Give Vendors Access to the Data They Need, NOT Access to Your Network
Acumera AirGap Architecture

By the year 2020, just five years from now, it is estimated that 25 billion devices will be connected to the Internet of Things. While each of these Things transmits valuable data and information that can help businesses reduce costs, improve operations and enhance marketing programs, they also introduce new security challenges to the C-store environment.

One important Thing found in many C-stores is the Automated Tank Gauge (ATG). It gathers and provides operational data such as inventory levels to enable better, more accurate business and operational decisions. Another important Thing that provides key operational functions is the Point of Sale (POS) system.

In order for vendors and stakeholders to access and utilize the data generated by the devices and equipment in C-stores, these Things need to be connected to the Internet. Once the devices are connected, vendors can remotely manage their devices and gather the information they need to do their jobs. However, giving vendors access to devices that are connected to a C-store's network can quickly open the door to malicious activity.

Even large, highly sophisticated retailers have proven vulnerable to breaches associated with connecting devices to the Internet of Things. One of the important things many of the highest-profile network security breaches have in common is that intruders gained access to the retailers' networks through security holes in their vendors' networks. According to KrebsOnSecurity.com, some of the largest retail breaches over the past year started with a hacked vendor.
In several cases, thieves used a vendor's username and password to enter the network and remotely access the company's point-of-sale devices, opening the door to the theft of credit card numbers and other personal information from millions of customers. Even though many of the retailers were certified to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), they were not immune to this type of threat. So, how can this type of vulnerability be mitigated?

By: Tom Yemington, Vice President of Sales and Marketing, tom.yemington@acumera.net

Be PCI Compliant AND Be Secure

It is important to understand that PCI compliance is only part of the security equation. The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Unfortunately, because threats are continuously evolving and compliance is evaluated periodically, not continuously, compliance doesn't necessarily equate to security.

PCI Compliance

PCI compliance is evaluated on an annual basis, with different levels of requirements according to the volume of credit card transactions processed by a merchant each year. However, a vulnerability scan or PCI DSS assessment is only a snapshot in time. Security efforts are non-stop and must get stronger every day, which is why PCI DSS compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.

Network Security Best Practices

Beyond rigorously maintaining PCI compliance, Acumera recommends C-stores follow network security best practices to protect themselves against security breaches, including:

1. AGGRESSIVELY SEGMENT YOUR NETWORK

Many merchants are already aware of the benefits of segmentation, or putting different components in different network segments. As a baseline, isolate the part of a network that contains cardholder data and put it in a separate network segment, so that even if other areas of the network are compromised, it does not impact the security of the cardholder data in the network. In light of the recent, highly publicized network breaches that exposed millions of people's credit card data, one large regional C-store operator now has a network segment for each vendor. There is even a segment named HVAC in each of their stores. Network segmentation can be achieved through a number of means, such as properly configured internal network firewalls, routers with strong access control lists, segmenting network switches, or other technologies that restrict access to a particular segment of a network.
Many merchants have been reluctant to segment their in-store networks because of a belief that segmentation is difficult, complex, or expensive, but there are many simple, cost-effective options available today.

2. CONDUCT EXTENSIVE PENETRATION TESTING

Conduct penetration testing on your network before someone else does.

Internal and external penetration testing is required for all merchants, regardless of size, according to the PCI DSS. The objective of penetration testing is to identify areas of potential weakness in an environment by simulating the methods performed by an attacker. Don't just do the minimum of testing penetration from the outside or inter-segment penetration: come up with new and creative ingress paths to test, such as trying to reach sensitive data from a user account that is specifically denied access to that data. Because penetration testing is a manual process, it can be expensive, especially if there are many different or non-standard store configurations to be penetration-tested. So, the new pen-test requirement is a big motivation for merchants to do something that is a good idea anyway: standardize the configuration across multiple stores. This requirement, as well as the recent highly publicized breaches of networks that did not employ good segmentation and isolation techniques, is motivating progressive merchants not only to segment their networks, but also to eliminate as many persistent connections to vendors as possible.

3. DEVELOP AND MAINTAIN CONSISTENT POLICIES AND PROCEDURES

It is important that security practices and policies be developed and maintained throughout the year, not just for the purposes of PCI compliance. Continuously maintain dataflow diagrams and network inventories to ensure no part of an environment is overlooked and becomes a breach vector, especially as changes are made over time. Create specific access rules and user guidelines to prevent outside personnel from unintentionally becoming the source of a breach. Keep internal users informed about potential threats and trends, such as social hacks, which leverage impersonation or manipulation tactics to gain access. Implementing a disciplined system of change management that tracks modification of devices, connections and users strengthens and preserves the integrity of information security.

4. USE TWO-FACTOR AUTHENTICATION AND REQUIRE YOUR VENDORS TO USE TWO-FACTOR AUTHENTICATION

According to the Verizon 2014 Data Breach Investigations Report, "Stronger passwords would cut out a huge chunk of the problem, but larger organizations should also consider multiple factors to authenticate third-party and internal users." The use of two-factor authentication has two primary benefits. First, it blunts brute-force password guessing and dictionary attacks (looking for simple passwords that are in lists of passwords stolen in previous breaches), which are increasingly common. Second, two-factor authentication reduces the threat posed by phishing and social hacks (where a user is tricked into disclosing their credentials), because second-factor techniques depend on something you have, such as a mobile phone or authentication token, that isn't easily stolen, replicated, or transferred even if a password has been electronically stolen.

5. DE-VALUE YOUR DATA

Encrypting data reduces the value of your data to cyber-criminals. If they can't sell it, they are less likely to want to steal it. Sections 3 and 4 of the PCI DSS give clear requirements regarding using encryption to protect stored and transmitted cardholder data. Why not apply these same standards to other sensitive or proprietary data?

- Use the strongest encryption methods available to encrypt data
- Have and enforce robust policy procedures for cryptographic key access and management

6. LIMIT NETWORK ACCESS GRANTED TO VENDORS AND SERVICE PROVIDERS

It is important to keep in mind that your network security is only as strong as your weakest measure. Your company carefully selects vendors and service providers to maximize the value those partners provide. In today's environment it would be nearly impossible to develop all hardware and services in house.

QUICK REFERENCE: Network Security Best Practices
1. Aggressively segment your network
2. Conduct extensive penetration testing
3. Develop and maintain consistent policies and procedures
4. Use two-factor authentication and require your vendors to use two-factor authentication
5. De-value your data
6. Limit network access granted to vendors and service providers
Imagine running a large C-store chain with no accounting system, fuel inventory management system, or POS hardware and support. Even if you have mostly internal/proprietary systems, vendors and stakeholders are going to be most valuable when they have access to, and can get the data generated by, the devices and equipment in C-stores; these Things need to be connected to the Internet. But you can't possibly manage your vendors' security or their adherence to the best practices outlined above unless you strictly restrict their access to the parts of your network they do not need.

Isolate Your Store Network

In network security, an air gap is the idea that a secure network is safest from attack when it is physically separate and isolated from unsecure networks. Having absolutely no connection is the maximum level of protection between two or more systems. Essentially, an air gap creates a closed system for highly sensitive information or equipment, so that it is completely inaccessible to outside threats. Military and government systems and networks with sensitive data are often air-gapped. Other examples include financial and banking systems such as stock exchanges, nuclear power plant controls, computerized medical equipment, and flight and aircraft control systems.

Minimize third-party access

One of the major benefits of creating an air gap in a network is to prevent direct network access by outside sources that may be trusted to do business with a company but are not necessarily trustworthy when it comes to network security. Many third-party vendors aren't required to follow the same stringent security policies as retailers because, on the surface, they aren't dealing directly with sensitive information such as credit card or social security numbers. However, if a vendor has direct access to any device that is operating on your network, your network (and the sensitive information on it) can become vulnerable to an attack made on that vendor.
Ask all of your vendors about their security and compliance practices to get a better understanding of the potential risks to your network.

Avoid Persistent Connections

Another benefit of creating an isolated network is that it limits the threat surface that must be monitored for attacks and intrusion. A persistent connection to your network creates a larger and quite likely unknowable scope for attack. In addition, persistent connections leave the door open to potential intruders around the clock. By enabling and allowing access only when it is required, you reduce the time during which the network is vulnerable to attack.

Questions to Ask Your Vendors and Service Providers

- Are your services PCI DSS compliant?
- What do you do to protect your systems from malware and other security breaches?
- How often do you check your systems for malicious activity?
- Do you access my infrastructure over the network connections that you use for other C-store operators/competitors?
- Is it necessary to have a persistent connection to my sites to provide systems support/business intelligence?
- What are you doing to limit the time of support or data transfer connections?
- What are you doing to validate that only authorized employees from your company are accessing my data or my systems?
- Are you using strong passwords and two-factor authentication, and logging support and access events?
- Do you really need access to my network at all, or do you just need data from the site?
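Best practice 1 (one segment per vendor, cardholder data isolated) and the isolation argument above can be checked mechanically. The following is an added example, not Acumera's code or any operator's configuration: a first-match access-control-list model with constructed addresses and segment names, which verifies that no vendor segment can reach the cardholder data segment and shows the same check failing on a flat store LAN.

```python
# Added example, not from Acumera or this whitepaper: a first-match access-control-list
# model of a segmented C-store network, with a check that the cardholder data segment
# cannot be reached from any vendor segment. All addresses and segment names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source segment (CIDR)
    dst: str             # destination segment (CIDR)
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

# Constructed segment plan: one segment per vendor plus the isolated cardholder data segment.
SEGMENTS = {
    "cde":  "10.10.1.0/24",   # POS and payment devices (cardholder data environment)
    "atg":  "10.10.2.0/24",   # automated tank gauge vendor
    "hvac": "10.10.3.0/24",   # HVAC vendor equipment
    "mgmt": "10.10.9.0/24",   # store operator's management hosts
}

# Rules are written at whole-segment granularity and evaluated top to bottom; the first
# match wins and the last rule denies everything that no earlier rule allowed.
SEGMENTED_RULES = [
    Rule(SEGMENTS["mgmt"], SEGMENTS["cde"],  443,  "allow"),  # operator administration of POS over TLS
    Rule(SEGMENTS["atg"],  SEGMENTS["atg"],  None, "allow"),  # each vendor segment only talks to itself
    Rule(SEGMENTS["hvac"], SEGMENTS["hvac"], None, "allow"),
    Rule("0.0.0.0/0",      "0.0.0.0/0",      None, "deny"),   # default deny
]

# A flat store LAN for comparison: everything can reach everything.
FLAT_RULES = [Rule("10.10.0.0/16", "10.10.0.0/16", None, "allow")]

def evaluate(src_ip: str, dst_ip: str, port: int, rules: List[Rule]) -> str:
    """Return the action of the first rule matching (src, dst, port); deny if none matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"

def vendor_segments_reaching_cde(rules: List[Rule], vendors=("atg", "hvac")) -> List[str]:
    """Return the vendor segments that can reach a cardholder-data host on any probed port.

    Because the rules are segment-granular, probing one host per segment is representative.
    Probed ports are every port named in the rule set plus one port no rule mentions.
    """
    ports = {r.port for r in rules if r.port is not None} | {22}
    cde_host = str(next(ip_network(SEGMENTS["cde"]).hosts()))
    leaks = []
    for name in vendors:
        vendor_host = str(next(ip_network(SEGMENTS[name]).hosts()))
        if any(evaluate(vendor_host, cde_host, p, rules) == "allow" for p in ports):
            leaks.append(name)
    return leaks
```

An empty result from `vendor_segments_reaching_cde` is the property to preserve across every rule change; running it on the flat rule set shows both vendor segments leaking.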
The Acumera AirGap Architecture

The more isolated a network is, the more secure it is. On the other hand, the more isolated a network, the less useful the data and Things connected to it. In practice, a completely air-gapped solution is impractical, so Acumera developed a highly secure system for providing access to data while virtually eliminating persistent access. The Acumera AirGap Architecture provides the benefits of an isolated network while getting vendors and service providers the data and access they need to help you run your business.

[Figure: Acumera AirGap Architecture. Labels: PDI, WEX, Telapoint, Intellifuel, POS, MG, 'Things', Stores, Internet]

Acumera AirGap Architecture: How It Works

The Acumera AirGap Architecture enables in-store devices to communicate and share data with analysts, operations professionals and third-party service providers, without giving third parties access to the store's network. Instead, valuable information from devices, such as automatic tank gauges, is collected and sent to a secure location in the cloud, where it can then be picked up, used and stored by the vendor. Unlike the traditional model, the Acumera AirGap Architecture does not create a linear, persistent connection between in-store devices and third parties, keeping the store network and sensitive customer information (such as cardholder data) isolated from potential breaches. This highly secure design reduces the scope of requirements for PCI compliance and mitigates the threat of C-stores falling victim to the types of breaches that are affecting major retail chains today. Convenience stores can give vendors access to the data they need and reap the benefits of being connected to the Internet of Things, without sacrificing network security and customer information.

The Acumera AirGap Architecture Minimizes Persistent Connections

Acumera uses the AirGap architecture for our own management systems.
Acumera has no persistent access to the Acumera Merchant Gateways (MGs) at our customer sites, inverting the typical network monitoring model for enhanced security and reliability. Frequently, network monitoring tools use SNMP, ping, or some other tool to centrally check remote network device status, which creates network traffic and potential vulnerabilities. So, Acumera flips the flow of site data so that the site initiates contact. The Acumera MG frequently checks the status of connected site systems and pushes site status to secure cloud storage. The site status and enterprise reports can be displayed in a browser without any direct connection to the site. Only when Acumera's network operations group needs to check an Acumera MG or upgrade MG firmware does Acumera make a direct, limited-time connection to the Acumera MG. The access and changes are logged in a PCI-compliant fashion, and access is terminated when the support or upgrade is complete.

Acumera's Apps for Your Network services and Acumera management tools can help satisfy PCI DSS controls 12.3.8 and 12.3.9 with respect to minimizing persistent connections:

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

[Sidebar: Secure Networks; AcuVigil Dashboard; Visibility and Management; Merchant Gateway; Reliable Operational Data; Apps for Your Network Services]

When it is absolutely necessary to allow vendors direct access to store networks, such as when a POS vendor needs to access a POS to provide updates or support, Acumera Apps for Your Network services and Acumera management tools have controls that require administrators to actively grant access. To reduce and minimize the vulnerability, access is automatically cut off after a specific time period and must be re-granted.

Summary

From maintaining PCI compliance to keeping up with best practices such as segmentation, penetration testing and security policies and procedures, there's a lot to consider when it comes to network security. It is important not to overlook the role that vendors and service providers play in your security equation. Protect your business by avoiding the use of persistent connections and isolating your network from vendor access. In the end, you will not only preserve your reputation, you will keep your customers' data out of harm's way.
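The access-grant controls described for 12.3.8 and 12.3.9 above (administrator must actively grant access, automatic cut-off after a set period or inactivity, immediate deactivation after use, everything logged) can be modelled in a few dozen lines. This is an added example, not Acumera's code; the vendor and device names, the durations and the injected clock are all constructed so the timeouts are deterministic.

```python
# Added example, not Acumera's code: a model of the vendor-access controls described for
# PCI DSS 12.3.8 and 12.3.9. Access exists only after an administrator grants it, closes
# after a maximum duration or a period of inactivity, is deactivated as soon as the work
# is done, and every decision is logged. Names, durations and the clock are constructed.
from dataclasses import dataclass, field
from typing import List

@dataclass
class Grant:
    vendor: str
    target: str          # the one device the vendor may reach, e.g. a POS terminal
    granted_at: float    # seconds on the injected clock
    last_activity: float
    active: bool = True

@dataclass
class VendorAccessController:
    max_seconds: float = 3600.0   # hard cap on a granted session (12.3.9)
    idle_seconds: float = 900.0   # inactivity cutoff (12.3.8)
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def grant(self, admin: str, vendor: str, target: str, now: float) -> Grant:
        """Only an explicit administrator action opens access; nothing is open by default."""
        g = Grant(vendor, target, now, now)
        self.grants.append(g)
        self.audit_log.append(f"{now:.0f} GRANT admin={admin} vendor={vendor} target={target}")
        return g

    def _revoke(self, g: Grant, now: float, reason: str) -> None:
        g.active = False
        self.audit_log.append(f"{now:.0f} REVOKE vendor={g.vendor} target={g.target} reason={reason}")

    def check(self, vendor: str, target: str, now: float) -> bool:
        """Evaluate one vendor request: True only inside an active grant that has not
        exceeded its maximum duration or its inactivity window."""
        for g in self.grants:
            if not g.active or (g.vendor, g.target) != (vendor, target):
                continue
            if now - g.granted_at > self.max_seconds:
                self._revoke(g, now, "max-duration")
            elif now - g.last_activity > self.idle_seconds:
                self._revoke(g, now, "inactivity")
            else:
                g.last_activity = now
                self.audit_log.append(f"{now:.0f} ACCESS vendor={vendor} target={target}")
                return True
        self.audit_log.append(f"{now:.0f} DENY vendor={vendor} target={target}")
        return False

    def close(self, vendor: str, target: str, now: float) -> None:
        """Immediate deactivation when the support or upgrade work is complete (12.3.9)."""
        for g in self.grants:
            if g.active and (g.vendor, g.target) == (vendor, target):
                self._revoke(g, now, "work-complete")
```

Once a grant has been revoked for any reason, `check` keeps returning False until an administrator calls `grant` again, which is the re-grant behaviour the text describes.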
About Acumera

Founded in 2002, Acumera provides Trusted Connection Services to multisite merchants, specializing in the reduction of headaches caused by network management and security issues. Customers are free to focus on running their businesses because Acumera actively manages their networks and provides unparalleled visibility and remote management capability. Acumera gets customers' stores, network clients and devices securely connected and keeps them connected. In addition to network status, merchants have real-time insight into key operational measures, such as fuel inventory levels and environmental and food safety temperatures. As a result, Acumera customers say they love their network.

Further Reading

- www.krebsonsecurity.com
- 2015 Verizon Data Breach Investigations Report
- Payment Card Industry Data Security Standard (Version 3.0)
Critical Services for Convenience Stores

- Broadband Qualification, Provisioning & Support
- Secure Network Development & Management
- Network/Device Monitoring & Alert Messaging
- Apps for C-store Operations (ATG, Temperature Monitoring, etc.)
- Virtual Private Network Management
- PCI Tools & Support

Whitepapers Available from Acumera

- Improving C-Store Operations with Network Automation
- A New Era of Security in Convenience Stores
- Advantages and Benefits of Running PDI/Enterprise on an Acumera Managed Network
- Improving Store Support and Revenue with Proactive Support Methodology
- Business Considerations for Leveraging Wi-Fi at C-Stores
- Technical Considerations for Implementing Wi-Fi in C-Stores
- Getting Your C-Store Connected
- Improving Network Uptime

PCI-DSS Compliance Support

Our goal is to reduce the headaches our customers experience maintaining their Payment Card Industry Data Security Standard (PCI DSS) compliance. To that end, we are constantly improving our systems and services to provide the most secure networks and to support our customers' compliance audits. Acumera is a fully PCI compliant service provider, which means we have taken the steps to complete our own PCI compliance assessment and obtain an annual Report on Compliance (ROC). Acumera is fully compliant with ALL applicable requirements and controls. Uniquely, we won't promote that our compliance will ensure our customers' compliance, because it can't. There is no third-party service that completely removes merchant responsibility for PCI DSS compliance.

Tom Yemington, Vice President of Sales and Marketing, 512.658.2532, thomas.yemington@acumera.net
Nick Franco, Senior Director of Sales, (512) 687-7412, nick.franco@acumera.net
Dennis Jensen, Senior Director of Sales, (952) 368-0018, dennis.jensen@acumera.net