Bridging the Security Gap for IP Payment Networks


WHITE PAPER

Contents

Executive Summary
Are You Prepared for the Risks of IP Network Migration?
Problems with IP-Based Transaction Networks
Distributed Denial of Service Attack
Understanding the Risks
Securing IP-Based Transaction Infrastructure
It Comes Down to a Focus on Security
Learn More, About TNS

Executive Summary

Moving your card payment transaction network from the walled garden of X.25, frame relay and dial networks to an open IP network and the public Internet reduces costs, simplifies your business, and helps create new business opportunities to generate revenue. But does a cheaper communication path also expose your business to more risk? Or, are the risks involved in moving to an Internet-based transaction infrastructure, such as the impacts of breaches and lost customer goodwill, too great to even consider?

But a cheaper Internet-based communication path can also expose your business to more risk. How will your business be impacted if this increased exposure results in a serious data breach or a significant disruption in service?

With the right infrastructure, people, and equipment, payment service providers can take advantage of the public Internet and enjoy significant savings over closed or guarded X.25, frame relay, and dial solutions. By moving to IP, you can consolidate networks, simplify topologies, and save money. But, to take advantage of IP for transaction networks, several steps must be taken to ensure your network, equipment, people, and processes are up to the challenge.

Secure Sockets Layer (SSL) encryption is only the first of many requirements for payment service providers to build a payment solution that exceeds the level of security of legacy systems and delivers on the availability, cost savings, and openness of Internet-based infrastructures. In particular, special care must be given to the choice of network provider, as solutions to many of the challenges with Internet-based transactions rely on leveraging the power and security of cloud-based approaches to keep your business up and operational during a hacking attack.

Are you prepared for the risks of IP network migration?

IP makes sense. If you are not leveraging IP as the primary mode of transport for your payment transactions today, you will be in the future. And the reasons are obvious: IP is simple, ubiquitous, resilient and very easy to deploy. The same network that you use to carry email, voice, and to surf the Internet can be used to carry your financial/transaction data as well. This results in fewer networks to manage and lower networking costs for your business.

However, as payment processors and service providers move from early trials and pilots to carrying the majority of their payment transaction traffic over IP, many are not taking advantage of the latest technologies and approaches to build a network that is as stable and reliable as their proprietary networks of the past. In fact, many commercially deployed IP-based networks today are simply not up to the challenge of global large-scale deployments over the Internet. And, as these legacy solutions begin to handle more and more of your transaction traffic, the exposure to your business in terms of risk increases exponentially.

To add to the challenge, the risks these networks face continue to evolve. An acknowledged standard approach of today may become the security risk of tomorrow. This evolutionary state of threats necessitates constant vigilance with your IP security infrastructure, and the need to create a culture of security that can continually adapt to meet the challenges of the ongoing threats. If you are relying on dated security measures, you are placing your network at risk.

In this paper, we review the best practices for Payment Service Providers (PSPs) and Payment Processors to build reliable, highly secure transaction networks on an IP-based network infrastructure.

When your network was based on X.25 or frame relay, you didn't have many network security problems. In fact, these closed systems provided security from what one might be exposed to by using the public Internet.

First, the proprietary nature of legacy transaction networks provided a gate that kept people with few resources and capabilities out of the network. These closed networks required proprietary equipment to enter them, creating, in essence, a firewall that kept potential criminals out.

Second, a specialized network only carrying transaction traffic with proprietary systems was fundamentally more expensive to attack and therefore less attractive to hackers. Hacking into a proprietary network took them to only a few places; the barriers to entry were high, and the payoffs were low.

Businesses for years relied on these closed networks to make transactions fast for their customers, to consolidate their transactions back to corporate offices, and to make the deployment of large-scale interconnections cost effective. But many of these same businesses did not realize that they were also relying on their closed systems to provide security against the general threats that exist against all types of networks. All of these proprietary, expensive technologies and specialized systems provided powerful security against criminals.

Was your legacy network more secure than your new one? Doing business on the Internet exposes your network to a whole host of new criminal threats. PSPs and payment processors in particular are key targets of these criminals, as they carry key cardholder data and provide access to large sums of money via the payment transactions that cross their networks every day.

