POS Security That Pays Its Own Way

Transcription

1 POS Security That Pays Its Own Way The rising costs of POS system management and security

2 Table of Contents A Pain Point for Retailers Is an Opportunity for POS Vendors...3 The Solution: McAfee Integrity Control...3 Three Streams of System Management and Support Cost Reduction....4 Analysis 1: Fast Return on Incremental Costs....4 Analysis 2: Total Reduction in Lifecycle Management Costs...7 The Bottom Line: McAfee Integrity Control Makes Your POS Solution a Better Investment....8 POS Security That Pays Its Own Way 2

3 Retailers are experiencing runaway spending on securing and managing their POS systems, in large part because organized criminals around the world have discovered that point-of-sale (POS) systems are low-risk, high-reward targets that are often poorly defended. The 2012 Verizon Data Breach Investigations Report, which analyzed 855 breaches and 174 million records stolen during 2011, concluded that Internet-facing POS systems, physically exposed ATMs, automated gas pumps, and other self-serve terminals have repeatedly exposed hundreds or thousands of victims to relatively simple sting operations. The report notes that criminals are increasingly targeting smaller organizations with fewer IT resources where POS systems are often poorly configured and inadequately defended. Widespread vulnerabilities include default passwords and remote access software installed to allow off-site management by third-party service providers. Automated port scans are used to identify POS systems with remote access support followed by automated password cracking and automated spyware installation to capture and export payment card information. Between 2009 and 2011, a group of four foreign nationals used this technique to compromise more than 146,000 payment accounts, creating more than $10 million in losses for retailers and payment processors. A Pain Point for Retailers Is an Opportunity for POS Vendors Taken together, the dual challenges of POS security, management, and PCI compliance are a giant headache for retailers and a perfect opportunity for POS vendors. Those that can integrate security controls into their product offerings that demonstrably reduce their vulnerability to compromise, decrease the costs of management, and streamline regulatory compliance will gain a significant competitive advantage in the marketplace. From the retailer s perspective, an airtight business case for such controls can be made solely on the basis of lower system management and support costs, provided that the control set in question is a small-footprint solution that effectively locks down the POS system to prevent intrusion or unauthorized change without imposing significant overhead on the system itself, the network, or the IT staff. The Solution: McAfee Integrity Control This description fits McAfee Integrity Control part of the Intel Security product offering. It s an application-independent security solution that provides lifetime deploy-and-forget protection for retail POS systems, kiosks, ATMs, and other embedded systems. This tightly integrated bundle of McAfee Application Control, McAfee Change Control, and McAfee epolicy Orchestrator (McAfee epo ) software turns a potentially vulnerable system built on commercial operating systems (OS) software into an impenetrable black box. Intruders and malicious application code see only an apparently closed system built on a proprietary operating system. McAfee Integrity Control accomplishes this through three types of functional lockdown capabilities. Execution control: McAfee Integrity Control imposes dynamic application whitelisting on all access to system execution resources, ensuring that only authorized program code is allowed to run. Any program not on the whitelist including any malware that might penetrate upstream security is automatically designated unauthorized. Execution access is systematically denied and every attempt is logged by default. POS Security That Pays Its Own Way 3

