Sherri Davidoff is the mother of young children. She drives to the grocery store in Missoula, Mont., in a station wagon. While she may seem positively ordinary — even bordering on uncool — don’t be fooled. Davidoff is a noted cybersecurity and digital forensics expert, an author, speaker and the CEO of LMG Security and BrightWise Inc.
Over the years she has worked closely with numerous retail companies, evaluating security systems and data breach responses. She’s no stranger to retail: Davidoff grew up working the counter at her great grandfather’s restaurant supply business.
“Retail is about relationships,” she says. “Unfortunately, credit card breaches affect the relationships that retailers have with customers. I think that’s undeserved because retailers are also in this difficult position where they are responsible for the security of payments, along with all the rest of the worries that come with running
Davidoff’s hacking prowess was honed during her days at the Massachusetts Institute of Technology, where she was part of an informal hacking community and was known as “Alien.” Today, she’s one of the first female white-hat hackers in an industry still dominated by men. Her latest book, Data Breaches: Crisis and Opportunity, will be released in August.
In June, Davidoff will speak at NRF PROTECT about emerging threats and potential solutions. STORES Editor Susan Reda recently spoke with Davidoff about ethical hacking, retail cyber threats and tips for avoiding potential data compromises.
What is an “ethical hacker”?
To me, hacking means you are thinking outside of the box and you’re really pushing the envelope and being creative. Unfortunately, hacking has had a negative connotation over the past 20 years because many hackers have turned to crime and we now have organized cybercriminal groups.
The term ethical hacking is a way of taking back the word “hacking” and bringing it to the side of the good and light where we remind ourselves that it is possible to hack for ethical purposes. [We] break into companies in order to show weaknesses — and we do it under contract, so it’s with permission and for good and beneficial purposes.
Is the retail industry more susceptible or on a par with other industries?
It seems that way due to negative publicity. It’s easier to detect payment card breaches than it is other types of breaches. When payment card numbers are stolen, third parties typically find out about that.
As a forensic analyst, I see a huge number of cases come through. Cases where business email is compromised are a good example. Organizations have their email hacked, intellectual property gets stolen, social security numbers get stolen, but they can handle those quietly, investigate them and notify a small number of people. When payment card breaches happen, it tends to be very public — merchants get outed, it’s in the news.
I’ve been hearing about “cryptojacking.” Can you talk about that and other trends retailers should be aware of?
“Cryptojacking” is where criminals infect your devices and use them to mine cryptocurrency. For example, at LMG, we infected a security camera. In this case we used it to mine cryptocurrency. Criminals can literally make money by the minute just by installing these programs on your computers or Internet of Things devices, and there are hundreds of thousands if not millions of these vulnerable IoT devices out there.
You might think “No big deal, they’re just mining cryptocurrency. How does that impact me?” The problem is it shortens the lifespan of the device. It can cause the device to overload, it can cause the device to break and then again you have those operational impacts.
What I worry about even more for retailers is ransomware. We’ve seen it lock up organizations and then criminals will charge huge ransoms — anywhere from $5,000 all the way up to $200,000 or more to unlock an organization.
When people have faced a breach and they ask, “What do I do now?” where do you start?
We begin with triage. We want to stop the bleeding. If the issue is that their computers are being taken over with ransomware, we want to stop that encryption from spreading. That might involve pulling plugs and getting those systems off the network so they can’t continue to infect.
If there’s an attacker who’s in the network sucking out data, we want to block that attacker’s access. That might involve cutting off their network connection and changing passwords quickly. A quick implementation of two-factor authentication can be a challenge, so whatever issue is going on we need to move forward with triage as quickly as we can.
Then we step back and we explore if there’s a legal issue or a potential data breach. If so, we need to preserve evidence. We need to determine exactly what the attacker accessed — did they get that spreadsheet of social security numbers you have?
In some cases, if you can’t figure out what the attacker got access to, you might have to assume they got access to everything. Preserving evidence is key, and then supporting a data breach investigation is the next piece.
Ultimately, it’s about getting to the root of the problem. How did the attacker get in? How did this problem happen? Cleaning it up and fixing it so it doesn’t happen again are key.
What tips do you offer to individuals?
I have three tips for prevention for everybody, whether it’s your personal security or your organization’s security. Number one, think before you click. You can’t just blindly click on links or attachments in phishing messages. Often, that’s how hackers get in.
Number two, take backups and make sure that they are working. If you get a ransomware infection, sometimes the biggest pain point is that you can’t restore that data and then you might be in a position where you have to negotiate with criminals. You don’t want to be there. Make sure you’ve taken backups and that they work.
Number three, use two-factor authentication. It’s so important and it’s a must today.
Retailers dealing with cybersecurity threats and surrounding issues struggle with responsibility. Does this fall to IT, loss prevention or risk management executives?
I help to design security for numerous companies. Who owns security and where that person should fit is a trending topic across many different industries. Today, large organizations need to have a chief information security officer, and that person ideally should not report to IT. They should be outside of IT. That would be my number one piece of advice.
In general, security can be overwhelming and it’s important for us to band together, so I recommend talking to your peers. Reach out, join industry groups that are tackling security, see what they do, work together, and don’t ever feel like you have to go at it alone because this is a big challenge for everybody.
Make sure you reduce the data that you store. Any data you store is a liability, so if you don’t need to store sensitive information, the simplest thing you can do to reduce your risk is just to purge it. Cheap, effective ways to reduce your risk are often not advertised, but they do work.
Read more from our interview with Sherri Davidoff on NRF.com.