Tag Archive for: malware

Upgrade to Microsoft Defender ATP.

The endpoint security market is crowded with competition. From Kaspersky to AVG, or McAfee and Norton/Symantec products, there is an entire industry built to suit consumer, prosumer and enterprise markets. As we look into enterprise solutions, Carbon Black, CrowdStrike, Sophos and a few other players make a good case for themselves, but Microsoft has been investing heavily in their security (over $1 billion per year) and has taken the lead with their flagship endpoint detection and response (EDR) tool “Microsoft Defender Advanced Threat Protection” (MDATP): the business implementation of Microsoft Defender.

Microsoft Defender ATP Licensing

MDATP premiered two years ago, but the licensing has always been a point of confusion for many businesses. Until just recently, the only way to get MDATP was a pricey bundled SKU (Microsoft 365 E5 $57/user/month, Windows 10 E5 $11/user/month) or an add-on license (Microsoft 365 E5 Security $12/user/month) that required you to have Microsoft 365 E3 or Office 365 E5 licenses. While these bundled SKUs are a great value for businesses that need the included services, those only interested in MDATP found licensing too complex and often too expensive.

Licensing MDATP just got a whole lot easier as the standalone SKU launched in March for CSPs and Enterprise licensing. MDATP standalone is $5.20 per month, per user on up to five devices or per server. The value is impossible to beat for the quality of the tool, the tightly integrated ecosystem and the added value afforded by the intelligence component of the dashboard. Compared to the industry standard, which is often licensed by endpoint, Microsoft has priced the software per user in order to differentiate and bring immense value to their clientele in the increasingly complex world of antivirus (AV) and EDR. In companies that have an increasingly complex, diverse and connected workforce, this is potentially a huge cost savings over competitors. If you were on the fence before, perhaps it's time to take another look at Microsoft Defender ATP.

 

But Why Choose Enterprise Advanced EDR Tools At All?  

Microsoft Defender ATPThe most important thing to understand about modern AV software is that malware has evolved aggressively over the last decade, but the approach to securing against their attacks has advanced much more slowly. As such, most products balance speed, security and other performance metrics in order to sell the perceived value of security while not really securing users’ systems against advanced threats. Common antivirus solutions are efficient at detecting malicious files on disks, for example, but over the years, more sophisticated threat actors have adapted. In order to successfully deploy malware, threat actors have made wider use of “fileless” malware in order to circumvent traditional AV protection. These advanced payloads run directly in memory without ever dropping an executable file on the disk. 

Since no malware file touched the hard drive, there was not ever a signature on the disk – which is what traditional AV software is scanning for. As a result, even with up-to-date, consumer-grade AV software, these more sophisticated malware attacks remain completely undetected. This is unforgivable in today’s threat environment, and a problem solved by MDATP's active threat intelligence. 

 

Threat Intelligence 

What is more important than a reaction to an attack? On-going intelligence and proactive interception of threats. This is just one area where Microsoft Defender ATP shines by taking an active approach to monitoring systems. Rather than waiting for a threat to appear, the software proactively anticipates attacks by utilizing a wealth of forensic data it has acquired from decades of studying threat actors and their methods. Microsoft Defender ATP engages cloud look-ups to ensure the latest signature updates are considered, in order to anticipate new attacks. The cloud look-up will send suspicious files into secured detonation chambers where they are launched to simulate an attack in the cloud. If analysis identifies a program or file as malicious, the cloud signatures will be updated and made available immediately for all Microsoft Defender ATP clients – pushing them to all endpoints. 

In addition to this sandbox methodology, Microsoft Defender ATP will monitor the user, process and system behavior continuously across protected organizations using their cloud-based, proprietary machine learning technology. An often overlooked aspect of Microsoft’s strength in security is that the Windows Security Research Team benefits from being able to collect the intelligence of over one billion consumer endpoint versions of their antivirus engine and deploy it instantly to Microsoft Defender ATP users. And in this sense, Microsoft Defender ATP has truly become much more than just AV software. It is a globally postured, enterprise tested, cloud-based software as a service (SaaS) tool.   

Industry Comparison 

Flagship Information Technology researcher, Gartner, exists to produce actionable data to be used by consumers and enterprise. They are among the most respected names in the space. In 2019, they reviewed twenty competitors in the End Point Protection (EPP) space, and created a data quadrant to show how they stack up to one another. Microsoft Defender ATP led the pack in the “Leaders” category with the highest “Ability to Execute” among all the competitors. 

