Tech Insight: Defending Point-Of-Sale SystemsUS-CERT publishes advice on defending POS systems against attacks like those against Target, Neiman Marcus
Major hacks at retailers that include Target and Neiman Marcus have put a new spotlight on the security of point-of-sale (POS) systems. What may come as a surprise to some is that the memory-scraping malware attacks were nothing new. Last year, Visa published two "Visa Data Security Alerts" warning merchants of an increase in attacks targeting credit card data with specific references to memory-scraping malware.
The alerts were published in April (PDF) and August (PDF). The first stated that Visa has seen an increase in network intrusions involving grocery merchants since January 2013. August's update used nearly the same verbiage, but mentioned retail instead of grocery. The part that's of particular interest is how the attackers were carrying out the attacks.
"Once inside the merchant's network, the hacker will install memory parser malware on the Windows-based cash register system in each lane or on Back-of-the-House (BOH) servers to extract full magnetic stripe data in random access memory (RAM)."
With two notices earlier in the year, retailers breached in the fourth quarter had early notification that attacks specifically targeting POS systems had been on the rise. The alerts from Visa even included details on how to protect POS and related PCI systems from the types of attacks being carried out. So how is it that companies that were considered PCI-compliant had their POS devices and PCI environment compromised?
From a penetration tester's perspective, it is all too common to find merchants considered compliant as not necessarily secure. As an industry, we've been saying for years that compliance does not equal security, and these big data breaches are classic examples. It is easy to fill out a form that shows certain controls are in place, but the harsh reality is that rarely are those controls actually tested thoroughly to ensure their effectiveness at protecting cardholder data.
US CERT, part of the Department of Homeland Security, issued Alert TA14-002A on Jan. 2, 2014, titled "Malware Targeting Point of Sale Systems." The document discusses hardware and software attacks against POS systems and includes specific recommendations on protecting them. Unlike the Visa Alerts, US CERT has put together guidance that focuses specifically on security best practices without mentioning specialized hardware and software (i.e., EMV-enabled PIN-entry, SRED-enabled devices, and PA-DSS compliant payment applications).
Alert TA14-002A targets six areas that POS administrators should follow:
Use Strong Passwords: During the installation of POS systems, installers often use the default passwords for simplicity on initial setup. Unfortunately, the default passwords can be easily obtained online by cybercriminals. It is highly recommended that business owners change passwords to their POS systems on a regular basis, using unique account names and complex passwords.
Default passwords are the low-hanging fruit that penetration testers tend to go for first. It's amazing how often network devices and application servers are set up on a network with default passwords in place. Whether it's an administration interface for Apache Tomcat or something like HSRP for Cisco routers, it's difficult to find a network that doesn't have at least one system with a default password. A vulnerability scanner such as Nessus or NeXpose can help with finding these default passwords, but manual verification should be done also because vulnerability scanners don't have the default passwords for every device.
Update POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches. Like computers, POS systems are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.
Keeping POS applications updated should be part of the patch management strategy for every merchant. The common hurdle is that new versions generally cost money, which causes companies to avoid upgrades until technical problems arise. While the risks to POS software can sometimes be mitigated through other security controls, such as host intrusion prevention software (HIPS) and firewalls, it's important for merchants to remember that new versions also bring security and bug fixes that can help keep cardholder data safe -- they'll need to bite the bullet eventually and upgrade.
Install A Firewall: Firewalls should be used to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
A key tenet of the PCI DSS is that network segmentation and firewalls are essential. Host- and network-based firewalls should be used as part of a layered security approach. Traffic to and from the POS to systems should only be allowed if it is similarly hardened against attack. Where possible, the traffic should also be monitored by an intrusion detection/prevention system to detect and/or prevent attacks.
Use Antivirus: Antivirus programs work to recognize software that fits its current definition of being malicious and attempts to restrict that malware's access to the systems. It is important to continually update the antivirus programs for them to be effective on a POS network.
US-CERT is on target with its advice to use updated antivirus, but anti-malware protections should not stop there. Merchants should consider implementing a full endpoint protection suite that includes antivirus, HIPS, firewall, traffic inspection, and application whitelisting. While these solutions are not foolproof, they raise the bar for exploitation considerably.
Restrict Access To Internet: Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats existing on the Internet. POS systems should only be used online to conduct POS-related activities and not for general Internet use.
Unless the POS application specifically needs Internet access, it should be completely firewalled off from the Internet. In the situation that the POS software does need to communicate with systems on the Internet, firewalls should be used to strictly block all traffic except that to authorized systems. Application proxies should be used to proxy and inspect traffic to and from the Internet.
Disallow Remote Access: Remote access allows a user to log into a system as an authorized user without being physically present. Cybercriminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.
This is the only area of advice from US-CERT that might be considered overkill because it's going to make authorized remote management impossible. With proper firewall configurations restricting access only to authorized management workstations and multifactor authentication, remote access is perfectly acceptable. Of course, this is where companies get in trouble because they aren't always diligent in ensuring firewalls configurations are correct and the machines accessing them are secured.
POS systems are not difficult to secure if merchants would simply follow the advice that has been put out by Visa and the US-CERT. Most of the advice is based on security best practices that have been around for years. Unfortunately, it often takes a data breach for companies to have their eyes opened to the impact their negligence can have on their customers and their brands. Will Target, Neiman Marcus, and other retailers' recent troubles be the impetus companies need to secure their systems -- or will they have to experience a data breach firsthand?
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.