wireless scanning and once sensors are deployed rogues are contained and compliance reports can be seamlessly generated without requiring on-site presence every quarter.

2. Remote Troubleshooting: The average cost of an on-site visit to resolve a wireless problem is around $1500. AirDefense Enterprise can remotely troubleshoot 60% of wireless issues. With a conservative estimate of one wireless issue per store per year a 500 store retailer can save $450K annually fixing wireless network problems remotely with AirDefense Enterprise.

3. Upgrading from WEP: AirDefense WEP Cloaking provides retailers using WEP an upgrade path to WPA and beyond that can be spread over time while simultaneously guaranteeing that the WEP network is secure and PCI compliant. A typical mid-sized retailer has an average of 7 wireless devices (mobile units, printers, kiosks, etc) per store. The cost of upgrading these devices from WEP to WPA is $3.4M for a 500 store chain. WEP Cloaking can amortize the capital expenditure over several years.

Figure 4: AirDefense LiveRF module allows application aware RF coverage analysis


Figure 5 shows the four year cost of PCI wireless scanning, wireless troubleshooting and WEP to WPA upgrade for a typical mid-sized retailer with 500 stores averaging 100,000 sf per store with an average of 7 wireless WEP devices. The cumulative cost without AirDefense at the end of four years in this scenario is $7.4M. With AirDefense Enterprise, the cumulative cost drops to $5.6M. The AirDefense system pays for itself in a year, saves $1.8M over four years, provides hassle-free PCI compliance, comprehensive wireless security over and above PCI requirements while maximizing the performance and ROI of the WLAN deployment itself.

Conclusions Retail wireless vulnerabilities have been recently exploited by organized crime seeking lucrative data such as credit card numbers and customer personal information. Recent high profile data breaches have highlighted the need for wireless monitoring and intrusion prevention. The cost of a data breach is substantial from immediate fines and business disruption to long term brand damage to legal liabilities. The Payment Card Industry has enforced new Data Security Standards with stricter wireless controls and audit procedures. Complying with the new wireless requirements is tedious and expensive. The AirDefense solution can lock down the retail airspace and provide the best wireless security available in the industry while facilitating cost-effective compliance from a wireless perspective. The same solution can be leveraged to substantially reduce the cost of troubleshooting remote wireless networks. AirDefense Enterprise has been deployed and tested by several Fortune 500 retailers worldwide.

Figure 5: Compliance, Troubleshooting and Upgrade Costs with and without AirDefense for a typical 500 store retail chain

Cumulative Cost

$-

$1,000,000

$2,000,000

$3,000,000

$4,000,000

$5,000,000

$6,000,000

$7,000,000

$8,000,000

Year 1 Year 2 Year 3 Year 4

Upgrading fromWEP

PCI QuarterlyScanning

WirelessTroubleshooting

TCO withoutAirDefense

TCO withAirDefense


About AirDefense

AirDefense, the market leader in anywhere, anytime wireless security and monitoring, is trusted by more Fortune 500 companies, healthcare organizations and high-security government agencies for enterprise wireless protection than any other wireless security provider. Ranked among Red Herring’s Top 100 Private Companies in North America, AirDefense products provide the most advanced solutions for rogue wireless detection, policy enforcement and intrusion prevention, both inside and outside an organization’s physical locations and wired networks. Common Criteria-certified, AirDefense enterprise-class products scale to support single offices as well as organizations with hundreds of locations around the globe.

AirDefense Enterprise, the flagship product, is a wireless intrusion prevention system that monitors the airwaves 24x7 and provides the most advanced solution for rogue detection and mitigation, intrusion detection, policy monitoring and compliance, automated protection, forensic and incident analysis and remote troubleshooting. As a key layer of security, AirDefense Enterprise complements wireless VPNs, encryption and authentication. Using a monitoring architecture of distributed smart sensors and a secure server appliance, the AirDefense Enterprise system provides the most comprehensive detection of all threats and intrusions. Unlike any other solution on the market, AirDefense Enterprise analyzes existing and day zero threats in real time against historical data to more accurately detect threats and anomalous behavior originating inside or outside the organization. The system automatically responds to threats according to appropriate business process and compliance requirements on both wireless and wired networks, making AirDefense Enterprise the industry’s most secure and cost-effective wireless intrusion prevention and troubleshooting solution.

AirDefense Personal, the industry’s first end-point security solution, provides uninterrupted protection for all mobile employees and their enterprise wireless assets, regardless of location – at work, home, airports or other wireless hotspots. Policy profiles are defined centrally on AirDefense Enterprise and automatically downloaded to each mobile user. If threats are discovered, AirDefense Personal notifies the user and sends the alerts to AirDefense Enterprise for central reporting and notification. This unique solution allows the network administrator to enforce corporate policies and provide complete protection for the mobile workforce, regardless of location.

The AirDefense InSite Suite is a collection of powerful tools available today for network architects to design, install, maintain and troubleshoot wireless networks. Tools included in the suite are: AirDefense Mobile, complementary to AirDefense Enterprise allows administrators to perform wireless assessments, security audits, locate and manage rogues. AirDefense Architect provides complete design and 3D RF simulation of WLANs based on building-specific environments. AirDefense Survey provides real-time, in-the-field measurements of Wi-Fi RF environments for site-specific surveys.

For more information or feedback on this white paper, please contact [email protected] or call us at 770.663.8115. All trademarks are the property of their respective owners.

http://www.theicor.org

Documents

Preventing Wireless Data Breaches in Retail