Officeworks spooked into infosec overhaul by Target breach

Wesfarmers-owned office supply chain Officeworks will upgrade its firewalls, vulnerability analysis and endpoint security systems after being scared into action by the 2013 attack against US retailer Target.

Wayne Tufek

On the sidelines of the RSA APJ conference in Singapore, IT security architect Wayne Tufek told iTnews the retailer was analysing its current state to help understand where the gaps and risks in its security systems lie.

"[The analysis] will determine our future architecture, and we're coming up with the projects we need to address those risks," Tufek said.

"We're doing quite a lot of work around vulnerability analysis, endpoint security, and we're implementing new firewalls."

Tufek's team is also evaluating a number of products for log consolidation and analytics, he said.

"We looked at products from vendors such as FireEye, Macafee, [and] LogRythm. At the moment we're going through an evaluation process to understand how good a fit those products are in environment." 

A key design feature of Officeworks' systems is the physical separation of its cloud-based web store from its point-of-sales [PoS] systems. 

"We haven't been attacked a great deal from DDoS. Other companies in the Wesfarmers group. We do benefit somewhat in that our web store isn't on-premises in our data centre, it's in AWS," Tufek said. 

"So from the point of view of the attack impacting other systems within Officeworks, they're logically and physically separate." 

Focus on PoS, third-parties

Tufek said Officeworks was taking lessons from the 2013 security breach on US retailer Target. It is not affiliated with its Wesfamers-owned namesake in Australia.

The Target breach, which affected the US retailer's point of sale (PoS) systems, exposed credit card and personal data of around 110 million customers. 

"Our PoS is connected to the network. We're going through a process of analysing our security at the endpoint," Tufek said. 

"However, the way credit cards work in Australia is a little different to the US. We like to adopt the [Australian Signals Directorate's] top four [strategies for mitigating cyber intrusions], especially for PoS and our other endpoints as well. 

"The thing you need to worry about there are the third party risks - [Target's] initial breach occurred because of a third-party vendor."

Tufek said the attack highlighted the importance of two-factor authentication when giving third-party vendors access to corporate networks. 

"Target weren't using two-factor authentication. That's critical when you have other people accessing your information, so we've addressed that," he said.

"Once they were able to get in, they moved from a lower priority system over to the credit card environment. Network segmentation becomes important in that instance, and we're addressing that through our firewall project. "

Check your alerts

While Target US was using FireEye's malware detection tool, Tufek said information overload from security dashboards and log consolidation systems prevented effective action being taken. 

"One of the issues we're seeing is that you have hundreds and hundreds of alerts, and sooner or later you get lazy or there's too many alerts and you can't deal with them all," he said.

"So what do you do? It's about tuning your tools and getting to the one percent of events that matter. "

For Officeworks, some of the biggest vulnerabilities are a product of poorly-trained end users, Tufek said.

"You get to the point where you spend $100,000s on your technical roles, but you're forgetting the people using the systems are the ones you really need to focus on," Tufek said.

"On a typical endpoint, you might have an antivrus client, a firewall, and two-factor authentication and be spending $300 or $400 per endpoint. But you'd be hard pressed finding an organisation spending $300 or $400 to educate their people about how they should be acting or what they need to be aware of.

"[Security people are] technical experts, we're not experts in people. It's like asking your HR department to build a firewall for you - they're not going to do it properly.

"It's about getting that balance between organisational change, learning and awareness that requires, and that's something that's coming to the fore."

Andrew Sadauskas attended the RSA APJ conference in Singapore as a guest of RSA.