
Security Experts Comment on Data Breach at Sally Beauty

5/14/2015

Sally Beauty Holdings Inc. has confirmed that there was an “illegal intrusion” into the company’s payment card systems. It is the retailer’s second data breach in a little over a year. Here are insights on the breach from four security experts:
Steve Hultquist, chief evangelist at RedSeal, the security analytics company:
“Sally Beauty's latest breach is another in a long line of successful attacks against enterprise network environments. These breaches continue to prove that today's enterprise networks are so complex and intertwined that knowing precisely what access paths could be used by attackers is impossible without end-to-end access path analysis taking into account all possible permutations of network state.
“It is these analytics and their review that are most often missing, leading to gaps in the network security architecture that can be exploited by the automated attacks constantly launched against virtually every network. It's critical that every organization take action to give themselves the greatest possible potential to rebuff any attacks.”
Michele Borovac, VP at HyTrust, the cloud control company:

“This second Sally breach illustrates how vulnerable companies continue to be, even when they should be on notice. Attackers are getting smarter and perimeter measures are not enough to stop the kill chain. Many of the recent breaches had a common thread: the attacker gained access to administrator credentials. Organizations must take a fresh look at their internal security systems, processes, and people and put controls in place to protect these privileged accounts.”
Dr. Mike Lloyd, CTO at RedSeal:

“People say lightning doesn’t strike twice, but rain certainly does, and credit card breaches seem to be becoming the new normal for Internet weather. It’s proving extremely difficult for organizations to protect their customer’s data, due to the amazing complexity of the infrastructure that allows us to just swipe a piece of plastic and walk out of a shop with merchandise. It’s easy to use, but it’s not at all easy to secure, because there are so many different interacting networks involved.
“Much like a chain, a network is only as strong as its weakest links, and it’s very clear now that we face persistent thieves, organized like ants, who will find whatever we leave open to take. This is why organizations must use automation to find security gaps before the inevitable breaches occur.”
Marcin Kleczynski, CEO of Malwarebytes, provider of the user-installed anti-malware solution:

“The financial industry needs to make a greater effort toward evolving our current digital payment technologies to something far more secure. Over the last few years we have primarily seen attacks against numerous organizations, all with the intent of stealing financial information from customers. It follows that continuing to trust in the security of these organizations is a bad idea.
“It is in the best interest of all parties involved to demand greater security in the financial world. We can do this by employing, or at least experimenting with, numerous security technologies like two factor authentication, Chip and PIN and even dynamic card numbers. These technologies create additional layers of defense so that even if a customer’s financial information is stolen, it is impossible for it to be used by the bad guys.
“Our current threat landscape has clearly pointed out the need for security reform in the payment industry and if something isn’t done soon, we will continue to see breaches that result in serious loss for customers and serious gain (or motivation) for cyber criminals.”