Gartner EDR Comparison

Gartner EDR Comparison

More Details 

A big part of the reason Microsoft Defender ATP scored so high on Gartner’s EPP report is the fact that the software covers so many things and takes such a proactive approach!  

  • Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats 
  • Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations 
  • A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based-on business context and dynamic threat landscape, and built-in remediation process speed up mitigation of vulnerabilities and misconfiguration 
  • Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns 
  • Behavioral detections: Endpoint detection and response (EDR) sensor built into Windows 10 for deeper insights of kernel and memory, and leveraging broad reputation data for files, IPs, URLs, etc., derived from the rich portfolio of Microsoft security services 
  • “Deployment” is as easy as it gets by being built directly into the operating system. There is no agent to deploy, no delays or compatibility issues, and no additional performance overhead or conflicts with other products. No deployment and no on-premises infrastructure directly leads to lower TCO. 
  • Contain the threat: Dramatically reduces the risk by strengthening your defenses when potential threats are detected. Microsoft Defender ATP can automatically apply Conditional access to restrict the endpoint from accessing corporate data until the threat was remediated. 
  • Automated security: From alerts to remediation in minutes – at scale. Microsoft Defender ATP leverages AI to automatically investigate alerts, determine if a threat is active, what course of action to take, and then remediate complex threats in minutes. 
  • Secure Score: Watch your security score rise in the Microsoft Defender Security Center as you implement automated and recommended actions to protect both users and data. Microsoft Defender ATP not only tells you that you have a problem, but Microsoft Defender ATP also recommends how to solve it (and track the execution) with Secure ScoreVulnerability and configuration information provide weighted recommendations and actions to improve endpoint hardening and compare the current posture with the industry and global peers for benchmarking. 
  • Microsoft Threat Experts: Microsoft has your back — with Microsoft’s managed detection and response (MDR) service (called Microsoft Threat Experts), Microsoft supports customers’ incident response and alert analysis. Our automated threat hunting service helps ensure that potential threats don’t go unnoticed.  Source: Microsoft 

Unified EDR Across All Your Operating Systems, Microsoft Defender ATP Supported Operating Systems

Microsoft Defender ATP is one EDR solution that can cover all your endpoints, supporting the most common operating systems used in business at no additional cost. Native mobile device support for iOS and Android scheduled for release later this year. As per Microsoft's minimum system requirements, Microsoft Defender ATP will run natively on the following platforms:

Supported Windows versions
    • Windows 7 SP1 Enterprise
    • Windows 7 SP1 Pro
    • Windows 8.1 Enterprise
    • Windows 8.1 Pro
    • Windows 10, version 1607 or later
    • Windows server
      • Windows Server 2008 R2 SP1
      • Windows Server 2012 R2
      • Windows Server 2016
      • Windows Server, version 1803 or later
      • Windows Server 2019
Other supported operating systems
  • macOS (Mac OS X)
  • Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
    • Red Hat Enterprise Linux (RHEL) 7+
    • CentOS Linux 7+
    • Ubuntu 16.04 LTS +
    • SUSE Linux Enterprise Server (SLES) 12+
    • Debian 9+
    • Oracle Enterprise Linux 7
Coming Soon (ETA 2020)
  • Android
  • iOS

 

The Business 

We have covered the topic of Microsoft’s entire Office Suite in the past, and we briefly discussed the Microsoft Defender ATP advantage when we published “PLEASE DON'T ZOOM ME!” 

Here, we will stress the importance of Microsoft Defender ATP, both as a complete integration and as a stand-alone product. Then, we will explain the value of having it deployed by a Tier 1 Cloud Solutions Provider (CSP) and Microsoft Gold Partner such as GoVanguard 

Microsoft Vs Everyone Else

Just Use Microsoft!

First of all, Microsoft has long assumed that products like Microsoft Defender ATP make the most sense bundled into a platform – and it does in most cases – because businesses are utilizing the power of Word, Excel, Teams and the other tools on a daily basis in their current office environments. As such, it was bundled for an extra $11.00 – $57.00 per month (depending on various options) to existing clients with an E5 license through their CSP. However, due to popular demand and some of the increasing incentives provided to Microsoft CSP partners, Microsoft Defender ATP can now be licensed for under $6.00 per user account. And that is another crucial point. The pricing is not per workstation, device or other number of endpoints. Microsoft Defender ATP is available as low as $5.20 at the user account level, which means that it can sync across Windows and MacOS devices, Android and iOS with all of the above mentioned features deployed in 2020.  

