Protecting Point of Sale Devices from Targeted Attacks

Transcription

1 Prtecting Pint f Sale Devices frm Targeted Attacks 1-Apr-14 Versin 1.0 Final Prepared by Sean Finnegan, Cybersecurity Directr Michael Hward, Principal Cybersecurity Architect

2 MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Cmplying with all applicable cpyright laws is the respnsibility f the user. Withut limiting the rights under cpyright, n part f this dcument may be reprduced, stred in r intrduced int a retrieval system, r transmitted in any frm r by any means (electrnic, mechanical, phtcpying, recrding, r therwise), r fr any purpse, withut the express written permissin f Micrsft Crpratin. Micrsft may have patents, patent applicatins, trademarks, cpyrights, r ther intellectual prperty rights cvering subject matter in this dcument. Except as expressly prvided in any written license agreement frm Micrsft, ur prvisin f this dcument des nt give yu any license t these patents, trademarks, cpyrights, r ther intellectual prperty. The descriptins f ther cmpanies prducts in this dcument, if any, are prvided nly as a cnvenience t yu. Any such references shuld nt be cnsidered an endrsement r supprt by Micrsft. Micrsft cannt guarantee their accuracy, and the prducts may change ver time. Als, the descriptins are intended as brief highlights t aid understanding, rather than as thrugh cverage. Fr authritative descriptins f these prducts, please cnsult their respective manufacturers Micrsft Crpratin. All rights reserved. Any use r distributin f these materials withut express authrizatin f Micrsft Crp. is strictly prhibited. Micrsft and Windws are either registered trademarks r trademarks f Micrsft Crpratin in the United States and/r ther cuntries. The names f actual cmpanies and prducts mentined herein may be the trademarks f their respective wners.

3 Table f Cntents 1 Intrductin Hardening the Pint f Sale Device Prtecting Data At the Endpint Mitigating Lateral Traversal t Devices... 6 Active Directry... 7 Shared Service Accunts... 7 Shared Lcal Administratrs... 9 Other Shared Lcal Accunts Cnclusin iii

4 1 Intrductin Recent attacks n majr retailers have resulted in an increased fcus n the security f Pint f Sale (POS) devices. These devices are typically the frnt line fr prcessing bth custmer payment data as well as lyalty prgrams that can include custmer Persnally Identifiable Infrmatin (PII). As a result any cmprmise f these devices at scale can yield an attacker nt just credit card infrmatin but als a wealth f ther custmer infrmatin t include names, phne numbers, , and physical addresses. While the mtivatin fr these attacks appears t be financial gain many f the techniques used share similarities with targeted attacks designed t steal intellectual prperty. Like Advanced Persistent Threat r APT attacks the retail breaches have invlved lateral mvement t get brad access t backend systems, implanting custm malware, and exfiltrating data. As a result, many f the same recmmendatins that the Micrsft Cybersecurity Team regularly prvides t custmers when respnding t an APT attack can als be applied t POS devices. This paper will fcus slely n majr attack vectrs designed t prvide wide-scale access t POS devices. A related whitepaper, titled A Systematic Methd t Understand Security Risks in a Retail Envirnment, lks mre bradly at retail systems using the STRIDE methdlgy t encmpass backend systems such as retail ERP and e-cmmerce systems. 2 Hardening the Pint f Sale Device While the Pint Of Sale terminal is a fixed purpse device it still has an underlying perating system and applicatins that a wuld-be attacker culd try t explit t gain access t the system. Many f the same recmmendatins that apply t desktp and server systems apply equally t pint f sale devices and the relative unifrmity, in the applicatin f these recmmendatins, shuld make sme mitigatins easier t manage. First, yu shuld keep the sftware and perating system n yur POS device up t date. This includes applying critical sftware updates fr bth the OS and applicatins in a timely fashin as well as running the mst mdern versin f the perating system available fr yur POS device. As we will discuss belw the updating mechanism must be deplyed s as nt t intrduce its wn lateral traversal threat. With each successive release f the Windws perating system Micrsft has nt nly wrked t eliminate vulnerabilities but t add additinal prtectins designed t make it mre difficult t explit new vulnerabilities. This includes memry prtectins such as DEP, ASLR, HTOC, and Page 4

