Interested in learning
more about security?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Point of Sale Systems and Security: Executive
Summary
Copyright SANS Institute
Author Retains Full Rights
A SANS Whitepaper
Written by Wes Whitteker
October 2014
Sponsored by
Bit9 + Carbon Black
Point of Sale Systems and Security:
Executive Summary
With the Target breach as the most notable example, the last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Following recent events, it is clear that executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive “offense must inform defense” approach to POS security.
It is widely recognized that “2014 will be the year of the retailer.”1 Motivated by profit,
payment card thieves are increasingly turning to compromised POS devices as a primary source for unencrypted card data that can easily be sold to “dump shops” on the black market.2 Recent reports put the estimated profit from POS-related cybercrime in Russia
at more than $2.5 billion.3
“POS attacks have a good potential to get worse. There is a vast number of vulnerable devices, random infections, targeted attacks, and a reluctance of operators to provide the necessary level of protection. The result is big leaks.”
—Ilya Sachkov, CEO Group-IB4
As countless retail organizations have fallen victim to POS-driven information security breaches targeting consumer payment card data, pressure on retail executives to take further action to protect POS devices has risen dramatically.5
PCI Compliance Is Not Enough
Although, the Target breach is the most notable breach, several other well-known organizations have fallen victim to advanced POS attacks. The victims include names such as Home Depot; Neiman Marcus; Michaels Stores; Sally Beauty Holdings, Inc.; Supervalu; Albertson’s and many more.6 Looking deeper into this list of victims, it’s
important to recognize that many of these organizations were considered PCI-DSS compliant at the time of compromise and had invested heavily in systems to meet these compliance standards.7
SANS ANALYST PROGRAM
Point of Sale Systems and Security
1
Year of the Retailer
1 Networking Concepts Podcast, www.sans.org/course/security-essentials-bootcamp-style
2 “Peek Inside a Professional Carding Shop,” http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop 3 “Russian Hackers Made $2.5B Over The Last 12 Months,”
www.darkreading.com/russian-hackers-made-$25b-over-the-last-12-months-/d/d-id/1316631
4 www.darkreading.com/russian-hackers-made-$25b-over-the-last-12-months-/d/d-id/1316631
5 “Faltering Target Parts Ways With Chief,” www.nytimes.com/2014/05/06/business/target-chief-executive-resigns.html 6 “Home Depot’s payment systems hacked, 60 million shoppers reportedly affected,”
http://fox59.com/2014/09/18/home-depots-payment-systems-hacked-60-million-shoppers-reportedly-affected
7 “New Gartner findings for PCI Compliance and the StillSecure PCI Calculator,”
Year of the Retailer
(CONTINUED)
As noted in a report about big data breaches in 2014, including Home Depot and Target, “PCI is meant to protect card issuers and make sure that consumers feel safe enough to keep using credit and debit cards, therefore ensuring card issuers make a profit.”8 That
does not mean that data is absolutely safe.
While PCI-DSS provides a framework for improved payment processing, it is clear that it has been insufficient to ensure the security of modern retail POS systems. To truly improve the security posture of POS devices, organizations must take a more dynamic approach to secure POS environments moving forward—one that uses an “offense must inform defense” methodology.9
Why Payment Cards/POS Are Easy Targets
To understand why POS-driven breaches continue to occur, it is important to understand key payment card characteristics and payment card system deployment models that make this information and these devices easy and attractive targets.
First, let us look at the modern payment card. The magnetic stripe of the payment card holds the vast majority of the critical payment data and is broken up into three areas, referred to as tracks (see Figure 1).
Figure 1. Payment Card Physical Structure, Back Side
8 “PCI Compliance Under Scrutiny Following Big Data Breaches,”
www.cio.com/article/2836035/data-breach/pci-compliance-under-scrutiny-following-big-data-breaches.html
9 “The United States Cyber Challenge,”
www.whitehouse.gov/files/documents/cyber/The%20United%20States%20Cyber%20Challenge%201.1%20%28updated%205-8-09%29.pdf
To truly improve
the security posture
of POS devices,
organizations must
take a more dynamic
approach to secure
POS environments
moving forward—one
that uses an “offense
must inform defense”
Year of the Retailer
(CONTINUED)
SANS ANALYST PROGRAM
Point of Sale Systems and Security
3
Tracks 1 and 2, which are stored in an unencrypted format, are the focus for payment card usage. It is this unencrypted track data that thieves are most often attempting to steal when compromising POS devices because it contains the information necessary to create counterfeit cards or make fraudulent online purchases.