It is important to understand that, outside of globally-sized clients on an enterprise scale, Microsoft does not have a direct sales model, and you have choices when it comes to choosing a CSP. GoVanguard is the highest rated and credentialed among all classes of Microsoft CSP standards, and we are a full time information security firm. At the forefront of cybersecurity, we spend our days developing open source security solutions, engaged in red team attack simulations for high value clients, consulting on progressive threat intelligence and contributing to valuable security projects in the open source community. 

Choosing GoVanguard as your Microsoft CSP to license your entire cloud productivity and security solution comes with special benefits because of our unique expertise. Advising on licenses and beneficial features is included as part of our CSP relationship and you get the added benefit of partnering with a security-centric firm that can assist in proactively mitigating common security threats, as well as consult on a wealth of other security, infrastructure and platform parameters within your organization.

If you want to benefit from Microsoft Defender ATP or the any other part of the Microsoft 365 suite, please contact us today to discuss a trial. New to Microsoft? Get started with six months of E1 productivity for FREE!

 

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties the proceed them. In order to successfully navigate data security protocols during this period of global pandemic, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!   

Reach out to us today and see how easy it is to take control of your security and keep your data secure. 

Five-point checkup to secure your systems! 

The advent of the COVID-19 “coronavirus” has spooked worldwide markets and pushed an inconceivable number of professionals into their homes to work remotely. This introduces a nightmare for network security and the threat of disruption to business continuity. If you do not have a contingency plan in place or have been struggling to deploy a secure remote workforce effectively, please contact us. We are working extra hours through the pandemic to make sure businesses like yours remain safe and secure in this fast-moving situation.  

Until we connect, here is a five-point checkup for the things that you should be doing immediately in this crisis!  

1: Make staff aware of the huge uptick in phishing attacks. We wrote about this previously, but the cases continue to rise. Nobody from the CDC or “official” medical organizations are going to send around email attachments. With the fear of the unknown, and the lack familiarity with working from home, remote staff are being actively targeted by malicious actors. These remote workers urgently need to be made aware of the risks of these sorts of attacks. 

2: Are your endpoints secure? Remote work has gone up exponentially in a very short period of time. That means there are certainly insecure laptops and other assets connecting to internal networking infrastructure in a way that could be leaking critical data to malicious actors. This needs to be resolved as quickly as possible, as it is a primary target for attackers.

3. What tripwires do you have in place? Are your systems up to date? Does every end point have updated malware protection? Have those things been tested recently? Sometimes the most important thing to do is make sure all events are monitored and logged! We can deploy best-in-class monitoring software quickly, and we would love to consult on setting up monitoring rules for your network. 

4. Who gets alerted in the event of an attack or system failure? Malicious actors prey on the fact that most companies do not have a clear chain of command in place when a security breach occurs. If a breach occurs, it is crucial to identify and contain the threat to mitigate the impact of the breach. The same confusion occurs with the chain of command when critical IT systems fail. A good question to ask yourself is

“In the event of a critical IT system failure, do I have sufficient IT redundancy measures in place? 

5. What happens if your head of IT gets sick? Do you have an IT managed service provider? One of the most crucial aspects of ensuring continuity of business is to have overlap in your IT, security and compliance staff. If the reports are true, the likelihood of your employees contracting COVID-19 is a very real concern that must have a plan in place. According to sources, companies in Paris with 250 employees have a 95% chance of having at least one employee infected with the coronavirus. The US has yet to see the same kind of outbreak, but the number of cases is accelerating quickly!

At GoVanguard, we are working extra hard during this global emergency created by the COVID-19 coronavirus pandemic to combat threat actors taking advantage of the situation. Please get in touch with us today to help build a robust business continuity plan and protect your organization.  

Reach out to us today and see how easy it is to take control of your security and keep your data secure. 

Coronavirus spreads to Infosec

Cybercriminals utilize anxiety, fear and a lack of understanding in order to engineer the environments in which people start making predictably bad security decisions. Spear phishing attacks target unsuspecting members of organizations into thinking they need to urgently click something in an email that unleashes a payload or grabs login credentials. Victims are engineered to trust the alleged sender, or sometimes they fear the consequences of ignoring a big opportunity! This is a fundamental attack vector that infosec professionals combat every day, but the COVID-19 Coronavirus introduces a valuable new angle to the attack: fear of the unknown.  