5 SEHOP 1, as well as techniques such as running select applicatins in lw rights mde. Running the mst recent versin f the OS available fr yur device ensures yu have these additinal prtectins against cmprmise. In additin, each POS device shuld have a frm f anti-malware running n it and the signatures shuld be kept up t date. Many POS vendrs will ffer a recmmended AV slutin as part f their slutin and depending n the versin f Windws running n the POS device it may already include Windws Defender. Fr POS devices that d nt currently have AV sftware Micrsft als ffers the Systems Center Endpint Prtectin anti-malware that can be applied t mst types f Windws POS devices. As fixed purpse devices POS terminals are excellent candidates fr applicatin whitelisting slutins. An applicatin whitelisting slutin is able t detect when a prgram is being launched and then determine whether r nt is shuld be allwed based n a predefined list. There are multiple 3 rd party whitelisting slutins as well as the Micrsft AppLcker r Sftware Restrictin Plicies that are built in t Windws. While it will likely require sme testing t verify it des nt impact the peratins f the POS device a whitelisting slutin will restrict the device t just running the desired Pint f Sale applicatin. Finally, given that the POS device has a fixed purpse and a fixed cnfiguratin, cnsider using a technlgy t regularly reset the device cnfiguratin back t a knwn trusted state. One slutin wuld be the use f the Windws Enhanced Write Filter (EWF) that is available n Windws Embedded and POSReady platfrms. The EWF is a file system filter that redirects any attempted writes t the prtected disk partitin int vlatile memry but makes the write appear t have succeeded t the requesting applicatin. As a result, an applicatin including malware r an attacker that attempts t permanently change the cnfiguratin f the device wuld appear t succeed but at next rebt thse changes wuld disappear. Hwever, if the attacker r malware is EWF aware and has sufficient privileged access t the OS it is pssible t disable this as well as ther prtectins. In summary, the fllwing are suggested measures t prtect the POS device frm cmprmise: 1. Keep the POS perating system and applicatin up t date with security patches. 2. Run the mst current POS perating system yu are able. 3. Use an applicatin whitelisting slutin t restrict applicatins. 4. Deply a frm f anti-virus t the POS device and keep the signatures up t date. 5. Use a technlgy t prevent unwanted changes t the POS device such as the Enhanced Write Filter r netwrk bt. 1 Page 5

6 3 Prtecting Data At the Endpint It is difficult t prtect sensitive data n a device where the attacker has cmplete cntrl f the perating system. Hwever, dedicated hardware devices that never expse unencrypted data t the terminal can prvide a safeguard prvided that the encryptin key is never shared with the terminal. Thrugh the use f encrypting card reader hardware r cards that have a built in cryptgraphic prcessr the card data can be encrypted s that it is inaccessible t attacker malware running n the POS device. This assumes that n custmer PII is visible t the terminal either in the initial card swipe, r in the authrizatin data returned t the POS terminal frm the payment system. In additin, many retailers have separate lyalty prgrams that may cntain custmer PII althugh typically nt credit card data. While this may be f less interest t an attacker this data still culd be stlen by malware n the POS device and as a result just encrypting the credit card data at the swipe is nt a panacea t preventing the theft f custmer PII. 4 Mitigating Lateral Traversal t Devices Sme attackers may chse t attack ne r mre POS devices ver the netwrk using explits r even using a physical attack 2 n a device in a stre. Hwever, it is difficult t cmprmise hundreds r thusands f devices using these methds and in the recent retail attacks it is likely that the attacker leveraged sme srt f lateral traversal using stlen but legitimate privileged credentials t cmprmise a large number f devices. Micrsft has extensive experience in cuntering these types f attacks as they are ften used by APT grups t quickly gain access t infrmatin thrughut the enterprise after cmprmising a small number f systems. Micrsft has previusly published general guidance n cuntering these threats in the white paper Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques 3. In this sectin will we fcus n sme specific scenaris likely t allw the brad cmprmise f POS devices. 2 The discussin f prtectin against physical attacks n POS devices is ut f scpe fr this paper. 3 Page 6

