UPS data breach: Another one bites the dust

What can brown do for you? If you’re one of the unlucky customers, the answer might be that brown can compromise your credit card information. UPS revealed that it is the latest high-profile company to fall victim to a data breach resulting from a point-of-sale system compromise.

The data breach was announced August 20, but the initial compromise was traced back to January 20. The attack affected 51 of the 4,000-plus retail stores UPS operates, and was identified and remediated on August 11. If you happened to be a customer at one of those 51 stores during the period the compromise was active, though, there is a good chance your credit card information was captured.

“As UPS basically admits that the attackers were in their systems, undetected for 4-8 months, it shows the necessity for enterprises to start using security tools that are able to detect attacks not just in real time (e.g. IPS, NextGen Firewalls, etc.), but—more importantly—over time (e.g. by analyzing historical and ongoing traffic logs),” explains Aviv Raff, CTO and Chief Researcher for Seculert.

Organizations in general should give up on the fantasy that it’s possible to avoid compromise indefinitely, and adopt the mindset that if they’re not currently compromised, they soon will be. It is a matter of “when”, not “if”.

“The malware itself is sophisticated, but the method of intrusion is not,” stressed Ken Westin, a security analyst with Tripwire. “Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications; then they rely on application vulnerabilities or brute forcing to gain access to systems where they install the malware.”

Dwayne Melancon, CTO of Tripwire, agrees that greater vigilance is required. “The general trend toward continuous monitoring and standardized configurations, along with security configuration management, is a positive step. The challenge is implementing these controls quickly enough to make a difference.”

One concern is that smaller organizations are also affected, but lack the skills or resources to do anything about it. Greg Foss, senior security research engineer at LogRhythm, cautions, “Retail breaches such as the most recent one affecting UPS are becoming more and more common. More importantly, major incidents like this are just those that the general public has been made aware of, affecting well-known companies with expansive security programs that were still unable to detect the infection or found it after it was too late and the infiltrators had already made off with valuable data.”

Detecting and blocking known attacks is still very necessary. But attacks like these underscore the need for continuous monitoring and other ongoing security programs focused on identifying anomalous activity and behavior on the network.
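The intrusion method Westin describes (remote desktop exposed on point-of-sale hosts, then brute forcing) and the kind of over-time log analysis Raff and the closing paragraph call for can be illustrated with a small detector. The following is an added example written for this article, not code from UPS, Seculert, Tripwire or LogRhythm. It assumes Windows security events flattened to one whitespace-separated line each (the format, host names, accounts and addresses are constructed); Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values. It flags a burst of failed RDP logons from one source within a time window, and separately flags a successful RDP logon from a source that was just bursting, which is the pattern a successful password guess leaves behind.

```python
"""Hypothetical brute-force detector for remote-desktop logons on POS hosts.

Added example, not from the article or any vendor named in it. Assumes
Windows security events flattened to one line each (constructed sample
below): timestamp, event id, logon type, source IP, account, host.
Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 =
RemoteInteractive (RDP). The IDs are real Windows values; the line format,
hosts, accounts and addresses are made up for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a burst of failed RDP logons from one source followed
# by a success, plus a legitimate helpdesk logon from another address.
SAMPLE_LOG = """\
2014-07-03T02:14:01Z 4625 10 203.0.113.45 administrator POS-STORE-17
2014-07-03T02:14:03Z 4625 10 203.0.113.45 administrator POS-STORE-17
2014-07-03T02:14:04Z 4625 10 203.0.113.45 pos POS-STORE-17
2014-07-03T02:14:06Z 4625 10 203.0.113.45 admin POS-STORE-17
2014-07-03T02:14:09Z 4625 10 203.0.113.45 administrator POS-STORE-17
2014-07-03T02:14:12Z 4624 10 203.0.113.45 administrator POS-STORE-17
2014-07-03T09:30:00Z 4624 10 198.51.100.7 svc-helpdesk POS-STORE-17
2014-07-03T09:35:00Z 4625 10 198.51.100.7 svc-helpdesk POS-STORE-17
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one flattened event line into a dict with a parsed timestamp."""
    ts, event_id, logon_type, src_ip, account, host = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": event_id,
        "logon_type": logon_type,
        "src_ip": src_ip,
        "account": account,
        "host": host,
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts as (kind, src_ip, host, timestamp) tuples.

    'burst': at least `threshold` failed RDP logons from one source to one
             host within `window` (reported once per source/host pair).
    'success_after_burst': a successful RDP logon from a source/host pair
             that entered the burst state within `window` before it.
    """
    recent_failures = defaultdict(deque)  # (src_ip, host) -> failure timestamps
    burst_sources = {}                    # (src_ip, host) -> time burst was raised
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only remote-desktop logons matter here
        key = (ev["src_ip"], ev["host"])
        if ev["event_id"] == FAILED_LOGON:
            q = recent_failures[key]
            q.append(ev["ts"])
            # slide the window: forget failures older than `window`
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in burst_sources:
                burst_sources[key] = ev["ts"]
                alerts.append(("burst", ev["src_ip"], ev["host"], ev["ts"]))
        elif ev["event_id"] == SUCCESS_LOGON:
            burst_ts = burst_sources.get(key)
            if burst_ts is not None and ev["ts"] - burst_ts <= window:
                alerts.append(("success_after_burst", ev["src_ip"],
                               ev["host"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample input this raises two alerts for 203.0.113.45 against POS-STORE-17 (a burst at 02:14:09 and a success three seconds later) and nothing for the helpdesk address, whose single failure never reaches the threshold. The sliding window is what makes this an over-time check rather than a per-event one: the same five failures spread across a day would not trigger it, which is the trade-off to tune against slow, patient guessing.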
