Target effect: US retailers to share cyber intelligence

The National Retail Federation in the United States has announced plans to establish the Information Sharing and Analysis Center (ISAC), so that retailers can work together on incoming cyber security threats.

US DOJ to investigate Target data breach
US DOJ to investigate Target data breach

Following in the wake of serious attacks against some of the world's leading retailers – not least big-box store Target, which lost 40 million credit card details and almost 120 million customer records at the end of last year, the industry body has confirmed plans to launch the group June.

The aim of ISAC, according to the Reuters newswire – which broke the story, will be to help retailers share tips on fighting hackers, as well as share intelligence provided to them by law and government agencies.

The financial services industry ISAC, which is believed to be one of the more successful such bodies, is reportedly helping retailers to set up the new organisation.

"It will allow them to talk to each other about things that are hitting them, to know quickly if other people are experiencing the same things and if they've found good defences that they can tell each other about," Alan Paller, founder of SANS Institute, told the newswire.

This action seems to have come about partly on the back of the Target data breach, which occurred as a result of vulnerability on the point-of-sale solution. According to Reuters, companies privately complained in the aftermath of that incident that they had issues regarding obtaining information from law enforcement about the attack and how to prevent future action.

Alan Carter, cloud services director at SecureData, an independent IT security service provider, said that the formation of ISAC is a move in the right direction.

“The ISAC formation is a positive step, much like the recent launch of CERT and the long-term goal should be for it to expand internationally, with other industries hopefully following suit and taking cyber-security more seriously,” he told SCMagazineUK.com.

“We're all very aware of big data and its benefits, but soon enough this is going to be the only sure-fire way (if such a thing exists) of detecting new threats. Unfortunately the bad guys already have access to the technologies like firewalls and other point solutions, and are able to spend time analysing those platforms for vulnerabilities and back doors, meaning the only real option we're left with is this collaborative approach.” 

He added that industry collaboration is essential for the group to succeed: “It is understandable that companies will be reluctant to share this data with competitors, but on the whole it will be anonymous. Many vendors and resellers already have access to huge amounts of traffic every day and analyse this to improve threat detection; a collaborative approach should be viewed as a mere extension of this."

Marta Janus, security researcher at Kaspersky Lab, says that the movement could act as a step for other industries to collaborate on cyber threats.

“Sharing information about cyber threats between potentially threatened industries and law enforcement agencies should be one of the most important factors in the never-ending fight against cyber-crime,” she told SCMagazineUK.com. This cooperation should be bi-lateral to ensure the benefits for each party. Of course, some information may be too sensitive to disclose to the industry as a whole, but I believe that all affected parties should at least have access to details that might help them in the process of improving security and protection against future attacks.

“On the other side of the agreement, in the event of a security breach, private sector organisations should provide any relevant information to the law enforcement agencies working on the formal investigation.

“By working together with other businesses within the industry, and alongside government agencies, retailers can not only strengthen their protection against data theft and mitigate the risk of financial loss, but also contribute to the general security of their industry. Establishing an ISAC by the National Retail Federation is a big step towards this direction.”

There's also the hope that this US directive can fuel further action in the UK, although this work is essentially being carried out by the CISP Cyber-Security Sharing Partnership – which is part of CERT-UK.

The group, which celebrated its first anniversary in March and which has 378 organisations and more than 1,000 individuals signed up, said that it continues to work with numerous sectors, and says that cyber awareness is gradually improving.

“By joining CiSP, organisations are aware of the potential for cyber threat – we are working across sectors to enhance this awareness further and to encourage collaboration across sectors.  It is up to individual organisations to protect their own infrastructure but awareness of cyber threats is growing and they are taking it seriously,” said a spokesperson.

Last year's Retail Crime Survey, carried out by the British Retail Consortium, revealed that the ‘majority' of retailers see cyber attacks as a critical threat to their business, with hacking and denial of service attacks the most serious in the preceding 12 months. As a result, BRC encouraged retailers at the time to work closely with the National Crime Agency and the National Cyber Crime Unit, as well as collaborate with fellow retailers and law enforcement agencies.