Problems with IP-Based Transaction Networks

A transaction network based on IP is the opposite of a closed or proprietary system. IP-based transaction networks use common, off-the-shelf equipment, common transport, and standard protocols (SSL and IP). Moreover, the network is connected to an ISP network, and all the ISP networks are connected together. This design enables access to the public Internet, with its ability to lower costs. However, this type of infrastructure removes virtually all of the "security by obscurity" payment processors enjoy in proprietary transaction network systems.

Payment processors and PSPs building IP-based transaction networks need to replace the security benefits that were inherent in the legacy infrastructure with new solutions designed for IP-based networks. And they must try to do this without significantly increasing costs.

How does a payment processor know it is secure? The Payment Card Industry Data Security Standard (PCI DSS) gives end users and PSPs guidelines on how to secure and maintain the security of their infrastructure. But the now tri-annual update process of the PCI DSS provides a guideline that may not be able to stay up to speed with the constantly evolving threats. PCI DSS sets a standard for compliance; it does not define the best you can do to protect your network.

For payment processors and PSPs, the PCI DSS does not cover many of the issues they must address. PCI does not cover issues such as DDoS, hijacking, and man-in-the-middle attacks, and does not provide any guidance on many of the specific issues that they face. These organizations are exposed to significant threats if they are relying on the standard capabilities of off-the-shelf equipment to provide their overall transaction security. Often, these products are secured simply with SSL and are built on top of open source or other commonly available operating systems, with little concern for hardening their security or providing additional threat countermeasures.

Many systems used in production environments by PSPs and payment processors were built in-house and were originally designed and deployed as trials or prototypes. They were built quickly, inexpensively and without the rigorous testing required to ensure they are as secure as possible. Of particular concern are the components of this type of equipment that can also be easily and inexpensively acquired by criminals. This gives criminals easy access to a test environment they can use to design effective attacks against existing production systems. Relying on your equipment's security and open standards to protect your payment infrastructure is clearly not a complete solution.

Hackers do not have to succeed to be successful

Without adequate protections, a hacker leveraging bandwidth alone can bring your network down. If the criminal's goal is to disrupt your business, this can be accomplished without actually breaching your network; they can simply flood your network with bad data requests. Without adequate protections, you will not be able to process transactions, and, as all payment processors and PSPs know, any processor or service provider that cannot process transactions will not be in business for long.

Protecting against Denial of Service attacks is an area where legacy networks shined. Legacy dial networks are inherently denial of service safe. It was virtually impossible to be denied a transaction over dial networks, because if a port is down, the network simply dials to the next one. But with IP, a hacker focused on damage, not simply financial reward, does not actually have to be successful to cause significant damage.

The move to IP-based networks reduces the cost and level of effort required by criminals to attempt to hack your network. For example, a botnet that can be used to implement a distributed denial of service (DDoS) attack against a chosen target on the Internet can be rented for a few hundred dollars a day. Computing power and bandwidth can literally be had for pennies, making it easier than in the past to crunch the data necessary to break encryption keys. And criminals from all over the world can communicate, share information, and help each other with techniques that make your business more exposed than ever before.

Distributed Denial of Service (DDoS) Attack

As mentioned earlier, many off-the-shelf IP solutions to this problem are inadequate. Your ISP may advertise Distributed Denial of Service (DDoS) protection as a selling feature to your business. But, once you look under the covers, you typically find that the DDoS capabilities of ISPs are designed solely to keep their core ISP network up. The ISP's focus is to prevent themselves from being adversely impacted, not specifically keeping you and your business up and running. So if you are depending on your ISP's DDoS system to protect your network (with techniques such as black hole filtering or null-routing), all of the traffic destined to your IP address may be discarded during an attack, both the bad traffic and the good transaction traffic from your legitimate paying customers.

The reality is that the Internet is a big front door and a criminal does not have to actually come in; they just need to knock a lot to disrupt your business dramatically.

