Guidance Software Whitepaper. Point-of-Sale Systems Endpoint Malware Detection and Remediation

Transcription

1 Guidance Software Whitepaper Point-of-Sale Systems Endpoint Malware Detection and Remediation

2 Executive Summary Point-of-Sale (POS) device vulnerabilities and fraud at storefront and retail sites have made merchants of every size nervous about controls over devices and data. The fact is that the entire connected world is vulnerable to cyber-attack, but a rash of recent data breaches in the retail sector clearly demonstrates heightened and more financially intensive risks associated with POS systems. High-profile breaches at Target last December and more recently with Home Depot are the result of compromised POS systems. Hackers stole card numbers from Target and Home Depot using malware that scraped unencrypted data from the memory of their payment systems prior to its encryption for transmission to credit-card payment processors. Gartner asserts that effectively dealing with advanced threats that bypass traditional signature-based approaches will require monitoring, detection and response capabilities at endpoints. 1 This paper sheds some light on the POS-device threat landscape and how to overcome those issues and mitigate threats through proactive endpoint detection and response. EnCase products provide capabilities to effectively manage both the detection of active malware processes and the protection of personally identifiable information (PII). This paper addresses the root of the problem and focuses on malware. An actual user scenario illustrates how EnCase Cybersecurity is used to expose, detect and remediate malware threats on POS systems. Previous papers, such as the recently published whitepaper Locating and Wiping Credit Card Data from Unauthorized Locations with EnCase Cybersecurity, specifically address the data, while others, such as Endpoint Security Analytics with EnCase Analytics, focus on proactive threat hunting. Introduction Over the past few years, the news has featured a seemingly unending parade of data breaches, virtually all of which began on compromised endpoints. It s understandable why attackers have set their sights on POS system endpoints. They fulfill the specialized purpose of processing and transmitting payment transactions, through which a massive volume of credit card data and other personally identifiable information (PII) passes, creating a lucrative opportunity to mine a rich field of valuable data from a system with three inherent vulnerabilities. It is a daunting task to enforce policies and best practices on each of those POS endpoints, and even more difficult to see patterns that indicate potential issues. There are three vulnerabilities and corresponding challenges in accomplishing POS security and management and PCI compliance: 1. An essential business requirement for POS systems is a network connection in order to communicate with corporate systems and/or external credit card processors. 2. Though purpose-built, most POS terminals use embedded versions of Windows or Linux making them vulnerable to malware. 3. POS systems are difficult to secure and manage due to their role and exposed remote locations. 1 Market Guide for Endpoint Detection and Response Solutions, Gartner, 2014 The key differentiator with EnCase products is the in-depth visibility into the endpoint, which is essential to addressing these particular issues. With EnCase Cybersecurity, security analysts and incident responders can view open ports, compare them to known healthy states, and easily determine which are unauthorized activities and processes. They can also centrally manage endpoints and easily narrow down the list of running processes, open ports, open files, and hashes that are uniquely present on a potentially compromised endpoint. Guidance Software WP Endpoint Malware Detection and Remediation

3 Problem Statement as Defined by Analysts POS endpoints are vulnerable and threats are mounting. As Enterprise Strategy Group (ESG) acknowledged in a recent brief, POS systems in particular represent a mounting and much more lucrative target for cyber criminals, and the majority of security professionals agree that the malware threat landscape is growing increasingly dangerous each year. 2 The past several Data Breach Investigation Reports (DBIR) published by Verizon have addressed POS intrusions and the general threat landscape for POS systems. The most common malware types used were RAM scrapers, followed by Trojan horses like Zeus. The top ten POS threat action varieties cited by Verizon are shown in Figure 1: 3 Figure 1: Excerpt from Verizon 2014 DBIR report indicating top malware threats to POS devices. Interestingly, the top three actions illustrated in Figure 1 are all related. The perpetrators scan the Internet for open remote-access ports and, if the script identifies a device as a POS terminal, issue likely credentials (Brute force) to access a device. They then install malware (RAM scraper) to collect and exfiltrate (export data) payment-card information. Malware Detection and Remediation Malware often finds its way onto POS endpoints through non-pos specific applications. It is generally standard operating procedure to restrict the installation and use of unapproved applications on POS devices, but clearly it is still occurring with alarming frequency. Audits often uncover browsers, office-productivity applications, user-created documents, and games. EnCase products simplify these audits as well as the restoration of systems to a state of compliance. Unlike applications, however, malware is deceptive and disguises itself , ESG Brief Guidance Software Can Enhance Incident Detection and Response for POS Systems. Anti-malware technologies block known malware scripts and macros, and administrators can create policies to block specific applications, but there are no guarantees that even known applications will be blocked. Signature-based systems identify known threats, but unknown processes commonly escape detection. Unknown applications and processes pose yet another threat, and remediation adds a further level of complexity. Exacerbating the problem, there can be hundreds of processes running on thousands of machines in the enterprise, and malware tends to spread stealthily from machine to machine , Verizon Data Breach Investigations Report. Guidance Software WP Endpoint Malware Detection and Remediation

