Case Study: Fast Food Security Breach (Multiple Locations)



Similar documents
Five PCI Security Deficiencies of Restaurants

Five PCI Security Deficiencies of Retail Merchants and Restaurants

Cloud Computing in a Restaurant Environment

Five PCI Security Deficiencies of Restaurants

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Wireless Services. The Top Questions to Help You Choose the Right Wireless Solution for Your Business.

$ Drive awareness and increase participation. National account program. Flexible managed Security Solutions for hospitality

PCI Data Security Standards (DSS)

PCI DSS 3.1 and the Impact on Wi-Fi Security

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Closing Wireless Loopholes for PCI Compliance and Security

PCI Compliance. Top 10 Questions & Answers

Beef O Brady's. Security Review. Powered by

The PCI Dilemma. COPYRIGHT TecForte

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Franchise Data Compromise Trends and Cardholder. December, 2010

Connect With Axiom

How To Protect Your Data From Being Stolen

Frequently Asked Questions

PCI Compliance Top 10 Questions and Answers

Frequently Asked Questions about PCI Compliance

Data Security for the Hospitality

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

Project Title slide Project: PCI. Are You At Risk?

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

WHITE PAPER. How to simplify and control the cardholder security environment

Conquering PCI DSS Compliance

Give Vendors Access to the Data They Need NOT Access to Your Network

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Failure to follow the following procedures may subject the state to significant losses, including:

Global Partner Management Notice

Accounting and Administrative Manual Section 100: Accounting and Finance

Recent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2

PCI DSS COMPLIANCE DATA

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI Compliance in Multi-Site Retail Environments

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

How To Control Credit Card And Debit Card Payments In Wisconsin

V ISA SECURITY ALERT 13 November 2015

PAI Secure Program Guide

Two Approaches to PCI-DSS Compliance

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Network & Information Security Policy

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Payment Card Industry Data Security Standard

Protect Data. Secure Business.

End-user Security Analytics Strengthens Protection with ArcSight

How To Secure Your Store Data With Fortinet

PCI v2.0 Compliance for Wireless LAN

Critical Security Controls

GFI White Paper PCI-DSS compliance and GFI Software products

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Target Security Breach

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Overcoming PCI Compliance Challenges

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

March

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

NACS/PCATS WeCare Data Security Program Overview

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

PCI: It Never Ends. Why?

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

The Business Case for Security Information Management

Kim Decarolis Compliance and Security Specialist (248) Mark Wayne Vice President Compliance and Security Specialist

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

74% 96 Action Items. Compliance

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Achieving PCI-Compliance through Cyberoam

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

PCI DSS Compliance White Paper

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

PCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett

PCI Compliance for Cloud Applications

Becoming PCI Compliant

Stable and Secure Network Infrastructure Benchmarks

You Can Survive a PCI-DSS Assessment

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Transcription:

CASE STUDY Fast Food Security Breach (Multiple Locations) Case Study: Fast Food Security Breach (Multiple Locations) By Brad Cyprus, SSCP - Senior Security Architect, Netsurion

Details Profile Case Study for a Fast Food Franchise Company profile: - The business is a franchisee of a national hamburger chain in the southern United States. - As of August, 2008 they had 8 locations. - Internal IT and resources and expenditures have been dedicated to maintaining their Point of Sale (POS) system. Little consideration was given for network maintenance (aside from supporting the POS installation), external security, or policy and procedures. - Their POS system is a sophisticated application that allows for centralized management, financial and operational reporting as well as high speed Internet credit card processing. - As a convenience, their customers were provided an Internet Hotspot that shared the high speed connection in use by the POS system. Insecure Remote Access Without Two Factor Authentication This franchise relied upon the POS software reseller to be their de facto IT department. The reseller performed a standard installation of the POS software and associated hardware at each location. At some point, the environment was breached; malicious software, also known as malware, was installed on their network. Malware is designed to either to cause damage or steal information from a system, or both. As a result of the original configuration, at least 2 of the 8 locations had credit card data stolen from the systems electronically. The malware was discovered at the locations where the security breaches occurred. Further analysis of the system uncovered that the shared Wi-Fi hotspots were not properly segregated, so direct access to the servers that processed credit cards was possible. It is likely that the Wi-Fi network played a role in the compromise of this customer s data by being a portal of entry for the discovered malware.

