Week 5 CYBR 650 Blog



Will Harry and Mae’s Diner Ever Listen to their Paid Consultants?


This week in class we are working through the familiar (at least for Bellevue Cybersecurity students) Harry and Mae’s case study. It examines a franchise of diners, and depending on the class you are in, you look at it through the required lens: risk management, secure network design, or threat analysis. One item I got to thinking about this week is the individual franchises under a company like this, and how much leeway they have in deciding how to run their own infrastructure. This matters most when headquarters policies dictate an insecure implementation of the IT equipment, as is the case with Harry and Mae’s. In my specific experience with them, this will be the third time I have recommended basic security configurations without any visible action on their part.





Point of Sale Security


Certainly a hot topic over the last few years, point of sale devices are critical pieces of the infrastructure. Just this year Applebee’s, Forever 21, and Hard Rock Hotel and Casino discovered malware on their point of sale devices. Nobody knows who else has been infected without realizing it, or has managed to keep it out of the press. The problem many of these franchise locations have is that they rely on others to perform this service, along with many other important services. Looking at Harry and Mae’s, their franchises receive two point of sale computers with an insecure software configuration, and they outsource credit card payment processing by transmitting card data over a poorly secured link to corporate headquarters. How many other organizations operate this way, and what responsibility do they have to identify and address these vulnerabilities?


There are Options…Maybe

If HQ says you have to use their standardized equipment, you can at least understand where it might be vulnerable. A PoS system is a computer like any other; however, it is intended to perform only one function: process and store transactions. If users can perform other functions on the system, then it is probably wide open to attack because it has not been locked down at all, as is the case with Harry and Mae’s. If you can browse the Internet from your PoS computer, you are asking for trouble. On the same point, if your HQ requires you to send them your credit card data using older technology such as PPTP, then it might be time to search for a new provider, regardless of the discount they are offering you.

Another crippling vulnerability is connecting that device to a publicly accessible network. It is common these days for restaurants to provide Wi-Fi; in fact, it is expected. Wireless security on a public network is another topic, but in no way should any production system be on that same network segment. Franchise managers should ensure the network is segmented so that no traffic can get from one to the other.
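As an added illustration (not part of the original post) of the two problems just described, the script below audits constructed flow records for guest Wi-Fi traffic reaching the PoS segment and for PoS hosts sending card data over PPTP. The subnet addresses, the HQ address and the comma-separated flow format are assumptions for this example.

```python
# Added example (not from the blog post): audit constructed NetFlow-style records
# for guest-Wi-Fi-to-PoS traffic (a segmentation failure) and for PoS hosts using
# PPTP (TCP/1723 control channel plus a GRE tunnel, IP protocol 47) to reach HQ.
# Subnet addresses and the record format are assumptions for illustration.
import ipaddress

GUEST_WIFI = ipaddress.ip_network("192.168.50.0/24")   # assumed guest Wi-Fi segment
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # assumed PoS segment
PPTP_CONTROL_PORT = 1723                               # PPTP control channel (TCP)

# Constructed sample flows: src, dst, protocol, dst_port (203.0.113.10 plays HQ)
SAMPLE_FLOWS = """\
192.168.50.23,10.20.0.5,tcp,445
10.20.0.5,203.0.113.10,tcp,1723
10.20.0.5,203.0.113.10,gre,0
192.168.50.40,93.184.216.34,tcp,443
10.20.0.6,203.0.113.10,tcp,443
"""


def parse_flows(text):
    """Parse the constructed CSV-style records into dicts with parsed IP addresses."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, proto, port = line.split(",")
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "proto": proto.lower(), "port": int(port)})
    return flows


def audit_flows(flows):
    """Return (rule, flow) findings for segmentation and PPTP violations."""
    findings = []
    for f in flows:
        # Rule 1: any flow from the guest Wi-Fi segment into the PoS segment
        if f["src"] in GUEST_WIFI and f["dst"] in POS_SEGMENT:
            findings.append(("guest-to-pos", f))
        # Rule 2: a PoS host speaking PPTP (control channel or GRE data channel)
        pptp = (f["proto"] == "tcp" and f["port"] == PPTP_CONTROL_PORT) or f["proto"] == "gre"
        if f["src"] in POS_SEGMENT and pptp:
            findings.append(("pos-over-pptp", f))
    return findings


if __name__ == "__main__":
    for rule, f in audit_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{rule}: {f['src']} -> {f['dst']} {f['proto']}/{f['port']}")
```

On the sample data the audit flags the SMB flow from the guest network into the PoS segment and both halves of the PPTP session from the PoS host to HQ, while the guest HTTPS browsing and the PoS host’s TLS connection pass.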

Even doing those simple steps might not be enough. Everyone should enforce strong password security and maintain patches and firmware across their systems. Do you think these large companies weren’t following basic PoS security? Maybe they were, and maybe they weren’t. One thing is for sure: PoS systems are becoming an inviting target, attracting more sophisticated attackers. A recent attack by the FIN6 hacking group showed this evolution, as they implanted malware into a PoS system’s running memory, probably using stolen or compromised credentials. These kinds of attacks take a more mature defense posture to thwart, often requiring advanced software to conduct real-time process and application monitoring and endpoint protection.

The bottom line is that retailers need to understand how these things work, how attackers could potentially exploit vulnerabilities in them, and finally, how others have been compromised. This takes keeping your ears tuned not just to the news, but to trusted cybersecurity outlets that report these kinds of breaches, with details, shortly after they occur. If they outsource PoS, they need to ensure that their provider details its security methodology, and that it actually follows through to the level required by the agreement.
