
Holiday Network Security - Retail Business

Date post: 14-Feb-2017
Upload: vuongmien

Checkin’ the List Way More Than Twice

‘Tis the Season to Implement Next-Generation Security Across Your Omnichannel Retail Environment

The holiday season brings huge opportunities for retailers — and for hackers trying to invade your networks, disrupt systems and steal valuable information.

If your holiday IT security checklist focuses on PCI compliance only, you may be missing key defenses against today’s sophisticated cyber threats.

Learn how Level 3 protects your retail channels with comprehensive omnichannel security.

TABLE OF CONTENTS

Is Your Omnichannel Environment Prepared for Holiday Attacks?

Level 3 Network-Based Security

Brick and Mortar Channel

eCommerce and Online Channels

Contact Center Channel

IS YOUR OMNICHANNEL ENVIRONMENT PREPARED FOR HOLIDAY ATTACKS?

This holiday season you should fear the hacker, not the auditor.

While PCI DSS compliance is an important piece of the security checklist, it’s not enough to protect retailers from sophisticated cyber attacks that fall outside of the cardholder data environment (CDE). A PCI compliance audit is a little like making sure a lock is on your front door — but it doesn’t guarantee that the lock stays in place. Not to mention, cyber criminals are constantly uncovering new entry points and vulnerabilities to invade your network outside of the PCI environment.

With more holiday sales traffic over more channels than ever before, hackers have more opportunities to launch advanced cyber attacks and infiltrate your retail networks. You need to be prepared.

With the potential for significant business disruption and negative customer experience on the line, mitigating risk should be a top concern for the entire retail organization. Everyone across the brand — from marketing to merchandising to sales — should have a vested interest in building defenses that prevent damaging attacks.

97% of retail CIOs say security is their #1 concern. [1]

[1] National Retail Federation/Forrester Research Inc, Retail CIO Agenda 2015: Secure and Innovate, Feb. 2015


RETAIL IT SECURITY ENVIRONMENTS ARE EVOLVING — AND SO ARE ATTACKER EXPLOITS

Why are retailers so vulnerable this holiday season?

First, many retailers operate in siloed, legacy IT environments without a uniform security policy. This outdated IT infrastructure opens up risks and vulnerabilities for advanced cyber threats. Second, highly distributed and hybrid retail environments, combined with new endpoints — like kiosks, BYOD, IoT, mPOS and Wi-Fi — provide an expanded attack surface for cyber criminals to exploit.

To better protect your omnichannel retail environment, you need more than just a patchwork approach that introduces single points of vulnerability and failure. Retailers need to implement advanced detection of malicious activity in addition to preventative measures. With stronger security controls on systems outside of the cardholder data environment, you can move beyond PCI to create a more holistic security strategy.

While there is no silver bullet to stop cyber thieves, Level 3 can help deliver network-based adaptive security architectures to better defend against advanced threats. Wouldn’t that make the holiday season nice this year?

16% of retailers believe they have implemented advanced perimeter protection. [2]

[2] Retail Info Systems News, Business-Driven Security, July 2016


LEVEL 3® NETWORK-BASED SECURITY: To Stop Attackers, You First Have to See Them Coming

Retailers need a foundation for their omnichannel environment that builds layers of security beyond PCI compliance. And to see attackers before they invade the network, it’s critical to leverage actionable threat intelligence that tracks two-way communications to identify suspicious and malicious network activity.

With more than 65,000 TCP ports in a firewall, hackers are constantly scanning your systems for open, internet-facing ports they can use to steal data. But hackers aren’t your only concern during the holidays. Temporary and contract employees can also bring infected devices into the network.

Without the right tools, you may not recognize the exploit. How do you stay on top of it all?

PCI Compliance Is Essential, but Alone It’s Not Enough

Since PCI compliance only requires an annual audit, retail security should consider focusing on what happens in between. Conducting regular vulnerability assessments and testing of the entire environment — including endpoints, applications and the network — is essential. Actionable threat intelligence also enables retailers to strengthen assessment priorities, resulting in better allocation of security resources and personnel.

Level 3℠ Adaptive Threat Intelligence looks at IP addresses, analyzes for suspicious network communications and alerts you to policy violations and vulnerabilities. The solution requires neither hardware nor software and offers a 100% cloud-based approach to actionable threat intelligence for retailers.

To help you stay ahead of rapidly evolving exploits, Level 3℠ Threat Research Labs proactively analyze the threat landscape through comprehensive attack visibility across our global backbone. We correlate information from proprietary and external sources to better protect your retail networks across the omnichannel. And if suspicious activity is detected, we provide 24/7 alerts so you can respond quickly.

197 days: that’s how long it takes for a retailer to detect an advanced exploit in their environment. [3]

“If the internet is the highway, some ISPs build the roads and on/off ramps, but they aren’t accountable for what cars and trucks do on it. Level 3 takes more responsibility for who’s driving recklessly on our highway and uses our network data to find bad guys even before they harm our network or customers.”

—Dale Drew, CISO, Level 3

[3] Ponemon Institute, Advanced Threats in Retail Companies: A Study of North America and EMEA, 2015

Don’t Let Cyber Threats Enter Your Storefronts This Holiday Season

As technology accelerates the pace of change, retailers are bringing the best of online digital engagement directly into the store environment. However, bypassing security controls to implement the latest in-store technologies and SaaS applications opens the door to vulnerabilities and cyber attacks. Protecting the retail environment begins with securing the access methods to the internet from the physical store and implementing advanced malware detection capabilities. Retailers operating with outdated, patchwork security and on-premises hardware models may struggle to manage and secure critical endpoints — and during the holidays, there’s no room for security errors.

“Quickly implementing the latest in-store technologies and digital engagements at the expense of security is a strategy for failure.”

—Chris Richter, SVP Global Security Services, Level 3

Today’s cyber criminals are targeting more than just credit card data. They want financial records, employee information, healthcare records, PII — anything they can sell or use to craft phishing and social engineering attacks aimed at your employees. Without a security governance framework, you won’t have an organized and cost-effective way to defend against these exploits and zero-day attacks, and you may face a disastrous breach.

BRICK AND MORTAR CHANNEL:

90% of transactions still take place in the physical store. [4]

[4] A.T. Kearney, Omnichannel Shopping Preferences Study, July 2014


THE BRICK AND MORTAR SOLUTION: ADOPTING ADAPTIVE NETWORK SECURITY ARCHITECTURES

To secure your store access methods, retailers should consider extending the security perimeter from the LAN or premises to the network with cloud-based firewalls that offer significant benefits:

• Eliminate patchwork security architectures that create vulnerabilities and single points of failure

• Enable Network Service Provider (NSP) optimization to eliminate security software updates and patching requirements

• Implement next-generation security controls: sandboxing, data loss prevention and application control

• Reduce complexity and simplify the security infrastructure

• Streamline capex and opex without sacrificing performance through cloud-based security

Level 3® Adaptive Network Security is a high-performance, cloud-based firewall with next-generation security capabilities for brick and mortar as well as mobile-device-connected end users. It even helps prevent damaging attacks, like ransomware, from being executed on critical systems by detecting malware infections and phishing attacks.

The Adaptive Network Security solution connects to regionally located cloud gateways and blocks packets that contain malware — while also scanning traffic for packets with unusual traits.

58% of retailers cite malware as the greatest security risk for 2016. [5]

[5] Retail Info Systems News, Business-Driven Security, July 2016


When suspicious activity is detected, Adaptive Network Security scans the packet against a constantly updated profile of malware characteristics. If the malware doesn’t match known characteristics, the solution allows it to execute in an environment that mimics the intended target. If the packet is malicious, Level 3 updates the list of known bad actors (master profile registry), which is then globally updated throughout our network of security gateways so that everything landing on the bad actor list is blocked.

Adaptive Network Security can also help add a layer of protection for in-store Wi-Fi systems, which are vulnerable to attacks and infiltration. Beyond just following the PCI DSS for Wi-Fi, retailers must implement supplementary security measures to help protect both customers and employees using in-store Wi-Fi. By offering intrusion protection and detection, web content filtering and sandboxing, Adaptive Network Security enables retailers to do just that.

Success Story: Level 3 Stops PoS Malware for Brick and Mortar Customers

Point-of-sale (PoS) malware has proven to be a lucrative business across the globe, leaving breached retailers to fight a war of both reputation and liability. As PoS systems are targeted with greater frequency, malware developers are creating new strains at a breakneck pace. And with the slow rate at which U.S. merchants are transitioning to EMV chip and PIN technology, bad actors are only encouraged to more aggressively target retailers.

The PoSeidon malware family, first discovered in early 2015, was created to scrape credit card data found on compromised Microsoft Windows PoS systems, install a key logger and transmit captured data to exfiltration servers. Shortly after media coverage expanded, Level 3’s Threat Research Labs began tracking network traffic for the IP addresses associated with the PoSeidon malware domains.

By analyzing data, netflows and traffic behavior, Level 3 found previously unknown C2 servers and exfiltration servers that were part of the PoSeidon botnet. More importantly, Level 3 took actions on our network to immediately and proactively block these new malicious IP addresses and protect our retail customers, while notifying the industry to do the same based on our discoveries. Learn more about PoSeidon.

42% of retailers cite in-store Wi-Fi technology as posing the greatest security risk in 2016. [6]

[6] Retail Info Systems News, Business-Driven Security, July 2016

[7] As reflected by the Level 3 Threat Research Labs and Security Operations Center

[8] Level 3 Communications Blog: Beyond Bandwidth, Swipe at Your Own Risk: What You Need to Know to Combat Point of Sale Malware PoSeidon, May 2015

DID YOU KNOW Level 3 monitors 1.7M infected machines daily, 1M+ malicious packets per day, 1000 Command and Control Servers per day.


Stop Cyber Attacks and Keep Online Holiday Channels Up and Running

From distributed denial-of-service (DDoS) attacks to malware and data breaches, there are plenty of reasons to be wary of the ghosts of holidays past during the 2016 online shopping season. For most retailers, eCommerce has become the fastest growing sales channel and plays an important role in enhancing the customer experience and capturing valuable analytics. In fact, online sales grew six times faster than total sales for retailers in 2015. [10]

But online channels are vulnerable to DDoS cyber attacks, which attempt to block customers from accessing your web-facing assets. A successful attack can severely impact your bottom line while also damaging customer confidence in your brand. That’s why many retailers are increasing DDoS defenses to help ensure application availability, website uptime and infrastructure accessibility during the holiday season and beyond.

By leveraging a multi-layered security approach, retailers can take the necessary steps to escalate their network security and keep websites up and running. And with DDoS attacks growing in size, frequency and sophistication, it’s critical to work with a provider that not only has the ingest capacity but can also provide a proactive security approach to defend against advanced network threats. This approach is critical, as many Layer 3 and Layer 4 volumetric attacks are used to disguise Layer 7 attacks on the retail network that aim to steal sensitive company and customer data.

Level 3 can rapidly deploy a multi-layered, carrier-agnostic DDoS Mitigation service to help safeguard your infrastructure and web-facing assets, keeping them available 24/7. With 4.5TB of ingest capacity and nine global scrubbing centers, we mitigate more than 140 DDoS attacks per day for organizations around the globe.

eCOMMERCE AND ONLINE CHANNELS:

44% of retailers experience over 50 cyber attacks each month. [9]

[9] Infosecurity Magazine, Retailers Take 197 Days to Discover Attacks, 2015

[10] Internet Retailer, E-commerce Sales Grow Six Times Faster for U.S. Top 500 Merchants than Total Retail Sales, April 13, 2015


Leverage Threat Intelligence to Better Protect Your Websites

For enhanced visibility into online threats, retailers should leverage threat intelligence to help detect malicious activity against their web-facing assets beyond traditional eCommerce security measures.

