4-47078 point of sale security for dummies ebook3

Click here to load reader

Post on 16-Jan-2016




0 download

Embed Size (px)


POS security


  • These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • by Kevin Beaver and ChristopherStrand

    Point-of-Sale Security

    Bit9 + Carbon Black Edition

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Publishers AcknowledgmentsSome of the people who helped bring this book to market include the following:

    Point-of-Sale Security For Dummies, Bit9 + Carbon Black EditionPublished by John Wiley & Sons, Inc. 111 River St. Hoboken, NJ 07030-5774 www.wiley.com

    Copyright 2015 by John Wiley & Sons, Inc.

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

    Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Bit9, Carbon Black, and the Bit9 + Carbon Black logos are registered trademarks of Bit9, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.


    For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected]

    ISBN: 978-1-119-06306-3 (pbk); ISBN: 978-1-119-06300-1 (ebk)

    Manufactured in the United States of America

    10 9 8 7 6 5 4 3 2 1

    Project Editor: Carrie A. Johnson

    Editorial Manager: Rev Mengle

    Acquisitions Editor: Amy Fandrei

    Business Development Representative: Sue Blessing

    Production Coordinator: Melissa Cossell

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Table of ContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1

    About This Book ........................................................................ 1Icons Used inThis Book ............................................................ 1

    Chapter 1: Understanding Point-of-Sale Security Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

    Understanding Why Cybercrime is a Big Deal ....................... 4Getting toKnow the POS Attack Surface ................................. 5

    Industries impacted......................................................... 5How businesses become targets ................................... 6

    Knowing Whats atStake ........................................................... 7

    Chapter 2: The State of Point-of-Sale Security . . . . . . . .9The Current State ofPOS Security ........................................... 9Common Types ofAttacks ...................................................... 10End ofLife and POS.................................................................. 11POS Security Costs .................................................................. 11Methods ofProtecting POS Systems ..................................... 13

    Chapter 3: Advanced Threats against Point-of-Sale Systems . . . . . . . . . . . . . . . . . . . . . . . . . .15

    Introducing Advanced Threats .............................................. 15Understanding Attacker Motivations .................................... 17Executing Attacks in POS Environments............................... 18

    Chapter 4: Recognizing Current Limitations in Point-of-Sale Protection . . . . . . . . . . . . . . . . . . . . . . . .21

    Antivirus Software Limitations ............................................... 21Signature-based scanning ............................................. 22Performance impact ...................................................... 22

    Host Intrusion Prevention....................................................... 23Incident Response Services .................................................... 24

    Limited data availability ............................................... 25Limited scope ................................................................. 25Home-grown tools.......................................................... 26Expertise required ......................................................... 26Non-continuous approach ............................................ 26

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Point-of-Sale Security For Dummies ivMatching New Threats withNew Capabilities ..................... 26

    Responding quickly ....................................................... 27Detecting potential threats automatically .................. 28Stopping malware execution ........................................ 28

    Chapter 5: Solving the PCI Challenge for Point of Sale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

    PCI DSS asa Measuring Stick .................................................. 30PCIs Shift toward Application Control ................................. 31Merging Compliance Policy withSecurity Controls ............ 32Ensuring Ongoing PCI Compliance ........................................ 32Mirroring thePCI Prioritized Approach ................................ 34

    Chapter 6: Deploying Proactive Point-of-Sale Security . . . . . . . . . . . . . . . . . . . . . . . . . .35

    Defining Your Requirements .................................................. 35Understanding theSecurity Maturity Model ........................ 37Managing Smart Policies ......................................................... 38Integrating withother Security Products ............................. 40

    Chapter 7: Ten Tips for Successful Point-of-Sale Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Introduction

    W elcome to Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition. This book outlines in plain English how to protect your point-of-sale (POS) systems and cardholder data from malware and other advanced threats. POS technology is being targeted by criminal hackers more and more. You dont want to become yet another data breach victim.

    About This BookWhether youre just getting started down the path of securing your organizations POS systems or youre already neck-deep in the quagmire of security and compliance, theres a lot to learn and a lot to lose. This book highlights the must have knowl-edge and requirements necessary for keeping your POS in check. We help you understand the history of POS technology and advanced threats. We also share with you the limitations of exist-ing security controls and what you can do to ensure you have the proper protection for minimizing your business risks and complying with the Payment Card Industry (PCI) requirements.

    If youre an administrator, manager, auditor, or anyone other-wise in charge of managing or reviewing the compliance or information security of POS systemsthis book is for you.

    Icons Used inThis BookThe following icons are used to indicate special content in this book:

    This is information youll want to commit to memory.

    This is information that digs in a little deeper into the details in case youre interested.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 2 Point-of-Sale Security For Dummies

    This is information that helps provide advice to highlight or clarify a key concept.

    Please pay attention when you see this icon! It provides cautionary information you wont want to miss.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 1

    Understanding Point-of-Sale Security Risks

    In This Chapter Looking into cybercrime and its impact on business

    Understanding why point-of-sale systems are under attack

    Studying the areas of weakness and challenges to securing point-of-sale systems

    C ybercrime is occurring at unprecedented levels. In terms of time, money, and the resources needed to respond to threats and minimize the risks, breaches are exacting a costly toll on victims. These stealthy costs often dont appear as line items on financial statements for a number of reasons.

    First, the costs of security breaches are often indirect, resulting in wasted resources and missed opportunities. Theyre difficult to quantify. Second, organizations are incentivized to downplay the effects of security breaches to avoid unwanted attention from the public and media, not to mention severe penalties from regulatory bodies. Third, many breaches go undetected altogether. You cant secureor respond tothe security weaknesses and incidents you dont know about.

    In this chapter, we outline why cybercrime mattersespecially as it relates to point-of-sale (POS) security. We also discuss why POS systems are under attack as well as the threats and vulner-abilities experienced in POS environments that are contributing to the security challenges.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Point-of-Sale Security For Dummies 4

    Understanding Why Cybercrime is a Big Deal

    Almost every organization has some digital gold that outsid-ers may want to exploit. This data may include intellectual property, sensitive personal information about customers and employees, confidential business plans, or financial informa-tion. However, businesses with POS systems are particularly at risk given the potential for financial gains on the part of the criminal hackers.

    The real value in POS systems is in their financial transactions specifically the credit card numbers and other personally-identifiable information (PII) they process and store. When POS systems are attacked, the price tag can be enormous. The costs associated with POS security incidents include detect-ing and responding to a breach, notifying victims, conducting post-response support, and lost business. Theres also another factor: fines from government agencies, namely the Federal Trade Commission, as well as penalties and increased scrutiny associated with regulatory bodies and standards, such as the Payment Card Industry Data Security Standard (PCI DSS).

    A security breach of your POS environment isnt all about you and how your organization handles things internally. Often, many outside parties get involved in the initial investigations as well as any ensuing sanctions and ongoing audits that will likely be required.

    Clearly, data breaches involving POS systems are financially burdensome on the organizations experiencing them. In addi-tion to these financial losses, organizations also suffer from lost time. Depending on the type of incident they experience, organizations may lose days, weeks, or even months of time to incident response activities. These losses are exactly what businesses operating in the retail industry dont need, espe-cially during heavy shopping periods such as the holiday season. Other businesses operating in different industries can be negatively impacted as well, especially if they lose the capability to accept credit cards.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 1: Understanding Point-of-Sale Security Risks 5

    Getting toKnow the POS Attack Surface

    At its core, cybercrime is a numbers game. More businesses, networked computer systems, and security vulnerabilities lead to greater chance of attacks. Throwing POS network com-plexity, lack of visibility, and even politics into the mix breeds the ultimate playground for criminal hackers, rogue employ-ees, and the like to carry out their attacks for ill-gotten gains.

    POS systems are in the crosshairs for the same reasons that certain operating systems and applications always seem to be targeted by hackerstheyre in widespread use, and the weaknesses are fairly well-known.

    According to World Bank estimates, there are more than 34 million POS devices globally, nearly 10 million of which are in the United States alone. These numbers arent stagger-ing considering the total number of computers around the world; however, POS systems are large targets and provide a great opportunity for bad things to happen nonetheless!

    Industries impactedWhen you think of POS systems and their related security risks, retail probably comes to mind. Given their recognition and visibility, its no surprise that retailers find themselves the frequent targets of adversaries. Most retailers have relatively small IT and security staffs and find themselves struggling to apply those resources to both meet business requirements for 24/7 availability and simultaneously provide the level of security needed to protect sensitive credit card information flowing through their networks. Maintaining security and com-pliance can be difficult tasks in retail, as well.

    POS security risks dont just impact traditional retail businesses. Numerous industries utilize POS systems in some capacity. If your organization transacts business in or around the following industries, its likely affected by POS risks.

    Casinos and gaming: Given the need for a paper trail, a large number of gambling and gaming transactions take place via credit cards.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Point-of-Sale Security For Dummies 6 Entertainment venues: Sports arenas, theaters, civic

    centers and the like are responsible for an enormous amount of credit card transactions each year.

    Healthcare: With an increasing population becoming dependent on the healthcare system, more and more transactions (doctor copays and related fees) are taking place via credit cards.

    Transportation: Airlines, bus and subway systems, and related transportation services do much of their business via credit cards.

    As society shifts away from cash and checks for payments, countless other industries are relying more and more on POS systems for their daily operations.

    How businesses become targetsIn the modern era of business, computers are found in the darnedest places. From the reception area to the back office to the manufacturing floor, its not unusual to find POS systems scattered about like any other networked computer. In fact, most POS systems are merely embedded personal computers running specialized software and, quite often, outdated ver-sions of the Windows operating system.

    Given the pervasiveness of POS systems in any given business, theyre routinely targeted just like any other host on the net-work. Once criminal hackers are able get in and confirm the presence of POS systems, they can become the target where all the malicious efforts are focused.

    After attackers target an organization, they have many poten-tial avenues of infiltration. While servers are likely targets, even the lowliest endpoints sensitive information may be targeted or the endpoint itself may provide an actor with a toehold on the organizations network that may be further exploited. Endpoints can then be used as entry points to get to other targets, such as servers, which are more likely to con-tain larger volumes of sensitive information.

    Specific vulnerabilities that are often present and subsequently exploited on POS systems and any others in the attack chain include

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 1: Understanding Point-of-Sale Security Risks 7 Default, blank, or otherwise weak passwords that allow

    direct system access

    Missing operating system and application patches that can be exploited for remote, and often undetectable, administrator-level, command-prompt access

    Absence of malware protection to analyze, block, and report threats in real time

    Minimal visibility into the overall network that helps ensure IT and security staff are kept in the dark

    Because of these common weaknesses, businesses are often unable to adequately protect POS systems against advanced threats. Just as bad, IT and security staff often dont find out about breaches until after the damage has been done.

    Attackers dont care how they get in. Be it a server, a worksta-tion, or a mobile device, if a system is accessiblephysically in person or logically over the networkit represents an entry point into your POS environment. Once attackers are able to infiltrate the network, the risks to your POS systems and credit card information are front and centerall bets are off.

    Knowing Whats atStakeAdvanced attacks against POS systems are not only sophis-ticated, but also theyre likely to go undetectedespecially if security controls such as traditional anti-virus software are being relied upon. Time is money. The longer the attackers are able to control a POS environment the more damage thats done.

    Having a well thought out security program that addresses the unique needs of your POS environment is critical to mini-mizing your business risks. Every detail from your security policies, your technical controls that help enforce your poli-cies, and the unique procedures and response plans required by your business must be addressed on an ongoing basis.

    When developing a security program, there are many costs you must consider. In addition to the direct costs of security controls that you want to purchase, also plan for the costs of incident response. Investing in incident response pays dividends by lowering the cost of security breaches. Each

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Point-of-Sale Security For Dummies 8time you respond to a security incident, you expend time and money investigating the compromise, notifying customers, and dealing with the aftermath.

    While the aftereffects of a customer data breach are worrisome in their own right, you must also grapple with how the breach will affect ongoing compliance with key Payment Card Industry Data Security Standard (PCI DSS) requirements. Non-compliance can result in steep penalties as well as significant damage to your organizations brand.

    Not only is it critical to have the proper systems and pro-cesses in place, but also its equally important to have the right people managing it all in concert. All it takes is one piece of the POS security puzzle such as an inattentive help desk, a disconnected compliance manager, or network security operations team without the proper tools to miss the big one the POS security breach that brings your business to its knees. Even when internal audit staff and external auditors are looking in the right areas with the right tools and audit procedures, something unnoticed, or seemingly benign, can turn into a real security and compli-ance problem.

    Its one thing to build out your POS security program but quite another to manage it well every day. Make sure every piece is getting the attention it deserves. But most impor-tantly, dont just do it for the sake of compliancedo it with the longer-term goal of minimizing information risks.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 2

    The State of Point-of-Sale Security

    In This Chapter Looking at the current state of security in point-of-sale environments

    Understanding the common types of attacks

    Considering the security costs

    Protecting point-of-sale systems

    P oint-of-sale (POS) systems are under attack around the world. The United States alone has numerous, high-profile breaches of POS security at large retailers. It appears that theres no end in sight for these types of attacks. In this chap-ter, we discuss the impact of advanced security threats on POS systems and outline some specific attacks. We also cover the costs associated with POS security along with specific solu-tions for making POS environments resilient and secure.

    The Current State ofPOS Security

    POS systems include a range of hardware devices, such as card readers, scales, scanners, and registers, as well as the software needed to support them. Increasingly sophisticated POS systems are linked to inventory management, ordering, and customer relationship management applications. POS sys-tems make it possible for retailers to conduct transactions often with credit cardsquickly and easily, providing a smooth and enjoyable customer experience.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 10 Point-of-Sale Security For Dummies

    The mere acceptance of credit card payments is the most notable security concern related to POS systems, as hackers motivated by financial gains attack retailers and other busi-nesses in pursuit of credit card numbers and other personally identifiable information (PII).

    Given the threats combined with what there is to lose, your POS systems should be a top security priority. The numbers dont lie. According to the 2014 Verizon Data Breach Investigations Report, in 2013, POS intrusions made up the highest type of incident at food, beverage, and hospitality providers (75 per-cent) and retailerswhich was at 31 precent. Also, 74 percent of attacks against accommodation, food services, and retail companies from 2011-2013 targeted credit card information.

    Common Types ofAttacksPOS systems run on a range of operating systems, such as Windows Embedded, Windows XP, and newer versions such as Windows 7. They also run on Linux and UNIX. These sys-tems are vulnerable to a range of attack types that could result in data breaches.

    RAM-scraping malware is the greatest threat. This malware, which first appeared in 2008, has been behind the recent major retail breaches. It uses debugging software on POS systems to extract magnetic stripe data directly out of the computers memory. The code behind this type of attack has morphed over the years, including the addition of bot functionality and stealth capabilities to avoid detection, but at its heart remains the same.

    Other common types of POS system security breaches include

    Tampering with personal identification number (PIN) entry devices, where a bug is planted in the device to capture PINs and credit card numbers, or where the entire device is replaced with a substitute

    Installing electronic skimmers at a remote POS device, such as a gas station pump, to collect credit card data

    Identifying open network ports in the POS systemused for maintenance by the system vendorand installing software, such as a keylogger, to capture login creden-tials, credit card data, or other sensitive information

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 2: The State of Point-of-Sale Security 11 Installing malware directly onto the system via a USB


    End ofLife and POSWhen the operating system on a POS device is no longer sup-ported by the vendor (for example, Microsoft), it creates sig-nificant challenges to keeping the POS secure and compliant. Windows XP-based POS systems are some of the most widely implemented in the world, and when Windows XPs end of life occurred in April 2014, all POS systems that relied on it were exposed to significant vulnerabilities.

    Unsupported operating systems such as Windows XP arent only vulnerable to attack, but also they can compromise your organizations compliance with PCI DSS.

    Windows Server 2003s end of life (July 2015) also represents a significant security risk, much like Windows XP, with a significant number of businesses relying on it to run critical applications. Windows Server 2003 creates an issue thats directly tied to the security of POS systems because many such systems rely on server processing and storage to process transactions. If the server system is damaged or the integrity is broken, the entire systems security and compliance could be compromised.

    POS Security CostsAn organizations ongoing security posture, its ability to keep its POS systems in a compliant state, and the controls used to measure both certainly influence the cost of maintaining its POS environment. However, the security costs associated with protecting POS systems are insignificant compared to the costs associated with a breach of credit card data or PII.

    Costs related to POS system compromise include the following:

    Board-level and legal costs: The fallout from a security incident on POS systems should be a key concern for directors and legal counsel and can have negative effects on the board.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 12 Point-of-Sale Security For Dummies

    Executive office costs: Indirect costs, including firings and forced resignations, can be felt at the executive level. These costs have been associated with high-profile credit card breaches.

    Stock price: A security incident can have a direct impact on the stock price of publicly-held companies through distrust and an ultimate decline in shareholder value.

    Reputation and brand damage: Customers will move to what they perceive as safer businesses in the event of a highly-publicized incident.

    Legal costs and penalties: The investigation, reporting, and litigation costs associated with a security incident can be huge.

    Compliance and regulatory costs: Aside from fines, after a security incident, theres often mandatory increased focus and scrutiny placed on the business by the regula-tors as it pertains to security auditing.

    Figure2-1 shows the impact a security breach can have on your business.

    Figure2-1: The impact a POS-related data breach can have on your organization.

    You need to consider all costs related to security breaches when budgeting and planning for the security solutions of your POS systems. A positive result of this analysis is that you can use the

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 2: The State of Point-of-Sale Security 13information to help build the case for a best-of-breed solution that solves your POS security challenges once and for all.

    The return on your POS security investment may be difficult to quantify, but its real. Consider the reduced risk and the avoidance of costs associated with data breaches such as penalties, lost revenues, reputational damage, legal fees, and more. Given that recent breaches have cost retailers tens of millions of dollars, properly securing your POS systems is clearly worth the investment.

    Methods ofProtecting POS Systems

    Businesses relying on POS systems can defend them against RAM-scraping malware, Trojan horses, and other types of attacks using a number of tools and techniques including

    Secure card readers/point-to-point encryption (P2PE): Data is encrypted at the point of swipe, and the encryp-tion is maintained as the data is transmitted to the pay-ment processor.

    Application whitelisting: Only approved applications are allowed to run on POS devices, making it impossible for malware to execute even if its introduced to the environment.

    Firewalls: A security perimeter is built around networks and endpoints.

    Breach detection systems: Security teams are alerted when a breach is detected, based on a complex analysis (not to be confused with intrusion detection systems, which typically rely on signatures to detect illicit activity).

    Disabled remote access: Connectivity by POS vendors and other parties is disallowed.

    Updated and patched POS software: Vulnerabilities found in earlier versions of the software are avoided.

    Mitigating controls for operating systems beyond end-of-life (for example, Windows XP): Counter the impact of unpatched systems.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 14 Point-of-Sale Security For Dummies

    Restricted POS systems Internet access: Malware from sources such as illicit websites and email applications is prevented.

    File integrity monitoring: System administrators are notified when system components are changed.

    Anti-virus software: Nuisance malware with known sig-natures is blocked.

    Vulnerability scanner: Potential vulnerabilities intro-duced to the network and applications are identified for research and remediation.

    DLP software: Confidential data is detected, monitored, and protected in a variety of ways, depending on whether its in use (endpoint), in motion (network), or at rest (storage).

    Physical access policies: Access to POS terminals is restricted to authorized personnel only.

    Routing cardholder data deletion: Stored data is rou-tinely removed from the POS device.

    A closer look at application whitelistingApplication whitelisting refers to a highly effective method of stopping malware-based attacks that works by allowing only trusted software to execute in the computing envi-ronment. Like a bouncer at a party, you determine the software allowed to execute in your environment and the whitelisting tool stops everything else from running.

    A whitelist, in its simplest form, is a list of applications allowed to run in an environment. As a program attempts to execute, the whitelist-ing tool compares it to the approved list typically looking at hash values to ensure authenticityand

    either permits the application to run or blocks it from executing.

    Because of the administrative over-head associated with maintaining a whitelist, leading products have adopted policy-driven approaches to application whitelisting where dynamic policies are used to iden-tify and simplify the management of trusted software. Common policy techniques include the use of cloud-delivered trust ratings, internal trusted software directories, and the use of trusted publishers. This approach allows all software published and signed by a trusted author to be auto-matically added to the whitelist.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 3

    Advanced Threats against Point-of-Sale Systems

    In This Chapter Getting to know advanced threats

    Understanding attacker motivations

    Looking at the various stages of attacks against POS systems

    T oday more than ever, cybercriminals are targeting your point-of-sale (POS) systems using a new breed of advanced threats in order to steal and exploit your customers personal and financial information. Retailers understand these security challenges, but many remain unable to adequately protect these systems due to a continued reliance on legacy antivirus solutions, which we discuss in more detail in Chapter4.

    Introducing Advanced ThreatsAdvanced threats are organized, well-resourced, and deter-mined to achieve the objectives set out by their leadership. Unlike the script kiddie or casual hacker of decades past, the advanced threatoften a government or organized crime-funded entityis a formidable adversary seeking out a spe-cific target for exploitation.

    You can implement what might be considered solid security controls, but your POS systems still wont be impervious to advanced threats using zero-day malware. If they want in badly enough, theyll do what it takes to find a way to pen-etrate your network.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 16 Point-of-Sale Security For Dummies

    As an IT or security professional, you should have a strong knowledge of the characteristics of advanced threats. By under-standing the motivations, tools, and objectives of your adver-sary, you can better prepare your defense-in-depth approach to securing your organizations digital goldnamely the sensitive information involved with credit card transactions on your POS systems. The defining characteristics of the advanced threat include

    Range of technical tools: Advanced threats make use of a wide variety of technical tools. Instead of having a single piece of malware, the advanced threat often devel-ops its own exploits. The code used by advanced attack-ers often makes use of otherwise undisclosed zero-day attacks for which the target (for example, POS systems) may have no defense.

    Tactical sophistication: Advanced threats have experi-ence on their side. Often well-funded, they have had time to develop a playbook for breaking into organizations. Out of their expansive toolset they use the least sophisti-cated assets necessary to achieve success and still have the ability to adjust to the victims defensive posture.

    Integration with human threats: Advanced threats dont limit their domain to technically sophisticated exploits. They understand and integrate the use of social threats as well, often leveraging phishing, social engineering, and traditional intelligence-gathering activities to amplify the effectiveness of their technical tools. The key here is that its a human on the other end. You need to make tactical decisions, be creative in the face of a roadblock, and so on. Given the complexity of POS environments, the level of risk is increased.

    Targeted at specific objectives: The targets of advanced threats are carefully determined and align with the objec-tives of their sponsors. They arent opportunistic but, instead, seek out the systems or individuals that are very likely to contribute to their objectives. Advanced threats conduct targeting analysis and understand their adver-sary before engaging in an attack.

    When most people think about the objectives of advanced threats, they naturally think about the military and politi-cal objectives of nations and think that they dont have resources that fit these objectives. Remember, however,

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 3: Advanced Threats against Point-of-Sale Systems 17that organized crime and political activists are also advanced threat sponsors. Simply having a public-facing website can make you a legitimate target. If you have POS systems, the criminal payoff and ensuing risks can be even greater.

    Well-resourced: Governments, organized crime, ter-rorist groups, and other well-funded organizations are behind advanced threats. The sponsors of these groups provide them with financial means, technical talent, and intelligence-gathering capabilities that enable their success.

    High degree of organization: Advanced threats operate more like military units than hacking clubs. They have well-defined leadership structures and operate very effi-ciently. Theyre organized around their mission.

    The advanced threat is unlike any risk faced by previous generations of IT and security professionals. Organizations, individuals, and POS systems targeted by advanced threats are at the receiving end of a formidable attack, and you must organize your defenses accordingly.

    Understanding Attacker Motivations

    Many different types of advanced threat actors exist, and each one has different motivations. The common driving forces behind advanced attacks include the following:

    Cybercrime: Many advanced attackers simply seek finan-cial gain. They seek to steal money, obtain information, or hijack computing resources in an attempt to achieve a windfall.

    Hacktivism: Other advanced attackers seek to use their hacking skills to advance a political agenda. They typically engage in denial of service attacks and website deface-ments designed to embarrass or disrupt their target.

    Cyberespionage: Attackers in this category seek to steal information to gain a political, economic, or military advantage, which can often be funded and directed by nation-state governments.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 18 Point-of-Sale Security For Dummies

    Malicious insiders: Advanced attackers arent necessarily limited to outsiders. For example, consider a disgruntled employee looking to steal information and sell it to a com-petitor or perform some type of sabotage.

    The types of attackers targeting a specific organization depend on that organizations mission and its global reputation.

    Executing Attacks in POS Environments

    Advanced attacks can be carried out against POS systems in numerous ways. Given the network, application, and other corporate complexities involved in POS environments, the potential attack vectors are virtually endless. However, all attacks do have some common themes, shown in Figure3-1, that you need to be aware of.

    Figure3-1: How cybercriminals launch advanced attacks against POS systems.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 3: Advanced Threats against Point-of-Sale Systems 19These themes include the following descriptions:

    Vulnerability: Advanced malware attacks often start with something as basic as weak passwords, missing software patches, and the general gullible tendencies of users.

    Method: Advanced malware injects itself into memory, collects desired information (for example, credit card track data), exfiltrates the data to another system, and uses a command control (C&C) system for further actions as needed.

    Involvement of additional systems: In most cases, the cap-tured data is exfiltrated from the POS system to another system within the targeted environment for aggregation and then uploaded to a remote system, which reduces the chances of detection.

    Opportunistic: POS malware families are very targeted and opportunistic and in many cases arent detectable with traditional antivirus detection. Advanced malware families continue to evolve as evasion techniques improve with several versions of each family in existence. This evolution helps to explain the continued difficulties in detecting and preventing this malware using traditional security controls.

    The latest POS malware to make the news is being referred to as Backoff. Backoff is a family of retail-focused malware that has been witnessed recently in multiple forensic inves-tigations, including those in the high-profile retail breaches. The malware typically consists of RAM scraping, keylogging, command and control, and process injection. A Backoff malware attack is what is often referred to as a stage-two attack. In this context, this means that Backoff is leveraged after attackers force their way in through remote desktop applicationstypically via a weak Windows operating system password. After the attackers have accessed the remote desktop, they begin reconnaissance for any POS devices and attempt to install Backoff or similar POS mal-ware on those systems. Even though attackers can take control of every other application in the attack chain, your POS system can be made safe and malware-free by putting the proper security controls in place such as the positive security model technologies that Bit9 + Carbon Black offers.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 20 Point-of-Sale Security For Dummies

    Can Chip & PIN prevent advanced attacks?

    One of the security controls being suggested as a solution to the POS security problem is EMV, or Chip & PIN, technology. EMV, which stands for Europay, MasterCard, and VISA, is a decades-old global standard for integrated circuit cards with embed-ded microprocessor chips that store and protect cardholder data con-tained within a metallic square on the card. EMV Chip & PIN has yet to be adopted in the United States, although that is expected to change in 2015.

    EMV technology helps protect the card data thats collected by POS systems, which will be locked up tight, deterring criminals from attempting to use physical card readers and skimmers. However, its not a silver bullet in the effort to pro-tect sensitive data from compromise and to solve the POS problem com-pletely. Other areas within the typical payment systems expose both card and customer data.

    Many of the well-publicized large-scale POS system breaches targeted the software that was responsible for processing the credit card trans-actions as well as collecting cus-tomer information such as user IDs and personally-identifiable informa-tion. Many organizations still house a treasure trove of this information on

    their back-end processing systems and servers that will still be prime targets. This information can even end up in log files, data backups, and on poorly-secured workstations and other endpoints, creating unneces-sary risks.

    Criminals may also turn to other techniques to use the technology shift to their advantage, such as the recent surge of replay attacks. In these attacks, criminal hackers were using recently stolen credit card information to spoof transac-tions on the credit card networks as chip-enabled transactions. Even in the European marketplace, where Chip & PIN has been in place for years, the tone regarding POS secu-rity is no different. The threat of data compromise on POS systems and the risk to sensitive data is taken just as seriously.