The franchise was notified by Visa U.S.A, Inc. and the U.S. Secret Service of the credit card theft, and now, a technical security audit will be required to validate the security and business practices at the compromised locations. The results of these audits and the extent of the theft will determine what type of fines and future requirements this business owner will face, assuming the franchises are permitted to continue to accept credit cards. The franchise owner realized that the future of his business, in part, rested on how the security of the locations was improved. The franchise owner also became aware that the credit card industry had already created the guidelines to protect a merchant environment. The standard developed by six of the largest credit card brands is known as the Payment Card Industry Data Security Standard (PCI-DSS), and the theory behind it is that merchants who follow it will be less likely to be breached. The challenge was finding a way to quickly adopt the standard which has 226 requirements; many small businesses have found this challenging to implement given their typical technical skill set. On the other hand, it is the only yardstick by which the major credit card brands measure the security compliance of a merchant. To become compliant, the franchise owner sought outside assistance to quickly achieve PCI-DSS compliance. He wanted a solution that provided unbeaten security that required minimal effort on his part, that had little to no impact on his business operations, and that fit a tight budget. Technical Situation The franchise owner had recently validated the security of his POS software to include the version number, so no upgrade was necessary to achieve PCI-DSS compliance. Each location has a computer network which included the terminals or workstations where orders are entered and the server which stored and processed credit cards. In addition, each location also has a wireless access point that was disabled once the vulnerability of the devices was discovered. Lastly, the customer relied on a Digital Video Recorder (DVR) system to record the activities of restaurants. The primary goal of the franchise owner was to protect this network in such a way that would enable him to operate his business while still satisfying the requirements of PCI-DSS. To be successful, any additions to the restaurants had to be able to protect the systems against the threats posed by the Internet and malware. Customers would have to also be able to access the Internet wirelessly without compromising the integrity of the card holder data environment. Furthermore, a successful solution must include a remote access module so that the franchise owner, restaurant store managers and their POS reseller could access the locations from off-site computers in order to monitor DVR sessions, review operating reports in real time and provide ongoing technical support While remote communication was critical to the customer, PCI-DSS has strict guidelines concerning the type of remote activity that is permissible and the logging that must accompany this type of communication. Additionally, the franchise owner wanted to alleviate a technical issue associated with broadband failure. In the event any of the locations suffer an Internet outage, credit card authorizations cannot be processed in real time. The system stores the data and holds it until the Internet communication is restored. If a credit card, processed in this off-line mode, is denied, then the business cannot collect on the debt and potentially loses the money associated with the charge.

The Netsurion Solution Turnkey security solution designed specifically for credit card merchants: VST Global Security Mesh (Firewall with Integrated Services): - Best in Class Firewall - Mitigates Internet based threats and protects the credit card environment. Both incoming and outgoing data is examined and managed before it is allowed to reach its final destination. - IP DataBlocker Stop malware or individuals with access to the network from sending data to prohibited Internet locations from within the customer environment. - Rogue Device Manager Detection and reaction in the event that an unauthorized computer system is physically added to a customer network. This will inform management of a potential issue by alerting them to the possibility that someone added a network device to their environment. - Real Time Monitoring 24 x 7 x 365 monitoring of traffic and error logs associated with communications and access. This allows the franchise owner to get a snapshot of the health of his network and to ask questions about potential issues. - Secure Remote Access Gateway Remote portal that allows secure access to system protected by the VST Security Mesh. For PCI-DSS, it includes two factor authentication. - Forced Configuration Manager Automated access controller that validates the configuration of a remote system before a allowing remote access. The franchise owner wanted validation on active anti-virus and active anti-spyware. - Automatic Broadband Failover Detects when the primary Internet connection fails and responds by initiating a redundant Internet connection. The redundant interface can be a second high speed Internet feed (cable modem) provided by the franchise owner, or as in this case, a dial-up modem connection provided as part of the managed service from Netsurion. Hot Spot Plus (Managed Wireless with Integrated Firewall): - Managed Wireless Environment Provides wireless hotspot for patrons to use without jeopardizing the cardholder environment, clearly separating public vs. private network access. - Family Friendly Internet Browsing Content engine associated with the wireless environment so that prohibited websites are inaccessible from within the franchise owner s location. The franchise owner selected the categories of excluded sites to include porn, violence, and hate. The list of permissible sites is maintained by SurfControl, Inc. and updated automatically on a daily basis. TrustVault Certificate (Mitigates the Cost Associated with a Breach) - $50,000.00 Guarantee Against Data Breach and Credit Card Theft Netsurion offers protection against future fines and assessment in the event of a breach. While this does not improve security by itself, it gives the franchise owner the assurance that if our system is penetrated as was the case for his previous environment, we will help him with paying direct breach related expenses.

Profile The franchise owner purchased the Netsurion solution and had it installed at every location in less than two weeks. By using this managed solution, the franchise owner reduced the required effort to become PCI-DSS compliant simply because this solution includes the necessary security and documentation that many small businesses find challenging. The bottom line is that the PCI-DSS evaluation was completed in less than 30 days after initial contact with Netsurion. Now, the franchise owner has much greater security at every location that includes monitoring and protected remote access. Upon termination, the remote access privileges of an employee can be revoked immediately from the centrally managed infrastructure. This ensures that a disgruntled worker is unable to cause havoc or threaten the card holder environment from the Internet. In addition, the franchise owner has the wireless access they need for both internal use and public convenience, and a partner willing to guarantee their solution for $50,000.00 at each location. Since the system was deployed, several unauthorized remote access attempts have been blocked and internal threats have been thwarted. The system reports errors in real time, and the Netsurion staff monitors the traffic to help prevent further credit card issues. When broadband failures occur, the monitoring center records the outage while automatically restoring Internet communication using a dial-up connection. Netsurion then works with the Internet provider of the customer to remedy the communication issues. The Netsurion solution solved both the security and business process issues experienced by this customer. Deployment Time Line About Netsurion Netsurion is a leading provider of cloud-managed IT security services that protect smalland medium-sized businesses information, payment systems, and on-premise public and private Wi-Fi networks from data breaches and other risks posed by hackers. Netsurion s patented remote installation technology and PCI compliant cloud-based solutions simplify the implementation process and ongoing support. Any sized branch or remote office, franchise, or sole proprietor operation can use Netsurion without the costs of onsite support. The company serves the retail, hospitality, healthcare, legal, and insurance sectors. 7324 Southwest Freeway Suite 1700, Arena Tower II Houston, Texas 77074 P: 713.929.0200 F: 713.541.1065

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information