Auditing Archives Series: The Case of the File-Sharing Franchisee

Upload: securitymetrics

Post on 29-Jun-2015


DESCRIPTION

An unfortunate franchisee with hundreds of restaurant locations hired an IT company with little security expertise to configure its restaurant POS systems across multiple locations. Giving every restaurant access to the same programs and files back at corporate HQ promoted process consistency across each restaurant management system and made information exchange easy, but it also opened security holes.

TRANSCRIPT

Page 1: Auditing Archives: The Case of the File Sharing Franchisee

Auditing Archives Series: The Case of the File-Sharing Franchisee

Page 2

Business background

Successful franchisee owns over 100 well-known restaurants in the Midwest.

Page 3

Business background

Shared files with restaurant management across states via a server at the corporate location.

Page 4

Business background

Used a third party IT company to configure system hardware and software for all restaurant locations.

Page 5

How hackers could get in

The corporate back office server that shared files across restaurant servers used an always-on, insecure virtual private network (VPN) connection.

IT staff configured the corporate office's remote access insecurely, and that access led straight onto a ‘flat’ internal network, with no segmentation between the corporate systems and the restaurant connections.

Page 6

What is remote access?

Remote access is the ability to reach a computer or server from a remote location. It is commonly used in mid-sized to large organizations by employees who need access to shared files and company networks.

Unfortunately, it’s very common for remote access to be set up insecurely.

Page 7

How hackers could get in

A hacker could break into the insecure remote access at corporate headquarters by cracking an easily guessable password, then find the file server connected to 100+ other restaurants via the always-on VPN connection.

Page 8

How hackers could get in

Once on the file server, he could guess the in-store POS system password.

One by one, he could download malware onto each restaurant’s POS system and capture sensitive payment card data.

Page 9

What the business did wrong

The third-party IT group configured all restaurant systems identically and with an easily guessable password.

Page 10

What makes a good password?

A password should not be a word found in a dictionary in any language. It should be at least 8 characters long and mix upper and lower case letters, numbers, and special characters.

Passwords should be changed every 90 days.

Page 11

What they should have done

This problem could have been prevented through more secure remote access at the corporate location.

Specifically, the franchisee should have required two-factor authentication for each login (e.g., a password plus a one-time code) and an individual, complex system password for each restaurant location.
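The two findings in this deck, one guessable password cloned onto every location and passwords that break the rules on the previous slide, can be checked across a whole fleet at audit time. The Python below is an added example, not SecurityMetrics' code; the store ids, passwords, dates and the tiny stand-in wordlist are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date

# Stand-in for a real multi-language wordlist (assumption: load a full one).
DICTIONARY = {"password", "restaurant", "welcome", "franchise"}
MIN_LENGTH, MAX_AGE_DAYS = 8, 90
TODAY = date(2015, 6, 29)  # constructed reference date for the age check
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")  # all four required

def policy_violations(password, set_on, today):
    """Return the deck's password rules that this one password breaks."""
    problems = []
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not all(re.search(p, password) for p in CLASSES):
        problems.append("missing a character class")
    if (today - set_on).days > MAX_AGE_DAYS:
        problems.append("older than 90 days")
    return problems

def fingerprint(password):
    return hashlib.sha256(password.encode()).hexdigest()  # report hash, not secret

def audit_fleet(records, today):
    """records: (location, password, date_set) tuples -> {location: [findings]}.
    A password shared across locations is flagged on every location using it."""
    locations_by_hash = defaultdict(list)
    for loc, pw, _ in records:
        locations_by_hash[fingerprint(pw)].append(loc)
    findings = {}
    for loc, pw, set_on in records:
        problems = policy_violations(pw, set_on, today)
        others = len(locations_by_hash[fingerprint(pw)]) - 1
        if others:
            problems.append(f"reused at {others} other location(s)")
        if problems:
            findings[loc] = problems
    return findings

# Constructed sample: three stores provisioned identically, one done right.
SAMPLE = [
    ("store-001", "Restaurant", date(2015, 1, 5)),
    ("store-002", "Restaurant", date(2015, 1, 5)),
    ("store-003", "Restaurant", date(2015, 1, 5)),
    ("store-004", "Kq7!vm2Rz#p9", date(2015, 6, 1)),
]
```

Running `audit_fleet(SAMPLE, TODAY)` flags the three cloned stores on every rule plus the reuse, and passes the store with its own compliant credential.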

Page 12

SecurityMetrics: We Protect Business

Services: PCI, HIPAA, & data security solutions for businesses of all sizes

Qualifications: Global provider of ASV, QSA, PFI, PA-QSA, P2PE services

Experience: Assisted over 1 million organizations with compliance needs