
These materials are © 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Point-of-Sale Security
Bit9 + Carbon Black Edition

by Kevin Beaver and Christopher Strand


Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition


Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2015 by John Wiley & Sons, Inc.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making
Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without
written permission. Bit9, Carbon Black, and the Bit9 + Carbon Black logos are registered trademarks
of Bit9, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons,
Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE
NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES,
INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.
THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT
ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL
PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE
FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS
REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER
INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE
INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT
MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN
THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department in the
U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For
information about licensing the For Dummies brand for products or services, contact
BrandedRights&Licenses@Wiley.com.
ISBN: 978-1-119-06306-3 (pbk); ISBN: 978-1-119-06300-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

Publisher's Acknowledgments
Some of the people who helped bring this book to market include the following:
Project Editor: Carrie A. Johnson
Editorial Manager: Rev Mengle
Acquisitions Editor: Amy Fandrei
Business Development Representative: Sue Blessing
Production Coordinator: Melissa Cossell


Table of Contents

Introduction ..... 1
    About This Book ..... 1
    Icons Used in This Book ..... 1

Chapter 1: Understanding Point-of-Sale Security Risks ..... 3
    Understanding Why Cybercrime is a Big Deal ..... 4
    Getting to Know the POS Attack Surface ..... 5
        Industries impacted ..... 5
        How businesses become targets ..... 6
    Knowing What's at Stake ..... 7

Chapter 2: The State of Point-of-Sale Security ..... 9
    The Current State of POS Security ..... 9
    Common Types of Attacks ..... 10
    End of Life and POS ..... 11
    POS Security Costs ..... 11
    Methods of Protecting POS Systems ..... 13

Chapter 3: Advanced Threats against Point-of-Sale Systems ..... 15
    Introducing Advanced Threats ..... 15
    Understanding Attacker Motivations ..... 17
    Executing Attacks in POS Environments ..... 18

Chapter 4: Recognizing Current Limitations in Point-of-Sale Protection ..... 21
    Antivirus Software Limitations ..... 21
        Signature-based scanning ..... 22
        Performance impact ..... 22
    Host Intrusion Prevention ..... 23
    Incident Response Services ..... 24
        Limited data availability ..... 25
        Limited scope ..... 25
        Home-grown tools ..... 26
        Expertise required ..... 26
        Non-continuous approach ..... 26
    Matching New Threats with New Capabilities ..... 26
        Responding quickly ..... 27
        Detecting potential threats automatically ..... 28
        Stopping malware execution ..... 28

Chapter 5: Solving the PCI Challenge for Point of Sale ..... 29
    PCI DSS as a Measuring Stick ..... 30
    PCI's Shift toward Application Control ..... 31
    Merging Compliance Policy with Security Controls ..... 32
    Ensuring Ongoing PCI Compliance ..... 32
    Mirroring the PCI Prioritized Approach ..... 34

Chapter 6: Deploying Proactive Point-of-Sale Security ..... 35
    Defining Your Requirements ..... 35
    Understanding the Security Maturity Model ..... 37
    Managing Smart Policies ..... 38
    Integrating with other Security Products ..... 40

Chapter 7: Ten Tips for Successful Point-of-Sale Security ..... 41


Introduction

Welcome to Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition. This book outlines in plain English how to protect your point-of-sale (POS) systems and cardholder data from malware and other advanced threats. POS technology is being targeted by criminal hackers more and more. You don't want to become yet another data breach victim.

About This Book

Whether you're just getting started down the path of securing your organization's POS systems or you're already neck-deep in the quagmire of security and compliance, there's a lot to learn and a lot to lose. This book highlights the must-have knowledge and requirements necessary for keeping your POS in check. We help you understand the history of POS technology and advanced threats. We also share with you the limitations of existing security controls and what you can do to ensure you have the proper protection for minimizing your business risks and complying with the Payment Card Industry (PCI) requirements. If you're an administrator, manager, auditor, or anyone otherwise in charge of managing or reviewing the compliance or information security of POS systems, this book is for you.

Icons Used in This Book

The following icons are used to indicate special content in this book:

- This is information you'll want to commit to memory.
- This is information that digs in a little deeper into the details in case you're interested.
- This is information that helps provide advice to highlight or clarify a key concept.
- Please pay attention when you see this icon! It provides cautionary information you won't want to miss.


Chapter 1

Understanding Point-of-Sale Security Risks

In This Chapter
- Looking into cybercrime and its impact on business
- Understanding why point-of-sale systems are under attack
- Studying the areas of weakness and challenges to securing point-of-sale systems

Cybercrime is occurring at unprecedented levels. In terms of time, money, and the resources needed to respond to threats and minimize the risks, breaches are exacting a costly toll on victims. These stealthy costs often don't appear as line items on financial statements for a number of reasons.

First, the costs of security breaches are often indirect, resulting in wasted resources and missed opportunities. They're difficult to quantify. Second, organizations are incentivized to downplay the effects of security breaches to avoid unwanted attention from the public and media, not to mention severe penalties from regulatory bodies. Third, many breaches go undetected altogether. You can't secure (or respond to) the security weaknesses and incidents you don't know about.

In this chapter, we outline why cybercrime matters, especially as it relates to point-of-sale (POS) security. We also discuss why POS systems are under attack as well as the threats and vulnerabilities experienced in POS environments that are contributing to the security challenges.


Understanding Why Cybercrime is a Big Deal

Almost every organization has some digital gold that outsiders may want to exploit. This data may include intellectual property, sensitive personal information about customers and employees, confidential business plans, or financial information. However, businesses with POS systems are particularly at risk given the potential for financial gains on the part of the criminal hackers.

The real value in POS systems is in their financial transactions, specifically the credit card numbers and other personally identifiable information (PII) they process and store. When POS systems are attacked, the price tag can be enormous. The costs associated with POS security incidents include detecting and responding to a breach, notifying victims, conducting post-response support, and lost business. There's also another factor: fines from government agencies, namely the Federal Trade Commission, as well as penalties and increased scrutiny associated with regulatory bodies and standards, such as the Payment Card Industry Data Security Standard (PCI DSS).

A security breach of your POS environment isn't all about you and how your organization handles things internally. Often, many outside parties get involved in the initial investigations as well as any ensuing sanctions and ongoing audits that will likely be required.

Clearly, data breaches involving POS systems are financially burdensome on the organizations experiencing them. In addition to these financial losses, organizations also suffer from lost time. Depending on the type of incident they experience, organizations may lose days, weeks, or even months of time to incident response activities. These losses are exactly what businesses operating in the retail industry don't need, especially during heavy shopping periods such as the holiday season. Other businesses operating in different industries can be negatively impacted as well, especially if they lose the capability to accept credit cards.


Getting to Know the POS Attack Surface

At its core, cybercrime is a numbers game. More businesses, networked computer systems, and security vulnerabilities lead to a greater chance of attacks. Throwing POS network complexity, lack of visibility, and even politics into the mix breeds the ultimate playground for criminal hackers, rogue employees, and the like to carry out their attacks for ill-gotten gains.

POS systems are in the crosshairs for the same reasons that certain operating systems and applications always seem to be targeted by hackers: they're in widespread use, and the weaknesses are fairly well-known.

According to World Bank estimates, there are more than 34 million POS devices globally, nearly 10 million of which are in the United States alone. These numbers aren't staggering considering the total number of computers around the world; however, POS systems are large targets and provide a great opportunity for bad things to happen nonetheless!

Industries impacted

When you think of POS systems and their related security risks, retail probably comes to mind. Given their recognition and visibility, it's no surprise that retailers find themselves the frequent targets of adversaries. Most retailers have relatively small IT and security staffs and find themselves struggling to apply those resources to both meet business requirements for 24/7 availability and simultaneously provide the level of security needed to protect sensitive credit card information flowing through their networks. Maintaining security and compliance can be difficult tasks in retail, as well.

POS security risks don't just impact traditional retail businesses. Numerous industries utilize POS systems in some capacity. If your organization transacts business in or around the following industries, it's likely affected by POS risks.

- Casinos and gaming: Given the need for a paper trail, a large number of gambling and gaming transactions take place via credit cards.
- Entertainment venues: Sports arenas, theaters, civic centers and the like are responsible for an enormous amount of credit card transactions each year.
- Healthcare: With an increasing population becoming dependent on the healthcare system, more and more transactions (doctor copays and related fees) are taking place via credit cards.
- Transportation: Airlines, bus and subway systems, and related transportation services do much of their business via credit cards.

As society shifts away from cash and checks for payments, countless other industries are relying more and more on POS systems for their daily operations.

How businesses become targets

In the modern era of business, computers are found in the darnedest places. From the reception area to the back office to the manufacturing floor, it's not unusual to find POS systems scattered about like any other networked computer. In fact, most POS systems are merely embedded personal computers running specialized software and, quite often, outdated versions of the Windows operating system.

Given the pervasiveness of POS systems in any given business, they're routinely targeted just like any other host on the network. Once criminal hackers are able to get in and confirm the presence of POS systems, those systems can become the target where all the malicious efforts are focused.

After attackers target an organization, they have many potential avenues of infiltration. While servers are likely targets, even the lowliest endpoint's sensitive information may be targeted, or the endpoint itself may provide an actor with a toehold on the organization's network that may be further exploited. Endpoints can then be used as entry points to get to other targets, such as servers, which are more likely to contain larger volumes of sensitive information.

Specific vulnerabilities that are often present and subsequently exploited on POS systems (and any others in the attack chain) include



- Default, blank, or otherwise weak passwords that allow direct system access
- Missing operating system and application patches that can be exploited for remote, and often undetectable, administrator-level, command-prompt access
- Absence of malware protection to analyze, block, and report threats in real time
- Minimal visibility into the overall network, which helps ensure IT and security staff are kept in the dark

Because of these common weaknesses, businesses are often unable to adequately protect POS systems against advanced threats. Just as bad, IT and security staff often don't find out about breaches until after the damage has been done.

Attackers don't care how they get in. Be it a server, a workstation, or a mobile device, if a system is accessible, physically in person or logically over the network, it represents an entry point into your POS environment. Once attackers are able to infiltrate the network, the risks to your POS systems and credit card information are front and center; all bets are off.

Knowing What's at Stake

Advanced attacks against POS systems are not only sophisticated, but also they're likely to go undetected, especially if security controls such as traditional anti-virus software are being relied upon. Time is money. The longer the attackers are able to control a POS environment, the more damage that's done.

Having a well-thought-out security program that addresses the unique needs of your POS environment is critical to minimizing your business risks. Every detail, from your security policies, to the technical controls that help enforce your policies, to the unique procedures and response plans required by your business, must be addressed on an ongoing basis.

When developing a security program, there are many costs you must consider. In addition to the direct costs of the security controls that you want to purchase, also plan for the costs of incident response. Investing in incident response pays dividends by lowering the cost of security breaches. Each time you respond to a security incident, you expend time and money investigating the compromise, notifying customers, and dealing with the aftermath.

While the aftereffects of a customer data breach are worrisome in their own right, you must also grapple with how the breach will affect ongoing compliance with key Payment Card Industry Data Security Standard (PCI DSS) requirements. Non-compliance can result in steep penalties as well as significant damage to your organization's brand.

Not only is it critical to have the proper systems and processes in place, but also it's equally important to have the right people managing it all in concert. All it takes is one piece of the POS security puzzle (such as an inattentive help desk, a disconnected compliance manager, or a network security operations team without the proper tools) to miss the big one: the POS security breach that brings your business to its knees. Even when internal audit staff and external auditors are looking in the right areas with the right tools and audit procedures, something unnoticed, or seemingly benign, can turn into a real security and compliance problem.

It's one thing to build out your POS security program but quite another to manage it well every day. Make sure every piece is getting the attention it deserves. But most importantly, don't just do it for the sake of compliance; do it with the longer-term goal of minimizing information risks.


Chapter 2

The State of Point-of-Sale Security

In This Chapter
- Looking at the current state of security in point-of-sale environments
- Understanding the common types of attacks
- Considering the security costs
- Protecting point-of-sale systems

Point-of-sale (POS) systems are under attack around the world. The United States alone has seen numerous high-profile breaches of POS security at large retailers. It appears that there's no end in sight for these types of attacks. In this chapter, we discuss the impact of advanced security threats on POS systems and outline some specific attacks. We also cover the costs associated with POS security along with specific solutions for making POS environments resilient and secure.

The Current State of POS Security

POS systems include a range of hardware devices, such as card readers, scales, scanners, and registers, as well as the software needed to support them. Increasingly sophisticated POS systems are linked to inventory management, ordering, and customer relationship management applications. POS systems make it possible for retailers to conduct transactions (often with credit cards) quickly and easily, providing a smooth and enjoyable customer experience.



The mere acceptance of credit card payments is the most notable security concern related to POS systems, as hackers motivated by financial gain attack retailers and other businesses in pursuit of credit card numbers and other personally identifiable information (PII).

Given the threats combined with what there is to lose, your POS systems should be a top security priority. The numbers don't lie. According to the 2014 Verizon Data Breach Investigations Report, in 2013 POS intrusions were the most common type of incident at food, beverage, and hospitality providers (75 percent) and at retailers (31 percent). Also, 74 percent of attacks against accommodation, food services, and retail companies from 2011 to 2013 targeted credit card information.

Common Types of Attacks

POS systems run on a range of operating systems, such as Windows Embedded, Windows XP, and newer versions such as Windows 7. They also run on Linux and UNIX. These systems are vulnerable to a range of attack types that could result in data breaches.

RAM-scraping malware is the greatest threat. This malware, which first appeared in 2008, has been behind the recent major retail breaches. It uses debugging software on POS systems to extract magnetic stripe data directly out of the computer's memory. The code behind this type of attack has morphed over the years, including the addition of bot functionality and stealth capabilities to avoid detection, but at its heart it remains the same.

Other common types of POS system security breaches include

- Tampering with personal identification number (PIN) entry devices, where a bug is planted in the device to capture PINs and credit card numbers, or where the entire device is replaced with a substitute
- Installing electronic skimmers at a remote POS device, such as a gas station pump, to collect credit card data
- Identifying open network ports in the POS system (used for maintenance by the system vendor) and installing software, such as a keylogger, to capture login credentials, credit card data, or other sensitive information
- Installing malware directly onto the system via a USB drive

End of Life and POS

When the operating system on a POS device is no longer supported by the vendor (for example, Microsoft), it creates significant challenges to keeping the POS secure and compliant. Windows XP-based POS systems are some of the most widely implemented in the world, and when Windows XP's end of life occurred in April 2014, all POS systems that relied on it were exposed to significant vulnerabilities.

Unsupported operating systems such as Windows XP aren't only vulnerable to attack, but they can also compromise your organization's compliance with PCI DSS.

Windows Server 2003's end of life (July 2015) also represents a significant security risk, much like Windows XP, with a significant number of businesses relying on it to run critical applications. Windows Server 2003 creates an issue that's directly tied to the security of POS systems because many such systems rely on server processing and storage to process transactions. If the server system is damaged or its integrity is broken, the entire system's security and compliance could be compromised.

POS Security Costs

An organization's ongoing security posture, its ability to keep its POS systems in a compliant state, and the controls used to measure both certainly influence the cost of maintaining its POS environment. However, the security costs associated with protecting POS systems are insignificant compared to the costs associated with a breach of credit card data or PII.

Costs related to POS system compromise include the following:

- Board-level and legal costs: The fallout from a security incident on POS systems should be a key concern for directors and legal counsel and can have negative effects on the board.
- Executive office costs: Indirect costs, including firings and forced resignations, can be felt at the executive level. These costs have been associated with high-profile credit card breaches.
- Stock price: A security incident can have a direct impact on the stock price of publicly-held companies through distrust and an ultimate decline in shareholder value.
- Reputation and brand damage: Customers will move to what they perceive as safer businesses in the event of a highly-publicized incident.
- Legal costs and penalties: The investigation, reporting, and litigation costs associated with a security incident can be huge.
- Compliance and regulatory costs: Aside from fines, after a security incident there's often mandatory increased focus and scrutiny placed on the business by the regulators as it pertains to security auditing.

Figure 2-1 shows the impact a security breach can have on your business.

Figure 2-1: The impact a POS-related data breach can have on your organization.

You need to consider all costs related to security breaches when budgeting and planning for the security solutions of your POS systems. A positive result of this analysis is that you can use the information to help build the case for a best-of-breed solution that solves your POS security challenges once and for all.

The return on your POS security investment may be difficult to quantify, but it's real. Consider the reduced risk and the avoidance of costs associated with data breaches such as penalties, lost revenues, reputational damage, legal fees, and more. Given that recent breaches have cost retailers tens of millions of dollars, properly securing your POS systems is clearly worth the investment.

Methods of Protecting POS Systems

Businesses relying on POS systems can defend them against RAM-scraping malware, Trojan horses, and other types of attacks using a number of tools and techniques, including

- Secure card readers/point-to-point encryption (P2PE): Data is encrypted at the point of swipe, and the encryption is maintained as the data is transmitted to the payment processor.
- Application whitelisting: Only approved applications are allowed to run on POS devices, making it impossible for malware to execute even if it's introduced to the environment.
- Firewalls: A security perimeter is built around networks and endpoints.
- Breach detection systems: Security teams are alerted when a breach is detected, based on a complex analysis (not to be confused with intrusion detection systems, which typically rely on signatures to detect illicit activity).
- Disabled remote access: Connectivity by POS vendors and other parties is disallowed.
- Updated and patched POS software: Vulnerabilities found in earlier versions of the software are avoided.
- Mitigating controls for operating systems beyond end-of-life (for example, Windows XP): Counter the impact of unpatched systems.
- Restricted POS system Internet access: Malware from sources such as illicit websites and email applications is prevented.
- File integrity monitoring: System administrators are notified when system components are changed.
- Anti-virus software: Nuisance malware with known signatures is blocked.
- Vulnerability scanner: Potential vulnerabilities introduced to the network and applications are identified for research and remediation.
- DLP software: Confidential data is detected, monitored, and protected in a variety of ways, depending on whether it's in use (endpoint), in motion (network), or at rest (storage).
- Physical access policies: Access to POS terminals is restricted to authorized personnel only.
- Routine cardholder data deletion: Stored data is routinely removed from the POS device.

A closer look at application whitelisting

Application whitelisting refers to a highly effective method of stopping malware-based attacks that works by allowing only trusted software to execute in the computing environment. Like a bouncer at a party, you determine the software allowed to execute in your environment and the whitelisting tool stops everything else from running.

A whitelist, in its simplest form, is a list of applications allowed to run in an environment. As a program attempts to execute, the whitelisting tool compares it to the approved list, typically looking at hash values to ensure authenticity, and either permits the application to run or blocks it from executing.

Because of the administrative overhead associated with maintaining a whitelist, leading products have adopted policy-driven approaches to application whitelisting where dynamic policies are used to identify and simplify the management of trusted software. Common policy techniques include the use of cloud-delivered trust ratings, internal trusted software directories, and the use of trusted publishers. This approach allows all software published and signed by a trusted author to be automatically added to the whitelist.
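To make the sidebar concrete, here is an added example (not code from the book or from any Bit9 + Carbon Black product) of a policy-driven whitelist decision in Python. An execution request is allowed only if its hash is on the approved list, it is signed by a trusted publisher, or it sits in a trusted software directory; anything else is denied by default. When a publisher or directory rule allows a file, its hash is recorded so that later decisions hit the fast hash path, which is the "automatically added to the whitelist" behaviour the sidebar describes. The publisher name, paths and file contents are constructed, and the signer field stands in for a code-signature verification that a real product performs.

```python
"""Policy-driven application whitelisting decision engine, added example.

Trust sources, checked in order: explicit hash whitelist, trusted publisher
(verified code-signing identity), trusted software directory. No match
means the program is blocked (default deny). All sample data is constructed.
"""
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional, Set, Tuple


@dataclass
class ExecRequest:
    path: str                     # on-disk location of the image
    content: bytes                # image bytes, hashed at decision time
    signer: Optional[str] = None  # verified code-signing subject, if any


@dataclass
class TrustPolicy:
    approved_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_directories: Set[str] = field(default_factory=set)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def under_trusted_dir(path: str, policy: TrustPolicy) -> bool:
    """True if path lies inside a trusted directory (Windows, case-insensitive).
    Paths are assumed to be normalized (no '..' components)."""
    p = PureWindowsPath(path.lower())
    for d in policy.trusted_directories:
        try:
            p.relative_to(PureWindowsPath(d.lower()))
            return True
        except ValueError:
            continue
    return False


def decide(req: ExecRequest, policy: TrustPolicy, learn: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason). With learn=True, a file approved through a
    publisher or directory rule has its hash added to the explicit whitelist."""
    digest = sha256_hex(req.content)
    if digest in policy.approved_hashes:
        return True, "hash on whitelist"
    if req.signer and req.signer in policy.trusted_publishers:
        if learn:
            policy.approved_hashes.add(digest)
        return True, f"signed by trusted publisher '{req.signer}'"
    if under_trusted_dir(req.path, policy):
        if learn:
            policy.approved_hashes.add(digest)
        return True, "located in trusted software directory"
    return False, "default deny: no trust source matched"


# Constructed sample inventory and execution requests.
POS_BINARY = b"constructed POS application build 1.0"
VENDOR = "CN=Example POS Vendor, O=Example Corp"  # constructed signer subject


def demo_policy() -> TrustPolicy:
    return TrustPolicy(
        approved_hashes={sha256_hex(POS_BINARY)},
        trusted_publishers={VENDOR},
        trusted_directories={r"C:\Program Files\POSVendor"},
    )


def demo_requests():
    return [
        ExecRequest(r"C:\Program Files\POSVendor\pos.exe", POS_BINARY),
        ExecRequest(r"C:\Users\cashier\Downloads\update.exe",
                    b"constructed signed vendor update", signer=VENDOR),
        ExecRequest(r"C:\Program Files\POSVendor\tools\report.exe",
                    b"constructed reporting tool"),
        ExecRequest(r"C:\Users\cashier\AppData\Local\Temp\unknown.exe",
                    b"constructed unknown binary"),
        ExecRequest(r"C:\Users\cashier\Downloads\other.exe",
                    b"constructed binary from an untrusted signer",
                    signer="CN=Some Other Publisher"),
    ]


def run_demo():
    """Evaluate each constructed request against the constructed policy."""
    policy = demo_policy()
    return [(r.path, *decide(r, policy)) for r in demo_requests()]


if __name__ == "__main__":
    for path, allowed, reason in run_demo():
        print(f"{'ALLOW' if allowed else 'BLOCK':5s} {path}  ({reason})")
```

Note the trade-off the trusted-directory rule introduces: anything written into that folder becomes runnable, so the folder's write permissions are part of the whitelist's security and should be restricted to the deployment process.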


Chapter 3
Advanced Threats against Point-of-Sale Systems

In This Chapter
Getting to know advanced threats
Understanding attacker motivations
Looking at the various stages of attacks against POS systems

Today more than ever, cybercriminals are targeting your point-of-sale (POS) systems using a new breed of advanced threats in order to steal and exploit your customers' personal and financial information. Retailers understand these security challenges, but many remain unable to adequately protect these systems due to a continued reliance on legacy antivirus solutions, which we discuss in more detail in Chapter 4.

Introducing Advanced Threats

Advanced threats are organized, well-resourced, and determined to achieve the objectives set out by their leadership. Unlike the script kiddie or casual hacker of decades past, the advanced threat, often a government or organized crime-funded entity, is a formidable adversary seeking out a specific target for exploitation.

You can implement what might be considered solid security controls, but your POS systems still won't be impervious to advanced threats using zero-day malware. If they want in badly enough, they'll do what it takes to find a way to penetrate your network.



As an IT or security professional, you should have a strong knowledge of the characteristics of advanced threats. By understanding the motivations, tools, and objectives of your adversary, you can better prepare your defense-in-depth approach to securing your organization's digital gold, namely the sensitive information involved with credit card transactions on your POS systems. The defining characteristics of the advanced threat include:

Range of technical tools: Advanced threats make use of a wide variety of technical tools. Instead of having a single piece of malware, the advanced threat often develops its own exploits. The code used by advanced attackers often makes use of otherwise undisclosed zero-day attacks for which the target (for example, POS systems) may have no defense.

Tactical sophistication: Advanced threats have experience on their side. Often well-funded, they have had time to develop a playbook for breaking into organizations. Out of their expansive toolset they use the least sophisticated assets necessary to achieve success and still have the ability to adjust to the victim's defensive posture.

Integration with human threats: Advanced threats don't limit their domain to technically sophisticated exploits. They understand and integrate the use of social threats as well, often leveraging phishing, social engineering, and traditional intelligence-gathering activities to amplify the effectiveness of their technical tools. The key here is that it's a human on the other end. You need to make tactical decisions, be creative in the face of a roadblock, and so on. Given the complexity of POS environments, the level of risk is increased.

Targeted at specific objectives: The targets of advanced threats are carefully determined and align with the objectives of their sponsors. They aren't opportunistic but, instead, seek out the systems or individuals that are very likely to contribute to their objectives. Advanced threats conduct targeting analysis and understand their adversary before engaging in an attack.

When most people think about the objectives of advanced threats, they naturally think about the military and political objectives of nations and think that they don't have resources that fit these objectives. Remember, however, that organized crime and political activists are also advanced threat sponsors. Simply having a public-facing website can make you a legitimate target. If you have POS systems, the criminal payoff and ensuing risks can be even greater.

Well-resourced: Governments, organized crime, terrorist groups, and other well-funded organizations are behind advanced threats. The sponsors of these groups provide them with financial means, technical talent, and intelligence-gathering capabilities that enable their success.

High degree of organization: Advanced threats operate more like military units than hacking clubs. They have well-defined leadership structures and operate very efficiently. They're organized around their mission.

The advanced threat is unlike any risk faced by previous generations of IT and security professionals. Organizations, individuals, and POS systems targeted by advanced threats are at the receiving end of a formidable attack, and you must organize your defenses accordingly.

Understanding Attacker Motivations

Many different types of advanced threat actors exist, and each one has different motivations. The common driving forces behind advanced attacks include the following:

Cybercrime: Many advanced attackers simply seek financial gain. They seek to steal money, obtain information, or hijack computing resources in an attempt to achieve a windfall.

Hacktivism: Other advanced attackers seek to use their hacking skills to advance a political agenda. They typically engage in denial of service attacks and website defacements designed to embarrass or disrupt their target.

Cyberespionage: Attackers in this category seek to steal information to gain a political, economic, or military advantage, and they are often funded and directed by nation-state governments.



Malicious insiders: Advanced attackers aren't necessarily limited to outsiders. For example, consider a disgruntled employee looking to steal information and sell it to a competitor or perform some type of sabotage.

The types of attackers targeting a specific organization depend on that organization's mission and its global reputation.

Executing Attacks in POS Environments

Advanced attacks can be carried out against POS systems in numerous ways. Given the network, application, and other corporate complexities involved in POS environments, the potential attack vectors are virtually endless. However, all attacks do have some common themes, shown in Figure 3-1, that you need to be aware of.

Figure 3-1: How cybercriminals launch advanced attacks against POS systems.


These themes include the following:

Vulnerability: Advanced malware attacks often start with something as basic as weak passwords, missing software patches, and the general gullible tendencies of users.

Method: Advanced malware injects itself into memory, collects desired information (for example, credit card track data), exfiltrates the data to another system, and uses a command-and-control (C&C) system for further actions as needed.

Involvement of additional systems: In most cases, the captured data is exfiltrated from the POS system to another system within the targeted environment for aggregation and then uploaded to a remote system, which reduces the chances of detection.

Opportunistic: POS malware families are very targeted and opportunistic and in many cases aren't detectable with traditional antivirus detection. Advanced malware families continue to evolve as evasion techniques improve, with several versions of each family in existence. This evolution helps to explain the continued difficulties in detecting and preventing this malware using traditional security controls.

The latest POS malware to make the news is being referred to as Backoff. Backoff is a family of retail-focused malware that has been witnessed recently in multiple forensic investigations, including those in the high-profile retail breaches. The malware typically consists of RAM scraping, keylogging, command and control, and process injection. A Backoff malware attack is what is often referred to as a stage-two attack. In this context, this means that Backoff is leveraged after attackers force their way in through remote desktop applications, typically via a weak Windows operating system password. After the attackers have accessed the remote desktop, they begin reconnaissance for any POS devices and attempt to install Backoff or similar POS malware on those systems. Even though attackers can take control of every other application in the attack chain, your POS system can be made safe and malware-free by putting the proper security controls in place, such as the positive security model technologies that Bit9 + Carbon Black offers.
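The stage-two sequence just described (password guessing against remote desktop, a successful RDP logon, then an unfamiliar program started on the POS host) leaves a recognizable trail in the Windows Security log. The following added example, which is not code from the book or from Bit9 + Carbon Black, shows detection logic for that trail in Python. It runs over constructed events shaped like Windows event 4625 (failed logon), 4624 with LogonType 10 (RemoteInteractive, that is, RDP) and 4688 (process creation); the hosts, addresses, logon ids, images and the per-host software inventory are all constructed, and the records are plain dicts rather than parsed event XML.

```python
"""Detection logic for the RDP stage-two pattern, added example.

Two checks: (1) an RDP success that follows many failed logons from the same
source in a short window (a guessed password); (2) a process created inside
that session whose image is not on the host's known-software inventory.
All events and inventory entries below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
T0 = datetime(2015, 1, 15, 2, 0)  # constructed: early morning, store closed


def at(minutes):
    return T0 + timedelta(minutes=minutes)


EVENTS = [
    # Six failed logons in six minutes from one external address...
    *[{"ts": at(i), "host": "POS-STORE12-01", "event_id": 4625,
       "user": "administrator", "src_ip": "203.0.113.45"} for i in range(6)],
    # ...then a successful RDP logon from the same address.
    {"ts": at(6), "host": "POS-STORE12-01", "event_id": 4624, "logon_type": 10,
     "user": "administrator", "src_ip": "203.0.113.45", "logon_id": "0x3e7a1"},
    {"ts": at(9), "host": "POS-STORE12-01", "event_id": 4688,
     "logon_id": "0x3e7a1", "image": r"C:\Windows\explorer.exe"},
    {"ts": at(12), "host": "POS-STORE12-01", "event_id": 4688,
     "logon_id": "0x3e7a1", "image": r"C:\Windows\Temp\unknown.exe"},
    # A store technician mistypes once, then logs on from the management LAN.
    {"ts": at(30), "host": "POS-STORE12-01", "event_id": 4625,
     "user": "possvc", "src_ip": "10.0.5.20"},
    {"ts": at(31), "host": "POS-STORE12-01", "event_id": 4624, "logon_type": 10,
     "user": "possvc", "src_ip": "10.0.5.20", "logon_id": "0x4a100"},
    {"ts": at(32), "host": "POS-STORE12-01", "event_id": 4688,
     "logon_id": "0x4a100", "image": r"C:\Windows\explorer.exe"},
]

# Constructed per-host inventory of images expected to run (lower-cased).
KNOWN_IMAGES = {
    "POS-STORE12-01": {r"c:\windows\explorer.exe", r"c:\pos\pos.exe"},
}


def find_guessed_rdp_logons(events, threshold=5, window=timedelta(minutes=15)):
    """Alert when an RDP success follows >= threshold failures from the same
    source within `window`. Returns one alert dict per suspicious session."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e.get("src_ip"))
        if e["event_id"] == 4625:
            failures[key].append(e["ts"])
        elif e["event_id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"host": e["host"], "src_ip": e["src_ip"],
                               "user": e["user"], "logon_id": e["logon_id"],
                               "failures": len(recent), "ts": e["ts"]})
    return alerts


def find_unknown_processes(events, alerts, known_images):
    """Stage two: any process created inside a flagged session whose image is
    not on that host's inventory. Returns (host, logon_id, image) tuples."""
    flagged = {(a["host"], a["logon_id"]) for a in alerts}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] != 4688 or (e["host"], e["logon_id"]) not in flagged:
            continue
        if e["image"].lower() not in known_images.get(e["host"], set()):
            hits.append((e["host"], e["logon_id"], e["image"]))
    return hits


def run_detection(events=EVENTS, known_images=KNOWN_IMAGES):
    alerts = find_guessed_rdp_logons(events)
    return alerts, find_unknown_processes(events, alerts, known_images)


if __name__ == "__main__":
    alerts, hits = run_detection()
    for a in alerts:
        print(f"{a['ts']} RDP logon on {a['host']} by {a['user']} from "
              f"{a['src_ip']} after {a['failures']} failures")
    for host, session, image in hits:
        print(f"  unknown image in session {session} on {host}: {image}")
```

The technician's single typo does not trip the threshold, which is the point of counting failures per source within a window rather than alerting on every failed logon. The second check is only as good as the inventory it compares against, which is the same known-good list that an application whitelist would enforce rather than merely report on.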


Can Chip & PIN prevent advanced attacks?

One of the security controls being suggested as a solution to the POS security problem is EMV, or Chip & PIN, technology. EMV, which stands for Europay, MasterCard, and VISA, is a decades-old global standard for integrated circuit cards with embedded microprocessor chips that store and protect cardholder data contained within a metallic square on the card. EMV Chip & PIN has yet to be adopted in the United States, although that is expected to change in 2015.

EMV technology helps protect the card data that's collected by POS systems, which will be locked up tight, deterring criminals from attempting to use physical card readers and skimmers. However, it's not a silver bullet in the effort to protect sensitive data from compromise and to solve the POS problem completely. Other areas within the typical payment systems expose both card and customer data.

Many of the well-publicized large-scale POS system breaches targeted the software that was responsible for processing the credit card transactions as well as collecting customer information such as user IDs and personally-identifiable information. Many organizations still house a treasure trove of this information on their back-end processing systems and servers that will still be prime targets. This information can even end up in log files, data backups, and on poorly-secured workstations and other endpoints, creating unnecessary risks.

Criminals may also turn to other techniques to use the technology shift to their advantage, such as the recent surge of replay attacks. In these attacks, criminal hackers were using recently stolen credit card information to spoof transactions on the credit card networks as chip-enabled transactions. Even in the European marketplace, where Chip & PIN has been in place for years, the tone regarding POS security is no different. The threat of data compromise on POS systems and the risk to sensitive data is taken just as seriously.

Having additional locks on the door (like EMV/Chip & PIN) is a great addition to your arsenal of protection, but you also need to make sure you have a real-time perspective on your systems. You need to take control of the data where it's processed and resides, but you also need the ability to take proactive measures in the event a security breach happens in your POS environment.


Chapter 4
Recognizing Current Limitations in Point-of-Sale Protection

In This Chapter
Understanding the limitations of traditional antivirus
Looking at the considerations for host intrusion prevention
Responding to threats quickly to stop malware outbreaks

The major retail security breaches have brought the traditional point-of-sale (POS) security model into the spotlight. Simply put, it doesn't work. Criminal hackers have the upper hand with their advanced malware attacks. Many of the existing antivirus controls are ineffective at best. Incident response times are getting longer, the very scenario you don't need when your POS systems come under attack.

In this chapter, we discuss the limitations of current POS security controls, outline how to match the new threats with new security capabilities, and show you how you can respond to advanced malware attacks more efficiently to produce the results you desire and to minimize the security risks in your POS environment.

Antivirus Software Limitations

Antivirus software, first introduced in the mid-1980s, is used to detect, prevent, and remove malicious software (malware) such as viruses, worms, spyware, and Trojan horses. This traditional security control, still in widespread use today, was pretty good at detecting and blocking known malware. Antivirus software simply matched questionable threats to a signature database of known malware and, voila!, the threats were blocked. The problem with a signature-based approach is that it doesn't provide an effective defense against advanced malware where the threats are unknown and often targeted to specific types of computers and applications such as those in POS environments.

Heavy dependence on POS systems combined with advanced malware that can evade traditional antivirus controls creates the perfect storm for network compromise.

Signature-based scanning

Antivirus software's major weakness is that it depends on signature-based scanning. Because antivirus software relies on identifying signatures in the files it scans, it is not an effective tool when confronted with unknown malware. If the antivirus software doesn't yet have a signature for a file that's found its way onto the system, that malware won't be detected and will be able to run freely.

In light of the rapidly-morphing malware landscape, keeping blacklist signature databases updated has become unsustainable for traditional antivirus software providers.

In a POS environment, antivirus software scans the systems for the presence of these malware signatures. Any file suspected to contain malware may be deleted, quarantined, or repaired to prevent system infection. The issue with this approach is that advanced attackers often leverage zero-day attacks for which there's no signature available. Attacks that are previously unknown to the security community will be able to slip right past a signature-based detection system. Additionally, malware authors can make very minor changes to their code that prevent it from matching existing signatures, rendering it undetectable by signature engines.

Performance impact

Antivirus software must analyze each and every bit stored on a system's storage devices and in its memory, looking for the presence of malware signatures. Given how quickly signature databases are growing, this scanning is resource-intensive, requiring the use of disk bandwidth, memory, and CPU capacity. When a malware scan runs on a system, the scanning software may have a noticeable performance impact on user activity, an undesirable side effect on POS systems.

Specifically, scanners must check every file on the system, not just those that are likely to be threats. The scanner must check the entire contents of each file, looking for signs of malware. In a retail setting, store system administrators can schedule scans during idle periods, but that leaves large chunks of time when no scanning is taking place. If scheduled scans occur during operating hours, they could result in unacceptable disruptions to customer service. When users experience these issues, they're more likely to attempt to disable or circumvent the security control that's interfering with their work.

Point-in-time scanning can be bad for business. Due to the performance impact of antivirus software conducting full system scans, these scans are usually scheduled to occur daily or weekly. These scans are often during evening hours when the scans won't impact normal user activity due to CPU, hard drive, and memory utilization. Even with POS systems running with the most advanced processors, solid state drives, and more memory than you can shake a stick at, system performance is still impacted by full antivirus scans. Not only are performance issues detrimental to POS transactions, but also such point-in-time scanning provides a threat window where malware can run uninhibited between scans.

Host Intrusion Prevention

Certain IT administrators and security managers rely on host intrusion prevention systems to supplement the protection provided by antivirus software. These packages, also known as behavioral host intrusion prevention systems (BHIPS), monitor activity on a system for malicious actions on the part of executable files. Unlike antivirus software, BHIPS don't rely on a database of known malicious software. Instead they monitor POS systems over time, develop a model of normal activity, and then flag deviations from normal behavior for administrator review.



In theory, BHIPS are the ideal supplement to antivirus software in POS environments because they have the potential to detect, and block, advanced threats in real time. However, in practice these systems require an excessive investment of time and effort to fine-tune and maintain. They also have very high false-positive rates, triggering alerts on non-malicious activity. The combination of these two limitations often results in administrators and users disabling BHIPS capabilities because of the time spent maintaining them and responding to false alarms.

The last thing you need in your POS environment is a security control such as BHIPS creating false alarms and blocking legitimate business transactions.

Furthermore, the information provided by BHIPS is often too shallow for useful analysis. It doesn't tell where unknown executable files were spawned and often doesn't provide historical data that facilitates the time-based analysis required by security analysts. The model used by behavioral systems is also not capable of incorporating external information containing the latest threat intelligence. Furthermore, stand-alone host-based systems can't assess network effects or correlate multiple reports received from systems across the POS environment.

Incident Response Services

When organizations find that they've fallen victim to a sophisticated cyberattack, they often retain the services of a firm that specializes in security incident response. These firms bring together teams of experts in a variety of security disciplines to quickly assess the incident, contain the damage, and restore the organization to secure working order as quickly as possible.

While these services are often invaluable when responding to a security incident, they're also quite expensive and available only for a limited duration of time. After the incident is resolved, the expert team leaves, and maintaining system security is once again incumbent on the organization's IT and security staff. You need to be careful in your approach to malware attacks and not rely completely on these response services.


Limited data availability

Information systems generate massive amounts of data and are capable of logging extremely detailed records about their activity. These logs often contain critical information necessary to reconstruct the events that took place during a security incident. Responders depend on the availability of a detailed audit trail to identify how an intruder gained access to a network, the scope of their activities, and the data that they may have stolen.

You know your network environment better than anyone else. When a breach impacts your POS systems, you can't just hand over the reins to a third party. You need to be prepared to be intimately involved in the response process: to ask questions of the incident response team, to answer their questions, and to ensure everything is being addressed in the best interests of your organization.

One of the major limitations of incident response services is that it's more than just collecting data; it's about collecting the right data and having a suite of tools available that allows you to understand it in context. When an incident occurs, the response is hampered by the lack of visibility into system events that took place while the attack was under way. Responders want to be able to quickly understand the relationships between systems and trace the spread of malicious files within the enterprise. Without purpose-specific tools in place before a breach, gathering all the data necessary for an effective incident response could take weeks or months.
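The two questions responders ask of a continuous activity record are "where was this unknown executable spawned from?" and "on which other systems, and when, did the same file appear?" The following added example (not code from the book or from Bit9 + Carbon Black) shows, in Python, the minimum a process-activity recorder has to keep to answer both: one record per process start carrying host, time, pid, parent pid, image name and image hash, plus a parent-chain query and a per-host first-seen query over the hash. Hosts, pids, timestamps and digests are constructed; keying processes on (host, pid) ignores pid reuse, which a real recorder handles with a unique process identifier and is assumed away here.

```python
"""Continuous process-activity recording with lineage and spread queries,
added example. All records, hosts and digests are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    ts: datetime
    pid: int
    ppid: int
    image: str
    sha256: str   # hash of the image file as recorded at start time


T0 = datetime(2015, 1, 15, 2, 12)  # constructed
H_UNKNOWN = "b7c1" * 16   # constructed 64-hex-char digest for unknown.exe
H_EXPLORER = "1a2b" * 16  # constructed digest for explorer.exe
A, B, C = "POS-STORE12-01", "POS-STORE12-02", "POS-STORE12-03"

RECORDS = [
    ProcessEvent(A, T0 - timedelta(hours=5), 400, 4, "winlogon.exe", "0000" * 16),
    ProcessEvent(A, T0 - timedelta(minutes=3), 1200, 400, "explorer.exe", H_EXPLORER),
    ProcessEvent(A, T0 - timedelta(minutes=1), 1500, 1200, "cmd.exe", "c3d4" * 16),
    ProcessEvent(A, T0, 1620, 1500, "unknown.exe", H_UNKNOWN),
    # The same binary shows up on two more registers later that night.
    ProcessEvent(B, T0 + timedelta(minutes=41), 988, 612, "unknown.exe", H_UNKNOWN),
    ProcessEvent(C, T0 + timedelta(minutes=58), 1044, 620, "unknown.exe", H_UNKNOWN),
    ProcessEvent(B, T0 + timedelta(minutes=70), 1001, 988, "unknown.exe", H_UNKNOWN),
]


def index(records):
    """Look-up table keyed on (host, pid)."""
    return {(r.host, r.pid): r for r in records}


def lineage(records, host, pid) -> List[str]:
    """Parent chain for (host, pid), root first. Stops at an unrecorded parent;
    the `seen` set guards against a cycle in malformed data."""
    by_pid = index(records)
    chain, seen = [], set()
    cur = by_pid.get((host, pid))
    while cur is not None and (host, cur.pid) not in seen:
        seen.add((host, cur.pid))
        chain.append(cur.image)
        cur = by_pid.get((host, cur.ppid))
    return list(reversed(chain))


def spread(records, digest) -> List[Tuple[datetime, str]]:
    """First time each host executed a file with this hash, earliest first."""
    first = {}
    for r in records:
        if r.sha256 == digest and (r.host not in first or r.ts < first[r.host]):
            first[r.host] = r.ts
    return sorted((ts, host) for host, ts in first.items())


def patient_zero(records, digest) -> Optional[ProcessEvent]:
    """Earliest recorded execution of this hash anywhere, or None."""
    hits = [r for r in records if r.sha256 == digest]
    return min(hits, key=lambda r: r.ts) if hits else None


if __name__ == "__main__":
    pz = patient_zero(RECORDS, H_UNKNOWN)
    print("first seen:", pz.host, pz.pid, pz.ts)
    print("lineage   :", " -> ".join(lineage(RECORDS, pz.host, pz.pid)))
    for ts, host in spread(RECORDS, H_UNKNOWN):
        print(f"{ts}  {host}")
```

Because the record is written continuously rather than reconstructed after the fact, the lineage query shows that the unknown binary was started from a command shell under an interactive session on the first register, and the spread query gives the order in which the other registers need to be isolated, without waiting for a forensic image of each one.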

Limited scope

When an incident response team arrives at an organization, they have a clearly defined scope of services. This is normally limited to identifying the circumstances surrounding a particular security incident and remediating the vulnerabilities that contributed to that incident.

Incident response teams often use sophisticated forensics analysis and response tools that are licensed to the incident response firm. They don't leave these tools behind for you to use on an ongoing basis. In cases where the tools are open source or the organization opts to purchase a license, the incident response firm wouldn't normally integrate them into your normal IT and security operations.

Home-grown tools

Many companies, and even some incident response firms, rely on the use of custom-developed tools that have been handed down through the ranks of incident responders. While they may be effective, they're the IT equivalent of duct tape and chicken wire. There's rarely any documentation or knowledge transfer on how to use such tools outside of one or two people.

Expertise required

Incident response is a specialty skill, and experienced professionals are highly sought after and very well compensated. Only the largest organizations are able to maintain a full-time incident response staff, making it difficult to maintain incident response tools on an ongoing basis.

Non-continuous approach

Traditional incident response activities are targeted at a very specific activity instead of designing the type of continuous monitoring program that's essential to maintaining security in the age of advanced attacks. The alternative, and the only proven approach, is to implement a solution that allows for real-time continuous recording of POS systems activity.

Matching New Threats with New Capabilities

Organizations seeking to maintain secure POS operations in this risk-laden environment must maintain a set of security controls designed to meet today's threats instead of those that were deemed adequate in years past. A new way of thinking is required and some important security decisions need to be made.


Responding quickly

Conventional security defenses are too slow. No matter how dedicated and talented they are, IT and security staff simply can't keep up with the volume of data flowing through the enterprise, especially in complex POS environments. Security systems such as intrusion prevention systems, firewalls, security information and event management (SIEM) systems, and antivirus software generate massive amounts of information that adds to the overload. Many businesses experience hundreds, or even thousands, of alerts each day and simply don't have the staff to respond to them all or to triage them to a manageable level.

Not only must you find a way to respond to this information overload, but also you must do so in a rapid manner. It's true that a cybercriminal may take months to identify targets, develop specialized malware that exploits specific vulnerabilities in targeted systems, and install command-and-control capabilities on targeted systems. Despite this, most advanced attacks aren't detected or stopped in time to prevent theft or damage.

You've heard the saying "When seconds count, the police are only minutes away." The same goes for security threats against your POS environment. Time is of the essence. Without good information, it's hard to respond efficiently to advanced attacks.

After an attacker successfully infiltrates a system, the actual theft of data can take place rapidly. Massive amounts of information can be stolen in mere minutes or seconds. Security systems must be capable of quickly identifying an attack in progress and taking automated action to prevent damage.

In addition to reducing the delay in initiating a response, security systems should increase the efficiency of response staff. In some cases, enterprises implementing next generation security tools have been able to achieve significant time savings. With the new technology, one guy in one hour can do what it used to take ten guys ten days to do.


Detecting potential threats automatically

The modern threat operates faster than any incident response team can analyze and react to information. Security technologies that are configured to require administrator intervention before a response occurs are ineffective because the time taken by the administrator to analyze the attack may be longer than the short duration of the attack itself. Given the cardholder data that's at risk, this time window is especially crucial for attacks against POS systems.

Effective security controls must be capable of autonomous operation. This doesn't mean that you don't need trained security staff; it simply means that they should be spending their time installing, maintaining, and monitoring automated response controls instead of conducting security response manually. Even the best security tools must be custom-tailored to the unique operating environment of your organization, and that's where well-trained IT and security professionals can lend valuable expertise.

Stopping malware execution

Embedding automated detection techniques in your environment is the first barrier to advanced threats, but successfully protecting your organization's security requires actually blocking and preventing suspicious software execution until the issue is resolved on the affected POS systems. Unless and until you have the proper means for stopping the actual execution of malware, there's work to be done.


Chapter 5
Solving the PCI Challenge for Point of Sale

In This Chapter
Using PCI compliance as a baseline for POS security
Shifting toward proactive security control
Looking at PCI's prioritized approach for POS security

The Payment Card Industry Data Security Standard (PCI DSS) was created to set a standard for controls that protect credit card data used in transactions, stored in databases, and transmitted over systems, all of which are included as functionality on most point-of-sale (POS) devices. This coverage means that the majority, if not all, POS systems are covered under the PCI DSS compliance requirements.

Not only do you have to ensure that your POS systems are continually compliant with PCI but also that security controls are in use and actively protecting the credit card data they process and/or store.

In this chapter, we discuss the benefits of utilizing PCI DSS as a continuous measuring stick to gauge the effectiveness of POS security. We also outline how the theme shift of the recent version of PCI DSS, version 3.0, can have a positive influence on the goal of ensuring a continuous security measure for POS systems.


PCI DSS as a Measuring Stick

The threats to sensitive data on POS systems have been growing rapidly ever since PCI DSS was put into action. With that growth, there's been a tendency among businesses and auditors to measure POS security effectiveness directly against the requirements within the PCI standard note for note.

The end goal for POS systems should be the most effective security program to protect sensitive data rather than a compliance check mark. Compliant doesn't always mean secure, and a mere checklist of requirements does not get your POS systems to a final state of security.

The "just get by" approach is being called out, so to speak. When aligning POS security with the current PCI requirements, consider the industry-accepted recommendations:

Don't underestimate the effort involved. PCI compliance requires time, money, and executive sponsorship. It needs to be part of everybody's job (application developers, system administrators, executives, and even staff in shops and call centers), not just left to the IT security team.

Make compliance sustainable. An organization must complete thousands of tasks throughout the year to stay compliant. To be sustainable, compliance needs to be embedded in business as usual as an ongoing process.

Think of compliance in a wider context. The best thing you can do to simplify your PCI compliance workload and achieve real security is to put your compliance program within your wider governance, risk, and compliance (GRC) strategy.

Leverage compliance as an opportunity. Done properly, PCI compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate additional equity. Think of it as an opportunity rather than a burden.

The task at hand may seem daunting when you consider all the variables that need to be considered for POS systems in the current threat landscape. However, if you step back and take a look at the new requirements in PCI DSS 3.0 from a prioritized perspective, figure out what controls you need to address first, and address the ones that have the greatest effect on your critical business processes, it's not as complicated as it may seem. After you have the critical controls in place, think about how to prove that the controls are actually doing what they are supposed to be doing. You will have the answers to the compliance questions that come up during audits, and you will put your POS systems in a better state of security.

PCI's Shift toward Application Control
One of the biggest changes in the PCI DSS 3.0 standard is the move toward being more proactive when it comes to measuring your security controls. For POS systems, this involves ensuring that the information used to measure both the compliance and security status is as close to real time as possible while focusing the analysis on a smaller subset of data.

The first validation shift that can help to enable compliance and improve security posture is a move from negative to positive security. With this model, rather than blocking the attacks that are known to be bad, you allow the transactions that are known to be good. This shift provides continuous compliance and full protection while enabling real-time visibility of your in-scope PCI assets. You'll get a better hold on measuring risk, verifying controls, and continuously monitoring security. Adopting an approval-based (trust-based) security posture will enable merchants with POS systems to reduce the administrative costs of normal pre- and post-compliance analysis, free up endpoint system processing power, and protect systems after critical patch support has ended.

Moving POS endpoints into a positive security posture helps to lower administrative effort, reduces scope, and enhances performance. It allows focus on the known good rather than a list of things that are bad, and eliminates the need to constantly scan the POS endpoint to detect malware. Positive security easily exposes and enforces adherence to compliance while protecting POS systems by placing them in a default-deny state, where anything that's not part of the trust policy cannot execute.


Merging Compliance Policy with Security Controls
The convergence of security controls with compliance policies has been gradual. It hasn't always been a natural synergy for security and compliance to work together in this way. When it comes to measuring the true security posture of POS systems, there are many benefits to using PCI DSS as a guide to implementing such controls. The ideal outcome is a convergence of compliance and security that provides active intelligence: answers on the enforcement of the audit controls and also on the current security posture and risk.

Many PCI controls can be used to help synchronize the compliance evidence with the security metrics. For POS systems, a positive solution must

- Require very few system resources
- Proactively drive a security policy to the endpoints by allowing only trusted applications to run
- Detect, identify, rank, eliminate, and block malicious software

In addition, a positive security solution can

- Provide visibility into what's happening on all IT assets
- Categorize the risks, without relying on signatures
- Verify and scrutinize the security controls
- Perform continuous monitoring of these controls
- Provide reports that enable IT to take proactive, corrective actions and/or prove compliance

Ensuring Ongoing PCI Compliance

By placing POS systems into a positive security posture, measured against a trust policy (only the software you trust can run on your enterprise systems), you will be able to continuously monitor and record all activity on your POS systems and other corporate endpoints for real-time detection and denial of unauthorized software. You will be able to monitor the state of compliance at any given point within the assessment process to ensure that compliance really does equal the true state of security.

There are other benefits to a trust-based application control environment that can bring you closer to continuous PCI compliance. You will be able to

- Build intelligence around all of your file assets, including their prevalence, trust rating, and inherited vulnerabilities
- Report on any asset for an audit, a pre-compliance assessment, or security intelligence gathering
- Meet file integrity monitoring, control, and audit trail rules with continuous, real-time file monitoring
- Protect your critical configuration files from unauthorized changes
- Enforce your trust policies whether your systems are online or offline
- Focus only on those events that are relevant to your business and lower the cost of obtaining compliance data against a smaller dataset

PCI DSS 3.0's effect on POS security

PCI DSS 3.0 has had a substantial effect on the security of POS systems. Under this latest version of the PCI standard, POS systems are scrutinized much more than in the past. When assessing POS systems for security and compliance, keep these three main theme changes in mind:

- You must be able to identify, detect, and alert on any change to critical data.
- You must protect POS systems from threats, including those systems that haven't traditionally been affected by malware.
- You must ensure protection and PCI compliance at all integration points with the POS systems.

PCI DSS is very clear in what's required of organizations when securing the POS environment. Every situation is unique. However, POS systems that store or process cardholder data likely fall within the scope of compliance requirements.


Mirroring the PCI Prioritized Approach
The PCI DSS Prioritized Approach is a culmination of all the individual PCI requirements divided into six key milestones for businesses to consider. It provides guidance on how to focus on PCI DSS implementation and helps to reduce risk to the cardholder data environment as early on as possible within the compliance process.

Multiple benefits exist with mirroring the PCI Prioritized Approach when addressing security controls on POS. Table 5-1 shows four of the concentration areas you can benefit from.

Table 5-1    Benefits of the PCI DSS Prioritized Approach

PCI DSS Priority Area                        | The Positive Security Fit
---------------------------------------------|----------------------------------------------------------------
Protect systems and networks                 | Protection: Anti-malware and stopping advanced persistent threats (prevention)
Secure payment card applications             | Risk measure: Measure PCI and security risk and assess vulnerabilities (detection, visibility, prevention)
Monitor and control access                   | Monitoring critical systems (visibility, response)
Ensure all compliance controls are in place  | Enforcement: Prove security policies and device control (visibility)


Chapter 6

Deploying Proactive Point-of-Sale Security

In This Chapter
- Defining your unique requirements
- Understanding the Security Maturity Model
- Managing your smart policies
- Working with other security products

Now's the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems.

In this chapter, we discuss defining your unique requirements, assessing how the Security Maturity Model fits in, managing your ongoing smart policies, and ensuring your POS security controls work well with other security products on your network.

Defining Your Requirements

Not only does every organization have unique security requirements, but so does every POS environment. As you move toward selecting a POS threat detection, response, and prevention product, you should identify the requirements that are most important to your business and meet your specific needs. If you choose to conduct a request for proposal (RFP), you need to define these requirements well to solicit useful proposals from prospective vendors. Even if you don't go the RFP route, it's helpful to know what you're seeking before you begin evaluating products. Otherwise, you may find yourself in a "you don't know what you don't know" situation that you don't want to be in. As you set out on the path to selecting a POS security product, consider these key requirements:

- Visibility: Choose a product that allows you to record your environment continuously in real time. This real-time visibility fuels detection, response, and prevention. The more items of relevance it captures (memory operations, parent processes, registry access), the better.
- Detonation capabilities: Choose a product that doesn't lock you in to a single vendor. If you want to integrate with an existing detonation (the ability to execute suspect malware in an isolated virtual machine) or next-generation firewall product, make sure that the threat protection vendor has experience with that integration. Look for products that both take in information from detonators and can also push data out to those detonators.
- Enforcement capabilities: Your POS protection solution should provide you with a wide range of possible responses to a threat, including banning files by name or hash value and/or extracting suspect files from the system.
- Lightweight agent: Users don't want a heavy agent installed on their POS systems. Your goal should be to find a product with a lightweight agent that helps you identify security threats and respond to them appropriately. Defense without business/productivity disruption is a fundamental goal.
- Phased approach to default deny: Flexible threat detection, response, and prevention solutions allow you to work your way toward a default deny approach (blocking everything from the get-go) in a manner consistent with the culture and operating environment of your organization by allowing
  - your other chosen strategies to naturally impart trust
  - you to see how far that gets you in terms of measuring risk and assessing operational impact
  - you to target low-hanging fruit that gets you one step closer

- Signature-less detection: Your chosen solution should use a wide variety of data sources and detection approaches when evaluating suspicious files. You want to avoid signature-based approaches that are vulnerable to zero-day attacks. Ideally the product has a rules engine or API that lets you and your staff participate in the creation of new detection mechanisms. A vendor may even enable the sharing of security knowledge within its customer base and make that information available in the form of rules and policies.
- Efficient, high-value reporting and administration: The solution should provide you with standard templates and practices for getting information and actionable items and allow you to build out your own approaches as well.
- Professional services with proven expertise in deploying protection: Most deployments of POS security software take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security software in organizations similar to yours.

By spending the time and effort thinking about what you really need on the front end, you can maximize the value of your POS security software deployment and its ongoing management for years to come.

Understanding the Security Maturity Model

As you prepare to select and deploy proactive POS security protection, it's a good opportunity to assess the current state of your organization's information security. The following four areas help you determine the maturity level of your program:

- Oversight
- Technology
- Process
- People



For each area, you answer a series of questions that are compiled into functional area ratings and then overall ratings for each category. The maturity of your organization on each dimension is then assigned one of the following ratings:

- Nonexistent (0)
- Ad hoc (1)
- Repeatable (2)
- Defined (3)
- Measured (4)
- Optimized (5)

Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical environment and culture, bringing you value regardless of where your organization lies on this spectrum.

Managing Smart Policies

Signature-based detection is simply not effective against advanced threats for POS systems. While some people say that the alternative (whitelisting or application control) is too hard, they're not correct. These people think of whitelisting as a long list of appropriate files, but it's bigger, and better, than that.

Smart policies aren't plain old lists. They're covering mechanisms that catalog metadata, patterns, and system information to help detect nefarious behavior. They then impart trust to each of those items. Simply put, smart policies are a short list of observations and actions that describe a system state as positive, negative, or neutral. Smart policies distill application control and attack detection into an understandable and manageable task. That's why they're so valuable!


Do you trust all of the applications contained within your main software repository? If so, you can express that trust using a single smart policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust in a smart policy as well. If you receive threat intelligence reports that rate a given binary file as middling and requiring further investigation, a smart policy can also handle that situation.

Smart policies can overlap, which means that multiple smart policies can apply to a single file. POS security systems allow this to occur and come to conclusions about a suspect piece of malware by taking all of the trust ratings into account. Next-generation security products allow you to express policies as imparting trust on a spectrum.
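To make the overlapping-policy idea concrete, here is an added Python illustration of a smart-policy evaluator; it is not Bit9 + Carbon Black code and not from this book. The policy names, the -100 to 100 trust spectrum, the allow/deny thresholds, and the file events are all assumptions constructed for the example, and a file that no policy vouches for is denied by default.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INVESTIGATE = "investigate"


@dataclass(frozen=True)
class FileEvent:
    """Observations about a file seen on a POS endpoint (fields are assumptions)."""
    path: str
    sha256: str                  # placeholder strings below, not real indicators
    publisher_signed: bool
    from_trusted_repo: bool
    downloaded_by_browser: bool
    intel_rating: Optional[int]  # threat-intel score 0 (bad) .. 100 (clean); None = no report


@dataclass(frozen=True)
class SmartPolicy:
    """One observation-to-trust rule; several may apply to the same file."""
    name: str
    matches: Callable[[FileEvent], bool]
    trust: int                # trust imparted on an assumed -100..100 spectrum
    hard_deny: bool = False   # a match bans the file no matter what else applies


# Hypothetical policy set mirroring the three situations in the text, plus a ban rule.
POLICIES: List[SmartPolicy] = [
    SmartPolicy("trusted-repository", lambda f: f.from_trusted_repo, 80),
    SmartPolicy("signed-publisher", lambda f: f.publisher_signed, 30),
    SmartPolicy("browser-download", lambda f: f.downloaded_by_browser, -60),
    SmartPolicy("intel-middling",
                lambda f: f.intel_rating is not None and 30 <= f.intel_rating < 70, -20),
    SmartPolicy("intel-malicious",
                lambda f: f.intel_rating is not None and f.intel_rating < 30, -100,
                hard_deny=True),
]


def evaluate(event: FileEvent, policies: List[SmartPolicy] = POLICIES,
             allow_at: int = 50, deny_at: int = 0) -> Tuple[Verdict, int, List[str]]:
    """Combine every matching policy into one verdict.

    Returns (verdict, combined trust score, names of the policies that applied).
    Default deny: a file that no policy vouches for is not allowed to execute.
    """
    applied = [p for p in policies if p.matches(event)]
    names = [p.name for p in applied]
    if not applied:
        return Verdict.DENY, 0, names
    if any(p.hard_deny for p in applied):
        return Verdict.DENY, -100, names
    score = max(-100, min(100, sum(p.trust for p in applied)))  # clamp to the spectrum
    if score >= allow_at:
        return Verdict.ALLOW, score, names
    if score <= deny_at:
        return Verdict.DENY, score, names
    return Verdict.INVESTIGATE, score, names   # middling: needs a human look


# Constructed sample events; paths and hashes are made up for the illustration.
SAMPLE_EVENTS: List[FileEvent] = [
    FileEvent(r"C:\POS\app\posclient.exe", "<hash-1>", True, True, False, None),
    FileEvent(r"C:\Users\clerk\Downloads\setup.exe", "<hash-2>", False, False, True, None),
    FileEvent(r"C:\POS\tools\helper.dll", "<hash-3>", True, False, False, 55),
    FileEvent(r"C:\Windows\Temp\svc.exe", "<hash-4>", False, False, False, None),
    FileEvent(r"C:\POS\app\update.exe", "<hash-5>", True, True, False, 10),
]


def evaluate_all(events: List[FileEvent] = SAMPLE_EVENTS) -> dict:
    """Map each path to its verdict, the way an endpoint agent would log it."""
    return {e.path: evaluate(e)[0] for e in events}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, score, names = evaluate(e)
        print(f"{verdict.value:11} score={score:5d}  {e.path}  via {names or 'no policy'}")
```

Note that the signed helper with a middling intel rating lands in the investigate band rather than being silently allowed or denied, and that a hard-deny policy overrides trust imparted by the repository rule.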

Don't take deployment flexibility lightly

When it comes to enterprise security, one size does not fit all. Your operations may be more staff-centric or more automation-centric or somewhere in the middle. Your software deployment strategy may depend upon trusted repositories and configuration agents, or be nonexistent altogether.

At the same time, your company culture may be open and permissive or more traditional and controlled. On top of that, you may want to focus more on detection (finding the bad guys) or more on prevention and the default deny strategy. Only you will know how these things work in your environment.

One thing's for sure: you don't want a vendor or specific product that tells you what to do and how to do it. Instead, you want one that looks at your requirements and environment and then works with you to develop the right approach.

You need to be able to fit multiple solutions into the various parts of your ecosystem, and you need product knobs and dials that custom-configure each one. And depending on how daunting this sounds, you need a services partner that can guide you efficiently and effectively. This stuff really does matter!


Integrating with Other Security Products

Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infrastructure, you should select products that fully integrate with your SIEM and allow the use of correlation rules.

Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule that works with events from a Snort intrusion detection system may or may not be effective with information gathered from a similar NetWitness product. When designing correlation rules, organizations should ask these questions:

- What types of threats do we want to monitor?
- What are the typical attack patterns for such threats?
- What are the sources and types of events currently being tracked within the SIEM?
- Which of these events are used most often in monitoring for potential threats?
- How often do investigations resulting from those events result in false positives?
- When investigating an event, what types of additional information does the analyst need?
- Are we collecting the right data to make incident response quick and conclusive?
Using these questions to guide event correlation across a variety of security products enhances your security capabilities in many ways. It can reduce the time it takes to prioritize alerts and investigate incidents from days to minutes. Investigations are further expedited by locating every instance of a suspicious file across your POS systems. You can then analyze files (both automatically and on demand) that arrive on your POS systems to quickly determine their risk. Finally, you can ensure remediation by enforcing security policies that help in stopping an attack and preventing it from happening again.


Chapter 7

Ten Tips for Successful Point-of-Sale Security

In This Chapter
- Ensuring optimal defenses by using proven security controls
- Making sure your point-of-sale risks are minimized

Cybercriminals are getting increasingly sophisticated, and there's no end in sight. The threats, risks, and compliance requirements associated with point-of-sale (POS) systems have become so challenging that IT administrators, security managers, and compliance officers are scrambling to find reasonable ways to get their arms around it all.

In this chapter, we give you ten ways you can more easily reach your POS security and compliance goals:

- Minimize the customer data you collect and store. Acquire and keep only the data required for legitimate business purposes and only for as long as necessary. When data is no longer of business value or relevant to security compliance, properly dispose of it. Shred paper documents and remove hard drives from your POS systems and related computers. You can even take your security efforts a step further by encrypting the sensitive data you collect on laptops, mobile devices, flash drives, and backup tapes. Encryption makes it more difficult for unauthorized parties to read the data in the event of loss or theft.
- Manage the costs and administrative burden of the PCI compliance validation process. Try segmenting your infrastructure among multiple teams to minimize the complexity and scope of compliance. Having full visibility into all enterprise assets beyond your POS systems (for example, network hosts, applications, and databases) along with the necessary templates to determine PCI-relevant data gives you a snapshot of the corporate assets that are affected and helps minimize the compliance pains.

- Maintain PCI compliance throughout the checkout process to guard data against all the possible points of compromise. If you're able to detect transactional data point infractions in real time and stop anything introduced into your infrastructure that's outside of known software (such as advanced threats), you can ensure that transactional data (such as credit card numbers) is protected at every step along the way.
- Develop a strategy to protect your infrastructure on multiple levels. Eliminate every opportunity for cybercriminals to exploit your POS terminals, kiosks, workstations, and servers. The ability to collect endpoint information in real time provides you with the information to properly assess the risks. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.
- Maintain real-time inventory and actionable intelligence on all network systems, and control the overall security of your infrastructure to maintain PCI compliance. Employ multiple layers of security technology to stymie sophisticated hackers. Establish a baseline for the software that should reside on your POS and related systems. Schedule security patches on your own timetable and eliminate the need for constant profile scanning that can negatively impact the performance of your POS environment.
- Extend the life of your systems to keep them compliant. Often you can't upgrade for extended support after an operating system's end of life. By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach will keep you in the know, at all times, of what's running on every in-scope system across your organization. Rather than guessing what's compliant and what's not, you can determine on a real-time basis if you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.


- Use real-time sensors to test your security system regularly. By maintaining continuous, real-time file integrity monitoring and control, you can protect critical configuration files from unauthorized changes and meet file integrity monitoring and audit trail rules associated with your POS systems. You'll be able to identify all suspected vulnerabilities across your POS environment and proactively take action against specific types of files based on your organization's policies. You can achieve complete visibility into all changes and vulnerabilities that software updates may introduce by giving employees file rights and approvals into your organization's trust metrics. This increased visibility provides a wealth of information for penetration testing and will expose all known and potential vulnerabilities prior to those exercises. It will also help you determine which penetration tests to run because the coordinates can be created against a set of known possibilities rather than a negative set of data that can be difficult to decipher.
- Build measurable business intelligence around your business assets. By having good visibility into real-time file asset inventory information, you can build intelligence around all your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having such a high level of visibility enhances your ability to report on any asset at audit time or during pre-compliance assessments and security intelligence-gathering exercises, enabling you to take a proactive stance against anything running within your enterprise that's deemed untrustworthy.
- Conduct regular audits of security measures, especially connections commonly used as gateways for attacks, and make appropriate adjustments. A full audit of all significant PCI data and the surrounding events associated with an attempted file alteration is necessary for auditors to quickly assess your compliance stance and produce the necessary reporting for PCI compliance validation.
- Educate employees about their role in data security. Inform all employees of the potential threats to customer data and the legal requirements for securing it. This should include designating an employee to serve as information security coordinator who is responsible for overseeing all security efforts. Having a clear security policy in place helps set expectations and guide employees on the proper use of data, creating a more secure environment.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley's ebook EULA.