Second, let us examine the modern POS system architectures most commonly deployed. Most retailers today rely on one of five POS deployment architectures to process in-store transactions and not all are created equal: Store Electronic Payment System (EPS) Deployment Model, the POS EPS Deployment Model, the Hybrid/POS Store Deployment Model, the Gas Station Payment System, and Mobile Payments [near-field communication (NFC) and non-NFC]. The key point to understand with the various deployment models is that the payment data is more vulnerable in certain architectures because it touches more systems while in an unencrypted format.10
With the preceding information in mind (unencrypted data, data exposure during system processing, etc.), it is no surprise that payment card information is an easy target. When processed in memory, payment data is nearly impossible to defend if a POS system is compromised. As such, memory scraping has become a popular choice among bad actors. Scraper malware is very opportunistic, and it can be easily modified to target specific patterns of data (track data) in any operating system, enabling it to bypass traditional endpoint defenses, such as antivirus software.
Year of the Retailer
(CONTINUED)
Overview of Today’s POS Attack
The basic POS breach phases include infiltration, propagation, exfiltration and aggregation. The infiltration phase is where the attacker gains access to the target
environment. After accessing the target environment, the propagation phase takes place, where the bad actor spreads malware to the target systems (POS systems), which is often done via resources in the target environment (for example, domain controllers, remote administration tools, etc.). Once propagated, the malware injects itself into memory, where it collects the desired information (track data) and then exfiltrates the data to another system (aggregation) in the target environment. From the aggregation point, the data is uploaded to a system outside the target environment, thus reducing the chances of detection, as shown in Figure 2.
Figure 2. Cybercriminals’ Access Through POS Systems
It’s important to note that POS malware continues to evolve as evasion techniques improve. These constant improvements make detection by traditional antivirus detection very difficult, and in some cases not possible.11,12,13
11 http://digitaltransactions.net/news/story/Retailer-Confidence-in-Detecting-Data-Security-Breaches-Abounds_-But-Is-It-Warranted_ 12 “Report Puts PoS Malware Under the Microscope,” www.securityweek.com/report-puts-pos-malware-under-microscope 13 www.itweb.co.za/index.php?option=com_content&view=article&id=65151:Trustwave-intros-SIEM-Enterprise&catid=250
Recommendations
SANS ANALYST PROGRAM
Point of Sale Systems and Security
5
Organizations worried about the security of their POS devices and looking to move beyond compliance-based security frameworks, such as PCI-DSS, should start by closely examining the Council on Cyber Security’s 20 Critical Security Controls (CSCs).14
Developed in partnership with the NSA, international agencies and private industry, the controls use an “offense informs defense” approach to generate a prioritized list of actions designed to have the greatest impact on improving an organization’s risk posture against real-world threats.
For organizations with limited resources, or those looking to rapidly reduce the attack surface of POS devices, the following five “Quick Win” CSCs should be prioritized to most effectively address the need for greater breach protection:
1. Application whitelisting (CSC 2)
2. Use of standard, secure system configurations (CSC 3) 3. Patch application software within 48 hours (CSC 4) 4. Patch system software within 48 hours (CSC 4)
5. Reduced number of users with administrative privileges (CSC 3 and CSC 12) Focused first on prioritizing security functions that are effective against the latest advanced targeted threats, such as the RAM-scraping malware currently targeting retail systems, these controls place a strong emphasis on security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. The controls have proven effectiveness, are easy to understand and provide a solid starting point for any organization looking to adopt an “offense must inform defense” approach. However, the controls should be considered only as a first step for any organization seeking to develop a robust POS security program.