    Having additional locks on the door (like EMV/Chip & PIN) is a great addi-tion to your arsenal of protection, but you also need to make sure you have a real-time perspective on your systems. You need to take control of the data where its processed and resides but you also need the abil-ity to take proactive measures in the event a security breach happens in your POS environment.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 4

    Recognizing Current Limitations in Point-of-Sale Protection

    In This Chapter Understanding the limitations of traditional antivirus

    Looking at the considerations for host intrusion prevention

    Responding to threats quickly to stop malware outbreaks

    T he major retail security breaches have brought the tra-ditional point-of-sale (POS) security model into the spot-light. Simply putit doesnt work. Criminal hackers have the upper hand with their advanced malware attacks. Many of the existing antivirus controls are ineffective at best. Incident response times are getting longerthe very scenario you dont need when your POS systems come under attack.

    In this chapter, we discuss the limitations of current POS security controls, outline how to match the new threats with new security capabilities, and show you how you can respond to advanced malware attacks more efficiently to produce the results you desire and to minimize the security risks in your POS environment.

    Antivirus Software LimitationsAntivirus software, first introduced in the mid-1980s, is used to detect, prevent, and remove malicious software (malware) such as viruses, worms, spyware, and Trojan horses. This traditional security controlstill in widespread use todaywas pretty

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 22 Point-of-Sale Security For Dummies

    good at detecting and blocking known malware. Antivirus software simply matched questionable threats to a signature database of known malware andvoila!the threats were blocked. The problem with a signature-based approach is that it doesnt provide an effective defense against advanced malware where the threats are unknown and often targeted to specific types of computers and applications such as those in POS environments.

    Heavy dependence on POS systems combined with advanced malware that can evade traditional antivirus controls creates the perfect storm for network compromise.

    Signature-based scanningAntivirus softwares major weakness is that it depends on signature-based scanning. Because antivirus software relies on identifying signatures in the files it scans, it is not an effective tool when confronted with unknown malware. If the antivirus software doesnt yet have a signature for a file thats found its way onto the system, that malware wont be detected and will be able to run freely.

    In light of the rapidly-morphing malware landscape, keeping blacklist signature databases updated has become unsustain-able for traditional antivirus software providers.

    In a POS environment, antivirus software scans the systems for the presence of these malware signatures. Any file suspected to contain malware may be deleted, quarantined, or repaired to prevent system infection. The issue with this approach is that advanced attackers often leverage zero-day attacks for which theres no signature available. Attacks that are previ-ously unknown to the security community will be able to slip right past a signature-based detection system. Additionally, malware authors can make very minor changes to their code that prevents it from matching existing signatures, rendering it undetectable by signature engines.

    Performance impactAntivirus software must analyze each and every bit stored on a systems storage devices and in its memory, looking for the presence of malware signatures. Given how quickly signature

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 4: Recognizing Current Limitations in POS Protection 23databases are growing, this scanning is resource-intensive, requiring the use of disk bandwidth, memory, and CPU capac-ity. When a malware scan runs on a system, the scanning software may have a noticeable performance impact on user activityan undesirable side effect on POS systems.

    Specifically, scanners must check every file on the system, not just those that are likely to be threats. The scanner must check the entire contents of each file, looking for signs of malware. In a retail setting, store system administrators can schedule scans during idle periods, but that leaves large chunks of time when no scanning is taking place. If scheduled scans occur during operating hours, they could result in unacceptable dis-ruptions to customer service. When users experience these issues, theyre more likely to attempt to disable or circumvent the security control thats interfering with their work.

    Point-in-time scanning can be bad for business. Due to the performance impact of antivirus software conducting full system scans, these scans are usually scheduled to occur daily or weekly. These scans are often during evening hours when the scans wont impact normal user activity due to CPU, hard drive, and memory utilization. Even with POS systems running with the most advanced processors, solid state drives, and more memory than you can shake a stick at, system performance is still impacted by full antivirus scans. Not only are performance issues detrimental to POS transac-tions, but also such point-in-time scanning provides a threat window where malware can run uninhibited between scans.

    Host Intrusion PreventionCertain IT administrators and security managers rely on host intrusion prevention systems to supplement the protection provided by antivirus software. These packages, also known as behavioral host intrusion prevention systems (BHIPS), monitor activity on a system for malicious actions on the part of executable files. Unlike antivirus software, BHIPS dont rely on a database of known malicious software. Instead they monitor POS systems over time, develop a model of normal activity and then flag deviations from normal behavior for administrator review.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 24 Point-of-Sale Security For Dummies

    In theory, BHIPS are the ideal supplement to antivirus soft-ware in POS environments because they have the potential to detectand blockadvanced threats in real time. However, in practice these systems require an excessive investment of time and effort to fine-tune and maintain. They also have very high false-positive rates, triggering alerts on non-malicious activity. The combination of these two limitations often results in administrators and users disabling BHIPS capabili-ties because of the time spent maintaining them and respond-ing to false alarms.

    The last thing you need in your POS environment is a secu-rity control such as BHIPS creating false alarms and blocking legitimate business transactions.

    Furthermore, the information provided by BHIPS is often too shallow for useful analysis. It doesnt tell where unknown executable files were spawned and often doesnt provide his-torical data that facilitates the time-based analysis required by security analysts. The model used by behavioral systems is also not capable of incorporating external information containing the latest threat intelligence. Furthermore, stand-alone host-based systems cant assess network effects or cor-relate multiple reports received from systems across the POS environment.

    Incident Response ServicesWhen organizations find that theyve fallen victim to a sophis-ticated cyberattack, they often retain the services of a firm that specializes in security incident response. These firms bring together teams of experts in a variety of security disci-plines to quickly assess the incident, contain the damage, and restore the organization to secure working order as quickly as possible.

    While these services are often invaluable when responding to a security incident, theyre also quite expensive and avail-able only for a limited duration of time. After the incident is resolved, the expert team leaves, and maintaining system security is once again incumbent on the organizations IT and security staff. You need to be careful in your approach to malware attacks and not rely completely on these response services.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 4: Recognizing Current Limitations in POS Protection 25

    Limited data availabilityInformation systems generate massive amounts of data and are capable of logging extremely detailed records about their activity. These logs often contain critical information necessary to reconstruct the events that took place during a security incident. Responders depend on the availability of a detailed audit trail to identify how an intruder gained access to a network, the scope of their activities, and the data that they may have stolen.

    You know your network environment better than anyone else. When a breach impacts your POS systems, you cant just hand over the reins to a third-party. You need to be prepared to be intimately involved in the response process: to ask questions of the incident response team, to answer their questions, and to ensure everything is being addressed in the best interests of your organization.

    One of the major limitations of incident response services is that its more than just collecting dataits about collect-ing the right data and having a suite of tools available that allows you to understand it in context. When an incident occurs, the response is hampered by the lack of visibility into system events that took place while the attack was under way. Responders want to be able to quickly understand the relation-ships between systems and trace the spread of malicious files within the enterprise. Without purpose-specific tools in place before a breach, gathering all the data necessary for an effective incident response could take weeks or months.

    Limited scopeWhen an incident response team arrives at an organization, they have a clearly defined scope of services. This is normally limited to identifying the circumstances surrounding a partic-ular security incident and remediating the vulnerabilities that contributed to that incident.