One breach can literally mean the end of your business

The uncomfortable truth is the direct costs and the reputational damage from an attack to a business can be devastating. And while every business is different, consider the implications to your business if you could not process transactions from 10 a.m. to 3 p.m. tomorrow. What would the financial impacts be? Do you have service level agreements in place with your merchants? And what about your merchants? Would they move to other providers? And most importantly, what is the long term impact to your business reputation should you be breached or your service become unavailable?

Payment security is big news, and when a corporation has a breach or service disruption, it often gets spread all over the news, not only exposing the flaw, but also damaging the reputation of the business. For example, a recent article in the Washington Post discussed a bank's loss of four hours of processing time because the DNS records from their site were hijacked. An article on wired.com discussed how one of the biggest credit card companies and their tens of thousands of merchants lost business while the credit card processor recovered from a DDoS attack. Ultimately, news on even the small breaches and attacks gets printed.

The costs of a breach can be devastating to your business, not only the transactional costs, but also the loss of goodwill and reputation. Given this fact, the overall importance of ensuring the security of your IP-based transaction network simply cannot be overemphasized. Even if you have only IP-enabled a single payment application with low volumes, the door from the public Internet to your payment systems is now open, putting your entire business at increased risk.

Understanding the Risks

So, given the risks, what are the problems that must be managed in the IP context?

Distributed denial of service (DDoS)

A distributed denial of service attack is an attempt by a hacker to prevent legitimate users of the service from using the service. In practice, it's a relatively simple thing to accomplish. Criminals get a number of compromised computers, known as bots, join them together to form a botnet, and send traffic to one IP address all at the same time. Botnets are available for rent online starting at a few hundred dollars. A person with a small amount of knowledge and money could create a large amount of damage with ease.

In 2009, attacks greater than 1 gigabyte per second were occurring every 26 minutes. In some cases, peak rate attacks approached nearly 50 gigabits in size [1]. PSPs, payment processors, and financial institutions can experience multiday outages from a sustained attack. And as discussed, asking your ISP to solve the problem may result in them simply shutting your entire service off, not the best way to maintain high service quality and availability for your customers.

Gateway spoofing

A type of man-in-the-middle attack, these attacks redirect users through a third party to steal or sniff transaction information. These types of attacks can go undetected for days, weeks or months, exposing potentially millions of transactions and cardholders to the criminal. In many situations, the only indication that a problem has occurred with these sorts of attacks is a few milliseconds of latency in the network. While less common than DDoS attacks, man-in-the-middle and gateway spoofing attacks pose one of the greatest risks to payment processors and PSPs since they can occur and exist without easy detection.

Denial of service, hacking and misuse attacks

Denial of service is a concentrated attempt to impact service by disrupting processing on the system. The goal with denial of service attacks is to max out processors, trigger unrecoverable errors, crash systems, or install malware on systems, potentially disrupting network services for a period of days or weeks.

Who is Behind Data Breaches?

74% resulted from external sources (+1%)
20% were caused by insiders (+2%)
32% implicated business partners (-7%)
39% involved multiple parties (+9%)

Most data breaches continue to originate from external sources. Though still only one third of our sample, breaches linked to business partners fell for the first time. The median size of breaches caused by insiders is still the highest but the predominance of total records lost was attributed to outsiders. 91 percent of all compromised records were linked to organized criminal groups.

How do Breaches Occur?

67% were aided by significant errors (< >)
64% resulted from hacking (+5%)
38% utilized malware (+7%)
22% involved privilege misuse (+7%)
9% occurred via physical attacks (+7%)

In the more successful breaches, attackers exploited a victim and installed malware to collect data. 98 percent of all records breached included at least one of these attributes. Unauthorized access via default credentials (usually third-party remote access) and SQL injection (against web applications) were the top types of hacking. The percentage of customized malware used in these attacks more than doubled in Privilege misuse was fairly common, but not many breaches from physical attacks were observed in 2008.