4 Memory control: McAfee Integrity Control protects all authorized processes from memory-based hijack attempts. Unauthorized code injected into a running process is trapped, halted, and logged to block buffer overflow, heap overflow, stack execution, and other related exploit strategies. Change control: McAfee Integrity Control enables change enforcement in the system environment by providing real-time change policy management, detection, notification, validation, and tamper-proof event logging. With McAfee Integrity Control, all of these granular control capabilities are delivered through a software agent deployed directly on each POS system. Centralized management, monitoring, and reporting are provided through McAfee epo software, which is bundled with McAfee Integrity Control and runs on a dedicated management server in the customer s data center. Three Streams of System Management and Support Cost Reduction By building McAfee Integrity Control into your POS product s software stack, you provide your retail customers with significantly higher levels of system security, stability, visibility, and data protection that dramatically reduce management and support costs throughout the system s entire service life. Because any attempt to change the system configuration, run unauthorized software, or manipulate system memory are effectively blocked, logged, and reported in real time, management and support workloads can be reduced in specific ways, with quantifiable cost reductions: Operating system patch cycles can be reduced from quarterly to semi-annual intervals, reducing the administrative time devoted to testing and deploying OS updates. During PCI audits, QSA auditors can sample fewer POS devices to document system and security control state. The time required to produce PCI audit reports is dramatically reduced through automation and the availability of pre-defined report formats. Let s examine how just these three reductions in administrative labor and compliance expense can quickly repay the incremental cost of adding McAfee Integrity Control to a POS system and how they can reduce a customer s overall costs for securing and managing a 100-device POS environment. Analysis 1: Fast Return on Incremental Costs First, let s look at the costs of adding McAfee Integrity Control to a 100-device POS deployment. Based on our assessment of total capital and operating expense over a five-year ownership lifecycle, the principal cost components are as follows. Software license fees: The initial product license fee for McAfee Integrity Control is a one-time charge of $ per endpoint, or $17,095.00, for the 100 devices in our sample environment. Software maintenance and support costs: These costs, which include subscription fees for operating system and application updates, come to $42.74 per device per year, for a five-year total of $21, for 100 devices. Management server capital costs: Deploying McAfee epo software to monitor and manage the POS security solution requires a dedicated server platform; the cost would be approximately $2, So the total five-year cost of adding McAfee Integrity Control to a 100-device POS environment is $40,465. POS Security That Pays Its Own Way 4

5 Now let s look at the reductions in management and compliance expense that a retailer can achieve as a result of better security, stability, and manageability of a POS system, with McAfee Integrity Control deployed as part of the OEM solution stack. Savings from reduced patch interval frequency: Because McAfee Integrity Control locks down the POS environment to prevent malware access to execution resources, memory-based hijacking of authorized processes, and unauthorized changes in system configuration, deployment intervals for operating system and application vulnerability patches can be extended without compromising system security. A shift from quarterly to semi-annual patch distributions is prudent and reduces the administrative workload associated with testing and deployment by half. Based on the InformationWeek Analytics 2010 Survey, 1 which found that POS patch management typically consumes one-third the annual capacity of one full-time IT administrator (633 hours/year), and assuming an average hourly labor rate of $75.00, we calculate an annual management cost reduction of (633 x 0.5 x $75) or $23, PCI compliance savings from reduced POS sampling: When a QSA auditor finds that reliable security controls have been deployed throughout a POS environment, most will reduce the number of devices sampled to confirm compliance with security policy and data-handling standards. With no such controls in place, an auditor will commonly sample as many as 15% of the devices in an environment. With controls, a sample of just 2% is often considered sufficient. Based on this reduction (15 devices to two devices), a typical labor requirement of 30 minutes per device, and a typical labor rate of $175 per hour, we calculate an annual audit cost reduction of $1, Savings from PCI reporting automation: The quarterly reporting required for PCI compliance can take up to 25 hours per cycle if the data collection, aggregation, and report preparation are performed manually. McAfee epo software automates the data collection process and ships with standard templates for a wide range of PCI reports, including: Change agent detail and summary. PCI file integrity detail and summary. PCI file integrity detail and summary. User report detail and summary. Server reboot log summary. POS Security That Pays Its Own Way 5

6 Figure 1. Pre-configured PCI compliance reports in McAfee epo software. These standard PCI reports are preconfigured in McAfee epo software, and other customized reports are easily created using the information accessible through the McAfee epo server. This reduces the compliance reporting workload to as little as one hour per cycle. Using this 25-to-one reduction and a typical IT labor rate of $75 per hour, we calculate an annual savings (24 hours x 4 reporting cycles x $75) of $6, The total annual savings in POS management and compliance costs due to the greater security, stability, visibility, and manageability enabled by McAfee Integrity Control is $31,115.00, which will recover all the incremental costs of adding McAfee Integrity Control to the POS solution in just under 16 (15.6) months of operation. POS Security That Pays Its Own Way 6