    Incident response teams often use sophisticated forensics analysis and response tools that are licensed to the incident response firm. They dont leave these tools behind for you to use on an ongoing basis. In cases where the tools are open

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 26 Point-of-Sale Security For Dummies

    source or the organization opts to purchase a license, the incident response firm wouldnt normally integrate them into your normal IT and security operations.

    Home-grown toolsMany companies, and even some incident response firms, rely on the use of custom-developed tools that have been handed down through the ranks of incident responders. While they may be effective, theyre the IT equivalent of duct tape and chicken wire. Theres rarely any documentation or knowledge transfer on how to use such tools outside of one or two people.

    Expertise requiredIncident response is a specialty skill and experienced profes-sionals are highly sought after and very well compensated. Only the largest organizations are able to maintain a full-time incident response staff, making it difficult to maintain incident response tools on an ongoing basis.

    Non-continuous approachTraditional incident response activities are targeted at a very specific activity instead of designing the type of continuous monitoring program thats essential to maintaining security in the age of advanced attacks. The alternativeand the only proven approachis to implement a solution that allows for real-time continuous recording of POS systems activity.

    Matching New Threats withNew Capabilities

    Organizations seeking to maintain secure POS operations in this risk-laden environment must maintain a set of security controls designed to meet todays threats instead of those that were deemed adequate in years past. A new way of think-ing is required and some important security decisions need to be made.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 4: Recognizing Current Limitations in POS Protection 27

    Responding quicklyConventional security defenses are too slow. No matter how dedicated and talented they are, IT and security staff simply cant keep up with the volume of data flowing through the enterpriseespecially in complex POS environments. Security systems such as intrusion prevention systems, fire-walls, security information and event management (SIEM) systems, and antivirus software generate massive amounts of information that adds to the overload. Many businesses expe-rience hundreds, or even thousands, of alerts each day and simply dont have the staff to respond to them all or to triage them to a manageable level.

    Not only must you find a way to respond to this information overload, but also you must do so in a rapid manner. Its true that a cybercriminal may take months to identify targets, develop specialized malware that exploits specific vulner-abilities in targeted systems, and install command-and-control capabilities on targeted systems. Despite this, most advanced attacks arent detected or stopped in time to prevent theft or damage.

    Youve heard the saying When seconds count, the police are only minutes away. The same goes for security threats against your POS environment. Time is of the essence. Without good information, its hard to respond efficiently to advanced attacks.

    After an attacker successfully infiltrates a system, the actual theft of data can take place rapidly. Massive amounts of information can be stolen in mere minutes or seconds. Security systems must be capable of quickly identifying an attack in progress and taking automated action to prevent damage.

    In addition to reducing the delay in initiating a response, security systems should increase the efficiency of response staff. In some cases, enterprises implementing next genera-tion security tools have been able to achieve significant time savings. With the new technology, one guy in one hour can do what it used to take ten guys ten days to do.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 28 Point-of-Sale Security For Dummies

    Detecting potential threats automaticallyThe modern threat operates faster than any incident response team can analyze and react to information. Security technolo-gies that are configured to require administrator intervention before a response occurs are ineffective because the time taken by the administrator to analyze the attack may be longer than the short duration of the attack itself. Given the cardholder data thats at risk, this time window is especially crucial for attacks against POS systems.

    Effective security controls must be capable of autonomous operation. This doesnt mean that you dont need trained security staff; it simply means that they should be spending their time installing, maintaining, and monitoring automated response controls instead of conducting security response manually. Even the best security tools must be custom-tailored to the unique operating environment of your organization and thats where well-trained IT and security professionals can lend valuable expertise.

    Stopping malware executionEmbedding automated detection techniques in your environ-ment is the first barrier to advanced threats, but successfully protecting your organizations security requires actually blocking and preventing suspicious software execution until the issue is resolved on the affected POS systems. Unless and until you have the proper means for stopping the actual execution of malware, theres work to be done.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 5

    Solving the PCI Challenge for Point of Sale

    In This Chapter Using PCI compliance as a baseline for POS security

    Shifting toward proactive security control

    Looking at PCIs prioritized approach for POS security

    T he Payment Card Industry Data Security Standard (PCI DSS) was created to set a standard for controls that protect credit card data used in transactions, stored in databases, and trans-mitted over systemsall of which are included as functionality on most point-of-sale (POS) devices. This coverage means that the majority, if not all POS systems, are covered under the PCI DSS compliance requirements.

    Not only do you have to ensure that your POS systems are continually compliant with PCI but also that security controls are in use and actively protecting the credit card data they process and/or store.

    In this chapter, we discuss the benefits of utilizing PCI DSS as a continuous measuring stick to gauge the effectiveness of POS security. We also outline how the theme shift of the recent version of PCI DSSversion 3.0can have a positive influence on the goal of ensuring a continuous security mea-sure for POS systems.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 30 Point-of-Sale Security For Dummies

    PCI DSS asa Measuring StickThe threats to sensitive data on POS systems have been grow-ing rapidly ever since PCI DSS was put into action. With that growth, theres been a tendency among businesses and audi-tors to measure POS security effectiveness directly against the requirements within the PCI standard note for note.

    The end goal for POS systems should be the most effective security program to protect sensitive data rather than a com-pliance check mark. Compliant doesnt always mean secure, and a mere checklist of requirements does not get your POS systems to a final state of security.

    The just get by approach is being called out, so to speak. When aligning POS security with the current PCI require-ments, consider the industry-accepted recommendations:

    Dont underestimate the effort involved. PCI compliance requires time, money, and executive sponsorship. It needs to be part of everybodys jobapplication developers, system administrators, executives, and even staff in shops and call centersnot just left to the IT security team.

    Make compliance sustainable. An organization must complete thousands of tasks throughout the year to stay compliant. To be sustainable, compliance needs to be embedded in business as usual as an ongoing process.

    Think of compliance in a wider context. The best thing you can do to simplify your PCI compliance workload and achieve real security is to put your compliance pro-gram within your wider governance, risk, and compliance (GRC) strategy.

    Leverage compliance as an opportunity. Done properly, PCI compliance can drive process improvements, identify opportunities to consolidate infrastructure, and gener-ate additional equity. Think of it as an opportunity rather than a burden.

    The task at hand may seem daunting when you consider all the variables that need to be considered for POS systems in the current threat landscape. However, if you step back and take a look at the new requirements in PCI DSS 3.0 from a prioritized

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 5: Solving the PCI Challenge for Point of Sale 31perspective, figure out what controls you need to address first, and address the ones that have the greatest effect on your crit-ical business processes, its not as complicated as it may seem.

    After you have the critical controls in place, think about how to prove that the controls are actually doing what they are supposed to be doing. You will have the answers to the com-pliance questions that come up during audits, and you will put your POS systems in a better state of security.

    PCIs Shift toward Application Control

    One of the biggest changes in the PCI DSS 3.0 standard is the move toward being more proactive when it comes to measur-ing your security controls. For POS systems, this involves ensuring that the information used to measure both the com-pliance and security status is as close to real time as possible while focusing the analysis on a smaller subset of data.