Source: 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team

[1] the Arbor Networks Worldwide Infrastructure Security Report

Denial of service attacks are especially troubling for payment processors and PSPs who have built their own proprietary gateways. Often these gateways are built on top of common, open-source tools, and rely only on those open-source components or commonly available components for their security compliance. If you think about how common problems are on the PC, it is scary to think about a transaction network being susceptible to the same problems. But the fact is most machines that are hacked are built on the same core operating systems used on most desktops and servers. This is particularly true for payment gateways built in-house; these systems leverage commonly available components without the significant modification and hardening that are necessary for higher security.

For processors, the risks of denial of service attacks are clear:

1. A compromised transaction network that cannot process transactions due to equipment failures.
2. The network is null-routed out of availability by the Internet service provider to keep the ISP network from being affected.
3. A compromised transaction network that leaks confidential information, increasing business liability.

In all cases, denial of service attacks and hacking attacks must be addressed in any transaction network deployment.

Securing IP-Based Transaction Infrastructure

As a payment processor, there are three main areas to address when securing your IP-based infrastructure:

1. Your network: how does it function, what capabilities does it provide, and how is it built?
2. Your people: what is their expertise, what procedures do you have in place?
3. Your equipment: how is it maintained, how well is it shielded from threats?

Your network equipment is important, but equipment alone is not the magic bullet. Many things need to be involved in the overall solution, from the client devices to the transaction gateways to the network in between. Everything needs to be managed as one cohesive unit to ensure maximum security.

1. Your network

The network connection between terminals and payment gateways is the most likely entry point for a hacker. Therefore, your network infrastructure needs to be up to the task of helping you manage, defend and protect your network from criminals. While there are several issues to consider, there are a number of best practices payment processors and PSPs should leverage when upgrading to an IP-based transaction infrastructure.

Use a cloud-based DDoS mitigation solution that is transaction-ready and independent of your ISP

The goal of your DDoS, Intrusion Detection System (IDS) and firewall solutions should be to protect your network, while letting the good transactions through. This requires specialized expertise and specialized configurations, not the same, run-of-the-mill IDS and firewall solutions used by corporations for securing baseline data networks. A cloud-based DDoS mitigation solution should be transaction aware and shut down distributed denial of service attacks while keeping your transactions processing and your merchants happy. A solution must not only understand obvious threats, but also make intelligent, policy-based determinations about whether each and every packet is a good one or a bad one, with the focus of keeping transactions up and operational.

Test your network regularly through the use of ethical hacking

Is your network regularly tested? Do you have dedicated people on your staff tasked with finding new ways into your network? Ethical hacking on your own internal systems helps you find ways to make your network more secure. Ethical hacking also helps keep your security team on guard as the network is constantly under attack.

Use 24x7x365 trending and monitoring solutions that are security focused

Many times, the biggest problems are not obvious but occur gradually over time. It's a 24x7x365 world, and hacking attempts occur literally every minute from all points around the globe. Therefore, it is important to have your network monitored 24x7x365, not only for uptime and bandwidth, but also for security concerns and trends. By integrating security monitoring into your overall network monitoring, you are always on watch for trouble. And, should anything start to occur, it can be caught early before it becomes critical.

Use partners that continually perform integration testing on all new software releases

Every software upgrade potentially exposes your network to more risk. While one patch may solve one security problem, it may expose another. More importantly, this exposure might not be in the piece of equipment that had its software updated. Making sure that every piece of equipment, with every software update on any piece of equipment, does not expose an exploitable hole in your security is an important part of providing transaction networks. This continual integration testing is essential to ensuring your network is as secure as possible.

2. Your people

Many times, hacking attempts start with people, not machines. It is important your people are up to the task of maintaining a highly secure, highly available and reliable transaction network for your business. There are three areas you should focus on in terms of your personnel: expertise, training and procedures.

Expertise

Networking expertise is an obvious component of building a transaction network. You need to have personnel that understand how scalable and reliable networks are built.

Security expertise needs to be an important skill of your people. Do you have personnel that focus exclusively on making sure your network is secure?

Hacking expertise, often missing within payment teams, is the opposite of security expertise. While a security expert focuses on policies and procedures to help make your network more secure, the hacking expert focuses on understanding how exploits can be used to hack into your systems. Hacking expertise is a required skill in any large-scale transaction network deployment.