With companies like Google telling their employees to work from home, there will almost definitely be a cascade of big businesses pushing for as much remote work as possible – driving up the stock value of Zoom video conferencing software amid an otherwise nasty, global sell-off. This is a great step toward establishing a more nimble, decentralized workforce, but it also sets up the dominos for lots of insecure systems to be connecting improperly to company servers, and that opens up a wealth of new exploits! 

 

But the virus itself is also a juicy social engineering attack vector.  

This week, threat actors have begun to exploit the fear of the virus to spread the seeds of cybercrime with threats ranging from coronavirus-themed malware attacks, booby-trapped URLs and credential stuffing scams. Two malware campaigns connected to the coronavirus have been discovered in the wild, just this week.  

The first is a phishing email targeted to spread Remcos RAT and malware payloads. The message has an attached PDF offering coronavirus safety measures, according to research from ZLab-Yoroi Cybaze. Instead of safety measures, the PDF, named “CoronaVirusSafetyMeasures_pdf,” includes executables for a Remcos RAT dropper that runs with a VBS file executing the malware.  

The email attack showed a high level of sophistication in its ability to avoid detection by common firewalls, ZLab-Yoroi Cybaze researchers observed in a post on the threat, stating: “It established a TLS protected connection to a file sharing platform named ‘share.]dmca.]gripe,’ possibly to avoid reputation warnings raised by next-gen firewalls.”  

Victims are prompted to download the file, which then installs two executable files in the system directory on the victim’s computer. A VBScript then becomes the springboard to run the executables across the system. 

Another new email campaign reported by the MalwareHunterTeam includes a coronavirus-themed Microsoft Office document allegedly sent from the “Center for Public Health of the Ministry of Health of Ukraine.” Along with offering legitimate information, the document contains malicious macros that install a backdoor to allow keylogging, clipboard stealing and the ability to take screenshots from a victim’s computer. 

 

Sneaky, sneaky!  

According to some researchers’ estimates, there have been over 4,000 coronavirus-related domains registered globally in the last three months with 3-8% assumed to be malicious or suspicious, and they are being used to add a sense of legitimacy to multifaceted phishing attempts.  

Researchers at Cofense, said they observed a new phishing attack based on fake messages from The Centers for Disease Control (CDC) stating that the coronavirus has “officially become airborne” and there “have been confirmed cases of the disease in your location.” 

The email contains a phishing kit that asks recipients to click a link that appears to navigate to the CDC’s website to learn more about the local coronavirus threat.

COVID email

Phishing Email

 Behind the link is a series of malicious redirects used by attackers that take victims to one of several SSL-certified, top-level domains where users will be presented with a Microsoft login page. The recipient email address is appended within the URL, to automatically populate the login box with their account name. The user is prompted to provide their password, which will be sent to the malicious actor before redirecting the user to the legitimate CDC website. 

With these sorts of opportunities to launch sophisticated attacks against unsuspecting employees that are working from home in a manner which is uncommon for their routine while being under the threat of a poorly misunderstood pandemic is a recipe for a large uptick in malicious attacks, and companies need to prepare their organizations for the new vectors.  

Kaspersky has also issued their own findings about COVID-19 related email phishing attacks, stating: “The discovered malicious files were masked under the guise of .PDF, .MP4, .DOC files about the coronavirus,” researchers said in a statement released to Threatpost. “The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus-detection procedures, which is not actually the case.” 

The files contain a litany of security threats, including trojans and worms that are “capable of destroying, blocking, modifying or copying data, and interfering with the operation of computers or networks,” according to the firm. So far, ten different documents have been observed circulating. 

“As people continue to be worried for their health, we may see more and more malware hidden inside fake documents about the coronavirus being spread,” wrote Anton Ivanov, Kaspersky malware analyst. 

 

Staying protected 

So how can you avoid falling victim to these scam attempts? GoVanguard recommends that all companies.  

  1. Be extra cautious with emails and files received from unknown, but official sounding senders, especially if they prompt for actions and credentials. 
  1. Do NOT to click on ads or promotional links in emails. Instead, Google your desired retailer and click the link from the Google results page. 
  1. Beware of “special” offers. “An exclusive cure for Coronavirus” is not ever going to be emailed to you.  
  1. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders. 

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties the proceed them. In order to successfully navigate data security protocols during thi period of global pandemic, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place! 

Reach out to us today and see how easy it is take control of your security and keep your data secure 

Are you Compliant with the New York SHIELD Act?

The New York Shield Act has broadly increased the scope of how “private information” is defined, and how it must be dealt with by any business that maintains the customer data of any citizen of the state of New York. The “Stop Hacks & Improve ELectronic Data Security” Act is an attempt to modernize the way that financial data is secured. It also expands the definition of a breach, and changes the threshold at which a company is obligated to disclose the theft of data to the state and to citizens of New York.

