These materials are © 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Point-of-Sale Security Bit9 + Carbon Black Edition
by Kevin Beaver and Christopher Strand
Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition

Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2015 by John Wiley & Sons, Inc.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Bit9, Carbon Black, and the Bit9 + Carbon Black logos are registered trademarks of Bit9, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact [email protected].

ISBN: 978-1-119-06306-3 (pbk); ISBN: 978-1-119-06300-1 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Editor: Carrie A. Johnson
Editorial Manager: Rev Mengle
Acquisitions Editor: Amy Fandrei
Business Development Representative: Sue Blessing
Production Coordinator: Melissa Cossell
Table of Contents

Introduction ... 1
    About This Book ... 1
    Icons Used in This Book ... 1

Chapter 1: Understanding Point-of-Sale Security Risks ... 3
    Understanding Why Cybercrime is a Big Deal ... 4
    Getting to Know the POS Attack Surface ... 5
        Industries impacted ... 5
        How businesses become targets ... 6
    Knowing What’s at Stake ... 7

Chapter 2: The State of Point-of-Sale Security ... 9
    The Current State of POS Security ... 9
    Common Types of Attacks ... 10
    End of Life and POS ... 11
    POS Security Costs ... 11
    Methods of Protecting POS Systems ... 13

Chapter 3: Advanced Threats against Point-of-Sale Systems ... 15
    Introducing Advanced Threats ... 15
    Understanding Attacker Motivations ... 17
    Executing Attacks in POS Environments ... 18

Chapter 4: Recognizing Current Limitations in Point-of-Sale Protection ... 21
    Antivirus Software Limitations ... 21
        Signature-based scanning ... 22
        Performance impact ... 22
    Host Intrusion Prevention ... 23
    Incident Response Services ... 24
        Limited data availability ... 25
        Limited scope ... 25
        Home-grown tools ... 26
        Expertise required ... 26
        Non-continuous approach ... 26
    Matching New Threats with New Capabilities ... 26
        Responding quickly ... 27
        Detecting potential threats automatically ... 28
        Stopping malware execution ... 28

Chapter 5: Solving the PCI Challenge for Point of Sale ... 29
    PCI DSS as a Measuring Stick ... 30
    PCI’s Shift toward Application Control ... 31
    Merging Compliance Policy with Security Controls ... 32
    Ensuring Ongoing PCI Compliance ... 32
    Mirroring the PCI Prioritized Approach ... 34

Chapter 6: Deploying Proactive Point-of-Sale Security ... 35
    Defining Your Requirements ... 35
    Understanding the Security Maturity Model ... 37
    Managing Smart Policies ... 38
    Integrating with other Security Products ... 40

Chapter 7: Ten Tips for Successful Point-of-Sale Security ... 41
Introduction
Welcome to Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition. This book outlines in plain English how to protect your point-of-sale (POS) systems and cardholder data from malware and other advanced threats. POS technology is being targeted by criminal hackers more and more. You don’t want to become yet another data breach victim.
About This Book

Whether you’re just getting started down the path of securing your organization’s POS systems or you’re already neck-deep in the quagmire of security and compliance, there’s a lot to learn and a lot to lose. This book highlights the “must have” knowledge and requirements necessary for keeping your POS in check. We help you understand the history of POS technology and advanced threats. We also share with you the limitations of existing security controls and what you can do to ensure you have the proper protection for minimizing your business risks and complying with the Payment Card Industry (PCI) requirements. If you’re an administrator, manager, auditor, or anyone otherwise in charge of managing or reviewing the compliance or information security of POS systems — this book is for you.
Icons Used in This Book

The following icons are used to indicate special content in this book:
This is information you’ll want to commit to memory.
This is information that digs in a little deeper into the details in case you’re interested.
This is information that helps provide advice to highlight or clarify a key concept.
Please pay attention when you see this icon! It provides cautionary information you won’t want to miss.
Chapter 1
Understanding Point-of-Sale Security Risks

In This Chapter
▶ Looking into cybercrime and its impact on business
▶ Understanding why point-of-sale systems are under attack
▶ Studying the areas of weakness and challenges to securing point-of-sale systems
Cybercrime is occurring at unprecedented levels. In terms of time, money, and the resources needed to respond to threats and minimize the risks, breaches are exacting a costly toll on victims. These stealthy costs often don’t appear as line items on financial statements for a number of reasons. First, the costs of security breaches are often indirect, resulting in wasted resources and missed opportunities. They’re difficult to quantify. Second, organizations are incentivized to downplay the effects of security breaches to avoid unwanted attention from the public and media, not to mention severe penalties from regulatory bodies. Third, many breaches go undetected altogether. You can’t secure — or respond to — the security weaknesses and incidents you don’t know about. In this chapter, we outline why cybercrime matters — especially as it relates to point-of-sale (POS) security. We also discuss why POS systems are under attack as well as the threats and vulnerabilities experienced in POS environments that are contributing to the security challenges.
Understanding Why Cybercrime is a Big Deal

Almost every organization has some “digital gold” that outsiders may want to exploit. This data may include intellectual property, sensitive personal information about customers and employees, confidential business plans, or financial information. However, businesses with POS systems are particularly at risk given the potential for financial gains on the part of the criminal hackers. The real value in POS systems is in their financial transactions — specifically the credit card numbers and other personally identifiable information (PII) they process and store. When POS systems are attacked, the price tag can be enormous. The costs associated with POS security incidents include detecting and responding to a breach, notifying victims, conducting post-response support, and lost business. There’s also another factor: fines from government agencies, namely the Federal Trade Commission, as well as penalties and increased scrutiny associated with regulatory bodies and standards, such as the Payment Card Industry Data Security Standard (PCI DSS).
A security breach of your POS environment isn’t all about you and how your organization handles things internally. Often, many outside parties get involved in the initial investigations as well as any ensuing sanctions and ongoing audits that will likely be required. Clearly, data breaches involving POS systems are financially burdensome on the organizations experiencing them. In addition to these financial losses, organizations also suffer from lost time. Depending on the type of incident they experience, organizations may lose days, weeks, or even months of time to incident response activities. These losses are exactly what businesses operating in the retail industry don’t need, especially during heavy shopping periods such as the holiday season. Other businesses operating in different industries can be negatively impacted as well, especially if they lose the capability to accept credit cards.
Getting to Know the POS Attack Surface

At its core, cybercrime is a numbers game. More businesses, networked computer systems, and security vulnerabilities lead to greater chance of attacks. Throwing POS network complexity, lack of visibility, and even politics into the mix breeds the ultimate playground for criminal hackers, rogue employees, and the like to carry out their attacks for ill-gotten gains.
POS systems are in the crosshairs for the same reasons that certain operating systems and applications always seem to be targeted by hackers — they’re in widespread use, and the weaknesses are fairly well-known. According to World Bank estimates, there are more than 34 million POS devices globally, nearly 10 million of which are in the United States alone. These numbers aren’t staggering considering the total number of computers around the world; however, POS systems are large targets and provide a great opportunity for bad things to happen nonetheless!
Industries impacted

When you think of POS systems and their related security risks, retail probably comes to mind. Given their recognition and visibility, it’s no surprise that retailers find themselves the frequent targets of adversaries. Most retailers have relatively small IT and security staffs and find themselves struggling to apply those resources to both meet business requirements for 24/7 availability and simultaneously provide the level of security needed to protect sensitive credit card information flowing through their networks. Maintaining security and compliance can be difficult tasks in retail, as well. POS security risks don’t just impact traditional retail businesses. Numerous industries utilize POS systems in some capacity. If your organization transacts business in or around the following industries, it’s likely affected by POS risks.
✓ Casinos and gaming: Given the need for a paper trail, a large number of gambling and gaming transactions take place via credit cards.
✓ Entertainment venues: Sports arenas, theaters, civic centers and the like are responsible for an enormous amount of credit card transactions each year.
✓ Healthcare: With an increasing population becoming dependent on the healthcare system, more and more transactions (doctor copays and related fees) are taking place via credit cards.
✓ Transportation: Airlines, bus and subway systems, and related transportation services do much of their business via credit cards.

As society shifts away from cash and checks for payments, countless other industries are relying more and more on POS systems for their daily operations.
How businesses become targets

In the modern era of business, computers are found in the darnedest places. From the reception area to the back office to the manufacturing floor, it’s not unusual to find POS systems scattered about like any other networked computer. In fact, most POS systems are merely embedded personal computers running specialized software and, quite often, outdated versions of the Windows operating system. Given the pervasiveness of POS systems in any given business, they’re routinely targeted just like any other host on the network. Once criminal hackers are able to get in and confirm the presence of POS systems, they can become the target where all the malicious efforts are focused. After attackers target an organization, they have many potential avenues of infiltration. While servers are likely targets, even the lowliest endpoint’s sensitive information may be targeted or the endpoint itself may provide an actor with a toehold on the organization’s network that may be further exploited. Endpoints can then be used as entry points to get to other targets, such as servers, which are more likely to contain larger volumes of sensitive information. Specific vulnerabilities that are often present and subsequently exploited on POS systems — and any others in the attack chain — include
✓ Default, blank, or otherwise weak passwords that allow direct system access
✓ Missing operating system and application patches that can be exploited for remote, and often undetectable, administrator-level, command-prompt access
✓ Absence of malware protection to analyze, block, and report threats in real time
✓ Minimal visibility into the overall network that helps ensure IT and security staff are kept in the dark
Because of these common weaknesses, businesses are often unable to adequately protect POS systems against advanced threats. Just as bad, IT and security staff often don’t find out about breaches until after the damage has been done.
Attackers don’t care how they get in. Be it a server, a workstation, or a mobile device, if a system is accessible — physically in person or logically over the network — it represents an entry point into your POS environment. Once attackers are able to infiltrate the network, the risks to your POS systems and credit card information are front and center — all bets are off.
Knowing What’s at Stake

Advanced attacks against POS systems are not only sophisticated, but also they’re likely to go undetected — especially if security controls such as traditional anti-virus software are being relied upon. Time is money. The longer the attackers are able to control a POS environment the more damage that’s done. Having a well thought out security program that addresses the unique needs of your POS environment is critical to minimizing your business risks. Every detail from your security policies, your technical controls that help enforce your policies, and the unique procedures and response plans required by your business must be addressed on an ongoing basis. When developing a security program, there are many costs you must consider. In addition to the direct costs of security controls that you want to purchase, also plan for the costs of incident response. Investing in incident response pays dividends by lowering the cost of security breaches. Each time you respond to a security incident, you expend time and money investigating the compromise, notifying customers, and dealing with the aftermath. While the aftereffects of a customer data breach are worrisome in their own right, you must also grapple with how the breach will affect ongoing compliance with key Payment Card Industry Data Security Standard (PCI DSS) requirements. Non-compliance can result in steep penalties as well as significant damage to your organization’s brand. Not only is it critical to have the proper systems and processes in place, but also it’s equally important to have the right people managing it all in concert. All it takes is one piece of the POS security puzzle such as an inattentive help desk, a disconnected compliance manager, or network security operations team without the proper tools to miss the big one — the POS security breach that brings your business to its knees. Even when internal audit staff and external auditors are looking in the right areas with the right tools and audit procedures, something unnoticed, or seemingly benign, can turn into a real security and compliance problem.
It’s one thing to build out your POS security program but quite another to manage it well every day. Make sure every piece is getting the attention it deserves. But most importantly, don’t just do it for the sake of compliance — do it with the longer-term goal of minimizing information risks.
Chapter 2
The State of Point-of-Sale Security

In This Chapter
▶ Looking at the current state of security in point-of-sale environments
▶ Understanding the common types of attacks
▶ Considering the security costs
▶ Protecting point-of-sale systems
Point-of-sale (POS) systems are under attack around the world. The United States alone has seen numerous high-profile breaches of POS security at large retailers. It appears that there’s no end in sight for these types of attacks. In this chapter, we discuss the impact of advanced security threats on POS systems and outline some specific attacks. We also cover the costs associated with POS security along with specific solutions for making POS environments resilient and secure.
The Current State of POS Security

POS systems include a range of hardware devices, such as card readers, scales, scanners, and registers, as well as the software needed to support them. Increasingly sophisticated POS systems are linked to inventory management, ordering, and customer relationship management applications. POS systems make it possible for retailers to conduct transactions — often with credit cards — quickly and easily, providing a smooth and enjoyable customer experience.
The mere acceptance of credit card payments is the most notable security concern related to POS systems, as hackers motivated by financial gains attack retailers and other businesses in pursuit of credit card numbers and other personally identifiable information (PII).
Given the threats combined with what there is to lose, your POS systems should be a top security priority. The numbers don’t lie. According to the 2014 Verizon Data Breach Investigations Report, in 2013 POS intrusions were the most common incident type at food, beverage, and hospitality providers (75 percent) and at retailers (31 percent). Also, 74 percent of attacks against accommodation, food services, and retail companies from 2011-2013 targeted credit card information.
Common Types of Attacks

POS systems run on a range of operating systems, such as Windows Embedded, Windows XP, and newer versions such as Windows 7. They also run on Linux and UNIX. These systems are vulnerable to a range of attack types that could result in data breaches.
RAM-scraping malware is the greatest threat. This malware, which first appeared in 2008, has been behind the recent major retail breaches. It uses debugging software on POS systems to extract magnetic stripe data directly out of the computer’s memory. The code behind this type of attack has morphed over the years, including the addition of bot functionality and stealth capabilities to avoid detection, but at its heart remains the same. Other common types of POS system security breaches include
✓ Tampering with personal identification number (PIN) entry devices, where a bug is planted in the device to capture PINs and credit card numbers, or where the entire device is replaced with a substitute
✓ Installing electronic skimmers at a remote POS device, such as a gas station pump, to collect credit card data
✓ Identifying open network ports in the POS system — used for maintenance by the system vendor — and installing software, such as a keylogger, to capture login credentials, credit card data, or other sensitive information
✓ Installing malware directly onto the system via a USB drive
End of Life and POS

When the operating system on a POS device is no longer supported by the vendor (for example, Microsoft), it creates significant challenges to keeping the POS secure and compliant. Windows XP-based POS systems are some of the most widely implemented in the world, and when Windows XP’s end of life occurred in April 2014, all POS systems that relied on it were exposed to significant vulnerabilities.
Unsupported operating systems such as Windows XP aren’t only vulnerable to attack, but also they can compromise your organization’s compliance with PCI DSS. Windows Server 2003’s end of life (July 2015) also represents a significant security risk, much like Windows XP, with a significant number of businesses relying on it to run critical applications. Windows Server 2003 creates an issue that’s directly tied to the security of POS systems because many such systems rely on server processing and storage to process transactions. If the server system is damaged or the integrity is broken, the entire system’s security and compliance could be compromised.
POS Security Costs

An organization’s ongoing security posture, its ability to keep its POS systems in a compliant state, and the controls used to measure both certainly influence the cost of maintaining its POS environment. However, the security costs associated with protecting POS systems are insignificant compared to the costs associated with a breach of credit card data or PII. Costs related to POS system compromise include the following:
✓ Board-level and legal costs: The fallout from a security incident on POS systems should be a key concern for directors and legal counsel and can have negative effects on the board.
✓ Executive office costs: Indirect costs, including firings and forced resignations, can be felt at the executive level. These costs have been associated with high-profile credit card breaches.
✓ Stock price: A security incident can have a direct impact on the stock price of publicly-held companies through distrust and an ultimate decline in shareholder value.
✓ Reputation and brand damage: Customers will move to what they perceive as safer businesses in the event of a highly-publicized incident.
✓ Legal costs and penalties: The investigation, reporting, and litigation costs associated with a security incident can be huge.
✓ Compliance and regulatory costs: Aside from fines, after a security incident, there’s often mandatory increased focus and scrutiny placed on the business by the regulators as it pertains to security auditing.

Figure 2-1 shows the impact a security breach can have on your business.

Figure 2-1: The impact a POS-related data breach can have on your organization.
You need to consider all costs related to security breaches when budgeting and planning for the security solutions of your POS systems. A positive result of this analysis is that you can use the information to help build the case for a best-of-breed solution that solves your POS security challenges once and for all.
The return on your POS security investment may be difficult to quantify, but it’s real. Consider the reduced risk and the avoidance of costs associated with data breaches such as penalties, lost revenues, reputational damage, legal fees, and more. Given that recent breaches have cost retailers tens of millions of dollars, properly securing your POS systems is clearly worth the investment.
Methods of Protecting POS Systems

Businesses relying on POS systems can defend them against RAM-scraping malware, Trojan horses, and other types of attacks using a number of tools and techniques including
✓ Secure card readers/point-to-point encryption (P2PE): Data is encrypted at the point of swipe, and the encryption is maintained as the data is transmitted to the payment processor.
✓ Application whitelisting: Only approved applications are allowed to run on POS devices, making it impossible for malware to execute even if it’s introduced to the environment.
✓ Firewalls: A security perimeter is built around networks and endpoints.
✓ Breach detection systems: Security teams are alerted when a breach is detected, based on a complex analysis (not to be confused with intrusion detection systems, which typically rely on signatures to detect illicit activity).
✓ Disabled remote access: Connectivity by POS vendors and other parties is disallowed.
✓ Updated and patched POS software: Vulnerabilities found in earlier versions of the software are avoided.
✓ Mitigating controls for operating systems beyond end-of-life (for example, Windows XP): Counter the impact of unpatched systems.
✓ Restricted POS systems’ Internet access: Malware from sources such as illicit websites and email applications is prevented.
✓ File integrity monitoring: System administrators are notified when system components are changed.
✓ Anti-virus software: “Nuisance” malware with known signatures is blocked.
✓ Vulnerability scanner: Potential vulnerabilities introduced to the network and applications are identified for research and remediation.
✓ DLP software: Confidential data is detected, monitored, and protected in a variety of ways, depending on whether it’s in use (endpoint), in motion (network), or at rest (storage).
✓ Physical access policies: Access to POS terminals is restricted to authorized personnel only.
✓ Routine cardholder data deletion: Stored data is routinely removed from the POS device.
A closer look at application whitelisting

Application whitelisting refers to a highly effective method of stopping malware-based attacks that works by allowing only trusted software to execute in the computing environment. Like a bouncer at a party, you determine the software allowed to execute in your environment and the whitelisting tool stops everything else from running. A whitelist, in its simplest form, is a list of applications allowed to run in an environment. As a program attempts to execute, the whitelisting tool compares it to the approved list — typically looking at hash values to ensure authenticity — and either permits the application to run or blocks it from executing. Because of the administrative overhead associated with maintaining a whitelist, leading products have adopted policy-driven approaches to application whitelisting where dynamic policies are used to identify and simplify the management of trusted software. Common policy techniques include the use of cloud-delivered trust ratings, internal trusted software directories, and the use of trusted publishers. This approach allows all software published and signed by a trusted author to be automatically added to the whitelist.
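The hash comparison and trusted-publisher policy this sidebar describes, as an added Python example that is not code from the book or from any Bit9 + Carbon Black product. File names, publisher names and the binaries' bytes are constructed, and the signature-validity flag stands in for an upstream code-signing check that this example does not perform.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample binaries standing in for files on a POS terminal.
POS_APP = b"MZ\x90\x00 pos-register v4.2 (constructed sample)"
POS_APP_TAMPERED = POS_APP + b"\x00 injected bytes (constructed sample)"
UNKNOWN_TOOL = b"MZ\x90\x00 vendor-update-tool (constructed sample)"


def sha256_hex(data: bytes) -> str:
    """The hash value that identifies a program on the allowlist."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    """Static hash allowlist plus the trusted-publisher rule the sidebar names."""
    allowed_hashes: set[str] = field(default_factory=set)
    trusted_publishers: set[str] = field(default_factory=set)
    events: list[str] = field(default_factory=list)  # audit trail of every decision


@dataclass
class Binary:
    """What the whitelisting agent sees at execution time.

    `publisher` and `signature_valid` are assumed outputs of an upstream
    code-signing verification; this example does not verify real signatures.
    """
    name: str
    contents: bytes
    publisher: str | None = None
    signature_valid: bool = False


def evaluate(policy: Policy, binary: Binary) -> tuple[str, str]:
    """Decide ALLOW or BLOCK for one execution attempt and return the reason."""
    digest = sha256_hex(binary.contents)

    if digest in policy.allowed_hashes:
        decision, reason = "ALLOW", "hash on approved list"
    elif binary.signature_valid and binary.publisher in policy.trusted_publishers:
        # Trusted-publisher rule: a validly signed binary from an approved
        # publisher runs, and its hash is learned so the next run takes the
        # fast path above.
        policy.allowed_hashes.add(digest)
        decision, reason = "ALLOW", f"signed by trusted publisher {binary.publisher}"
    else:
        # Default deny covers unknown hashes, unsigned files, tampered copies of
        # approved programs (hash changed, signature no longer valid) and
        # publishers the policy does not trust.
        decision, reason = "BLOCK", "not approved by hash or publisher"

    policy.events.append(f"{decision} {binary.name} sha256={digest[:16]} ({reason})")
    return decision, reason


def demo() -> list[str]:
    """Run four constructed execution attempts and return the decisions in order."""
    vendor = "Example POS Vendor (constructed)"
    policy = Policy(allowed_hashes={sha256_hex(POS_APP)}, trusted_publishers={vendor})
    attempts = [
        Binary("register.exe", POS_APP),  # approved build: hash match
        Binary("register.exe", POS_APP_TAMPERED,  # same name, modified bytes,
               publisher=vendor, signature_valid=False),  # signature broken
        Binary("update.exe", UNKNOWN_TOOL,  # new build not yet on the list,
               publisher=vendor, signature_valid=True),  # validly signed
        Binary("tool.exe", b"unsigned unknown binary (constructed)"),
    ]
    return [evaluate(policy, attempt)[0] for attempt in attempts]


if __name__ == "__main__":
    print(demo())
```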
Chapter 3
Advanced Threats against Point-of-Sale Systems
In This Chapter
▶ Getting to know advanced threats
▶ Understanding attacker motivations
▶ Looking at the various stages of attacks against POS systems
Today more than ever, cybercriminals are targeting your point-of-sale (POS) systems using a new breed of advanced threats in order to steal and exploit your customers’ personal and financial information. Retailers understand these security challenges, but many remain unable to adequately protect these systems due to a continued reliance on legacy antivirus solutions, which we discuss in more detail in Chapter 4.
Introducing Advanced Threats
Advanced threats are organized, well-resourced, and determined to achieve the objectives set out by their leadership. Unlike the script kiddie or casual hacker of decades past, the advanced threat — often a government or organized crime-funded entity — is a formidable adversary seeking out a specific target for exploitation.
You can implement what might be considered solid security controls, but your POS systems still won’t be impervious to advanced threats using zero-day malware. If they want in badly enough, they’ll do what it takes to find a way to penetrate your network.
As an IT or security professional, you should have a strong knowledge of the characteristics of advanced threats. By understanding the motivations, tools, and objectives of your adversary, you can better prepare your defense-in-depth approach to securing your organization’s digital gold — namely the sensitive information involved with credit card transactions on your POS systems. The defining characteristics of the advanced threat include
✓ Range of technical tools: Advanced threats make use of a wide variety of technical tools. Instead of having a single piece of malware, the advanced threat often develops its own exploits. The code used by advanced attackers often makes use of otherwise undisclosed zero-day attacks for which the target (for example, POS systems) may have no defense.
✓ Tactical sophistication: Advanced threats have experience on their side. Often well-funded, they have had time to develop a playbook for breaking into organizations. Out of their expansive toolset they use the least sophisticated assets necessary to achieve success and still have the ability to adjust to the victim’s defensive posture.
✓ Integration with human threats: Advanced threats don’t limit their domain to technically sophisticated exploits. They understand and integrate the use of social threats as well, often leveraging phishing, social engineering, and traditional intelligence-gathering activities to amplify the effectiveness of their technical tools. The key here is that it’s a human on the other end, one who can make tactical decisions, be creative in the face of a roadblock, and so on. Given the complexity of POS environments, the level of risk is increased.
✓ Targeted at specific objectives: The targets of advanced threats are carefully determined and align with the objectives of their sponsors. They aren’t opportunistic but, instead, seek out the systems or individuals that are very likely to contribute to their objectives. Advanced threats conduct targeting analysis and understand their adversary before engaging in an attack.
When most people think about the objectives of advanced threats, they naturally think about the military and political objectives of nations and think that they don’t have resources that fit these objectives. Remember, however, that organized crime and political activists are also advanced threat sponsors. Simply having a public-facing website can make you a legitimate target. If you have POS systems, the criminal payoff and ensuing risks can be even greater.
✓ Well-resourced: Governments, organized crime, terrorist groups, and other well-funded organizations are behind advanced threats. The sponsors of these groups provide them with financial means, technical talent, and intelligence-gathering capabilities that enable their success.
✓ High degree of organization: Advanced threats operate more like military units than hacking clubs. They have well-defined leadership structures and operate very efficiently. They’re organized around their mission.
The advanced threat is unlike any risk faced by previous generations of IT and security professionals. Organizations, individuals, and POS systems targeted by advanced threats are at the receiving end of a formidable attack, and you must organize your defenses accordingly.
Understanding Attacker Motivations
Many different types of advanced threat actors exist, and each one has different motivations. The common driving forces behind advanced attacks include the following:
✓ Cybercrime: Many advanced attackers simply seek financial gain. They seek to steal money, obtain information, or hijack computing resources in an attempt to achieve a windfall.
✓ Hacktivism: Other advanced attackers seek to use their hacking skills to advance a political agenda. They typically engage in denial of service attacks and website defacements designed to embarrass or disrupt their target.
✓ Cyberespionage: Attackers in this category seek to steal information to gain a political, economic, or military advantage, which can often be funded and directed by nation-state governments.
✓ Malicious insiders: Advanced attackers aren’t necessarily limited to outsiders. For example, consider a disgruntled employee looking to steal information and sell it to a competitor or perform some type of sabotage.
The types of attackers targeting a specific organization depend on that organization’s mission and its global reputation.
Executing Attacks in POS Environments
Advanced attacks can be carried out against POS systems in numerous ways. Given the network, application, and other corporate complexities involved in POS environments, the potential attack vectors are virtually endless. However, all attacks do have some common themes, shown in Figure 3-1, that you need to be aware of.
Figure 3-1: How cybercriminals launch advanced attacks against POS systems.
These themes include the following:
✓ Vulnerability: Advanced malware attacks often start with something as basic as weak passwords, missing software patches, and the general gullible tendencies of users.
✓ Method: Advanced malware injects itself into memory, collects desired information (for example, credit card track data), exfiltrates the data to another system, and uses a command and control (C&C) system for further actions as needed.
✓ Involvement of additional systems: In most cases, the captured data is exfiltrated from the POS system to another system within the targeted environment for aggregation and then uploaded to a remote system, which reduces the chances of detection.
✓ Opportunistic: POS malware families are very targeted and opportunistic and in many cases aren’t detectable with traditional antivirus detection. Advanced malware families continue to evolve as evasion techniques improve with several versions of each family in existence. This evolution helps to explain the continued difficulties in detecting and preventing this malware using traditional security controls.
The latest POS malware to make the news is being referred to as Backoff. Backoff is a family of retail-focused malware that has been witnessed recently in multiple forensic investigations, including those in the high-profile retail breaches. The malware typically consists of RAM scraping, keylogging, command and control, and process injection. A Backoff malware attack is what is often referred to as a stage-two attack. In this context, this means that Backoff is leveraged after attackers force their way in through remote desktop applications — typically via a weak Windows operating system password. After the attackers have accessed the remote desktop, they begin reconnaissance for any POS devices and attempt to install Backoff or similar POS malware on those systems. Even though attackers can take control of every other application in the attack chain, your POS system can be made safe and malware-free by putting the proper security controls in place such as the positive security model technologies that Bit9 + Carbon Black offers.
Can Chip & PIN prevent advanced attacks?
One of the security controls being suggested as a solution to the POS security problem is EMV, or Chip & PIN, technology. EMV, which stands for Europay, MasterCard, and VISA, is a decades-old global standard for integrated circuit cards with embedded microprocessor chips that store and protect cardholder data contained within a metallic square on the card. EMV Chip & PIN has yet to be adopted in the United States, although that is expected to change in 2015. EMV technology helps protect the card data that’s collected by POS systems, which will be locked up tight, deterring criminals from attempting to use physical card readers and skimmers. However, it’s not a silver bullet in the effort to protect sensitive data from compromise and to solve the POS problem completely. Other areas within the typical payment systems expose both card and customer data. Many of the well-publicized large-scale POS system breaches targeted the software that was responsible for processing the credit card transactions as well as collecting customer information such as user IDs and personally-identifiable information. Many organizations still house a treasure trove of this information on their back-end processing systems and servers that will still be prime targets. This information can even end up in log files, data backups, and on poorly-secured workstations and other endpoints, creating unnecessary risks. Criminals may also turn to other techniques to use the technology shift to their advantage, such as the recent surge of “replay” attacks. In these attacks, criminal hackers were using recently stolen credit card information to spoof transactions on the credit card networks as chip-enabled transactions. Even in the European marketplace, where Chip & PIN has been in place for years, the tone regarding POS security is no different. The threat of data compromise on POS systems and the risk to sensitive data is taken just as seriously. Having additional locks on the door (like EMV/Chip & PIN) is a great addition to your arsenal of protection, but you also need to make sure you have a real-time perspective on your systems. You need to take control of the data where it’s processed and resides, but you also need the ability to take proactive measures in the event a security breach happens in your POS environment.
Chapter 4
Recognizing Current Limitations in Point-of-Sale Protection
In This Chapter
▶ Understanding the limitations of traditional antivirus
▶ Looking at the considerations for host intrusion prevention
▶ Responding to threats quickly to stop malware outbreaks
The major retail security breaches have brought the traditional point-of-sale (POS) security model into the spotlight. Simply put — it doesn’t work. Criminal hackers have the upper hand with their advanced malware attacks. Many of the existing antivirus controls are ineffective at best. Incident response times are getting longer — the very scenario you don’t need when your POS systems come under attack. In this chapter, we discuss the limitations of current POS security controls, outline how to match the new threats with new security capabilities, and show you how you can respond to advanced malware attacks more efficiently to produce the results you desire and to minimize the security risks in your POS environment.
Antivirus Software Limitations
Antivirus software, first introduced in the mid-1980s, is used to detect, prevent, and remove malicious software (malware) such as viruses, worms, spyware, and Trojan horses. This traditional security control — still in widespread use today — was pretty good at detecting and blocking known malware. Antivirus software simply matched questionable threats to a signature database of known malware and — voila! — the threats were blocked. The problem with a signature-based approach is that it doesn’t provide an effective defense against advanced malware where the threats are unknown and often targeted to specific types of computers and applications such as those in POS environments.
Heavy dependence on POS systems combined with advanced malware that can evade traditional antivirus controls creates the perfect storm for network compromise.
Signature-based scanning
Antivirus software’s major weakness is that it depends on signature-based scanning. Because antivirus software relies on identifying signatures in the files it scans, it is not an effective tool when confronted with unknown malware. If the antivirus software doesn’t yet have a signature for a file that’s found its way onto the system, that malware won’t be detected and will be able to run freely.
In light of the rapidly-morphing malware landscape, keeping blacklist signature databases updated has become unsustainable for traditional antivirus software providers. In a POS environment, antivirus software scans the systems for the presence of these malware signatures. Any file suspected to contain malware may be deleted, quarantined, or repaired to prevent system infection. The issue with this approach is that advanced attackers often leverage zero-day attacks for which there’s no signature available. Attacks that are previously unknown to the security community will be able to slip right past a signature-based detection system. Additionally, malware authors can make very minor changes to their code that prevents it from matching existing signatures, rendering it undetectable by signature engines.
Performance impact
Antivirus software must analyze each and every bit stored on a system’s storage devices and in its memory, looking for the presence of malware signatures. Given how quickly signature databases are growing, this scanning is resource-intensive, requiring the use of disk bandwidth, memory, and CPU capacity. When a malware scan runs on a system, the scanning software may have a noticeable performance impact on user activity — an undesirable side effect on POS systems. Specifically, scanners must check every file on the system, not just those that are likely to be threats. The scanner must check the entire contents of each file, looking for signs of malware. In a retail setting, store system administrators can schedule scans during idle periods, but that leaves large chunks of time when no scanning is taking place. If scheduled scans occur during operating hours, they could result in unacceptable disruptions to customer service. When users experience these issues, they’re more likely to attempt to disable or circumvent the security control that’s interfering with their work.
Point-in-time scanning can be bad for business. Due to the performance impact of antivirus software conducting full system scans, these scans are usually scheduled to occur daily or weekly. These scans are often during evening hours when the scans won’t impact normal user activity due to CPU, hard drive, and memory utilization. Even with POS systems running with the most advanced processors, solid state drives, and more memory than you can shake a stick at, system performance is still impacted by full antivirus scans. Not only are performance issues detrimental to POS transactions, but also such point-in-time scanning provides a threat window where malware can run uninhibited between scans.
Host Intrusion Prevention
Certain IT administrators and security managers rely on host intrusion prevention systems to supplement the protection provided by antivirus software. These packages, also known as behavioral host intrusion prevention systems (BHIPS), monitor activity on a system for malicious actions on the part of executable files. Unlike antivirus software, BHIPS don’t rely on a database of known malicious software. Instead they monitor POS systems over time, develop a model of normal activity and then flag deviations from normal behavior for administrator review.
In theory, BHIPS are the ideal supplement to antivirus software in POS environments because they have the potential to detect — and block — advanced threats in real time. However, in practice these systems require an excessive investment of time and effort to fine-tune and maintain. They also have very high false-positive rates, triggering alerts on non-malicious activity. The combination of these two limitations often results in administrators and users disabling BHIPS capabilities because of the time spent maintaining them and responding to false alarms.
The last thing you need in your POS environment is a security control such as BHIPS creating false alarms and blocking legitimate business transactions. Furthermore, the information provided by BHIPS is often too shallow for useful analysis. It doesn’t tell where unknown executable files were spawned and often doesn’t provide historical data that facilitates the time-based analysis required by security analysts. The model used by behavioral systems is also not capable of incorporating external information containing the latest threat intelligence. Furthermore, standalone host-based systems can’t assess network effects or correlate multiple reports received from systems across the POS environment.
Incident Response Services
When organizations find that they’ve fallen victim to a sophisticated cyberattack, they often retain the services of a firm that specializes in security incident response. These firms bring together teams of experts in a variety of security disciplines to quickly assess the incident, contain the damage, and restore the organization to secure working order as quickly as possible. While these services are often invaluable when responding to a security incident, they’re also quite expensive and available only for a limited duration of time. After the incident is resolved, the expert team leaves, and maintaining system security is once again incumbent on the organization’s IT and security staff. You need to be careful in your approach to malware attacks and not rely completely on these response services.
Limited data availability
Information systems generate massive amounts of data and are capable of logging extremely detailed records about their activity. These logs often contain critical information necessary to reconstruct the events that took place during a security incident. Responders depend on the availability of a detailed audit trail to identify how an intruder gained access to a network, the scope of their activities, and the data that they may have stolen.
You know your network environment better than anyone else. When a breach impacts your POS systems, you can’t just hand over the reins to a third party. You need to be prepared to be intimately involved in the response process: to ask questions of the incident response team, to answer their questions, and to ensure everything is being addressed in the best interests of your organization. One of the major limitations of incident response services is that it’s more than just collecting data — it’s about collecting the right data and having a suite of tools available that allows you to understand it in context. When an incident occurs, the response is hampered by the lack of visibility into system events that took place while the attack was under way. Responders want to be able to quickly understand the relationships between systems and trace the spread of malicious files within the enterprise. Without purpose-specific tools in place before a breach, gathering all the data necessary for an effective incident response could take weeks or months.
Limited scope
When an incident response team arrives at an organization, they have a clearly defined scope of services. This is normally limited to identifying the circumstances surrounding a particular security incident and remediating the vulnerabilities that contributed to that incident. Incident response teams often use sophisticated forensics analysis and response tools that are licensed to the incident response firm. They don’t leave these tools behind for you to use on an ongoing basis. In cases where the tools are open source or the organization opts to purchase a license, the incident response firm wouldn’t normally integrate them into your normal IT and security operations.
Home-grown tools
Many companies, and even some incident response firms, rely on the use of custom-developed tools that have been handed down through the ranks of incident responders. While they may be effective, they’re the IT equivalent of duct tape and chicken wire. There’s rarely any documentation or knowledge transfer on how to use such tools outside of one or two people.
Expertise required
Incident response is a specialty skill and experienced professionals are highly sought after and very well compensated. Only the largest organizations are able to maintain a full-time incident response staff, making it difficult to maintain incident response tools on an ongoing basis.
Non-continuous approach
Traditional incident response activities are targeted at a very specific activity instead of designing the type of continuous monitoring program that’s essential to maintaining security in the age of advanced attacks. The alternative — and the only proven approach — is to implement a solution that allows for real-time continuous recording of POS systems activity.
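As an added example (not Bit9 + Carbon Black code) of what a continuous record of endpoint activity lets a responder answer, the Python below rebuilds process lineage from constructed endpoint events (process start, file write, network connect) and reports, for any given file hash, which process chain spawned it, which process wrote it to disk, and what it did afterwards: the questions the text says BHIPS cannot answer and responders need answered quickly. The event schema, paths, process IDs, hash strings and the 203.0.113.10 address are all constructed.

```python
"""Process lineage from continuously recorded endpoint events (added example).

Each event is a dict with a timestamp and a type; the schema is assumed for
this example and is not any product's format. Process IDs, image paths and
the short "sha256" strings are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed event stream: an RDP session host spawns a shell, the shell
# drops and runs an unknown executable, which then beacons out. Unrelated
# POS application activity is included to show it stays out of the trace.
EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "a1"},
    {"ts": 2, "type": "process_start", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe", "sha256": "b2"},
    {"ts": 3, "type": "file_write", "pid": 200, "path": r"C:\Users\Public\svc.exe"},
    {"ts": 4, "type": "process_start", "pid": 300, "ppid": 200,
     "image": r"C:\Users\Public\svc.exe", "sha256": "c3"},
    {"ts": 5, "type": "net_connect", "pid": 300, "dst": "203.0.113.10:443"},
    {"ts": 6, "type": "file_write", "pid": 300, "path": r"C:\Users\Public\dump.dat"},
    {"ts": 7, "type": "process_start", "pid": 400, "ppid": 1,
     "image": r"C:\POS\posapp.exe", "sha256": "d4"},
]


def index_processes(events: List[dict]) -> Tuple[Dict[int, dict], Dict[int, List[int]]]:
    """Map pid -> its process_start record, and ppid -> list of child pids."""
    procs: Dict[int, dict] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
    return procs, children


def ancestry(pid: int, procs: Dict[int, dict]) -> List[str]:
    """Root-first chain of image paths that led to pid (stops at an unrecorded parent)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    chain.reverse()
    return chain


def descendants(pid: int, children: Dict[int, List[int]]) -> List[int]:
    """All pids transitively spawned by pid."""
    out, stack = [], [pid]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child)
    return out


def activity(pid: int, events: List[dict], children: Dict[int, List[int]]) -> List[tuple]:
    """What pid and its descendants did: spawns, file writes and network connections, in time order."""
    scope = {pid, *descendants(pid, children)}
    acts = []
    for ev in events:
        if ev["type"] == "process_start" and ev["ppid"] in scope:
            acts.append((ev["ts"], "spawn", ev["image"]))
        elif ev["type"] == "file_write" and ev["pid"] in scope:
            acts.append((ev["ts"], "file_write", ev["path"]))
        elif ev["type"] == "net_connect" and ev["pid"] in scope:
            acts.append((ev["ts"], "net_connect", ev["dst"]))
    return sorted(acts)


def trace_hash(sha256: str, events: List[dict]) -> List[dict]:
    """For every execution of the given hash: its lineage, who wrote the file, and its activity."""
    procs, children = index_processes(events)
    findings = []
    for pid, rec in procs.items():
        if rec["sha256"] != sha256:
            continue
        # Which recorded process wrote the image to disk before it ran?
        writers = [ev["pid"] for ev in events
                   if ev["type"] == "file_write"
                   and ev["path"] == rec["image"] and ev["ts"] < rec["ts"]]
        findings.append({
            "pid": pid,
            "image": rec["image"],
            "ancestry": ancestry(pid, procs),
            "written_by": [procs[w]["image"] for w in writers if w in procs],
            "activity": activity(pid, events, children),
        })
    return findings


if __name__ == "__main__":
    for finding in trace_hash("c3", EVENTS):
        print("spawned via:", " -> ".join(finding["ancestry"]))
        print("written by: ", finding["written_by"])
        for ts, kind, detail in finding["activity"]:
            print("  t=%d %-11s %s" % (ts, kind, detail))
```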
Matching New Threats with New Capabilities
Organizations seeking to maintain secure POS operations in this risk-laden environment must maintain a set of security controls designed to meet today’s threats instead of those that were deemed adequate in years past. A new way of thinking is required and some important security decisions need to be made.
Responding quickly
Conventional security defenses are too slow. No matter how dedicated and talented they are, IT and security staff simply can’t keep up with the volume of data flowing through the enterprise — especially in complex POS environments. Security systems such as intrusion prevention systems, firewalls, security information and event management (SIEM) systems, and antivirus software generate massive amounts of information that adds to the overload. Many businesses experience hundreds, or even thousands, of alerts each day and simply don’t have the staff to respond to them all or to triage them to a manageable level. Not only must you find a way to respond to this information overload, but also you must do so in a rapid manner. It’s true that a cybercriminal may take months to identify targets, develop specialized malware that exploits specific vulnerabilities in targeted systems, and install command-and-control capabilities on targeted systems. Despite this, most advanced attacks aren’t detected or stopped in time to prevent theft or damage.
You’ve heard the saying “When seconds count, the police are only minutes away.” The same goes for security threats against your POS environment. Time is of the essence. Without good information, it’s hard to respond efficiently to advanced attacks. After an attacker successfully infiltrates a system, the actual theft of data can take place rapidly. Massive amounts of information can be stolen in mere minutes or seconds. Security systems must be capable of quickly identifying an attack in progress and taking automated action to prevent damage.
In addition to reducing the delay in initiating a response, security systems should increase the efficiency of response staff. In some cases, enterprises implementing next generation security tools have been able to achieve significant time savings. With the new technology, one guy in one hour can do what it used to take ten guys ten days to do.
Detecting potential threats automatically
The modern threat operates faster than any incident response team can analyze and react to information. Security technologies that are configured to require administrator intervention before a response occurs are ineffective because the time taken by the administrator to analyze the attack may be longer than the short duration of the attack itself. Given the cardholder data that’s at risk, this time window is especially crucial for attacks against POS systems. Effective security controls must be capable of autonomous operation. This doesn’t mean that you don’t need trained security staff; it simply means that they should be spending their time installing, maintaining, and monitoring automated response controls instead of conducting security response manually. Even the best security tools must be custom-tailored to the unique operating environment of your organization and that’s where well-trained IT and security professionals can lend valuable expertise.
Stopping malware execution
Embedding automated detection techniques in your environment is the first barrier to advanced threats, but successfully protecting your organization’s security requires actually blocking and preventing suspicious software execution until the issue is resolved on the affected POS systems. Unless and until you have the proper means for stopping the actual execution of malware, there’s work to be done.
Chapter 5
Solving the PCI Challenge for Point of Sale
In This Chapter
▶ Using PCI compliance as a baseline for POS security
▶ Shifting toward proactive security control
▶ Looking at PCI’s prioritized approach for POS security
The Payment Card Industry Data Security Standard (PCI DSS) was created to set a standard for controls that protect credit card data used in transactions, stored in databases, and transmitted over systems — all of which are included as functionality on most point-of-sale (POS) devices. This coverage means that the majority, if not all POS systems, are covered under the PCI DSS compliance requirements.
Not only do you have to ensure that your POS systems are continually compliant with PCI but also that security controls are in use and actively protecting the credit card data they process and/or store. In this chapter, we discuss the benefits of utilizing PCI DSS as a continuous measuring stick to gauge the effectiveness of POS security. We also outline how the theme shift of the recent version of PCI DSS — version 3.0 — can have a positive influence on the goal of ensuring a continuous security measure for POS systems.
PCI DSS as a Measuring Stick
The threats to sensitive data on POS systems have been growing rapidly ever since PCI DSS was put into action. With that growth, there’s been a tendency among businesses and auditors to measure POS security effectiveness directly against the requirements within the PCI standard note for note. The end goal for POS systems should be the most effective security program to protect sensitive data rather than a compliance check mark. Compliant doesn’t always mean secure, and a mere checklist of requirements does not get your POS systems to a “final” state of security. The “just get by” approach is being called out, so to speak. When aligning POS security with the current PCI requirements, consider the industry-accepted recommendations:
✓ Don’t underestimate the effort involved. PCI compliance requires time, money, and executive sponsorship. It needs to be part of everybody’s job — application developers, system administrators, executives, and even staff in shops and call centers — not just left to the IT security team.
✓ Make compliance sustainable. An organization must complete thousands of tasks throughout the year to stay compliant. To be sustainable, compliance needs to be embedded in “business as usual” as an ongoing process.
✓ Think of compliance in a wider context. The best thing you can do to simplify your PCI compliance workload and achieve real security is to put your compliance program within your wider governance, risk, and compliance (GRC) strategy.
✓ Leverage compliance as an opportunity. Done properly, PCI compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate additional equity. Think of it as an opportunity rather than a burden.
The task at hand may seem daunting when you consider all the variables that need to be considered for POS systems in the current threat landscape. However, if you step back and take a look at the new requirements in PCI DSS 3.0 from a prioritized perspective, figure out what controls you need to address first, and address the ones that have the greatest effect on your critical business processes, it’s not as complicated as it may seem. After you have the critical controls in place, think about how to prove that the controls are actually doing what they are supposed to be doing. You will have the answers to the compliance questions that come up during audits, and you will put your POS systems in a better state of security.
PCI’s Shift toward Application Control
One of the biggest changes in the PCI DSS 3.0 standard is the move toward being more proactive when it comes to measuring your security controls. For POS systems, this involves ensuring that the information used to measure both the compliance and security status is as close to real time as possible while focusing the analysis on a smaller subset of data. The first validation shift that can help to enable compliance and improve security posture is a move from negative to positive security. With this model, rather than blocking the attacks that are known to be bad, you allow the transactions that are known to be good. This shift provides continuous compliance and full protection while enabling real-time visibility of your in-scope PCI assets. You’ll get a better hold on measuring risk, verifying controls, and continuously monitoring security. The addition of approval trust-based security positioning will enable merchants with POS systems to reduce the administrative costs of normal pre- and post-compliance analysis, free up endpoint system processing power, and protect systems after critical patch support has ended.
Moving POS endpoints into a positive security posture helps to lower administrative effort, reduces scope, and enhances performance. It allows focus on the “known good” rather than a list of things that are bad, and eliminates the need to constantly scan the POS endpoint to detect malware. Positive security easily exposes and enforces the adherence to compliance while protecting POS systems by placing them in a default-deny state, where anything that’s not part of the trustpolicy cannot execute.
Merging Compliance Policy with Security Controls
The convergence of security controls with compliance policies has been gradual. It hasn’t always been a natural synergy for security and compliance to work together in this way. When it comes to measuring the true security posture of POS systems, there are many benefits to using PCI DSS as a guide to implementing such controls. The ideal outcome is a convergence of compliance and security that provides active intelligence: answers on the enforcement of the audit controls and also on the current security posture and risk. Many PCI controls can be used to help synchronize the compliance evidence with the security metrics. For POS systems, a positive security solution must
✓ Require very few system resources
✓ Proactively drive a security policy to the endpoints by allowing only trusted applications to run
✓ Detect, identify, rank, eliminate, and block malicious software
In addition, a positive security solution can
✓ Provide visibility into what’s happening on all IT assets
✓ Categorize the risks, without relying on signatures
✓ Verify and scrutinize the security controls
✓ Perform continuous monitoring of these controls
✓ Provide reports that enable IT to take proactive, corrective actions and/or prove compliance
Ensuring Ongoing PCI Compliance
By placing POS systems into a positive security posture, measured against a trust policy (only the software you trust can run on your enterprise systems), you will be able to continuously monitor and record all activity on your POS systems and other corporate endpoints for real-time detection and denial of unauthorized software. You will be able to monitor the state of compliance at any given point within the assessment process to ensure that compliance really does equal the true state of security. There are other benefits to a trust-based application control environment that can bring you closer to continuous PCI compliance. You will be able to
✓ Build intelligence around all of your file assets, including their prevalence, trust rating, and inherited vulnerabilities
✓ Report on any asset for an audit, a pre-compliance assessment, or security intelligence gathering
✓ Meet file integrity monitoring, control, and audit trail rules with continuous, real-time file monitoring
✓ Protect your critical configuration files from unauthorized changes
✓ Enforce your trust policies whether your systems are online or offline
✓ Focus only on those events that are relevant to your business and lower the cost of obtaining compliance data against a smaller dataset
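The file integrity monitoring and configuration-file protection mentioned in the list above (and again among the tips in Chapter 7) come down to a baseline of known-good file hashes and a comparison against it. The following is an added example written for this edition, not the product’s own monitoring engine: it builds a SHA-256 baseline of a directory tree and reports what was added, removed, or modified on the next pass. The directory layout, file names (pos.ini, hosts.allow, pos.exe) and contents are constructed in a temporary directory so it runs offline.

```python
"""Baseline-and-compare file integrity monitoring for POS configuration files.

Constructed example, not the product's file integrity monitoring engine:
it records a SHA-256 baseline of every file under a directory, then on
the next pass reports files that were added, removed or modified.  The
directory tree, file names and contents are created in a temporary
directory so the example runs offline; "pos.ini", "hosts.allow" and
"pos.exe" are assumed names, not a real product layout.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two baselines; each list is sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path: str, text: str) -> None:
    """Create parent directories and write a small text file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a stand-in POS install, then simulate
    an unauthorized config edit, a dropped file and a deleted file."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "config", "pos.ini"),
               "merchant_id=PLACEHOLDER\nlog_level=info\n")
        _write(os.path.join(root, "config", "hosts.allow"),
               "payment-gw.example.internal\n")
        _write(os.path.join(root, "pos.exe"), "stand-in for the POS binary\n")
        baseline = build_baseline(root)

        # Changes a monitored system should raise:
        _write(os.path.join(root, "config", "pos.ini"),
               "merchant_id=PLACEHOLDER\nlog_level=debug\n")        # modified
        _write(os.path.join(root, "unexpected.dll"), "new file\n")  # added
        os.remove(os.path.join(root, "config", "hosts.allow"))      # removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

A scheduled comparison like this is the audit-trail half of the requirement; the continuous, real-time monitoring the text describes adds a file-system event hook that runs the same comparison the moment a monitored path changes, and stores the baseline somewhere the endpoint itself cannot alter.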
PCI DSS 3.0’s effect on POS security
PCI DSS 3.0 has had a substantial effect on the security of POS systems. Under this latest version of the PCI standard, POS systems are scrutinized much more than in the past. When assessing POS systems for security and compliance, keep these three main theme changes in mind:
✓ You must be able to identify, detect, and alert on any change to critical data.
✓ You must protect POS systems from threats, including those systems that haven’t traditionally been affected by malware.
✓ You must ensure protection and PCI compliance at all integration points with the POS systems.
PCI DSS is very clear in what’s required of organizations when securing the POS environment. Every situation is unique. However, POS systems that store or process cardholder data likely fall within the scope of compliance requirements.
Mirroring the PCI Prioritized Approach
The PCI DSS Prioritized Approach is a culmination of all the individual PCI requirements divided into six key milestones for businesses to consider. It provides guidance on how to focus on PCI DSS implementation and helps to reduce risk to the cardholder data environment as early on as possible within the compliance process. Multiple benefits exist with mirroring the PCI Prioritized Approach when addressing security controls on POS. Table 5-1 shows four of the concentration areas you can benefit from.

Table 5-1  Benefits of the PCI DSS Prioritized Approach

PCI DSS Priority Area                        The Positive Security Fit
-------------------------------------------  -------------------------------------------------------------------------------------
Protect systems and networks                 Protection: Anti-malware and stopping advanced persistent threats (prevention)
Secure payment card applications             Risk measure: Measure PCI and security risk and assess vulnerabilities (detection, visibility, prevention)
Monitor and control access                   Monitoring critical systems (visibility, response)
Ensure all compliance controls are in place  Enforcement: Prove security policies and device control (visibility)
Chapter 6
Deploying Proactive Point-of-Sale Security
In This Chapter
▶ Defining your unique requirements
▶ Understanding the Security Maturity Model
▶ Managing your smart policies
▶ Working with other security products
Now’s the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems. In this chapter, we discuss defining your unique requirements, assessing how the Security Maturity Model fits in, managing your ongoing smart policies, and ensuring your POS security controls work well with other security products on your network.
Defining Your Requirements
Not only does every organization have unique security requirements, but so does every POS environment. As you move toward selecting a POS threat detection, response, and prevention product, you should identify the requirements that are most important to your business and meet your specific needs. If you choose to conduct a request for proposal (RFP), you need to define these requirements well to solicit useful proposals from prospective vendors. Even if you don’t go the RFP route, it’s helpful to know what you’re seeking before you begin evaluating products. Otherwise, you may find yourself in a “you don’t know what you don’t know” situation that you don’t want to be in. As you set out on the path to selecting a POS security product, consider these key requirements:
✓ Visibility: Choose a product that allows you to record your environment continuously in real time. This real-time visibility fuels detection, response, and prevention. The more items of relevance — memory operations, parent processes, registry access — the better.
✓ Detonation capabilities: Choose a product that doesn’t lock you in to a single vendor. If you want to integrate with an existing detonation (the ability to execute suspect malware in an isolated virtual machine) or next-generation firewall product, make sure that the threat protection vendor has experience with that integration. Look for products that both take in information from detonators and can also push data out to those detonators.
✓ Enforcement capabilities: Your POS protection solution should provide you with a wide range of possible responses to a threat, including banning files by name or hash value and/or extracting suspect files from the system.
✓ Lightweight agent: Users don’t want a heavy agent installed on their POS systems. Your goal should be to find a product with a lightweight agent that helps you identify security threats and respond to them appropriately. Defense without business/productivity disruption is a fundamental goal.
✓ Phased approach to default deny: Flexible threat detection, response, and prevention solutions allow you to work your way toward a default deny approach (blocking everything from the get-go) in a manner consistent with the culture and operating environment of your organization by allowing
• Your other chosen strategies to naturally impart trust
• You to see how far that gets you in terms of measuring risk and assessing operational impact
• You to target low-hanging fruit that gets you one step closer
✓ Signature-less detection: Your chosen solution should use a wide variety of data sources and detection approaches when evaluating suspicious files. You want to avoid signature-based approaches that are vulnerable to zero-day attacks. Ideally the product has a rules engine or API that lets you and your staff participate in the creation of new detection mechanisms. A vendor may even enable the sharing of security knowledge within its customer base and make that information available in the form of rules and policies.
✓ Efficient, high-value reporting and administration: The solution should provide you with standard templates and practices for getting information and actionable items and allow you to build out your own approaches as well.
✓ Professional services with proven expertise in deploying protection: Most deployments of POS security software take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security software in organizations similar to yours.
By spending the time and effort thinking about what you really need on the front end, you can maximize the value of your POS security software deployment for years to come.
Understanding the Security Maturity Model
As you prepare to select and deploy proactive POS security protection, it’s a good opportunity to assess the current state of your organization’s information security. The following four areas help you determine the “maturity” level of your program:
✓ Oversight
✓ Technology
✓ Process
✓ People
For each area, you answer a series of questions that are compiled into functional area ratings and then overall ratings for each category. The maturity of your organization on each dimension is then assigned one of the following ratings:
✓ Nonexistent (0)
✓ Ad hoc (1)
✓ Repeatable (2)
✓ Defined (3)
✓ Measured (4)
✓ Optimized (5)
Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical environment and culture, bringing you value regardless of where your organization lies on this spectrum.
Managing Smart Policies
Signature-based detection is simply not effective against advanced threats for POS systems. While some people say that the alternative — whitelisting or application control — is too hard, they’re not correct. These people think of whitelisting as a long list of appropriate files, but it’s bigger — and better — than that. Smart policies aren’t plain old “lists.” They’re covering mechanisms that catalog metadata, patterns, and system information to help detect nefarious behavior. They then impart trust to each of those items. Simply put, smart policies are a short list of observations and actions that describe a system state as positive, negative, or neutral. Smart policies distill application control and attack detection into an understandable and manageable task. That’s why they’re so valuable!
Do you trust all of the applications contained within your main software repository? If so, you can express that trust using a single smart policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust in a smart policy as well. If you receive threat intelligence reports that rate a given binary file as “middling” and requiring further investigation, a smart policy can also handle that situation.
Smart policies can overlap, which means that multiple smart policies can apply to a single file. POS security systems allow this to occur and come to conclusions about a suspect piece of malware by taking all of the trust ratings into account. Next-generation security products allow you to express policies as imparting trust on a spectrum.
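To make the default-deny model from Chapter 5 and the overlapping smart policies described above concrete, here is an added example written for this edition; it is not Bit9 + Carbon Black code or the product’s policy language. Each policy is an observation about a file plus the trust it imparts on a spectrum, every matching policy contributes to the decision, a hard ban wins outright, and a file that no policy vouches for gets the default-deny answer. The file attributes, policy names, approved publishers, banned hash, thresholds and sample events are all assumptions constructed for the example.

```python
"""Default-deny application control driven by overlapping trust policies.

Constructed illustration of the model described in the text: every file
is matched against a short list of policies, each of which imparts trust
on a spectrum, and anything the policies do not positively trust cannot
execute.  Not Bit9 + Carbon Black code; the file attributes, policy names,
publisher list, banned hash and thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed organizational data: publishers whose signatures are trusted and
# hashes that threat intelligence has told us to ban outright.
APPROVED_PUBLISHERS = {"Example POS Vendor Inc.", "Example Corp IT"}
BANNED_HASHES = {"d3ad" * 16}          # constructed placeholder hash


@dataclass
class FileEvent:
    """What the endpoint agent observed about a file that wants to run."""
    path: str
    sha256: str
    publisher: str = ""                 # code-signing publisher, "" if unsigned
    origin: str = "unknown"             # "repository", "browser", "usb" or "unknown"
    intel_score: Optional[int] = None   # 0 (clean) .. 100 (malicious), None = no report


@dataclass
class Policy:
    """A smart policy: an observation about a file and the trust it imparts."""
    name: str
    matches: Callable[[FileEvent], bool]
    trust: int                          # -100 (distrust) .. +100 (trust)


# Constructed policies mirroring the situations the text describes.
POLICIES: List[Policy] = [
    Policy("trusted-repository", lambda f: f.origin == "repository", 80),
    Policy("approved-publisher", lambda f: f.publisher in APPROVED_PUBLISHERS, 60),
    Policy("browser-download", lambda f: f.origin == "browser", -70),
    Policy("removable-media", lambda f: f.origin == "usb", -50),
    Policy("intel-middling",
           lambda f: f.intel_score is not None and 30 <= f.intel_score < 70, -30),
    Policy("intel-malicious",
           lambda f: f.intel_score is not None and f.intel_score >= 70, -100),
    Policy("banned-hash", lambda f: f.sha256 in BANNED_HASHES, -100),
]

ALLOW_THRESHOLD = 60    # combined trust needed before a file may execute
REVIEW_THRESHOLD = 0    # between this and ALLOW: blocked but flagged for an analyst


def evaluate(event: FileEvent,
             policies: List[Policy] = POLICIES) -> Tuple[str, int, List[str]]:
    """Return (decision, combined_trust, matched_policy_names).

    decision is "allow", "review" (blocked, queued for investigation) or "deny".
    All overlapping policies contribute; a hard ban (-100) wins outright; a file
    that matches no policy at all gets the default-deny answer.
    """
    matched = [p for p in policies if p.matches(event)]
    names = [p.name for p in matched]
    if not matched:
        return "deny", 0, names                 # nothing vouches for it: default deny
    if any(p.trust <= -100 for p in matched):
        return "deny", -100, names              # explicit ban overrides any trust
    score = max(-100, min(100, sum(p.trust for p in matched)))
    if score >= ALLOW_THRESHOLD:
        return "allow", score, names
    if score >= REVIEW_THRESHOLD:
        return "review", score, names
    return "deny", score, names


# Constructed sample events exercising each path (paths and hashes are made up).
SAMPLE_EVENTS = {
    "repo_signed": FileEvent(r"C:\POS\pos.exe", "a1" * 32, "Example POS Vendor Inc.", "repository"),
    "browser_unsigned": FileEvent(r"C:\Users\clerk\Downloads\update.exe", "b2" * 32, "", "browser"),
    "unknown_origin": FileEvent(r"C:\Temp\svchosts.exe", "c3" * 32, "", "unknown"),
    "repo_middling": FileEvent(r"C:\POS\plugin.dll", "d4" * 32, "", "repository", intel_score=50),
    "repo_banned": FileEvent(r"C:\POS\helper.exe", "d3ad" * 16, "Example Corp IT", "repository"),
}


def decide_all() -> dict:
    """Evaluate every sample event; returns {name: decision}."""
    return {name: evaluate(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        decision, score, names = evaluate(ev)
        print(f"{name:18} -> {decision:6} (trust {score:4}) via {names}")
```

The “review” outcome is what the text means by a middling rating that needs further investigation: the file still does not execute, but the analyst gets a queue rather than a silent block, and the repository policy alone is not enough to outweigh the intelligence report. Raising or lowering ALLOW_THRESHOLD is the “knob” that moves an organization along the phased path toward full default deny.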
Don’t take deployment flexibility lightly
When it comes to enterprise security, one size does not fit all. Your operations may be more staff-centric or more automation-centric or somewhere in the middle. Your software deployment strategy may depend upon trusted repositories and configuration agents, or be nonexistent altogether. At the same time, your company culture may be open and permissive or more traditional and controlled. On top of that, you may want to focus more on detection — finding the bad guys — or more on prevention and the default deny strategy. Only you will know how these things work in your environment.
One thing’s for sure — you don’t want a vendor or specific product that tells you what to do and how to do it. Instead, you want one that looks at your requirements and environment and then works with you to develop the right approach. You need to be able to fit multiple solutions into the various parts of your ecosystem, and you need product knobs and dials that custom-configure each one. And depending on how daunting this sounds, you need a services partner that can guide you efficiently and effectively. This stuff really does matter!
Integrating with Other Security Products
Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infrastructure, you should select products that fully integrate with your SIEM and allow the use of correlation rules. Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule that works with events from a Snort intrusion detection system may or may not be effective with information gathered from a similar NetWitness product. When designing correlation rules, organizations should ask these questions:
✓ What types of threats do we want to monitor?
✓ What are the typical attack patterns for such threats?
✓ What are the sources and types of events currently being tracked within the SIEM?
✓ Which of these events are used most often in monitoring for potential threats?
✓ How often do investigations resulting from those events result in false positives?
✓ When investigating an event, what types of additional information does the analyst need?
✓ Are we collecting the right data to make incident response quick and conclusive?
Using these questions to guide event correlation across a variety of security products enhances your security capabilities in many ways. It can reduce the time it takes to prioritize alerts and investigate incidents from days to minutes. Investigations are further expedited by locating every instance of a suspicious file across your POS systems. You can then analyze files — both automatically and on-demand — that arrive on your POS systems to quickly determine their risk. Finally, you can ensure remediation by enforcing security policies that help in stopping an attack and preventing it from happening again.
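What a correlation rule that includes POS security information looks like in practice, as an added example for this edition rather than any SIEM product’s rule language: the threat to monitor is unapproved software on a terminal followed by traffic to somewhere the terminal should not talk to, so an application-control “exec_blocked” event from the endpoint agent is correlated with a later outbound connection from the same host, reported by a network sensor, to a destination outside the known set. The JSON event format, host names, addresses, known destinations and the ten-minute window are all constructed assumptions.

```python
"""Cross-source correlation rule over constructed endpoint and network events.

Added example, not any SIEM product's rule language.  An endpoint
"exec_blocked" event is correlated with a later outbound connection from
the same host to a destination outside the known set, within a short
window.  Event format, hostnames, addresses, destinations and the window
length are assumptions made for the example.
"""
import json
from datetime import datetime, timedelta
from typing import Callable, Dict, List

WINDOW = timedelta(minutes=10)
KNOWN_DESTINATIONS = {"payment-gw.example.internal", "updates.example.internal"}

# Constructed JSON-lines events from an endpoint agent and a network sensor.
CONSTRUCTED_EVENTS = r"""
{"ts": "2015-03-02T10:01:05", "source": "endpoint", "host": "POS-07", "type": "exec_blocked", "file": "C:\\Temp\\upd.exe"}
{"ts": "2015-03-02T10:03:40", "source": "network",  "host": "POS-07", "type": "outbound", "dest": "198.51.100.23", "port": 443}
{"ts": "2015-03-02T10:20:00", "source": "endpoint", "host": "POS-12", "type": "exec_blocked", "file": "C:\\Temp\\svc.exe"}
{"ts": "2015-03-02T10:21:00", "source": "network",  "host": "POS-12", "type": "outbound", "dest": "payment-gw.example.internal", "port": 443}
{"ts": "2015-03-02T10:30:00", "source": "network",  "host": "POS-03", "type": "outbound", "dest": "203.0.113.9", "port": 8080}
{"ts": "2015-03-02T10:45:00", "source": "network",  "host": "POS-12", "type": "outbound", "dest": "203.0.113.9", "port": 8080}
"""

Event = Dict[str, object]


def parse_events(text: str) -> List[Event]:
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Event], trigger: Callable[[Event], bool],
              follow: Callable[[Event], bool], window: timedelta) -> List[Event]:
    """Generic sequence rule: a trigger event on a host, then a follow event on
    the same host within `window`.  One alert per (trigger, follow) pair."""
    alerts: List[Event] = []
    for t in (e for e in events if trigger(e)):
        for f in events:
            if (f["host"] == t["host"]
                    and t["ts"] < f["ts"] <= t["ts"] + window
                    and follow(f)):
                alerts.append({"host": t["host"], "trigger": t, "follow": f})
    return alerts


def is_blocked_exec(e: Event) -> bool:
    """Endpoint agent blocked an unapproved executable."""
    return e["source"] == "endpoint" and e["type"] == "exec_blocked"


def is_unknown_outbound(e: Event) -> bool:
    """Network sensor saw a connection to a destination not on the known list."""
    return (e["source"] == "network" and e["type"] == "outbound"
            and e["dest"] not in KNOWN_DESTINATIONS)


def run_rule(text: str = CONSTRUCTED_EVENTS) -> List[Event]:
    """Apply the rule to the constructed events; returns the alerts raised."""
    return correlate(parse_events(text), is_blocked_exec, is_unknown_outbound, WINDOW)


if __name__ == "__main__":
    for a in run_rule():
        print(f"{a['host']}: blocked {a['trigger']['file']} at {a['trigger']['ts']:%H:%M:%S}, "
              f"then outbound to {a['follow']['dest']}:{a['follow']['port']} "
              f"at {a['follow']['ts']:%H:%M:%S}")
```

On the constructed data only POS-07 fires: POS-12’s first connection goes to a known payment gateway and its second falls outside the window, and POS-03 has no endpoint event at all. The three things the rule depends on, a trusted source of endpoint events, a maintained list of known destinations, and a window tuned to how the environment actually behaves, are exactly the data-source and false-positive questions in the list above.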
Chapter 7
Ten Tips for Successful Point-of-Sale Security
In This Chapter
▶ Ensuring optimal defenses by using proven security controls
▶ Making sure your point-of-sale risks are minimized
Cybercriminals are getting increasingly sophisticated, and there’s no end in sight. The threats, risks, and compliance requirements associated with point-of-sale (POS) systems have become so challenging that IT administrators, security managers, and compliance officers are scrambling to find reasonable ways to get their arms around it all.
In this chapter, we give you ten ways you can more easily reach your POS security and compliance goals:
✓ Minimize the customer data you collect and store. Acquire and keep only the data required for legitimate business purposes and only for as long as necessary. When data is no longer of business value or relevant to security compliance, properly dispose of it. Shred paper documents and remove hard drives from your POS systems and related computers. You can even take your security efforts a step further by encrypting the sensitive data you collect on laptops, mobile devices, flash drives, and backup tapes. Encryption makes the data more difficult for unauthorized parties to read in the event of loss or theft.
✓ Manage the costs and administrative burden of the PCI compliance validation process. Try segmenting your infrastructure among multiple teams to minimize the complexity and scope of compliance. Having full visibility into all enterprise assets beyond your POS systems (for example, network hosts, applications, and databases) along with the necessary templates to determine PCI-relevant data gives you a snapshot of the corporate assets that are affected and helps minimize the compliance pains.
✓ Maintain PCI compliance throughout the checkout process to guard data against all the possible points of compromise. If you’re able to detect transactional data point infractions in real time and stop anything introduced into your infrastructure that’s outside of known software (such as advanced threats), you can ensure that transactional data (such as credit card numbers) is protected at every step along the way.
✓ Develop a strategy to protect your infrastructure on multiple levels. Eliminate every opportunity for cybercriminals to exploit your POS terminals, kiosks, workstations, and servers. The ability to collect endpoint information in real time provides you with the information to properly assess the risks. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.
✓ Maintain real-time inventory and actionable intelligence on all network systems, and control the overall security of your infrastructure to maintain PCI compliance. Employ multiple layers of security technology to stymie sophisticated hackers. Establish a baseline for the software that should reside on your POS and related systems. Schedule security patches on your own timetable and eliminate the need for constant profile scanning that can negatively impact the performance of your POS environment.
✓ Extend the life of your systems to keep them compliant. Often you can’t upgrade for extended support after an operating system’s end of life. By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach will keep you in the know, at all times, about what’s running on every in-scope system across your organization. Rather than guessing what’s compliant and what’s not, you can determine on a real-time basis if you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.
✓ Use real-time sensors to test your security system regularly. By maintaining continuous, real-time file integrity monitoring and control, you can protect critical configuration files from unauthorized changes and meet file integrity monitoring and audit trail rules associated with your POS systems. You’ll be able to identify all suspected vulnerabilities across your POS environment and proactively take action against specific types of files based on your organization’s policies. You can achieve complete visibility into all changes and vulnerabilities that software updates may introduce by feeding employees’ file rights and approvals into your organization’s trust metrics. This increased visibility provides a wealth of information for penetration testing and will expose all known and potential vulnerabilities prior to those exercises. It will also help you determine which penetration tests to run, because the coordinates can be created against a set of known possibilities rather than a negative set of data that can be difficult to decipher.
✓ Build measurable business intelligence around your business assets. By having good visibility into real-time file asset inventory information, you can build intelligence around all your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having such a high level of visibility enhances your ability to report on any asset at audit time or during pre-compliance assessments and security intelligence-gathering exercises, enabling you to take a proactive stance against anything running within your enterprise that’s deemed untrustworthy.
✓ Conduct regular audits of security measures, especially connections commonly used as gateways for attacks, and make appropriate adjustments. A full audit of all significant PCI data and the surrounding events associated with an attempted file alteration is necessary for auditors to quickly assess your compliance stance and produce the necessary reporting for PCI compliance validation.
✓ Educate employees about their role in data security. Inform all employees of the potential threats to customer data and the legal requirements for securing it. This should include designating an employee to serve as information security coordinator who is responsible for overseeing all security efforts. Having a clear security policy in place helps set expectations and guide employees on the proper use of data, creating a more secure environment.
WILEY END USER LICENSE AGREEMENT Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.