
SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Copyright SANS Institute. Author Retains Full Rights.

Executive Summary
A SANS Whitepaper
Written by Wes Whitteker
October 2014
Sponsored by Bit9 + Carbon Black
© 2014 SANS Institute

Year of the Retailer

With the Target breach as the most notable example, the last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Following recent events, it is clear that executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive "offense must inform defense" approach to POS security.

It is widely recognized that 2014 will be the year of the retailer.[1] Motivated by profit, payment card thieves are increasingly turning to compromised POS devices as a primary source for unencrypted card data that can easily be sold to dump shops on the black market.[2] Recent reports put the estimated profit from POS-related cybercrime in Russia at more than $2.5 billion.[3]

"POS attacks have a good potential to get worse. There is a vast number of vulnerable devices, random infections, targeted attacks, and a reluctance of operators to provide the necessary level of protection. The result is big leaks." Ilya Sachkov, CEO, Group-IB[4]

As countless retail organizations have fallen victim to POS-driven information security breaches targeting consumer payment card data, pressure on retail executives to take further action to protect POS devices has risen dramatically.[5]

PCI Compliance Is Not Enough

Although the Target breach is the most notable breach, several other well-known organizations have fallen victim to advanced POS attacks. The victims include Home Depot; Neiman Marcus; Michaels Stores; Sally Beauty Holdings, Inc.; Supervalu; Albertson's and many more.[6] Looking deeper into this list of victims, it is important to recognize that many of these organizations were considered PCI-DSS compliant at the time of compromise and had invested heavily in systems to meet these compliance standards.[7]

Notes
[1] Networking Concepts Podcast, www.sans.org/course/security-essentials-bootcamp-style
[2] Peek Inside a Professional Carding Shop, http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop
[3] Russian Hackers Made $2.5B Over The Last 12 Months, www.darkreading.com/russian-hackers-made-$25b-over-the-last-12-months-/d/d-id/1316631
[4] www.darkreading.com/russian-hackers-made-$25b-over-the-last-12-months-/d/d-id/1316631
[5] Faltering Target Parts Ways With Chief, www.nytimes.com/2014/05/06/business/target-chief-executive-resigns.html
[6] Home Depot's payment systems hacked, 60 million shoppers reportedly affected, http://fox59.com/2014/09/18/home-depots-payment-systems-hacked-60-million-shoppers-reportedly-affected
[7] New Gartner findings for PCI Compliance and the StillSecure PCI Calculator, www.thesecuritysamurai.com/2011/07/06/new-gartner-findings-for-pci-compliance-and-the-stillsecure-pci-calculator

As noted in a report about big data breaches in 2014, including Home Depot and Target, PCI "is meant to protect card issuers and make sure that consumers feel safe enough to keep using credit and debit cards, therefore ensuring card issuers make a profit."[8] That does not mean that data is absolutely safe. While PCI-DSS provides a framework for improved payment processing, it is clear that it has been insufficient to ensure the security of modern retail POS systems. To truly improve the security posture of POS devices, organizations must take a more dynamic approach to securing POS environments moving forward, one that uses an "offense must inform defense" methodology.[9]

Why Payment Cards/POS Are Easy Targets

To understand why POS-driven breaches continue to occur, it is important to understand the key payment card characteristics and payment card system deployment models that make this information and these devices easy and attractive targets.

First, let us look at the modern payment card. The magnetic stripe of the payment card holds the vast majority of the critical payment data and is broken up into three areas, referred to as tracks (see Figure 1).

Figure 1. Payment Card Physical Structure, Back Side

Notes
[8] PCI Compliance Under Scrutiny Following Big Data Breaches, www.cio.com/article/2836035/data-breach/pci-compliance-under-scrutiny-following-big-data-breaches.html
[9] The United States Cyber Challenge, www.whitehouse.gov/files/documents/cyber/the%20united%20states%20cyber%20challenge%201.1%20%28updated%205-8-09%29.pdf

Tracks 1 and 2, which are stored in an unencrypted format, are the focus for payment card usage. It is this unencrypted track data that thieves are most often attempting to steal when compromising POS devices, because it contains the information necessary to create counterfeit cards or make fraudulent online purchases.

Second, let us examine the modern POS system architectures most commonly deployed. Most retailers today rely on one of five POS deployment architectures to process in-store transactions, and not all are created equal: the Store Electronic Payment System (EPS) Deployment Model, the POS EPS Deployment Model, the Hybrid/POS Store Deployment Model, the Gas Station Payment System, and Mobile Payments [near-field communication (NFC) and non-NFC]. The key point to understand with the various deployment models is that the payment data is more vulnerable in certain architectures because it touches more systems while in an unencrypted format.[10]

With the preceding information in mind (unencrypted data, data exposure during system processing, etc.), it is no surprise that payment card information is an easy target. When processed in memory, payment data is nearly impossible to defend if a POS system is compromised. As such, memory scraping has become a popular choice among bad actors. Scraper malware is very opportunistic, and it can be easily modified to target specific patterns of data (track data) in any operating system, enabling it to bypass traditional endpoint defenses, such as antivirus software.

Notes
[10] Gomzin, Slava, 2014. Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions. Hoboken, NJ: John Wiley and Sons.
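The "specific patterns of data" the paragraph refers to are the ISO/IEC 7813 Track 1 and Track 2 layouts, and the same patterns are what a defender's tooling (DLP, memory forensics, YARA-style scans of suspected staging files) looks for when checking whether cleartext track data is present where it should not be. The scanner below is an added example, not code from the whitepaper or its sponsor: it anchors on the format's sentinel and separator characters so ordinary digit runs in memory are not reported, validates the account number with the Luhn check to discard false positives, and reports only a masked PAN so the finding itself is not cardholder data. The memory buffer it scans is constructed sample data built around the standard test card number 4111 1111 1111 1111; field names and length limits are assumptions.

```python
import re

# ISO/IEC 7813 magnetic-stripe layouts (public format, as referred to above):
#   Track 1: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Anchoring on the sentinel (% or ;), the format code B and the ^ / = separators
# keeps ordinary digit runs in memory (timestamps, receipt totals) from matching.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})\d{3}[^?]{0,50}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}[^?]{0,30}\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects most random digit runs that fit the length."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits so the report is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a memory image or staging file for cleartext track data.

    Returns one finding per Luhn-valid hit: track number, byte offset, masked PAN
    and expiry (MM/YY), sorted by offset. Discretionary data is never retained.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}"})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory" using the standard test PAN 4111 1111 1111 1111.
# The last record is a decoy whose PAN fails the Luhn check and must be ignored.
SAMPLE_MEMORY = (
    b"receipt 20141015 lane 07 total 41.11 auth 123456789012345678\x00\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?\x00\x00"
    b"store 0042 ts 1413372000 \x00"
    b";4111111111111111=25121010000000000000?\x00\x00"
    b";4111111111111112=25121010000000000000?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Running the block on the constructed buffer reports the Track 1 and Track 2 records for the test PAN and silently drops the Luhn-invalid decoy; on a real terminal the same function would be pointed at a memory image or at files found in an unexpected share. Because the scan keys on the sentinels and separators rather than on digit runs, it is far less noisy than a bare 16-digit regex, which is the usual cause of unusable DLP alerts.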

Overview of Today's POS Attack

The basic POS breach phases include infiltration, propagation, exfiltration and aggregation. The infiltration phase is where the attacker gains access to the target environment. After accessing the target environment, the propagation phase takes place, where the bad actor spreads malware to the target systems (POS systems), which is often done via resources in the target environment (for example, domain controllers, remote administration tools, etc.). Once propagated, the malware injects itself into memory, where it collects the desired information (track data) and then exfiltrates the data to another system (the aggregation point) in the target environment. From the aggregation point, the data is uploaded to a system outside the target environment, thus reducing the chances of detection, as shown in Figure 2.

Figure 2. Cybercriminals' Access Through POS Systems

It is important to note that POS malware continues to evolve as evasion techniques improve. These constant improvements make detection by traditional antivirus very difficult, and in some cases not possible.[11,12,13]

Notes
[11] http://digitaltransactions.net/news/story/retailer-confidence-in-detecting-data-security-breaches-abounds_-but-is-it-warranted_
[12] Report Puts PoS Malware Under the Microscope, www.securityweek.com/report-puts-pos-malware-under-microscope
[13] www.itweb.co.za/index.php?option=com_content&view=article&id=65151:trustwave-intros-siem-enterprise&catid=250
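The aggregation step described above leaves a network shape that does not depend on recognising the malware: many POS terminals write to one internal host, and that host later pushes a large volume to an external address that the store has no business relationship with. The flow-record analysis below is an added example and not code from the whitepaper; it assumes a POS VLAN of 10.20.0.0/16, an internal range of 10.0.0.0/8 and one allowlisted payment-processor address (198.51.100.10, a documentation address). The flow records are constructed: a domain controller with normal fan-in and no upload, a store server forwarding to the allowlisted processor, and a file share that receives from four terminals and then uploads to an unknown host.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for this example).
POS_SEGMENT = ip_network("10.20.0.0/16")       # store POS terminals
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]    # everything the retailer owns
# External endpoints expected to receive bulk traffic (payment processor, etc.).
KNOWN_EXTERNAL = {"198.51.100.10"}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_aggregation_points(flows, min_pos_sources=3, min_outbound_bytes=100_000):
    """Flag internal hosts that collect data from several POS terminals and then
    push a large volume to an external address that is not on the allowlist.

    flows: iterable of (timestamp, src_ip, dst_ip, dst_port, bytes) tuples.
    Returns one finding per (aggregation host, external destination) pair.
    """
    pos_sources = defaultdict(set)                    # host -> POS terminals writing to it
    inbound_bytes = defaultdict(int)
    outbound = defaultdict(lambda: defaultdict(int))  # host -> external dst -> bytes

    for _ts, src, dst, _port, nbytes in flows:
        if ip_address(src) in POS_SEGMENT and is_internal(dst) and ip_address(dst) not in POS_SEGMENT:
            pos_sources[dst].add(src)          # fan-in from the terminal VLAN
            inbound_bytes[dst] += nbytes
        elif is_internal(src) and not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            outbound[src][dst] += nbytes       # upload to an unexpected external host

    findings = []
    for host, sources in pos_sources.items():
        if len(sources) < min_pos_sources:
            continue
        uploads = {ext: b for ext, b in outbound.get(host, {}).items() if b >= min_outbound_bytes}
        for ext, nbytes in sorted(uploads.items()):
            findings.append({"aggregation_host": host, "pos_sources": len(sources),
                             "inbound_bytes": inbound_bytes[host],
                             "external_dst": ext, "outbound_bytes": nbytes})
    return findings


# Constructed flow records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    # Terminals authenticating to the domain controller: fan-in, but no upload.
    ("2014-10-15T08:00:01", "10.20.1.11", "10.50.0.1", 88, 2_100),
    ("2014-10-15T08:00:02", "10.20.1.12", "10.50.0.1", 88, 2_050),
    ("2014-10-15T08:00:03", "10.20.1.13", "10.50.0.1", 88, 2_200),
    ("2014-10-15T08:00:04", "10.20.1.14", "10.50.0.1", 88, 2_000),
    # Store server forwarding transactions to the allowlisted processor: expected.
    ("2014-10-15T08:05:00", "10.20.1.11", "10.50.0.9", 8443, 18_000),
    ("2014-10-15T08:05:01", "10.20.1.12", "10.50.0.9", 8443, 17_500),
    ("2014-10-15T08:05:02", "10.20.1.13", "10.50.0.9", 8443, 19_000),
    ("2014-10-15T08:06:00", "10.50.0.9", "198.51.100.10", 443, 2_400_000),
    # Terminals writing to a file share that later uploads to an unknown host.
    ("2014-10-15T23:10:00", "10.20.1.11", "10.50.0.5", 445, 310_000),
    ("2014-10-15T23:10:05", "10.20.1.12", "10.50.0.5", 445, 295_000),
    ("2014-10-15T23:10:09", "10.20.1.13", "10.50.0.5", 445, 330_000),
    ("2014-10-15T23:10:14", "10.20.1.14", "10.50.0.5", 445, 300_000),
    ("2014-10-16T02:30:00", "10.50.0.5", "203.0.113.77", 443, 1_180_000),
]

if __name__ == "__main__":
    for finding in find_aggregation_points(FLOWS):
        print(finding)
```

The check is deliberately content-blind: it needs only flow metadata, which survives the evasion improvements the section describes, and the allowlist of expected external destinations is what keeps the legitimate processor traffic from alerting. Thresholds for the number of terminals and the upload size are tuning knobs and should be set from the store's own baseline.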

Recommendations

Organizations worried about the security of their POS devices and looking to move beyond compliance-based security frameworks, such as PCI-DSS, should start by closely examining the Council on Cyber Security's 20 Critical Security Controls (CSCs).[14] Developed in partnership with the NSA, international agencies and private industry, the controls use an "offense informs defense" approach to generate a prioritized list of actions designed to have the greatest impact on improving an organization's risk posture against real-world threats.

For organizations with limited resources, or those looking to rapidly reduce the attack surface of POS devices, the following five "Quick Win" CSCs should be prioritized to most effectively address the need for greater breach protection:

1. Application whitelisting (CSC 2)
2. Use of standard, secure system configurations (CSC 3)
3. Patch application software within 48 hours (CSC 4)
4. Patch system software within 48 hours (CSC 4)
5. Reduced number of users with administrative privileges (CSC 3 and CSC 12)

Focused first on prioritizing security functions that are effective against the latest advanced targeted threats, such as the RAM-scraping malware currently targeting retail systems, these controls place a strong emphasis on security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. The controls have proven effectiveness, are easy to understand and provide a solid starting point for any organization looking to adopt an "offense must inform defense" approach. However, the controls should be considered only as a first step for any organization seeking to develop a robust POS security program.

Notes
[14] Critical Security Controls for Effective Cyber Defense, www.sans.org/critical-security-controls/control/19
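The five Quick Wins only reduce the attack surface if they are measured continuously on every terminal rather than attested once a year, which is the point the section makes about compliance stamps. The evaluator below is an added example, not code from the whitepaper or the Council's own tooling; it turns the five controls into checks over one terminal's inventory record and returns findings tagged with the CSC they map to. The hash allowlist, configuration baseline, admin-account limit, hostname and patch identifiers are all constructed placeholders, and the 48-hour window is the one the recommendations state.

```python
import hashlib
from datetime import datetime, timedelta, timezone

PATCH_WINDOW = timedelta(hours=48)   # CSC 4 target stated in the recommendations
MAX_ADMIN_ACCOUNTS = 2               # assumed local policy for a POS terminal


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist (CSC 2): digests of the only executables permitted on a terminal.
APPROVED_IMAGES = {sha256_hex(b"constructed pos-app build 4.2"),
                   sha256_hex(b"constructed payment-lib build 1.9")}

# Constructed hardened baseline (CSC 3): settings every terminal must carry.
BASELINE_CONFIG = {"remote_desktop": "disabled", "autorun": "disabled", "guest_account": "disabled"}


def evaluate_host(host: dict, now: datetime) -> list:
    """Return (control, finding) pairs for one terminal's inventory record."""
    findings = []

    # CSC 2: application whitelisting; anything running that is not on the allowlist.
    for name, image in host["running_images"].items():
        if sha256_hex(image) not in APPROVED_IMAGES:
            findings.append(("CSC 2", f"unapproved executable running: {name}"))

    # CSC 3: standard secure configuration; any drift from the baseline.
    for key, expected in BASELINE_CONFIG.items():
        actual = host["config"].get(key)
        if actual != expected:
            findings.append(("CSC 3", f"config drift: {key}={actual!r}, baseline {expected!r}"))

    # CSC 4: application and system patches outstanding beyond the 48-hour window.
    for kind in ("application", "system"):
        for patch in host["pending_patches"].get(kind, []):
            age = now - patch["released"]
            if age > PATCH_WINDOW:
                hours = age.total_seconds() / 3600
                findings.append(("CSC 4", f"{kind} patch {patch['id']} outstanding for {hours:.0f}h"))

    # CSC 3 and CSC 12: number of accounts holding administrative privileges.
    admins = host["admin_accounts"]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(("CSC 3/12", f"{len(admins)} admin accounts, policy allows {MAX_ADMIN_ACCOUNTS}"))
    return findings


NOW = datetime(2014, 10, 15, 12, 0, tzinfo=timezone.utc)

# Constructed inventory record for one terminal; patch ids are placeholders.
SAMPLE_HOST = {
    "hostname": "POS-LANE-07",
    "running_images": {
        "pos-app.exe": b"constructed pos-app build 4.2",
        "payment-lib.dll": b"constructed payment-lib build 1.9",
        "svchost_update.exe": b"constructed unknown binary",   # not on the allowlist
    },
    "config": {"remote_desktop": "enabled", "autorun": "disabled", "guest_account": "disabled"},
    "pending_patches": {
        "application": [{"id": "APP-PATCH-PLACEHOLDER", "released": NOW - timedelta(days=5)}],
        "system": [{"id": "SYS-PATCH-PLACEHOLDER", "released": NOW - timedelta(hours=20)}],
    },
    "admin_accounts": ["storeadmin", "vendor-support", "helpdesk", "legacy-admin"],
}

if __name__ == "__main__":
    for control, text in evaluate_host(SAMPLE_HOST, NOW):
        print(f"{SAMPLE_HOST['hostname']}: [{control}] {text}")
```

On the constructed record the evaluator reports the unapproved executable, the remote-desktop drift, the application patch that is five days overdue and the four admin accounts, while the system patch released 20 hours ago is still inside its window. Feeding the same function every terminal's record from the inventory system gives a per-control score that can be tracked between PCI assessments.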

Conclusion

The PCI Security Standards Council has made great progress in improving the security posture of retailers and payment card processors, but the standards have been unable to keep pace with the latest threat landscape. As such, until PCI-DSS can keep pace with the actual threat landscape, payment card data exposures will continue to take place. Thus, those organizations that consider PCI-DSS information security standards sufficient will remain at high risk for a payment data breach. The crux of the issue is that organizations need to broaden their security policies and procedures beyond an annual PCI-DSS compliance stamp and adopt proactive "offense must inform defense" approaches to payment card security.

Review the complete whitepaper this Executive Summary introduces at www.sans.org/reading-room/whitepapers/bestprac/point-sale-pos-systems-security-35357.

About the Author

Wes Whitteker is a SANS Technology Institute graduate student.

Sponsor

SANS would like to thank this paper's sponsor:
