At the Frontline with Honeybaked Ham’s IT Systems/Security Manager Erik Goldoff

Goldoff discusses what keeps him up at night, plus working through convergence issues

ST&D: What are some of your recent security technology purchases, and why did you choose them?

We have installed the TopLayer IPS 5500 intrusion prevention device. We didn't have intrusion prevention or detection in place. The funding became available with the CISP, the cardholder information security program, which is now known as PCI. Part of the compliance plan stipulates an IDS. And an intrusion detection program is little more than something that tells you, "Hey, you just got bit." Well, it may also tell you all during the day, "You could have got bit, you could have got bit, you could have got bit." So there's an issue with false positives as well.

There's a couple of options available in the IDS world, some of which are open source, so very low cost, but you'd use them on general desktop OS or server type hardware. Depending on throughput capabilities, one of the concerns was not having a device that would cause our own denial of service. We didn't want to choke. Again, security could affect performance; that's an ongoing theme.

The device we use chugs along at about a 2-3% CPU utilization. We've never seen it go higher than 6%. And we actually have it in front of our firewall, so it's catching some of the things that were taxing our firewall in the past. The other benefit is on the outbound side: one of the additional capabilities of the IPS 5500 is a pseudo spyware blocker. So it may not prevent someone from downloading a spyware component from a malicious Web site, but most spyware components like that download the stub, then they activate and they try to talk to the mothership to get the malicious payload. The IPS 5500 maintains a table of known malicious motherships, so even if they get the stub of the spyware they don't get the payload.

ST&D: Are there other new security solutions you've implemented within the past year?

We've used a DSL VPN connection, so we have a certain secure connection from the retail store back to us. We also encrypt our data before it goes to the VPN. So there are firewalls in place at each DSL location. It's no longer just a software firewall, but there is a hardware firewall out there. We've noticed there are some malicious Web sites that will attempt to turn off firewall services for software firewalls, so we wanted to avoid that by a hardware firewall.

Also, we're pretty big into an anti-spam solution. And some of the spam also carries spyware with it, so it does add to the security. Over the last 12 months this spam solution has quarantined over 1.6 million messages as spam. So even beyond security there's a productivity issue there too.

We've gone through some other things along with the PCI/CISP compliance, including record-level encryption, data aging. So even though we get customer info out in a retail store, there's really no reason for it to stay there for a long time. So it might reach back to the data store here, which has got more protection than the retail store. So there's a minimal risk of exposure at the store for a smaller amount (of data). I'd hate for even one customer's information to be breached, but that would be more palatable than having 5,000 or 10,000, like has happened to other companies.

We were actually proactive on this. Several years ago we had wireless point of sale in place. And some of those wireless POS were using the old 900MHz, which really had very little security. And we took that out and replaced it with hardwired Ethernet. So that's part of the overall scheme. We pretty much don't use wireless anywhere within the enterprise at this moment.

ST&D: During big holiday seasons (Christmas, Easter, Thanksgiving) you might drive by a Honeybaked Ham store and see people lined up through the parking lot, with the cash register moved out to the sidewalk to allow more people in the shop. Is this a common practice for your stores, and what special security considerations go along with it?