Level 3℠ Adaptive Threat Intelligence goes beyond traditional security approaches to proactively monitor traffic in near real-time for malicious activity between the retail website and known bad IP addresses on the internet. We will then alert you when suspicious activity is detected. For example, the alert may indicate that your website has been compromised (e.g., due to an unpatched vulnerability) and is communicating with a command and control infrastructure and its botnets. Adaptive Threat Intelligence can also alert retailers to early indicators that a known bad actor is scanning the website for vulnerabilities to exploit, so we can notify you before attackers compromise your online properties.

Success Story: Level 3 Prevents Global Retailer from Holiday DDoS Extortion Attack

Cyber extortion — where companies must pay a ransom or risk a crippling attack — is on the rise for retailers. In this case study, an anonymous criminal source demanded an undisclosed amount of money from a global specialty retailer via the threat of an impending DDoS attack. If left unchecked, the threat had the potential to take the company offline, costing them substantial revenue loss during the busiest time of year. The retailer had to determine whether to rely on its own security defenses or pay the attackers. The choice was clear — they called Level 3 to take control of the situation.

Level 3 first initiated DDoS mitigation counter-measures to stop bad traffic from passing through the retailer’s network without taking the company offline. Once the counter-measures were in place, the Level 3 SOC used its proprietary threat analytics tools to analyze the customer traffic flow data. Threat analytics tools allowed the Level 3 SOC to fine-tune counter measures by defining the attack type and isolating the source and destination of the attack. The SOC team then monitored the customer’s network for 24 hours to make sure the attack was completely over.

Once the attack subsided, the Security Solutions Architect team helped deploy a permanent DDoS mitigation solution to divert contaminated traffic to scrubbing centers for cleansing. By working with Level 3, the retailer was saved from devastating revenue and brand reputation loss during the critical holiday shopping season and had the defenses in place to combat advanced DDoS attacks in the future.

86% of websites contain at least one serious vulnerability. [11]

FACTOID: Botnets represented 83% of all eCommerce fraud attacks in the U.S. in 2016. [12]

[11] WhiteHat Security, 2015 Website Security Statistics Report, 2015

[12] PYMNTS/Forter, Global Fraud Attack Index, Q3 2016


Protect Against Fraudulent Callers

To increase customer loyalty and gain a competitive advantage, retailers strive to provide the best possible customer experience. As a key touchpoint, contact centers are a personal way to resolve issues and increase sales, with retailers making investments in technology features that provide enhanced service and customer experience. But contact centers are also a doorway into fraudulent activity and social engineering aimed at stealing customer data — especially during the holiday season and New Year. These activities can be costly for retailers, who are liable for both fraudulent chargebacks and the cost of the lost inventory. And since both criminals and friendly fraudsters take advantage of less personal encounters in the contact center, the risk of chargebacks is greater in a card-not-present (CNP) environment.

Unfortunately, many retail organizations don’t secure contact centers as well as online or brick and mortar channels. The October 2015 EMV liability shift has also contributed to increased contact center fraud. In the U.K., fraud for CNP transactions increased from 30 to 69 percent of total card fraud between 2004 and 2014. [15]

Today’s attackers also use the contact center to gather and test acquired data before migrating to other channels using a credential they’ve attained from a contact center agent via social engineering. After all, contact center agents can be especially susceptible to fraud attempts since they are focused on providing a positive customer experience and keeping callers happy.

The solution for retailers is not only to provide better agent training, but also to invest in technologies that eliminate the human single point of failure. By implementing next-generation security defenses as part of their overall corporate security strategy, retail organizations can improve their ability to protect against attacks and contact center fraud.

Secure Contact Centers with Layers of Defense

For the best defense, retailers are leveraging cloud-based contact center platforms that easily integrate advanced authentication and fraud detection/prevention technologies to provide real-time information and actionable insight.

And with cloud-based Level 3® Contact Center Services, retailers can do just that — seamlessly enabling customized business responses and advanced features to help reduce exposure in CNP channels.