Training

Your staff needs to be trained against social engineering attacks so they understand how to secure and maintain things as simple as passwords in order to keep people out of sensitive areas.

Procedures

Your personnel need to use defined, standard operating procedures every time. Items such as how to manage software rollouts, how to conduct rigorous testing, and things as simple as password management should all be part of the procedures your personnel use every day to manage your transaction network.

3. Your equipment

Networking equipment is the foundation of transaction networks, and while many pieces are interchangeable, it is important to consider the security requirements needed to maximize the security of your network before making equipment choices.

First, equipment should be proven by results, and not simply insured against financial risk. If there is anything to be learned from disasters like the US Gulf oil spill, it is that there is a difference between "proven by results" and "insured against financial risk". Just because you have some amount of insurance against risk does not mean that a breach won't occur. The equipment you use should be proven to be reliable, specifically within secured transaction-oriented networks. Transaction networks are different to traditional IP traffic, and have very special requirements. The best equipment for streaming video on the Internet might not be the best choice for your critical credit and debit card transactions.

Second, your equipment should have the appropriate certifications for use in transaction networks. While standards such as FIPS play a major part in helping choose the best equipment, it is up to networking equipment suppliers and your organization to choose equipment with the appropriate reliability and performance certifications.

When building an IP-based transaction network that is planned to carry the majority of your transactions, care should be taken in terms of your network, equipment and people to ensure that every part of your infrastructure lives up to your expectations for performance, reliability, and most importantly security.

It Comes Down To a Focus on Security

Are you prepared to risk your entire business on your existing infrastructure or on your current plans for your IP-based transaction network? Ultimately, the answer to that question should drive your decisions about which equipment and partners to use to help you build an IP network you can rely on in the future.

An IP-based transaction network can save you money and provide added benefits to your business. If designed and operated correctly you can enjoy these benefits, without taking on unnecessary risks. The key is to focus on making sure that every piece of the solution can live up to the challenges and high expectations of securely managing transaction data.

Learn More

TNS has been partnering with leading Payment Processors, Acquirers, and PSPs around the globe for over 20 years, providing solutions designed to ensure that their payment infrastructures remain secure, resilient, and scalable. To learn more about how TNS can help you better secure your payment host or gateways, contact us by calling or ing

About TNS

(TNS) is a leading global provider of data communications and security solutions. TNS offers a broad range of networks and innovative value-added services which enable transactions and the secure exchange of information in diverse industries such as retail, banking, payment processing, telecommunications and the financial markets.

Founded in 1990 in the United States, TNS has grown steadily and now provides services in over 40 countries across the Americas, Europe and the Asia Pacific region, with our reach extending to many more. TNS has designed and implemented multiple data networks which support a variety of widely accepted communications protocols and are designed to be scalable and accessible by multiple methods.

Visit us at: for more information.

October 2010


More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,

More information

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions

HOSTING. Managed Security Solutions. Managed Security. ECSC Solutions Managed Security Managed Security MANAGED SECURITY SOLUTIONS I would highly recommend for your company s network review... were by far the best company IT Manager, Credit Management Agency Presenting IT

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

LoadMaster Application Delivery Controller Security Overview

LoadMaster Application Delivery Controller Security Overview LoadMaster Application Delivery Controller Security Overview SSL Offload/Acceleration, Intrusion Prevention System (IPS) and Denial of Service (DOS) Overview Small-to-medium sized businesses (SMB) are

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS/DHCP servers by intelligently recognizing various attack types and dropping attack traffic while responding only to

More information

Injazat s Managed Services Portfolio

Injazat s Managed Services Portfolio Injazat s Managed Services Portfolio Overview Premium Managed Services to Transform Your IT Environment Injazat s Premier Tier IV Data Center is built to offer the highest level of security and reliability.

