We have been getting calls all week from clients in the retail business. We have been working on a shim that may prevent some (but not all) of these leaks, or the potential for them. Of the POS systems we have recently examined, over 90% have no firewall configured, or the firewall is set up in such a manner as to allow pretty much anything to communicate. One of the easiest methods to stop malware would be application whitelisting. On POS systems there is usually the base operating system, additional software installed by the vendor, and the POS software itself.
One of the defenses a business could implement is application whitelisting, whereby only the POS software and any security software is authorized to execute on these systems. We understand that testing such a configuration is time consuming, but it would eliminate or minimize the likelihood that malware introduced to the system could be executed.
By configuring a known list of authorized software and installing an OS and network shim, you can monitor what attempts to run and quickly identify whether you have been the target of a breach.
Some recommendations for POS system vendors:
1. Do NOT use big-box bundled OS installations on your POS systems
2. Ensure that application whitelisting is enabled and that only your POS software is allowed to run
3. Disable any services not required by your application
4. Turn off MS network protocols if they are not needed (we are seeing Microsoft networking propagating malware on local networks in our lab on POS machines)
5. Configure your firewall to only allow point to point communications to systems that are required for operation and explicitly block everything else
6. Remove Windows or Linux utilities that are not needed
7. Put your POS devices on a separate network from your other devices. POS systems should be on a segregated and closed network
8. Secure the POS network with ACLs on routers and switches and ensure that only authorized destinations are reachable. We are seeing many organizations with ANY/ANY rules, and that's just plain stupid for many reasons.
9. Centralize your logging so you can detect when something tries to execute on your OS/network shim solution, and alert administrators to any attempts to run non-whitelisted software.
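A minimal version of the central-log check behind recommendations 2 and 9, written here as an added example (it is not SLC's shim or any product's code): each logged execution event is matched against a whitelist keyed on path and SHA-256, so both an unknown binary and a replaced binary sitting at a trusted path raise an alert. All hosts, paths and log lines are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed whitelist: an authorized binary is identified by its path AND the
# SHA-256 of its contents, so a replaced or patched file at a trusted path is
# still caught. Hashes are over constructed sample bytes, not real files.
SAMPLE_FILES = {
    r"C:\POS\register.exe": b"pos-register-binary-v1",
    r"C:\Program Files\AV\avscan.exe": b"av-scanner-binary",
}
WHITELIST = {p: hashlib.sha256(d).hexdigest() for p, d in SAMPLE_FILES.items()}

# Constructed execution events, one JSON object per line, as a central log
# server might receive them from an OS shim on each register.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "reg01", "path": r"C:\POS\register.exe",
     "sha256": WHITELIST[r"C:\POS\register.exe"]},
    {"host": "reg01", "path": r"C:\Users\Public\update.exe",
     "sha256": hashlib.sha256(b"unknown-binary").hexdigest()},
    {"host": "reg02", "path": r"C:\POS\register.exe",
     "sha256": hashlib.sha256(b"tampered-binary").hexdigest()},
])

@dataclass
class Alert:
    host: str
    path: str
    reason: str

def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert when the executed binary is not whitelisted, else None."""
    expected = WHITELIST.get(event["path"])
    if expected is None:
        return Alert(event["host"], event["path"], "path not whitelisted")
    if event["sha256"].lower() != expected:
        return Alert(event["host"], event["path"], "hash mismatch at whitelisted path")
    return None

def scan_log(log_text: str) -> List[Alert]:
    """Run every logged execution event through the whitelist check."""
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [a for a in map(check_event, events) if a is not None]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a.host}: {a.path} ({a.reason})")
```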
Normally we do not recommend whitelisting software, but in the POS world it just makes sense. If the malware is not authorized to run, it can't harm your systems. If your networks are properly configured they cannot be attacked with MITM attacks, and even if a POS system gets infected it won't be able to reach out to the attackers' systems, because your network devices are providing another layer of protection.
If you need assistance in securing your POS systems feel free to contact SLC Security Services LLC or visit our website at www.slcsecurity.com.