Point-of-Sale Security
Bit9 + Carbon Black Edition
These materials are © 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Publisher's Acknowledgments
Some of the people who helped bring this book to market include the following:
Project Editor: Carrie A. Johnson
Editorial Manager: Rev Mengle
Acquisitions Editor: Amy Fandrei
Table of Contents
Introduction ............................................ 1
About This Book ........................................ 1
Icons Used in This Book ................................ 1
Introduction
Chapter 1
systems
POS systems are in the crosshairs for the same reasons that certain operating systems and applications always seem to be targeted by hackers: they're in widespread use, and their weaknesses are fairly well known.
According to World Bank estimates, there are more than 34 million POS devices globally, nearly 10 million of which are in the United States alone. These numbers aren't staggering considering the total number of computers around the world; nonetheless, POS systems are large targets and provide a great opportunity for bad things to happen.
Industries impacted
When you think of POS systems and their related security risks, retail probably comes to mind. Given their recognition and visibility, it's no surprise that retailers find themselves the frequent targets of adversaries. Most retailers have relatively small IT and security staffs and struggle to apply those resources to both meet business requirements for 24/7 availability and simultaneously provide the level of security needed to protect the sensitive credit card information flowing through their networks. Maintaining security and compliance can be difficult in retail as well.
POS security risks don't just impact traditional retail businesses. Numerous industries utilize POS systems in some capacity. If your organization transacts business in or around the following industries, it's likely affected by POS risks.
Attackers don't care how they get in. Be it a server, a workstation, or a mobile device, if a system is accessible, physically in person or logically over the network, it represents an entry point into your POS environment. Once attackers are able to infiltrate the network, the risks to your POS systems and credit card information are front and center: all bets are off.
It's one thing to build out your POS security program but quite another to manage it well every day. Make sure every piece is getting the attention it deserves. But most importantly, don't just do it for the sake of compliance; do it with the longer-term goal of minimizing information risks.
Chapter 2
Given the threats combined with what there is to lose, your POS systems should be a top security priority. The numbers don't lie. According to the 2014 Verizon Data Breach Investigations Report, in 2013 POS intrusions were the most common type of incident at food, beverage, and hospitality providers (75 percent) and at retailers (31 percent). Also, 74 percent of attacks against accommodation, food services, and retail companies from 2011 to 2013 targeted credit card information.
Methods of Protecting POS Systems
Businesses relying on POS systems can defend them against RAM-scraping malware, Trojan horses, and other types of attacks using a number of tools and techniques, including
Mitigating controls for operating systems beyond end-of-life (for example, Windows XP): Counter the impact of unpatched systems.
Vulnerability scanner: Potential vulnerabilities introduced to the network and applications are identified for research and remediation.
Routine cardholder data deletion: Stored data is routinely removed from the POS device.
Chapter 3
Tactical sophistication: Advanced threats have experience on their side. Often well-funded, they have had time to develop a playbook for breaking into organizations. Out of their expansive toolset they use the least sophisticated assets necessary to achieve success and still have the ability to adjust to the victim's defensive posture.
Well-resourced: Governments, organized crime, terrorist groups, and other well-funded organizations are behind advanced threats. The sponsors of these groups provide them with financial means, technical talent, and intelligence-gathering capabilities that enable their success.
Understanding Attacker Motivations
Many different types of advanced threat actors exist, and each one has different motivations. The common driving forces behind advanced attacks include the following:
Cybercrime: Many advanced attackers simply seek financial gain. They seek to steal money, obtain information, or hijack computing resources in an attempt to achieve a windfall.
Executing Attacks in POS Environments
Advanced attacks can be carried out against POS systems in numerous ways. Given the network, application, and other corporate complexities involved in POS environments, the potential attack vectors are virtually endless. However, all attacks do have some common themes, shown in Figure 3-1, that you need to be aware of.
Figure 3-1: How cybercriminals launch advanced attacks against POS systems.
Involvement of additional systems: In most cases, the captured data is exfiltrated from the POS system to another system within the targeted environment for aggregation and then uploaded to a remote system, which reduces the chances of detection.
Chapter 4
Recognizing Current Limitations in Point-of-Sale Protection
In This Chapter
Understanding the limitations of traditional antivirus
Looking at the considerations for host intrusion prevention
Responding to threats quickly to stop malware outbreaks
The major retail security breaches have brought the traditional point-of-sale (POS) security model into the spotlight. Simply put, it doesn't work. Criminal hackers have the upper hand with their advanced malware attacks. Many of the existing antivirus controls are ineffective at best. Incident response times are getting longer, the very scenario you don't need when your POS systems come under attack.
In this chapter, we discuss the limitations of current POS security
controls, outline how to match the new threats with new security
capabilities, and show you how you can respond to advanced
malware attacks more efficiently to produce the results you desire
and to minimize the security risks in your POS environment.
Signature-based scanning
Antivirus software's major weakness is that it depends on signature-based scanning. Because antivirus software relies on identifying signatures in the files it scans, it is not an effective tool when confronted with unknown malware. If the antivirus software doesn't yet have a signature for a file that's found its way onto the system, that malware won't be detected and will be able to run freely.
Performance impact
Antivirus software must analyze each and every bit stored on a system's storage devices and in its memory, looking for the presence of malware signatures. Given how quickly signature
The last thing you need in your POS environment is a security control such as BHIPS creating false alarms and blocking legitimate business transactions.
Furthermore, the information provided by BHIPS is often too shallow for useful analysis. It doesn't tell where unknown executable files were spawned and often doesn't provide the historical data that facilitates the time-based analysis required by security analysts. The model used by behavioral systems is also not capable of incorporating external information containing the latest threat intelligence. Furthermore, standalone host-based systems can't assess network effects or correlate multiple reports received from systems across the POS environment.
Limited scope
When an incident response team arrives at an organization, they have a clearly defined scope of services. This is normally limited to identifying the circumstances surrounding a particular security incident and remediating the vulnerabilities that contributed to that incident.
Incident response teams often use sophisticated forensics analysis and response tools that are licensed to the incident response firm. They don't leave these tools behind for you to use on an ongoing basis. In cases where the tools are open
Home-grown tools
Many companies, and even some incident response firms, rely on the use of custom-developed tools that have been handed down through the ranks of incident responders. While they may be effective, they're the IT equivalent of duct tape and chicken wire. There's rarely any documentation or knowledge transfer on how to use such tools outside of one or two people.
Expertise required
Incident response is a specialty skill, and experienced professionals are highly sought after and very well compensated. Only the largest organizations are able to maintain a full-time incident response staff, making it difficult to maintain incident response tools on an ongoing basis.
Non-continuous approach
Traditional incident response activities are targeted at a very specific activity instead of designing the type of continuous monitoring program that's essential to maintaining security in the age of advanced attacks. The alternative, and the only proven approach, is to implement a solution that allows for real-time continuous recording of POS system activity.
Responding quickly
Conventional security defenses are too slow. No matter how dedicated and talented they are, IT and security staff simply can't keep up with the volume of data flowing through the enterprise, especially in complex POS environments.
Security systems such as intrusion prevention systems, firewalls, security information and event management (SIEM) systems, and antivirus software generate massive amounts of information that adds to the overload. Many businesses experience hundreds, or even thousands, of alerts each day and simply don't have the staff to respond to them all or to triage them to a manageable level.
Not only must you find a way to respond to this information overload, but also you must do so in a rapid manner. It's true that a cybercriminal may take months to identify targets, develop specialized malware that exploits specific vulnerabilities in targeted systems, and install command-and-control capabilities on targeted systems. Despite this, most advanced attacks aren't detected or stopped in time to prevent theft or damage.
Chapter 5
Not only do you have to ensure that your POS systems are continually compliant with PCI but also that security controls are in use and actively protecting the credit card data they process and/or store.
In this chapter, we discuss the benefits of utilizing PCI DSS as a continuous measuring stick to gauge the effectiveness of POS security. We also outline how the theme shift of the recent version of PCI DSS, version 3.0, can have a positive influence on the goal of ensuring a continuous security measure for POS systems.
The task at hand may seem daunting when you consider all the variables involved for POS systems in the current threat landscape. However, if you step back and take a look at the new requirements in PCI DSS 3.0 from a prioritized
Provide reports that enable IT to take proactive, corrective actions and/or prove compliance
Focus only on those events that are relevant to your business and lower the cost of obtaining compliance data against a smaller dataset
Table 5-1
Chapter 6
Deploying Proactive Point-of-Sale Security
In This Chapter
Defining your unique requirements
Understanding the Security Maturity Model
Managing your smart policies
Working with other security products
Now's the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems.
In this chapter, we discuss defining your unique requirements,
assessing how the Security Maturity Model fits in, managing
your ongoing smart policies, and ensuring your POS security
controls work well with other security products on your
network.
Phased approach to default deny: Flexible threat detection, response, and prevention solutions allow you to work your way toward a default deny approach (blocking everything from the get-go) in a manner consistent with the culture and operating environment of your organization, by allowing you to see how far that gets you in terms of measuring risk and assessing operational impact.
Professional services with proven expertise in deploying protection: Most deployments of POS security software take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security software in organizations similar to yours.
By spending the time and effort thinking about what you really need on the front end, you can maximize the value of your POS security software deployment management for years to come.
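The phased approach to default deny described above, together with the signature-scanning weakness covered in Chapter 4, as an added Python example (not code from the book or from the Bit9 + Carbon Black product): a hash allow-list is evaluated in monitor mode to measure what enforcement would block, beside the signature deny-list verdict that stays silent on a binary it has no signature for. File contents, paths and host names are constructed stand-ins.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; a real agent hashes the executables on disk.
KNOWN_BAD = {sha256(b"ram-scraper build 1")}                               # signature deny-list
APPROVED = {sha256(b"pos.exe build 42"), sha256(b"receipt_printer.dll")}   # allow-list


def signature_verdict(content: bytes) -> str:
    """Traditional antivirus model: block only what already has a signature."""
    return "block" if sha256(content) in KNOWN_BAD else "allow"


def default_deny_verdict(content: bytes, mode: str) -> str:
    """Positive security model. In 'monitor' mode nothing is stopped, but the verdict
    records what 'enforce' mode would do, so operational impact is measured first."""
    if sha256(content) in APPROVED:
        return "allow"
    return "block" if mode == "enforce" else "would-block"


def rollout_report(events, mode: str = "monitor") -> dict:
    """events: (host, path, content). Returns per-host counts of executions that were
    (or would be) blocked, plus the unapproved hashes to review before enforcing."""
    report = {"per_host": {}, "review": {}}
    for host, path, content in events:
        if default_deny_verdict(content, mode) != "allow":
            report["per_host"][host] = report["per_host"].get(host, 0) + 1
            report["review"].setdefault(sha256(content), set()).add(path)
    return report


SAMPLE_EVENTS = [   # constructed: what the terminals executed during the monitor window
    ("POS-01", r"C:\pos\pos.exe", b"pos.exe build 42"),
    ("POS-01", r"C:\Windows\Temp\svc.exe", b"ram-scraper build 1"),
    ("POS-02", r"C:\Windows\Temp\svc.exe", b"ram-scraper build 1 repacked"),  # no signature yet
    ("POS-02", r"C:\tools\inventory.exe", b"inventory tool v3"),  # legitimate, not yet approved
]


def compare():
    """Side-by-side verdicts per execution: (host, path, signature, default-deny)."""
    return [(host, path, signature_verdict(c), default_deny_verdict(c, "enforce"))
            for host, path, c in SAMPLE_EVENTS]


if __name__ == "__main__":
    for row in compare():
        print(row)
    print(rollout_report(SAMPLE_EVENTS))
```

The review list from monitor mode is where the legitimate-but-unapproved inventory tool surfaces, so it can be approved before enforce mode turns that "would-block" into a blocked transaction.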
Understanding the Security Maturity Model
As you prepare to select and deploy proactive POS security protection, it's a good opportunity to assess the current state of your organization's information security. The following four areas help you determine the maturity level of your program:
Oversight
Technology
Process
People
Nonexistent (0)
Ad hoc (1)
Repeatable (2)
Defined (3)
Measured (4)
Optimized (5)
Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical environment and culture, bringing you value regardless of where your organization lies on this spectrum.
Integrating with Other Security Products
Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infrastructure, you should select products that fully integrate with your SIEM and allow the use of correlation rules.
Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule that works with events from a Snort intrusion detection system may or may not be effective with information gathered from a similar NetWitness product. When designing correlation rules, organizations should ask these questions:
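Tying the correlation-rule point above to the staged exfiltration pattern from Chapter 3 (data aggregated on an internal host and then uploaded to a remote system), here is an added Python example, not code from the book or from any SIEM product: two constructed event sources with different field names are normalized into one schema, and a single rule then flags an internal host that collected data from several POS terminals and shortly afterwards sent a large volume outside the network. Subnet prefixes, field names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; the field names are assumptions, not any product's real schema.
IDS_FLOWS = [   # source A: key=value lines, as a network sensor might emit
    "ts=2015-03-01T02:05:00 src=10.20.1.15 dst=10.20.9.4 bytes=180000",
    "ts=2015-03-01T02:07:00 src=10.20.1.16 dst=10.20.9.4 bytes=175000",
    "ts=2015-03-01T02:08:00 src=10.20.1.17 dst=10.20.9.4 bytes=190000",
    "ts=2015-03-01T02:09:00 src=10.20.1.18 dst=10.20.5.2 bytes=2000",   # ordinary print job
]
ENDPOINT_NET = [   # source B: dicts, as an endpoint sensor might report
    {"time": "2015-03-01T02:40:00", "host": "10.20.9.4", "remote": "203.0.113.7",
     "sent": 4_800_000, "process": "svchost.exe"},
    {"time": "2015-03-01T02:41:00", "host": "10.20.5.2", "remote": "10.20.5.9",
     "sent": 9_000, "process": "spoolsv.exe"},
]
POS_PREFIX = "10.20.1."      # constructed: the POS terminal VLAN
INTERNAL_PREFIX = "10.20."   # constructed: everything inside the store network


def normalize_ids(line: str) -> dict:
    """Map schema A onto the common (time, src, dst, nbytes) shape."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"time": datetime.fromisoformat(f["ts"]), "src": f["src"],
            "dst": f["dst"], "nbytes": int(f["bytes"])}


def normalize_endpoint(rec: dict) -> dict:
    """Map schema B onto the same shape; only the field names differ per source."""
    return {"time": datetime.fromisoformat(rec["time"]), "src": rec["host"],
            "dst": rec["remote"], "nbytes": int(rec["sent"])}


def correlate(events, window=timedelta(hours=1), min_terminals=2, min_egress=1_000_000):
    """Alert when an internal host receives data from several POS terminals and then
    pushes a large volume to a non-internal address within `window`."""
    inbound = defaultdict(list)   # aggregator -> [(time, terminal)]
    for ev in events:
        if ev["src"].startswith(POS_PREFIX) and ev["dst"].startswith(INTERNAL_PREFIX):
            inbound[ev["dst"]].append((ev["time"], ev["src"]))
    alerts = []
    for ev in events:
        external = not ev["dst"].startswith(INTERNAL_PREFIX)
        if not external or ev["nbytes"] < min_egress or ev["src"] not in inbound:
            continue
        feeders = {term for when, term in inbound[ev["src"]]
                   if timedelta(0) <= ev["time"] - when <= window}
        if len(feeders) >= min_terminals:
            alerts.append({"aggregator": ev["src"], "external": ev["dst"],
                           "terminals": sorted(feeders), "egress_bytes": ev["nbytes"]})
    return alerts


def run_demo():
    events = [normalize_ids(l) for l in IDS_FLOWS] + [normalize_endpoint(r) for r in ENDPOINT_NET]
    events.sort(key=lambda e: e["time"])
    return correlate(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Swapping in a different sensor means writing a new `normalize_*` function, not a new rule; that is the practical answer to whether a rule written for one data source carries over to another.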
Chapter 7
In this chapter, we give you ten ways you can more easily
reach your POS security and compliance goals:
Extend the life of your systems to keep them compliant. Often you can't upgrade for extended support after an operating system's end of life. By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach keeps you in the know, at all times, about what's running on every in-scope system across your organization. Rather than guessing what's compliant and what's not, you can determine on a real-time basis whether you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.
Use real-time sensors to test your security system regularly. By maintaining continuous, real-time file integrity monitoring and control, you can protect critical configuration files from unauthorized changes and meet the file integrity monitoring and audit trail rules associated with your POS systems. You'll be able to identify all suspected vulnerabilities across your POS environment and proactively take action against specific types of files based on your organization's policies. You can achieve complete visibility into all changes and vulnerabilities that software updates may introduce by giving employees file rights and approvals into your organization's trust metrics. This increased visibility provides a wealth of information for penetration testing and will expose all known and potential vulnerabilities prior to those exercises. It will also help you determine which penetration tests to run, because the coordinates can be created against a set of known possibilities rather than a negative set of data that can be difficult to decipher.
Build measurable business intelligence around your business assets. By having good visibility into real-time file asset inventory information, you can build intelligence around all your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having such a high level of visibility enhances your ability to report on any asset at audit time or during pre-compliance assessments and security intelligence-gathering exercises, enabling you to take a proactive stance against anything running within your enterprise that's deemed untrustworthy.
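The file integrity monitoring point above (protecting critical configuration files from unauthorized change while still allowing approved updates), as an added Python example that is not code from the book or from the Bit9 + Carbon Black product: a hash baseline of a terminal's files is diffed against a later snapshot, and each change is classified as approved only when its new hash was registered for a sanctioned update. Paths and file contents are constructed stand-ins.

```python
import hashlib


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def take_baseline(snapshot: dict) -> dict:
    """snapshot: {path: bytes}. Returns the trusted {path: sha256} baseline."""
    return {path: fingerprint(content) for path, content in snapshot.items()}


def diff_baseline(base: dict, snapshot: dict, approved_hashes: set) -> list:
    """Classify every difference from the baseline. A change is 'approved' only if the
    new hash was registered for a sanctioned update; anything else is 'unauthorized'."""
    current = take_baseline(snapshot)
    findings = []
    for path in sorted(set(base) | set(current)):
        old, new = base.get(path), current.get(path)
        if old == new:
            continue
        if new is None:
            kind = "removed"
        elif old is None:
            kind = "added"
        else:
            kind = "modified"
        status = "approved" if new in approved_hashes else "unauthorized"
        findings.append((path, kind, status))
    return findings


# Constructed file contents for one terminal at baseline time and at a later check.
BASELINE_FILES = {
    r"C:\pos\pos.exe": b"pos.exe build 42",
    r"C:\pos\config.ini": b"[gateway]\nhost=pay.example.test\n",
    r"C:\pos\drivers\printer.dll": b"receipt printer driver",
}
LATER_FILES = {
    r"C:\pos\pos.exe": b"pos.exe build 43",                   # sanctioned update
    r"C:\pos\config.ini": b"[gateway]\nhost=203.0.113.9\n",   # edited outside any approved update
    r"C:\Windows\Temp\svc.exe": b"unknown binary",            # new file, never approved
}
APPROVED_UPDATES = {fingerprint(b"pos.exe build 43")}   # registered before the update rolled out


def run_check():
    return diff_baseline(take_baseline(BASELINE_FILES), LATER_FILES, APPROVED_UPDATES)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```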