Earlier this week, Texas-based beauty supply chain Sally Beauty revealed that it was investigating "unusual activity involving payment cards" at some of its locations. If a breach is confirmed, it would mark the second time in 14 months that the large cosmetics retailer has had customer data compromised.
The short gap between events is leading some security pros to speculate that this may be a case of a single breach that was never adequately remediated. It may be that the malware used in the March 2014 attack was sophisticated enough to persist despite thorough mitigation efforts. It is also possible that the attackers maintained an open and undetected backdoor into the Sally Beauty network after exfiltrating customer card information in the earlier event.
Whether this event is fresh or a continuation, it has provided the opportunity for a deeper dive into the earlier attack. Brian Krebs at Krebs on Security has posted an interview with a former Sally Beauty employee who revealed that the perpetrators of the 2014 attack used a fairly familiar method to gain access to Sally Beauty's network: poorly secured remote access. In this case, it appears that an employee's credentials were used to gain entry through a Citrix remote access portal. Once in, the attackers were able to map the network and discover user information and passwords that allowed them to enter the point-of-sale network and copy malware onto roughly 6,000 POS devices.
This latest attack on retail technology serves as a reminder of the need for a rigorous strategy for securing remote access. Solutions like Netop Remote Control ensure data integrity and give companies the ability to define user rights, manage user access, implement multi-factor authentication and document all activity. Without properly secured credentials and multi-factor authentication in place, retail and other enterprise networks remain exposed to the same kind of attack that hit Sally Beauty.
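To make the three controls above concrete (a per-user remote-access entitlement, mandatory multi-factor authentication, and an audit trail that is actually reviewed), here is an added example of a review script that runs over remote-access portal login records. It is not Netop's code and has nothing to do with Sally Beauty's actual environment: the log line format, the account names, the source addresses and the entitlement list are all constructed for the example.

```python
"""Review remote-access portal login records against a simple access policy.

Added example, not code from Netop or from the article. The log format below
(timestamp, user=, src=, mfa=, result=) is a constructed, hypothetical format;
real portals and gateways each have their own audit schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed entitlement list: the only accounts permitted to use the portal.
REMOTE_ACCESS_ALLOWED = {"jdoe", "asmith"}

# Constructed sample audit log. "posadmin" is not entitled to remote access,
# "asmith" logs in without a second factor, and "posadmin" succeeds only after
# three failures in a few minutes.
SAMPLE_LOG = """\
2014-02-20T03:12:44 user=jdoe src=203.0.113.5 mfa=yes result=success
2014-02-20T03:15:02 user=asmith src=198.51.100.7 mfa=no result=success
2014-02-20T03:20:10 user=posadmin src=198.51.100.9 mfa=no result=failure
2014-02-20T03:20:31 user=posadmin src=198.51.100.9 mfa=no result=failure
2014-02-20T03:21:05 user=posadmin src=198.51.100.9 mfa=no result=failure
2014-02-20T03:22:40 user=posadmin src=198.51.100.9 mfa=no result=success
"""


@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime
    user: str
    source_ip: str
    mfa_verified: bool
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the constructed format into a LoginEvent."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(
        timestamp=datetime.fromisoformat(ts),
        user=kv["user"],
        source_ip=kv["src"],
        mfa_verified=kv["mfa"] == "yes",
        success=kv["result"] == "success",
    )


def parse_log(text: str) -> List[LoginEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def check_policy(events: List[LoginEvent]) -> List[Tuple[str, str]]:
    """Flag successful logins that violate the entitlement or MFA rules."""
    findings = []
    for e in events:
        if not e.success:
            continue
        if e.user not in REMOTE_ACCESS_ALLOWED:
            findings.append((e.user, "not-entitled"))
        if not e.mfa_verified:
            findings.append((e.user, "no-mfa"))
    return findings


def check_guessing(events: List[LoginEvent], threshold: int = 3,
                   window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Flag a success preceded by >= threshold failures for the same account
    within the window: the classic signature of a guessed or stuffed password."""
    findings = []
    failures: Dict[str, List[datetime]] = {}
    for e in sorted(events, key=lambda x: x.timestamp):
        if not e.success:
            failures.setdefault(e.user, []).append(e.timestamp)
            continue
        recent = [t for t in failures.get(e.user, []) if e.timestamp - t <= window]
        if len(recent) >= threshold:
            findings.append((e.user, "success-after-repeated-failures"))
        failures[e.user] = []  # a success resets the failure run
    return findings


def audit_report(text: str) -> List[Tuple[str, str]]:
    """Combine both checks into a de-duplicated, sorted list of (user, finding)."""
    events = parse_log(text)
    return sorted(set(check_policy(events) + check_guessing(events)))


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

The point of the script is the review loop rather than any one rule: a portal that logs every session is only a control if someone (or something) reads the log, compares it against who is actually entitled to be there, and asks why a successful login had no second factor.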