5 Steps Retailers Should Take to Handle a Cyberattack
2. Contain (or not contain). POS terminals have significant vulnerabilities that make it easy for hackers to target. Hackers have found ways to grab card data before it's encrypted into a POS system's memory. Whether it's foot traffic or website traffic, open ports — USBs, ethernets and tampering with POS devices — have all proven themselves as a security risk. Hackers can easily gain physical and virtual access to a network and move laterally to the targeted data.
Once an organization has identified the nature, extent and severity of the attack, the incident response team is faced with two options: contain it or remove it. Containing and stopping the attack involves quarantining the compromised hosts or systems or disabling some functions, removing user access to the system, and determining and blocking the access point. More advanced malware and threats, which can alter techniques depending on your reaction, might require moving right to the removal phase without tipping off the attacker that you're on to them.
3. Remove and recover. QR codes are used daily by retailers, however, they're easily manipulated by hackers, ultimately acting as a door into a retailer's network if hacked. Cybercriminals leverage these codes by taking users to a malicious website that infects the system without the user ever knowing, and then directing them to the correct website. QR codes are indecipherable to the naked eye; for experienced hackers, however, they're easily translated. Thoroughly removing a threat such as this is critical to reducing the risk of reinfection and regaining normal operation.
Once infected hosts have been identified, do the following:
- stop and kill all active processes;
- remove and save all files installed by the attack for later investigation;
- separate sensitive data from the network;
- apply necessary patches;
- update/reset all affected login accounts;
- assess file damage;
- reinstall affected files;
- notify all affected parties;
- disconnect affected hosts; and
- perform daily reboot.
4. Be proactive. Attackers are becoming increasingly sophisticated using advanced malware and techniques to hijack operating systems, applications and servers. These attackers learn from their experiences and often return with nuanced attack versions, putting organizations back on the defensive, and the vicious cycle continues.