The PCI Security Standards Council has made great progress in improving the security posture of retailers and payment card processors, but the standards have been unable to keep pace with the latest threat landscape. As such, until PCI-DSS can keep pace with the actual threat landscape, payment card data exposures will continue to take place. Thus, those organizations that consider PCI-DSS information security standards sufficient will remain at high risk for a payment data breach. The crux of the issue is that organizations need to broaden their security policies and procedures beyond an annual PCI-DSS compliance stamp and adopt proactive “offense must inform defense” approaches to payment card security.
Review the complete Point of Sale Systems and Security whitepaper this Executive Summary introduces at www.sans.org/reading-room/whitepapers/bestprac/point-sale-pos-systems-security-35357.
SANS ANALYST PROGRAM
Point of Sale Systems and Security
7
About the Author
Sponsor
Wes Whitteker is a SANS Technology Institute graduate student.
Last Updated: June 22nd, 2016
Upcoming SANS Training
Click Here for a full list of all Upcoming SANS Events by Location
SANS Salt Lake City 2016 Salt Lake City, UTUS Jun 27, 2016 - Jul 02, 2016 Live Event
SANS Cyber Defence Canberra 2016 Canberra, AU Jun 27, 2016 - Jul 09, 2016 Live Event
MGT433 at SANS London Summer 2016 London, GB Jul 07, 2016 - Jul 08, 2016 Live Event
SANS London Summer 2016 London, GB Jul 09, 2016 - Jul 18, 2016 Live Event
SANS Rocky Mountain 2016 Denver, COUS Jul 11, 2016 - Jul 16, 2016 Live Event
SANS Delhi 2016 Delhi, IN Jul 18, 2016 - Jul 30, 2016 Live Event
SANS San Antonio 2016 San Antonio, TXUS Jul 18, 2016 - Jul 23, 2016 Live Event
SANS Minneapolis 2016 Minneapolis, MNUS Jul 18, 2016 - Jul 23, 2016 Live Event
SANS San Jose 2016 San Jose, CAUS Jul 25, 2016 - Jul 30, 2016 Live Event
Industrial Control Systems Security Training Houston, TXUS Jul 25, 2016 - Jul 30, 2016 Live Event
SANS Vienna Vienna, AT Aug 01, 2016 - Aug 06, 2016 Live Event
SANS Boston 2016 Boston, MAUS Aug 01, 2016 - Aug 06, 2016 Live Event
Security Awareness Summit & Training San Francisco, CAUS Aug 01, 2016 - Aug 10, 2016 Live Event
DEV531: Defending Mobile Apps San Francisco, CAUS Aug 08, 2016 - Aug 09, 2016 Live Event
SANS Portland 2016 Portland, ORUS Aug 08, 2016 - Aug 13, 2016 Live Event
SANS Dallas 2016 Dallas, TXUS Aug 08, 2016 - Aug 13, 2016 Live Event
DEV534: Secure DevOps San Francisco, CAUS Aug 10, 2016 - Aug 11, 2016 Live Event
Data Breach Summit Chicago, ILUS Aug 18, 2016 - Aug 18, 2016 Live Event
SANS Alaska 2016 Anchorage, AKUS Aug 22, 2016 - Aug 27, 2016 Live Event
SANS Bangalore 2016 Bangalore, IN Aug 22, 2016 - Sep 03, 2016 Live Event
SANS Chicago 2016 Chicago, ILUS Aug 22, 2016 - Aug 27, 2016 Live Event
SANS Virginia Beach 2016 Virginia Beach, VAUS Aug 22, 2016 - Sep 02, 2016 Live Event
SANS Brussels Autumn 2016 Brussels, BE Sep 05, 2016 - Sep 10, 2016 Live Event
SANS Adelaide 2016 Adelaide, AU Sep 05, 2016 - Sep 10, 2016 Live Event
SANS Northern Virginia - Crystal City 2016 Crystal City, VAUS Sep 06, 2016 - Sep 11, 2016 Live Event
SANS Network Security 2016 Las Vegas, NVUS Sep 10, 2016 - Sep 19, 2016 Live Event
SANS London Autumn London, GB Sep 19, 2016 - Sep 24, 2016 Live Event
SANS ICS London 2016 London, GB Sep 19, 2016 - Sep 25, 2016 Live Event
Digital Forensics & Incident Response Summit OnlineTXUS Jun 23, 2016 - Jun 30, 2016 Live Event