7 Active Directry Many retailers jin their Windws POS devices t an Active Directry (AD) in rder t gain the many benefits such as centralized cnfiguratin management, accunt management, and easy authenticatin t netwrk resurces. While this is smething that we cntinue t recmmend, custmers shuld als be aware that a cmprmised Active Directry wuld als becme an avenue fr an attacker t spread malware thrughut the enterprise including t POS devices. If an attacker gets privileged access t Active Directry such as thrugh the theft f Dman Admin r Enterprise Admin credentials he r she has almst limitless access t systems jined t that AD frest. This includes being able t push prgrams t run n systems, change security settings n systems, and mdify the membership f lcal grups n systems such as the lcal administratrs grup. Frtunately, the methds by which an Active Directry are typically cmprmised are well understd and cnsist primarily f very flat AD designs and administrative practices that put credentials at risk. The previusly mentined PtH white paper describes these attacks and mitigatins in great detail and we encurage custmers t implement thse recmmendatins t secure nt just their POS devices but their entire netwrk. Anther cnsideratin is whether POS devices shuld be part f retailer s prductin Active Directry frest r jined t a dmain in a separate frest. In Active Directry a separate frest prvides a security bundary between systems. This wuld prevent a cmprmise f AD in ne frest frm als cmprmising resurces in the ther frest 4. Crss-frest trust relatinships can be established between the frests t allw cntrlled access t resurces acrss the frest bundaries. This allws similar functinality t a single frest while prviding better cntainment in the event f a cmprmise. Shared Service Accunts In Windws a service is a prcess that is autmatically started by the perating system and runs in the backgrund t prvide a desired functin. Many parts f the perating system functin as services as well as applicatins that need t stay running even when n user is active n the system. On POS devices this can include applicatins such as security scanners, systems management sftware, and even part f the POS applicatin itself. When a service is created it 4 Shared userid and passwrds in bth frests culd still allw a cmprmise acrss frest bundaries. Page 7

8 must be set t run as sme user accunt that can include the machine 5 accunt, a lcal user, r a dmain user accunt. In sme cases a service will be installed acrss POS devices using the same Active Directry accunt r using a cmmn lcal accunt created n each system. This is typically dne t simplify access t netwrk resurces r fr the server side f an applicatin t authenticate t the POS device. If this service accunt is als cnfigured n nn-pos systems - such as when the same systems management service accunt is cnfigured n desktp, servers, and POS systems - the result is a single credential that if cmprmised has brad access t the netwrk. Unless using the machine accunt, the userid and passwrd fr this service must be entered and stred encrypted by the perating system fr use at system startup. It is imprtant t recgnize that while a regular user cannt btain these lgn credentials a lcal administratr r an attacker wh has btained lcal administratr access can thrugh the use f cmmn attacker tls. As a result, the cmprmise f a single system cnfigured with this service accunt can expse credentials that are valid fr access acrss a large number f devices. Furthermre, in many cases these accunts are members f the lcal administratrs grup acrss devices in rder t facilitate privileged access. Retailers shuld review their POS devices fr services that are running as accunts ther than LcalSystem, NetwrkService, and LcalService. Where pssible, recnfigure these services t use ne f these machine accunts. Bth LcalSystem and NetwrkService can access netwrk resurces as the machine accunt in Active Directry but are unique t each device. If a cmmn dmain r lcal user accunt must still be used cnsider limiting its usage t just POS devices r better yet using multiple accunts with a different accunt fr varius POS device cmmunities (e.g. per stre, per regin, per business). This will nt nly limit the expsure f the accunt t attackers but als limit the usefulness t a subset f systems shuld the accunt becme cmprmised. Als, try t limit the privileges assigned t the service accunt n POS devices in rder t make it less useful t an attacker. 5 There are actually multiple frms this machine accunt can take including the Lcal System, Lcal Service, and Netwrk Service. Mre infrmatin is available at Page 8