While there are many federal and state laws across the country with varying standards, SHIELD intermingles with some, but is written in such a way that it supersedes older laws, and applies more broadly than existing law in New York. Any business, of any size, in any state that collects Social Security numbers, W2 forms or other relevant financial data of a New York citizen breach notification components came into effect on October 23, 2019. The security safeguard requirements of the SHIELD Act will be in effect on March 21, 2020.

The new law broadly expands on requirements and specifies many new steps that companies must go through in the reporting of a data breach, and offers plenty of suggestions to create reasonable safeguards against malicious attack.

Data Breach Notification

The SHIELD Act amends New York’s existing laws to broaden the obligations of all businesses to notify customers of a breach. The big change in the definition of “private information” now includes e-mail addresses, biometrics, as well as security questions and answers for password and identity authentication in addition to the more typical definition that includes financial account numbers and personal contact data. SHIELD also expands the definition of a “data breach” from unauthorized acquisition to merely unauthorized access to private information. If any unauthorized person in the business environment could view the protected information of client, the data should be considered compromised.

Another significant change is that rather than simply notifying customers of a breach, the offending business party must also provide relevant links, phone numbers or other contact information for the agencies most appropriate to compensate for the specific types of compromised data. In some circumstances, this could include mandatory credit monitoring, but it could go as far as reporting specific cases to state and federal agencies for recovery and compensation of the individual affected parties.

Another shift is that for health care organizations which are bound to Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and are currently required to notify the Secretary of Health and Human Services of breaches under those regulations, the SHIELD Act adds the requirement to provide notification to the state Attorney General within ten business days of notifying the Secretary.

In-state businesses that experience a breach must also notify the New York State Office of Information Technology Services, who will provide a report on the scope of the breach and recommendations to improve the security of the system to the offending New York based business.

With such a large step in reporting requirements, it is crucial to make sure your compliance with SHIELD is up to par. If you are unsure, GoVanguard offers compliance assessment consultation and reporting as a first step to limiting your company’s exposure.

Safeguards

The SHIELD Act requires businesses to first be compliant with all other existing regulations like HIPPA… Businesses must also implement administrative, technical and physical safeguards to minimize risk.

This includes the following:

  • SHIELD requires staff to be trained to be in compliance with the new law.
  • Businesses must also have sufficient software and hardware controls, and they must maintain malware detection and protection tools. We recommend regular pentesting intervals to confirm the effectiveness of these systems.
  • The law may also mean records must be stored in a locked and monitored room and disposed of in accordance with very tight procedures.

While the law gives no leniency on penalties for small business, it does give some slack on standards that are “reasonable” and “appropriate” for the size of the business and the value of the data to comply with security standards.

Penalties

The SHIELD Act does not eliminate private rights to pursue restoration in court, but it does double the civil penalty from $10 to $20 per incident or $5,000, whichever is greater, for businesses who fail to sufficiently report a data breach. SHIELD also increases the statutory cap on the penalty from $150,000 to $250,000.

But even with the new and increased regulations and penalties, not everyone feels the Act goes far enough! Crane’s New York editorialist, Fouad Khalil, states:

“…the Shield Act, though a promising first step, is still very much a stopgap in the fight for complete consumer privacy. Organizations will still have more “control” over our private data because of a lack of enforcement.”

He goes on:

“At a time where consumer data protection is more important than ever, organizations trying to maintain sanity with all the laws and regulations must keep their privacy and security programs up to date. And government must be clear and forceful with the laws it is instituting. If both can play their part, this would be a victory for both consumers and businesses in New York.”

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties the proceed them. In order to comply with The Shield Act, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is take control of your security and keep your brand’s reputation secure.

The Wawa credit card data breach is one of the worst retail failures of data security in recent history. 

Last week we reported on the consumer side of the Wawa credit card data breach that, as far as we can tell, affected every single swiped payment card between March and December 2019. In a nutshell, Wawa discovered a security breach back on December 10th, 2019 involving all of their POS systems, fast-forward to January 28th2020 and Wawa released a statement acknowledging that the recently stolen card holder data was featured on “Joker’s Stash”, a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches. 

 This week, we will take a quick dive into some of the likely causes of the credit card data breach, baseline security controls that should have been in place, and some of the ways that GoVanguard recommends to help prevent security incidents like this from happening to your organization. 

