We all heard about recent successes of cyber criminals at some of the popular retailers. What was not picked up by the news that well is why this happened and what can be done to prevent these Point of System terminals (PoS) from being compromised.
First of all, why PoS systems is a sweet spot for authors of POSRAM and ChewBacca malware?
There are a handful of reasons behind it.
- Usually the risk of compromising PoS systems is underestimated. Companies tend to focus their time and IT budget on protecting critical servers and establishing perimeter security but not on workstations of their own employees and PoS terminals.
- PoS system is the end device that actually swipe your card and thus either processes or stores critical payment card data which was the goal of the attack.
- PoS systems have to be exposed to the Internet to be able to process payment transactions with the online payment systems such as VISA.
- PoS systems are usually installed in locations without dedicated IT (store branches, restaurants, service agencies). IT in this case is usually outsourced to a 3rd party which needs remote access to managed systems creating a security risk.
- PoS systems are usually connected to workstations which employees have a temptation to misuse for browsing internet when customer traffic is low.
Now what can be done to prevent consumer credit card data from being stolen?
What really helps is the autopsy of the affected systems performed by US-CERT in their recent warning to retailers.
Let’s take a closer look and see how this could have been detected and even prevented in the first place.
The US-CERT alert states that the malware used by criminals “parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data”.
Usually memory dumps are saved on a file system as system protected files. What if you could track access to those files after they were created? Who would normally need access to this cryptic data?
The official alert further states that “malicious actors could be taking advantage of default credentials to access the systems remotely” and that malware“exploits default and most likely weak credentials accessible over Remote Desktop”.
So, now if we could track remote logons under default credentials to PoS systems we’d be much better equipped!
And finally the news articles suggest that the technique used in the attacks is known as “advanced persistent threat” which is no more than a methodical attack targeting multiple systems and stretching out in time.
Can the counter measure be as simple as alerting on attempts to guess the password of privileged accounts like Administrators across all of your PoS terminals and connected workstations?
Having seen mentions of “security attack” and “advanced persistent threat” one might think that this is all what expensive and cumbersome SIEM solutions are for. In fact, simple to use and yet effective log management tools like Dell InTrust that are proved to work on PoS systems will give you a much faster jump start and even integrate with SIEM solution of your choice if you opt to do so.
What sets InTrust apart is its nimble agent that can be deployed to tens of thousands of workstations and PoS terminals to do what you should be doing to battle the POSRAM like attacks. So, from tracking access to critical system files and alerting on attempts to brute force passwords of default accounts to monitoring the use of removable media and tracking details of every session of the remotely logged in user, InTrust will get you covered.
Check out this InTrust for Workstations datasheet to know about other capabilities and how they can keep your PoS systems protected.
Originally published here
Tags: APT, attack, intrust, POS, security, SIEM, US-C, US-CERT
GoCloudy Blog 
Leave a Reply