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Managed Security Services

Managed Security Services Managed Security Services 1 Table of Contents Possible Security Threats 3 ZSL s Security Services Model 4 Managed Security 4 Monitored Security 5 Self- Service Security 5 Professional Services 5 ZSL s

More information

WHITE PAPER. Understanding How File Size Affects Malware Detection

WHITE PAPER. Understanding How File Size Affects Malware Detection WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

More information

A Guide to Common Cloud Security Concerns. Why You Can Stop Worrying and Start Benefiting from SaaS

A Guide to Common Cloud Security Concerns. Why You Can Stop Worrying and Start Benefiting from SaaS A Guide to Common Cloud Security Concerns Why You Can Stop Worrying and Start Benefiting from SaaS T he headlines read like a spy novel: Russian hackers access the President s email. A cyber attack on

More information

Cloud Security In Your Contingency Plans

Cloud Security In Your Contingency Plans Cloud Security In Your Contingency Plans Jerry Lock Security Sales Lead, Greater China Contingency Plans Avoid data theft and downtime by extending the security perimeter outside the data-center and protect

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks

KASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks KASPERSKY DDOS PROTECTION Discover how Kaspersky Lab defends businesses against DDoS attacks CYBERCRIMINALS ARE TARGETING BUSINESSES If your business has ever suffered a Distributed Denial of Service (DDoS)

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Understanding PCI Compliance

Understanding PCI Compliance Understanding PCI Compliance www.cognoscape.com Understanding PCI Compliance What is PCI Compliance? What exactly is PCI compliance? PCI stands for Payment Card Industry, and the compliance component ensures

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

Stop DDoS Attacks in Minutes

Stop DDoS Attacks in Minutes PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)

More information

Firewall and UTM Solutions Guide

Firewall and UTM Solutions Guide Firewall and UTM Solutions Guide Telephone: 0845 230 2940 e-mail: info@lsasystems.com Web: www.lsasystems.com Why do I need a Firewall? You re not the Government, Microsoft or the BBC, so why would hackers

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October 2015. Page 1 of 9 Security CLOUD VIDEO CONFERENCING AND CALLING Whitepaper October 2015 Page 1 of 9 Contents Introduction...3 Security risks when endpoints are placed outside of firewalls...3 StarLeaf removes the risk with

More information

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa. Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility

More information

Executive Suite Series A Prolexic White Paper

Executive Suite Series A Prolexic White Paper A Prolexic White Paper DDoS Denial of Service Protection and the Cloud Introduction Cloud computing ( the cloud ) has transformed the way that the world s businesses deploy and share applications and IT

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

VoIP: The Evolving Solution and the Evolving Threat. Copyright 2004 Internet Security Systems, Inc. All rights reserved worldwide

VoIP: The Evolving Solution and the Evolving Threat. Copyright 2004 Internet Security Systems, Inc. All rights reserved worldwide VoIP: The Evolving Solution and the Evolving Threat Copyright 2004 Internet Security Systems, Inc. All rights reserved worldwide VoIP: The Evolving Solution and the Evolving Threat An ISS Whitepaper 2

More information

Internet Content Provider Safeguards Customer Networks and Services

Internet Content Provider Safeguards Customer Networks and Services Internet Content Provider Safeguards Customer Networks and Services Synacor used Cisco network infrastructure and security solutions to enhance network protection and streamline compliance. NAME Synacor

More information

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Introduction: Cyber attack is an unauthorized access to a computer

More information

Man, Machine and DDoS Mitigation

Man, Machine and DDoS Mitigation Man, Machine and DDoS Mitigation The case for human cyber security expertise Automated DDoS mitigation poses risks Distributed denial of service (DDoS) attacks can overwhelm DDoS appliances Today s DDoS

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Securing data centres: How we are positioned as your ISP provider to prevent online attacks.

Securing data centres: How we are positioned as your ISP provider to prevent online attacks. Securing data centres: How we are positioned as your ISP provider to prevent online attacks. Executive Summary In today s technologically-demanding world, an organisation that experiences any internet

More information

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009 Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods

More information

INTRODUCING isheriff CLOUD SECURITY

INTRODUCING isheriff CLOUD SECURITY INTRODUCING isheriff CLOUD SECURITY isheriff s cloud-based, multi-layered, threat protection service is the simplest and most cost effective way to protect your organization s data and devices from cyber-threats.

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

I ve been breached! Now what?