    The first validation shift that can help to enable compliance and improve security posture is a move from negative to posi-tive security. With this model, rather than blocking the attacks that are known to be bad, you allow the transactions that are known to be good. This shift provides continuous compliance and full protection while enabling real-time visibility of your in-scope PCI assets. Youll get a better hold on measuring risk, verifying controls, and continuously monitoring security. The addition of approval trust-based security positioning will enable merchants with POS systems to reduce the administra-tive costs of normal pre- and post- compliance analysis, free up endpoint system processing power, and protect systems after critical patch support has ended.

    Moving POS endpoints into a positive security posture helps to lower administrative effort, reduces scope, and enhances performance. It allows focus on the known good rather than a list of things that are bad, and eliminates the need to constantly scan the POS endpoint to detect malware. Positive security easily exposes and enforces the adherence to com-pliance while protecting POS systems by placing them in a default-deny state, where anything thats not part of the trust-policy cannot execute.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 32 Point-of-Sale Security For Dummies

    Merging Compliance Policy withSecurity Controls

    The convergence of security controls with compliance policies has been gradual. It hasnt always been a natural synergy for security and compliance to work together in this way. When it comes to measuring the true security posture of POS systems, there are many benefits to using PCI DSS as a guide to imple-menting such controls. The ideal outcome is a convergence ofcompliance and security providing active intelligence providing answers on the enforcement of the audit controls and also on the current security posture and risk.

    Many PCI controls can be used to help synchronize the com-pliance evidence with the security metrics. For POS systems, a positive solution must

    Require very few system resources

    Proactively drive a security policy to the endpoints by allowing only trusted applications to run

    Detect, identify, rank, eliminate, and block malicious software

    In addition, a positive security solution can

    Provide visibility into whats happening on all IT assets

    Categorize the risks, without relying on signatures

    Verify and scrutinize the security controls

    Perform continuous monitoring of these controls

    Provide reports that enable IT to take proactive, correc-tive actions and/or prove compliance

    Ensuring Ongoing PCI ComplianceBy placing POS systems into a positive security posture, mea-sured against a trust-policy (only the software you trust can run on your enterprise systems) you will be able to continu-ously monitor and record all activity on your POS systems and other corporate endpoints for real-time detection and

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 5: Solving the PCI Challenge for Point of Sale 33denial of unauthorized software. You will be able to monitor the state of compliance at any given point within the assess-ment process to ensure that compliance really does equal the true state of security.

    There are other benefits to a trust-based application control environment that can bring you closer to continuous PCI com-pliance. You will be able to

    Build intelligence around all of your file assets, including their prevalence, trust rating, and inherited vulnerabilities

    Report on any asset for an audit, a pre-compliance assessment, or security intelligence gathering

    Meet file integrity monitoring, control, and audit trail rules with continuous, real-time file monitoring

    Protect your critical configuration files from unauthor-ized changes

    Enforce your trust policies whether your systems are online or offline

    Focus only on those events that are relevant to your busi-ness and lower the cost of obtaining compliance data against a smaller dataset

    PCI DSS 3 .0s effect on POS securityPCI DSS 3.0 has had a substantial effect on the security of POS sys-tems. Under this latest version of the PCI standard, POS systems are scru-tinized much more than in the past. When assessing POS systems for security and compliance, keep these three main theme changes in mind:

    You must be able to identify, detect, and alert on any change to critical data.

    You must ensure protection and PCI compliance at all integration points with the POS systems.

    You must protect POS systems from threats, including those systems that havent traditionally been affected by malware.

    PCI DSS is very clear in whats required of organizations when securing the POS environment. Every situation is unique. However, POS systems that store or process cardholder data likely fall within the scope of compliance requirements.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 34 Point-of-Sale Security For Dummies

    Mirroring thePCI Prioritized Approach

    The PCI DSS Prioritized Approach is a culmination of all the individual PCI requirements divided into six key milestones for businesses to consider. It provides guidance on how to focus on PCI DSS implementation and helps to reduce risk to the cardholder data environment as early on as possible within the compliance process.

    Multiple benefits exist with mirroring the PCI Prioritized Approach when addressing security controls on POS. Table5-1 shows four of the concentration areas you can benefit from.

    Table5-1 Benefits of the PCI DSS Prioritized ApproachPCI DSS Priority Area The Positive Security FitProtect systems and networks Protection: Anti-malware and

    stopping advanced persistent threats (prevention)

    Secure payment card applications

    Risk measure: Measure PCI and security risk and assess vulner-abilities (detection, visibility, prevention)

    Monitor and control access Monitoring critical systems (visibility, response)

    Ensure all compliance controls are in place

    Enforcement: Prove security policies and device control (visibility)

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 6

    Deploying Proactive Point-of-Sale Security

    In This Chapter Defining your unique requirements

    Understanding the Security Maturity Model

    Managing your smart policies

    Working with other security products

    N ows the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems.

    In this chapter, we discuss defining your unique requirements, assessing how the Security Maturity Model fits in, managing your ongoing smart policies, and ensuring your POS security controls work well with other security products on your network.

    Defining Your RequirementsNot only does every organization have unique security require-ments, but so does every POS environment. As you move toward selecting a POS threat detection, response, and preven-tion product, you should identify the requirements that are most important to your business and meet your specific needs.

    If you choose to conduct a request for proposal (RFP), you need to define these requirements well to solicit useful pro-posals from prospective vendors. Even if you dont go the

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 36 Point-of-Sale Security For Dummies

    RFP route, its helpful to know what youre seeking before you begin evaluating products. Otherwise, you may find yourself in a you dont know what you dont know situation that you dont want to be in. As you set out on the path to selecting a POS security product, consider these key requirements:

    Visibility: Choose a product that allows you to record your environment continuously in real time. This real-time visibility fuels detection, response, and prevention. The more items of relevancememory operations, parent processes, registry accessthe better.

    Detonation capabilities: Choose a product that doesnt lock you in to a single vendor. If you want to integrate with an existing detonation (the ability to execute sus-pect malware in an isolated virtual machine) or next-generation firewall product, make sure that the threat protection vendor has experience with that integration. Look for products that both take in information from det-onators and can also push data out to those detonators.

    Enforcement capabilities: Your POS protection solution should provide you with a wide range of possible responses to a threat, including banning files by name or hash value and/or extracting suspect files from the system.

    Lightweight agent: Users dont want a heavy agent installed on their POS systems. Your goal should be to find a product with a lightweight agent that helps you identify security threats and respond to them appropri-ately. Defense without business/productivity disruption is a fundamental goal.

    Phased approach to default deny: Flexible threat detec-tion, response, and prevention solutions allow you to work your way toward a default deny approach (blocking everything from the get-go) in a manner consistent with the culture and operating environment of your organiza-tion by allowing

    Your other chosen strategies to naturally impart trust

    You to see how far that gets you in terms of measur-ing risk and assessing operational impact

    You to target low-hanging fruit that gets you one step closer

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 6: Deploying Proactive Point-of-Sale Security 37 Signature-less detection: Your chosen solution should

    use a wide variety of data sources and detection approaches when evaluating suspicious files. You want to avoid signature-based approaches that are vulner-able to zero-day attacks. Ideally the product has a rules engine or API that lets you and your staff participate in the creation of new detection mechanisms. A vendor may even enable the sharing of security knowledge within its customer base and make that information available in the form of rules and policies.