9 This includes nt making the accunt a member f the lcal administratrs grup but als avid granting the accunt unnecessary and sensitive user rights such as: Allw lg n lcally Access this cmputer frm the netwrk Allw lgn thrugh Remte Desktp Services Act as part f the perating system Backup files and directries Restre files and directries The gal is t limit bth hw widely a single stlen accunt can be used acrss devices as well as t limit the amunt f damage an attacker can d t a device with the accunt. Mst f the current POS malware require administratr r sensitive user rights t steal custmer PII. Shared Lcal Administratrs Previusly we mentined hw shared lcal accunts will smetimes be created t supprt a shared service acrss systems. We als discussed hw administratr r privileged accunts are ften necessary fr attackers t succeed in stealing custmer PII frm POS devices. In additin t these scenaris, we need t cnsider lcal accunts that are created as part f the OS installatin as well as fr the terminal peratr. During installatin f the perating system at least ne lcal administratr is always created and it is cmmn during scripted deplyments t use the same passwrd fr this accunt n all deplyed systems. Like with service accunts an attacker that has btained privileged r admin access t a device can btain the passwrds fr lcal accunts. This cmprmise f the userid and passwrd fr a shared accunt n ne system can then be used t lgn t any ther system that uses the same userid and passwrd. Micrsft recmmends that custmers use unique randm passwrds fr lcal administratr accunts, disable thse accunts, r at a minimum restrict hw thse accunts can be used in netwrk cnnectins. Details n these mitigatins and hw t implement them are prvided in the referenced Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques white paper. Other Shared Lcal Accunts It is cmmn in retail envirnments t use shared lcal user accunts t lgn t POS devices even thugh these devices are jined t an Active Directry dmain. This is t ensure that the peratr can access the terminal even if there is a netwrk cnnectin issue and is als because Page 9

10 it is nt cnsidered practical t create and maintain user accunts fr retail assciates where there are a very large number f users and high persnnel turnver. Such trade-ffs need t be made fr business reasns but care shuld als be taken t limit the ptential fr abuse f these shared lcal accunts. First, these accunts shuld nly be given the privilege t lg n lcally and nt as a service, via the netwrk, r via Remte Desktp Services. These accunts shuld als never be lcal administratr accunts r given sensitive user privileges such as the belw. Allw lg n as a service Access this cmputer frm the netwrk Allw lgn thrugh Remte Desktp Services Act as part f the perating system Backup files and directries Restre files and directries Where pssible, different passwrds shuld be used in rder t limit the systems n which this shared accunt is valid. 5 Cnclusin Pint Of Sales devices are prime targets fr attackers because they are the frnt line fr cllecting infrmatin frm custmers and are ften less well prtected than backend systems. Recent large scale cmprmises have required the ability t cmprmise these systems at scale and ften use the same techniques used in targeted attacks designed t steal intellectual prperty. As a result, applying the same techniques f limiting the ability fr attackers t mve laterally in a cmprmise can dramatically reduce the damage frm an attack. In additin, there are a number f measures yu can take t specifically prtect POS devices frm cmprmise as well as securing custmer credit card data as it is cllected. We strngly encurage all retail custmers t review and implement the measures in this paper as a first step twards mitigating the risk f the wide scale theft f custmer infrmatin. In additin, we recmmend custmers read the whitepaper A Systematic Methd t Understand Security Risks in a Retail Envirnment t lk at ther threats t yur retail infrastructure. This paper will utline a typical retail threat mdel and shw hw t use this as a structured apprach t implementing mitigatins t ther systems in yur envirnment such as e- cmmerce platfrms and back f the huse systems. Page 10