BreachExchange mailing list archives

Tech Guest Viewpoint: POS - Point of Weakness: Five Security Steps


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 23 Dec 2015 18:23:00 -0600

http://www.chainstoreage.com/article/tech-guest-viewpoint-pos-point-weakness-five-security-steps

Retailers and hospitality enterprises have a weak point unique to their
business – the point of sale (POS) device. Despite significant investment
in security, it’s still too easy for cybercriminals to access corporate
networks via POS.

POS devices handle most of the payment card transactions around the world
for retailers, restaurants, hotels, grocers, and gas stations. Because
these systems are highly interconnected and accessed by numerous employees
and other devices, they remain a highly lucrative target for organized
cybercrime.

Compromised POS systems were the source of recent, major data breaches at
Target, Hilton Worldwide, Trump Hotels, Neiman Marcus, Subway and many
others. Experts speculate these systems are targeted because they are often
outdated and unpatched. Third-party vendors using default and shared
passwords, poor enforcement of corporate password policies, and phishing
attacks are often to blame for providing bad actors with initial access
points.

Once inside a retailer’s corporate network, lax internal controls and
configuration errors mean cyber criminals often have unfettered access to
every cash register, allowing them to remotely install POS-specific malware
that collects customer credit card information and transmits it straight to
black market crime rings.
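The RAM-scraping behaviour described above (malware searching register memory for card data and shipping it out) can be turned around into a detection check. The following is an added example, not code from the article or from any vendor product: a small Python scanner that looks for Track 2 records and bare PANs in a byte buffer and uses the Luhn check to discard digit runs that are not card numbers. The buffer, the function names (`scan`, `luhn_ok`, `mask_pan`) and the test PANs are constructed for illustration.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of 13-19 digits,
# '=' separator, YYMM expiry, 3-digit service code, discretionary data,
# '?' end sentinel. RAM-scraping POS malware searches process memory for
# exactly this pattern; the same pattern lets a defender find it first.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Bare PAN candidates: a run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the findings report does not leak PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(data: bytes) -> Dict[str, List[dict]]:
    """Return Luhn-valid Track 2 records and bare PANs found in a byte buffer.

    A bare PAN that sits inside an already-reported Track 2 record is not
    reported a second time.
    """
    track2: List[dict] = []
    spans = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        spans.append((m.start(), m.end()))
        track2.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })

    pans: List[dict] = []
    for m in PAN_RE.finditer(data):
        if any(s <= m.start() < e for s, e in spans):
            continue
        pan = m.group(1).decode()
        if luhn_ok(pan):
            pans.append({"offset": m.start(), "pan": mask_pan(pan)})
    return {"track2": track2, "pan": pans}


# Constructed sample buffer (not real data): one Track 2 record built around
# the Visa test PAN 4111..., one bare Mastercard test PAN 5105..., and two
# digit runs that look like card numbers but fail the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TXN_LOG\x00"
    b";4111111111111111=25121011234567890?"  # Track 2 record (constructed)
    b"\x00order_id=2015122300017\x00"         # 13 digits, not Luhn-valid
    b"5105105105105100\x00"                   # bare test PAN, Luhn-valid
    b"1234567890123456\x00"                   # 16 digits, not Luhn-valid
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_MEMORY).items():
        for h in hits:
            print(kind, h)
```

Run the same scanner over a memory dump of a register, a file share the vendor left behind, or a packet capture from the POS network segment. A Luhn-valid Track 2 record outside the payment application's own process, or in outbound traffic, is the indicator: PCI DSS forbids storing full track data after authorization, so it should not be found at rest anywhere.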

It’s past time for businesses to examine and enhance POS security
capabilities. Taking the following five steps can mitigate your risk of a
compromised POS, while preserving the powerful business benefits of these
systems.

*1. Take a Hard Look at Your Baseline Security Practices and Act on
Critical Gaps*
POS security breaches typically start with a breach of the corporate
network. The first step in protecting POS devices is to ensure baseline
security practices are being followed. Are your users creating strong
passwords? Are they changing them regularly? Are your network connections
protected by a firewall? Is your network traffic filtered for malware? Are
your employees’ BYODs screened before coming onto your network?

While these read like standard operating procedures, buttoning them down
will substantially reduce your risks. During installation, POS vendors
often use system default passwords for simplicity but fail to change them
later. It’s a simple matter for hackers to find these passwords online.

*2. Enforce Your Security Standards with Outside Vendors*
Your security is only as good as the weakest link – and that may be your
outside vendors who have access to your network. Are they adhering to your
security standards? How do you know? Target’s record-breaking data breach
came through the stolen credentials of a Target refrigeration vendor –
resulting in 110 million compromised customer records, lost business, class
action lawsuits, government investigations, and the resignation of the CEO.

*3. Implement all POS-specific Security Measures*
Today’s POS devices are mission-critical, sophisticated business devices.
Every POS implementation should have a robust, modern security solution. It
should leverage the power of the cloud, continuously update in real time to
keep pace with dynamic POS-specific malware, and guard against today’s
multi-layered threats. It should not shut down the POS – and shut down
sales – through too many “false positives” or limit the POS’s functionality
– and its value to your operations – by handcuffing its use.

*4. Develop Patch Protocol: Update POS Applications Regularly*
POS systems are function-specific computers and, like any desktop or
notebook PC, they are vulnerable to attacks when software updates and
patches are not downloaded and installed. Application vendors spend
considerable time fixing bugs and addressing critical security flaws. Make
sure that good work makes it onto your POS devices as soon as possible.

*5. Raise Awareness: Continuous Training Strengthens Front Line Defenses*
Even the best laid plans still rely on people to execute them. Despite all
the publicity about the risks of infected emails and websites, over 23% of
recipients open phishing emails, and 11% click on phishing attachments.
Nearly 70% of attacks involve inadvertent download of a malicious file from
an infected website.

Employees need to be kept informed of risks, trained in proper security
precautions, and retrained regularly to ensure the messages stick. Regular
emails to your team and online training can make this a much more
streamlined and effective process.

Taking these five steps will ensure your organization realizes the benefits
of its POS investment to maximize sales and productivity, while still
maintaining control over POS security. As we approach 2016, the very real
business, legal and regulatory risks of a data breach can no longer be
ignored. Securing your POS systems is a critical first step in
strengthening your entire organization from the inside out.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