    Efficient, high-value reporting and administration: The solution should provide you with standard templates and practices for getting information and actionable items and allow you to build out your own approaches as well.

    Professional services with proven expertise in deploy-ing protection: Most deployments of POS security soft-ware take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security soft-ware in organizations similar to yours.

    By spending the time and effort thinking about what you really need on the front end, you can maximize the value of your POS security software deployment management for years to come.

    Understanding theSecurity Maturity Model

    As you prepare to select and deploy proactive POS security protection, its a good opportunity to assess the current state of your organizations information security. The following four areas help you determine the maturity level of your program:





    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 38 Point-of-Sale Security For Dummies

    For each area, you answer a series of questions that are com-piled into functional area ratings and then overall ratings for each category. The maturity of your organization on each dimension is then assigned one of the following ratings:

    Nonexistent (0)

    Ad hoc (1)

    Repeatable (2)

    Defined (3)

    Measured (4)

    Optimized (5)

    Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical envi-ronment and culture, bringing you value regardless of where your organization lies on this spectrum.

    Managing Smart PoliciesSignature-based detection is simply not effective against advanced threats for POS systems. While some people say that the alternativewhitelisting or application controlis too hard, theyre not correct. These people think of whitelist-ing as a long list of appropriate files, but its biggerand betterthan that.

    Smart policies arent plain old lists. Theyre covering mechanisms that catalog metadata, patterns, and system information to help detect nefarious behavior. They then impart trust to each of those items. Simply put, smart policies are a short list of observations and actions that describe a system state as positive, negative, or neutral. Smart policies distill application control and attack detec-tion into an understandable and manageable task. Thats why theyre so valuable!

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 6: Deploying Proactive Point-of-Sale Security 39Do you trust all of the applications contained within your main software repository? If so, you can express that trust using a single smart policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust in a smart policy as well. If you receive threat intelligence reports that rate a given binary file as middling and requiring further investigation, a smart policy can also handle that situation.

    Smart policies can overlap, which means that multiple smart polices can apply to a single file. POS security systems allow this to occur and come to conclusions about a suspect piece of malware by taking all of the trust ratings into account. Next generation security products allow you to express policies as imparting trust on a spectrum.

    Dont take deployment flexibility lightlyWhen it comes to enterprise secu-rity, one size does not fit all. Your operations may be more staff-centric or more automation-centric or some-where in the middle. Your software deployment strategy may depend upon trusted repositories and con-figuration agents, or be nonexistent altogether.

    At the same time, your company cul-ture may be open and permissive or more traditional and controlled. On top of that, you may want to focus more on detectionfinding the bad guysor more on prevention and the default deny strategy. Only you will know how these things work in your environment.

    One things for sure you dont want a vendor or specific product that tells you what to do and how to do it. Instead, you want one that looks at your requirements and envi-ronment and then works with you to develop the right approach.

    You need to be able to fit multiple solutions into the various parts of your ecosystem, and you need prod-uct knobs and dials that custom- configure each one. And depending on how daunting this sounds, you need a services partner that can guide you efficiently and effectively. This stuff really does matter!

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 40 Point-of-Sale Security For Dummies

    Integrating withother Security Products

    Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infra-structure, you should select products that fully integrate with your SIEM and allow the use of correlation rules.

    Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule that works with events from a Snort intrusion detection system may or may not be effective with information gathered from a similar NetWitness product. When designing correla-tion rules, organizations should ask these questions:

    What types of threats do we want to monitor?

    What are the typical attack patterns for such threats?

    What are the sources and types of events currently being tracked within the SIEM?

    Which of these events are used most often in monitoring for potential threats?

    How often do investigations resulting from those events result in false positives?

    When investigating an event, what types of additional information does the analyst need?

    Are we collecting the right data to make incident response quick and conclusive?

    Using these questions to guide event correlation across a vari-ety of security products enhances your security capabilities in many ways. It can reduce the time it takes to prioritize alerts and investigate incidents from days to minutes. Investigations are further expedited by locating every instance of a suspi-cious file across your POS systems. You can then analyze filesboth automatically and on-demandthat arrive on your POS systems to quickly determine their risk. Finally, you can ensure remediation by enforcing security policies that help in stopping an attack and preventing it from happening again.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 7

    Ten Tips for Successful Point-of-Sale Security

    In This Chapter Ensuring optimal defenses by using proven security controls

    Making sure your point-of-sale risks are minimized

    C ybercriminals are getting increasingly sophisticated, and theres no end in sight. The threats, risks, and com-pliance requirements associated with point-of-sale (POS) systems have become so challenging that IT administrators, security managers, and compliance officers are scrambling to find reasonable ways to get their arms around it all.

    In this chapter, we give you ten ways you can more easily reach your POS security and compliance goals:

    Minimize the customer data you collect and store. Acquire and keep only the data required for legitimate business purposes and only for as long as necessary. When data is no longer of business value or relevant to security compliance, properly dispose of it. Shred paper documents and remove hard drives from your POS sys-tems and related computers. You can even take your security efforts a step further by encrypting the sensitive data you collect on laptops, mobile devices, flash drives, and backup tapes. Encryption makes it more difficult for unauthorized parties to read in the event of loss or theft.

    Manage the costs and administrative burden of the PCI compliance validation process. Try segmenting your infrastructure among multiple teams to minimize the complexity and scope of compliance. Having full visibility

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • 42 Point-of-Sale Security For Dummies

    into all enterprise assets beyond your POS systems (for example, network hosts, applications, and databases) along with the necessary templates to determine PCI-relevant data gives you a snapshot of the corporate assets that are affected and helps minimize the compli-ance pains.

    Maintain PCI compliance throughout the checkout process to guard data against all the possible points of compromise. If youre able to detect transactional data point infractions in real time and stop anything intro-duced into your infrastructure thats outside of known software (such as advanced threats), you can ensure that transactional data (such as credit card numbers) are pro-tected at every step along the way.

    Develop a strategy to protect your infrastructure onmultiple levels. Eliminate every opportunity for cybercriminals to exploit your POS terminals, kiosks, workstations, and servers. The ability to collect end-point information in real time provides you with the information to properly assess the risks. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.

    Maintain real-time inventory and actionable intelligence on all network systems, and control the overall security of your infrastructure to maintain PCI compliance. Employ multiple layers of security technology to stymie sophisticated hackers. Establish a baseline for the soft-ware that should reside on your POS and related systems. Schedule security patches on your own timetable and elim-inate the need for constant profile scanning that can nega-tively impact the performance of your POS environment.

    Extend the life of your systems to keep them compli-ant. Often you cant upgrade for extended support after an operating systems end of life. By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach will keep you in-the-knowat all timeswhats run-ning on every in-scope system across your organization. Rather than guessing whats compliant and whats not, you can determine on a real-time basis if you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.

    These materials are 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

  • Chapter 7: Ten Tips for Successful Point-of-Sale Security 43 Use real-time sensors to test your security system regu-

    larly. By maintaining continuous, real-time file integrity monitoring and control, you can protect critical configura-tion files from unauthorized changes and meet file integrity monitoring and audit trail rules associated with your POS systems. Youll be able to identify all suspected vulnerabili-ties across your POS environment and