4 How EnCase Cybersecurity Works in the POS Environment With EnCase Cybersecurity, organizations can overcome these issues and mitigate the financial risks through endpoint enforcement. In addition, with EnCase Cybersecurity, organizations can confirm the compromise, assess the scope of impact, kill malicious processes, and wipe offending files remotely with no disruption to business operations. Figure 2: EnCase Cybersecurity process diagram for assessing anomalous activities on POS devices. Sony called on Guidance Software to help investigate the data breaches that compromised the user account information of more than 100 million of its customers in the infamous Playtstion hack.. Use Case Recently, a well-publicized polymorphic (constantly evolving) worm tunneled its way through one POS endpoint deep into the home offices of a large retail company and began spreading from there to other POS endpoints throughout the network. The malware was designed to expose vulnerabilities and enable exfiltration of credit-card and other sensitive information from endpoints through remote connections. IT considered monitoring traffic with intrusion detection, identifying suspicious systems, sending an administrator to each machine, diagnosing the ports and processes used and creating a custom signature for each instance of the malware. Then, they would wipe and reimage each infected system. This slow and expensive option would leave the company chasing an ever-elusive worm, but would also necessitate downtime that the company couldn t accept. With dozens of subnets, each with hundreds of hosts scattered at sites across the country, there was little hope of complete remediation. EnCase Cybersecurity in Action EnCase Cybersecurity is deployed and managed centrally. Servlets are pushed out to run complete scans of all endpoints. There are thousands of endpoints on 45 subnets, so the InfoSec team elects to run scans and analyze one subnet at a time to simplify the task. Scans average about 30 minutes per subnet. The Incident Response team anticipated only a few errant processes that they would be able to identify as malware. In actuality, the scans identified 271 suspicious processes on 150 terminals across the network. Reports provided the team with valuable information including host, process and instance names, executable hash, and a host of other information that can be added to blacklists and other preventive mechanisms. An example of the report is shown in Figure 3. Guidance Software WP Endpoint Malware Detection and Remediation

5 Figure 3: Snapshot feature allows incident response teams to identify suspicious DLLs, ports, processes, and other pertinent data on each endpoint. This was far more complex than originally expected, which prompted further analysis. Through EnCase Cybersecurity, the team securely contained the processes, collected logical evidence from the running files and processes to fully characterize the actions of the worm for future reference, and then fully remediated all instances of the worm by hash throughout the network without any downtime. Through EnCase Cybersecurity, the Incident Response team: a. Detected the source and any unauthorized processes resulting from the infection b. Detected any errant outbound data connections resulting from the infection c. Remediated all suspicious processes d. Restored all infected POS devices without disrupting operations e. Securely wiped all instances of errant sensitive data. With EnCase Cybersecurity, processes were quickly and effectively remediated. Figure 4: EnCase Cybersecurity Remediate Job capability enables quick termination of threats. Users have the option to kill the process only or remediate the file with which the process is associated and kill the process. Guidance Software WP Endpoint Malware Detection and Remediation

6 Summary POS devices are a popular, abundant and vulnerable target, and organizations are encumbered with logistical difficulties protecting these data rich systems. The only way to effectively mitigate the cost of downtime and reimaging, and the risk of loss of sensitive data in remote locations, is to go to the sources the endpoints. EnCase technology built on the foundational light, passive servlet component on the endpoint is the proven solution for threat -hunting, remediation, sensitive data discovery, and secure removal. EnCase products are proven inside more than 70 percent of the Fortune 100, and in national and local government agencies worldwide. EnCase products reduce the time it takes to locate sensitive data, prepare for impending litigation, and to enforce regulatory and policy compliance. With EnCase Cybersecurity and EnCase Analytics, organizations can reduce the time and cost associated with data discovery processes that don t easily scale and for which policies tend to be difficult to enforce. Regular system integrity assessments and data audits substantially shrink the chance of data loss, and EnCase products enable organizations to effectively accomplish these otherwise excessively difficult tasks. The forensic-grade features offered by EnCase Cybersecurity enable security teams to establish defensible, repeatable policy-enforcement processes, including follow-up audits that provide proof of compliance. In addition, the scheduling capability facilitates automation with web-based reviewing for remote monitoring. The EnCase servlet enables security teams to maintain productivity during detection and remediation because it requires no business interruption. EnCase products save on costs associated with traditional remediation downtime, operating in the background to achieve maximum results. Sensitive data can be located and wiped, including documents, , and attachments, anywhere on any network endpoint. Tools that can detect which endpoints contain regulated data, such as personally identifiable information (PII), are particularly important. 4 The customer featured in this use case knows that information security breaches are inevitable, which is why they adopted a proactive posture based on this assumption. As a result, they can now contain the risk of data loss and shrink the attack surface. For additional information on EnCase Cybersecurity, or for details, additional case studies, videos, webinars, and statistics on detection and remediation of sensitive data, visit com/cybersecurity SANS Report, The Case for Endpoint Visibility Guidance Software WP Endpoint Malware Detection and Remediation

7 Our Customers Guidance Software customers are corporations and government agencies in a wide variety of industries, such as financial and insurance services, technology, defense contracting, pharmaceutical, manufacturing and retail. Representative customers include Allstate, Chevron, FBI, Ford, General Electric, Honeywell, NATO, Northrop Grumman, Pfizer, SEC, UnitedHealth Group, and Viacom. About Guidance Software (NASDAQ: GUID) Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response and forensic analysis. Its EnCase Enterprise platform, deployed on an estimated 20 million endpoints, is used by more than 70 percent of the Fortune 100 and more than 50 percent of the Fortune 500, and numerous government agencies, to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading cyber security and electronic discovery solutions, EnCase Cybersecurity, EnCase Analytics, and EnCase ediscovery. They empower organizations to conduct speedy and thorough security incident response, reveal previously hidden advanced persistent threats or malicious insider activity, perform sensitive data discovery for compliance purposes, and respond to litigation discovery requests. For more information about Guidance Software, visit This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon legal counsel or advice. EnCase, EnScript, FastBloc, EnCE, EnCEP, Guidance Software and Tableau are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.