As we continue posting the key themes we expect to see at this year’s RSA Conference, it’s time to hit the source of all things FUD: recent retailer breaches. Security marketing is driven by catalysts that create urgency to buy products and services. There have been plenty so far this year, and we will hear all about them at the show.
It POSitively Sucks to be in Retail
Just when you were getting numb to all the angst around the NSA, Target got thoroughly owned via a busted web server accessed via third-party credentials that gave attackers access to all their POS systems and lots of other goodies on their internal networks. So clearly this year we will hear lots of rumblings about retailers and their inability to secure anything. At least brick and mortar retailers have great margins, no online competition, and limited attack surface, right?
At first we thought this kind of attack was the return of Gonzales and his band of merry wireless hackers. But actually that was an outside-in attack, where the attackers gained presence through stores and then moved into the data center. This is the opposite. They gained presence through the corporate network and then moved out to stores. Although the end result was the same: 70+ million credit cards and other personal information exposed.
Even better, these attackers waited until the holidays, when the card brands relax their fraud protections a bit, to start monetizing the cards. So they maximized their ability to steal stuff. Now that’s innovation, folks. I guess PCI 4.0 will have to specify that all ROCs go into hiatus from Black Friday to New Year’s Day.
But the points you will hear this year will be typical FUD-laden nonsense. “Buy this box and everything will be all right.” That focuses on the wrong issue. As we mentioned in a recent Firestarter, it’s not the compromise that’s disturbing – it’s the fact that they penetrated so deeply and exfiltrated so much information without being noticed.
And if your new shiny business plan involves building 10,000 stores and aggregating 100 million credit cards, maybe you should start working on a different idea or hire some security rock stars onto the founding team.