I ve been breached! Now what? I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Firewalls and Network Defence

Firewalls and Network Defence Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand

More information

A Network Administrator s Guide to Web App Security

A Network Administrator s Guide to Web App Security A Network Administrator s Guide to Web App Security Speaker: Orion Cassetto, Product Marketing Manager, Incapsula Moderator: Rich Nass, OpenSystems Media Agenda Housekeeping Presentation Questions and

More information

For information on our service: Please call us on 800 188, visit our website at du.ae/en/business/product-and-services/business-managed-services or

For information on our service: Please call us on 800 188, visit our website at du.ae/en/business/product-and-services/business-managed-services or For information on our service: Please call us on 800 188, visit our website at du.ae/en/business/product-and-services/business-managed-services or email us at managedservices@du.ae Securing Data Centers:

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

2010 White Paper Series. Layer 7 Application Firewalls

2010 White Paper Series. Layer 7 Application Firewalls 2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;

More information

Load Balancing Security Gateways WHITE PAPER

Load Balancing Security Gateways WHITE PAPER Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...

More information

V ISA SECURITY ALERT 13 November 2015

V ISA SECURITY ALERT 13 November 2015 V ISA SECURITY ALERT 13 November 2015 U P DATE - CYBERCRIMINALS TARGE TING POINT OF SALE INTEGRATORS Distribution: Value-Added POS Resellers, Merchant Service Providers, Point of Sale Providers, Acquirers,

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Enterprise-Grade Security from the Cloud

Enterprise-Grade Security from the Cloud Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

DDoS Mitigation Solutions

DDoS Mitigation Solutions DDoS Mitigation Solutions The Real Cost of DDOS Attacks Hosting, including colocation at datacenters, dedicated servers, cloud hosting, shared hosting, and infrastructure as a service (IaaS) supports

More information

Getting a Secure Intranet

Getting a Secure Intranet 61-04-69 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options White paper What a Vulnerability Assessment Scanner Can t Tell You Leveraging Network Context to Prioritize Remediation Efforts and Identify Options november 2011 WHITE PAPER RedSeal Networks, Inc. 3965

More information

Denial of Service Attacks and Resilient Overlay Networks

Denial of Service Attacks and Resilient Overlay Networks Denial of Service Attacks and Resilient Overlay Networks Angelos D. Keromytis Network Security Lab Computer Science Department, Columbia University Motivation: Network Service Availability Motivation:

More information

Technology Brief Demystifying Cloud Security

Technology Brief Demystifying Cloud Security Demystifying Cloud Security xo.com Demystifying Cloud Security Contents Introduction 3 Definition of the cloud 3 Cloud security taxonomy 4 Cloud Infrastructure Security 5 Tenant- based Security 5 Security

More information

ICTN 4040. Enterprise Database Security Issues and Solutions

ICTN 4040. Enterprise Database Security Issues and Solutions Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of

More information

Managed Anti-DDoS Service Protection

Managed Anti-DDoS Service Protection Managed Anti-DDoS Service Protection Distributed Denial of Service (or DDoS ), in which compromised PCs controlled by remote attackers inundate a victim s network An Internap White Paper February 2007

More information

Avoiding the Top 5 Vulnerability Management Mistakes

Avoiding the Top 5 Vulnerability Management Mistakes WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability

More information

DDoS Attack Mitigation Report. Media & Entertainment Finance, Banking & Insurance. Retail

DDoS Attack Mitigation Report. Media & Entertainment Finance, Banking & Insurance. Retail DDoS Attack Mitigation Report Media & Entertainment Finance, Banking & Insurance Retail DDoS Attack Mitigation Report Media & Entertainment Attack on Spanish-Language News Site is Abandoned When Traffic

More information

Web Application Security 101

Web Application Security 101 dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in

More information

The Software-as-a Service (SaaS) Delivery Stack

The Software-as-a Service (SaaS) Delivery Stack The Software-as-a Service (SaaS) Delivery Stack A Framework for Delivering Successful SaaS Applications October 2010 2010 Online Tech, Inc. Page 1 of 12 www.onlinetech.com Audience Executives, founders,

More information