CONTACT CENTER CHANNEL:

45% growth in call center fraud from 2013 to 2016. [14]

[14] Pindrop, 2016 Call Center Fraud Report, 2016

[15] Financial Fraud Action UK, Fraud the Facts 2015, 2015


A Powerful Combination for Retailers

By implementing authentication as well as fraud detection/prevention technologies in the contact center, retailers can better prevent fraudulent chargebacks, reduce costs and streamline security strategies, while also securing customer data and maintaining brand trust.

Authentication

The authentication process determines if a caller’s Automatic Number Identification (ANI) is spoofed. Authentication takes place during the ring cycle, so every customer’s identity can be verified before their call is even answered. Any calls deemed suspicious can be immediately routed to forewarned staff for closer scrutiny. The solution proactively defends against attacks by examining the validity of the calling party number, determining if the ANI is spoofed and applying a risk score based on 30 call attributes.

Fraud Detection and Prevention

Detecting and preventing contact center fraud takes place after an agent answers the call or when the caller communicates with an interactive voice response (IVR) system. The solution analyzes the number, matches it against an extensive database of known ANIs from fraud gangs around the world, and returns a real-time ‘fraud risk score’ for each call. If the number doesn’t appear in fraud databases, the solution listens to the first 10-12 seconds of a call for irregularities and returns a score that indicates the probability of fraud.

How Level 3 Helps Reduce Contact Center Fraud: A Use Case

Retailers with customer-facing contact center agents are under constant attack by fraudsters using the phone channel to conduct advanced social engineering and fraudulent transactions. Let’s take a look at how a retail organization could leverage advanced fraud detection/prevention capabilities to help reduce annual exposure in the contact center:

A best-in-class retailer needs help mitigating ongoing annual exposure of almost $15M in contact center fraud and decides to turn to Level 3 to help implement a cloud-based fraud detection solution that seamlessly integrates with their existing Level 3® Contact Center Services platform.

To gain buy-in from the C-suite, Level 3 applies the advanced fraud detection technology to previously recorded calls and flags agent conversations that need to be investigated further by the retailer’s internal security team. A blind test of Level 3’s solution on this previously collected call data accurately flags fraudulent calls consistent with known estimated losses and also alerts the retailer to previously unknown fraud attempts.

Based on these results, the retailer then decides to activate the easy-to-implement fraud detection technology on Level 3’s cloud-based platform and applies it to live contact center calls, which helps stop fraud in real time. As a result, fraud in the contact center begins to decline as the added layers of advanced security defenses allow the retailer to better detect and mitigate attacks.


With Level 3 Checking Your List, You Already Know the Answer

WILL YOUR HOLIDAY SHOPPING SEASON BE MERRY?

Today’s retail organizations are constantly under attack from sophisticated cyber criminals. As fraudsters find new methods to attack brick and mortar, eCommerce and contact center channels, you need comprehensive security that integrates across your retail network.

With the holiday season just around the corner, it’s important to remember that PCI compliance doesn’t equal comprehensive security. To stop threats and better safeguard your omnichannel environment, you need a holistic solution that couples global visibility with layers of advanced protection.

When you team up with us, you’re in good company. Level 3 helps secure your omnichannel retail operations with network- and cloud-based security to combat today’s evolving cyber threats. And we consistently meet the needs of top national and global retailers:

• 8 of the Top 10 World’s Most Valuable Brands [17]

• 8 of the Top 10 Top U.S. Retailers by Revenue [18]

• 8 of the Top 10 Fastest Growing U.S. Retailers [19]

• 8 of the Top 10 Most Popular Online Retailers [20]

For more information on how Level 3 can enable omnichannel retail, please visit our Retail Network Solutions page.

This holiday season and beyond, let Level 3 help build layers of security across your omnichannel environment.

98% of decision-makers recognize integrated platforms can deliver better security than point solutions. [14]

[16] A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015.

[17] Forbes, World’s Most Valuable Brands, May 2015

[18] NRF, The Favorite 50 2015, Sept. 2015

[19] NRF, Hot 100 Retailers 2015, Aug. 2015

[20] NRF, The Favorite 50 2015, Sept. 2015
