Cisco: POS Systems Key Vulnerability in Security Breaches

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.eweek.com/security/cisco-pos-systems-key-vulnerability-in-security-breaches.html

The personal data on the magnetic stripe of payment cards continues to be a
prime target for cyber-thieves, whose job is made significantly easier by
the vulnerabilities in the point-of-sale machines being used by retailers
such as Target, according to security officials at Cisco Systems.

The company's Threat Research, Analysis and Communications (TRAC) team took
a look at recent high-profile security breaches at Target and Neiman Marcus
and noted that as long as the United States continues to use such magnetic
stripe payment cards in everyday transactions, retailers in the country and
their customers will be at risk.
In a lengthy post on the Cisco blog site, Levi Gundert, technical lead for
TRAC, said the United States is one of few remaining first-world countries
that continue to use such cards, which makes U.S. businesses an easy target
for cyber-attackers. There are no more efficient ways for thieves to steal
"track data" from the stripes on these cards and many times the associated
PINs, Gundert wrote. The point-of-sale (POS) machines found in businesses
like Target are vulnerable to attacks because they use third-party software
that's installed in the systems.

"The problem is that the payment card data is susceptible to interception
in memory before the encryption process and transmission across the
network," he wrote.

To reduce the instance and damage from future POS attacks, businesses need
to consider hardware encryption devices at the point of sale.

"If POS hardware encryption remains an unjustifiable business expense,
companies should re-examine security policies to ensure that payment card
data is included in the critical data category," Gundert wrote. "This is
data that must receive a logical and operational moat to ensure absolute
detection of unauthorized access and irregular movement. There are too many
ways to initially compromise the network; rather it is the internal
critical data that must be identified, segmented, and monitored."

Target acknowledged Dec. 19 that a data breach into its U.S. retail stores
had affected 40 million customer credit and debit card accounts (it later
updated that number to 70 million). Exact details of the breach have not
been released, but Target officials said Dec. 27 that the customer PIN data
was encrypted using the Triple Data Encryption Standard (DES). Neiman
Marcus confirmed Jan. 10 that hackers also had stolen credit card
information of its customers.

In his blog post, Gundert outlines methods hackers will use to work their
way into large retail operations like Target and Neiman Marcus, and what
they'll do and look for once inside the network. He also outlined some
steps and tool sets network security professionals can use to better
protect the business from hackers and intruders.

"The most useful indicator of compromise (IOC) chain to focus on for future
detection is the importation of a tool set, a new process running on the
POS terminal, and finally the exfiltration of compressed files with uniform
size and frequency," Gundert wrote. "Create an operational play (and
playbook if needed) specific to alerting on this chain of events or any
specific event that can be effectively tuned to dispel the typical noise.
There are plenty of tool sets to accomplish the play."

In addition, businesses should leverage application and process change
detection on all payment card processing systems, he said.

"Any change on the end point or multiple end points should be cause for
immediate analysis," Gundert wrote. "Also, while most protocols tend to use
compression for efficiency and speed gains, the compression tools
themselves should be limited to an approved list."

Businesses that use POS machines need to take steps to better protect
customer data because those systems will continue to be at risk.

"The attacks on payment card data will continue to focus on POS systems,
but well thought out detection plays, and/or the implementation of hardware
encryption can dramatically help prevent future negative headlines," he
wrote.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.