7 Analysis 2: Total Reduction in Lifecycle Management Costs Next, let s look at the overall impact of McAfee Integrity Control on a retailer s annualized costs to secure and manage the same 100-device POS environment. We will assume that in the absence of a full-function security solution like McAfee Integrity Control, a commercial antivirus product will be deployed to provide basic malware protection. We will compare the costs of one environment secured by McAfee Integrity Control with another secured by McAfee VirusScan Enterprise software alone, looking at the same drivers of management and compliance costs as our first analysis. Annualized license and maintenance costs: These are predictably higher for McAfee Integrity Control than for McAfee VirusScan Enterprise: $7,693 versus $2,400 for our 100-device environment. Operating system patch management costs: As in our ROI analysis, we assume that the administrators of a system secured with a comprehensive solution such as McAfee Integrity Control could prudently reduce OS patching intervals from quarterly to semiannually. For a system with only antivirus security, no such reduction could be advised. If we use the same annual labor requirements from our previous example (633 hours for quarterly POS patching, half that for semi-annual), and the same hourly labor cost ($75), we calculate total annual patch management costs for an environment secured by McAfee Integrity Control, based on a semi-annual patch cycle, at $23, For the environment secured by antivirus software alone, the total cost for quarterly patch testing and distribution would be $47,475. PCI audit sampling costs: As in our previous analysis we assume that a QSA auditor would employ the lowest endpoint sampling frequency (2% of the total device population) in evaluating a POS environment with McAfee Integrity Control s combination of execution control, memory control, and change control deployed end to end. In contrast, an environment secured by antivirus alone would undoubtedly be subject to the maximum 15% sampling rate. Using a per-device labor requirement of 30 minutes and a typical hourly rate of $175, we calculate a sampling cost of $1, for the antivirus-only system and $ for the system with McAfee Integrity Control. PCI reporting costs: Because antivirus alone provides no functionality for reporting security events that occur on a POS device, nor any centralized capability for automating system-wide reporting, the task of compiling quarterly PCI reports remains completely manual. McAfee Integrity Control delivers both a wide range of local event logging capabilities and, in McAfee epo software, a central reporting service. So an environment secured with McAfee Integrity Control delivers fully automated reporting of all device configuration parameters and event metrics required for PCI compliance. Using the same administrative labor requirements cited in our first analysis (25 hours for manual reporting, one for an automated process), the same hourly labor cost ($75), and the same quarterly reporting frequency, we calculate total reporting costs of $7,500 with antivirus security alone versus $300 with McAfee Integrity Control. A dedicated server for McAfee epo software: This $2,000 expense applies, as we discussed earlier, only to the McAfee Integrity Control-secured environment. Total annual POS maintenance and compliance costs: Antivirus only $58, McAfee Integrity Control $31, Total savings with McAfee Integrity Control $26, POS Security That Pays Its Own Way 7

8 The Bottom Line: McAfee Integrity Control Makes Your POS Solution a Better Investment Adding McAfee Integrity Control to your POS solution simply makes your offering more appealing to your retailer customers. It not only secures their POS infrastructure and data, it significantly reduces POS management and compliance costs, pays for the entire incremental cost in just under 16 months, and continues to add bottom line value throughout the entire system lifecycle. For more information visit 1. InformationWeek Analytics 2010 Strategic Security Survey: Global Threat, Local Pain, April 2010 McAfee. Part of Intel Security Mission College Boulevard Santa Clara, CA Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee, the McAfee logo, epolicy Orchestrator, McAfee epo, and VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2013 McAfee, Inc wp_integ-retail-roi_0213B_fnl_ETMG