Jokers Stash

Wawa Credit Card Data For Sale on “Joker's Stash”

 

So What Happened?

The root cause behind most data breaches perpetrated by external malicious actors (including this one) is typically poor implementation of administrative, technical and physical security controls. In the case of Wawa, malware was installed on multiple POS (point of sale) terminals – which is a common asset for malicious actors to target. 

The concerning part of the security incident, as told from Wawa’s own narrative, is that the malware was able to laterally move across multiple Wawa stores and all the way to central POS payment processing servers This means that it is likely that Wawa had no or poor network segregation in place which violates a core requirement of PCI-DSS: the standards which apply to all organizations that process card holder data (credit card and debit card transactions). It seems that Wawa did not have basic security and network segregation mechanisms in place like robust access control lists (ACLs) because physical stores should not be able to directly communicate between one another. Basic security controls like ACLs help prevent the lateral movement of malicious actors between information systems and contain the malicious actor to a specific location or system domain. 

Furthermore, the fact that the security breach went undetected for over nine months suggests that Wawa did not have any NIDS (network intrusion detection software) systemin place or it was not being monitored by staff – another PCI-DSS requirement for an organization like Wawa 

Lastly, Wawa unable to specify which stores were affected and which stores were not affected by the security breach. Wawa’s inconclusive response suggests that they had very little logs to analyze and pinpoint the exact lateral movement path of the malicious actor behind the security breachThis means there was probably no centralized logging facilities or SIEM (security information event management) in place – another PCI-DSS requirement for an organization like Wawa. 

Malicious Actor Attack Process

What Happens Next?  

The reputational and financial damage that this security breach will cause Wawa in the mid-long term is inestimable but Classaction.org says that the retailer is “swamped” with litigation; noting at least 11 major, federal lawsuits at this current moment.  

On January 29, 2019, Inspire Federal Credit Union added themselves to the list of plaintiffs. An unnamed, but official spokesman for Inspire Federal Credit Union stated 

“Furthermore, time will tell whether plaintiff is subject to an imminent threat of future harm because Wawa’s response to the data breach is so inadequate that it is doubtful that it has cured the deficiencies in its data security measures sufficiently to prevent a subsequent data breach.” 

Concisely put, it iapparent that Wawa had an immature information security program with deficiencies across many security controls including network segregation, malware detection, intrusion detection and centralized systems logging. All of these deficient security controls could have been enumerated and analyzed easily with a cybersecurity risk assessment, information security program gap assessment or network penetration test.  

 

What Can My Company Do To Avoid a Similar Breach?

The Wawa security breach demonstrates worst-case scenario for a retailer that depends on the trustworthiness of their brand, especially given the failure of so many basic security principles. 

GoVanguard is a cybersecurity provider on the forefront of an ever-changing, complex security landscape. We provide both snapshot-based and continuous security testing services including risk assessments and web/network penetration tests. 

Reach out to us today and see how easy it is take control of your security and keep your brand’s reputation secure. 

Many retail data breaches leak partial customer data, partial credit card numbers or other bits of information that malicious actors can scrape and use as part of broader attacks. But the Wawa data breach is different. Every single customer that used their physical credit or debit card at a Wawa store since the spring of 2019 has had their card number stolen by malware on Wawa's point-of-sale servers, and the info is already for sale on the darkweb!

GoVanguard Recommendations to Protect Yourself:

1.      For those affected, we highly recommend replacing your credit or debit card. If you choose not to do so, we recommend watching your payment transaction statements closely.

2.      Wawa is required to provide free Identity Protection Services to those who are affected. If you do not already have ID Theft and Credit Monitoring (like LifeLock), navigate to https://www.experianidworks.com/credit and sign up with the activation code 4H2H3T9H6.

3.      We recommend consumers switch to making in-store purchases with a digital wallet or mobile payment app like Apple Pay, Google Pay or  Samsung Pay. With these apps, the merchant does not receive the details of your credit, debit card or checking account. They only receive a unique, one-time code for that specific purchase. Even if the merchant’s point-of-sale system is hacked, you will not have to worry about your card number being stolen.

4.      For online retail purchases we recommend using Privacy.com (it’s free! They make money from interchange fees paid by merchants) that can generate merchant-specific card numbers and “burner” card numbers for online purchases so that you never have to use your real card number!

Next week, we will go over the details of the specific malware attack and how a systematic approach to monitoring and penetration testing would likely have mitigated the attack entirely. We will also discuss why a rigorous security protocol is crucial in all retail point-of-sale environments.

See you next week!