According to the recently released 2014 Verizon Data Breach Investigations Report, 92 percent of the incidents analyzed over the past decade can be attributed to nine basic patterns, one of which is point-of-sale intrusions. A series of high-profile breaches has made headlines in recent months, underscoring the damage that can occur from these attacks.
Within POS attacks, Verizon found that the shared vector for major scenarios is third-party remote access software. It’s not just free tools or legacy products contributing to this problem. The report specifically named modern providers PCAnywhere and LogMeIn as examples of products that hackers are utilizing to infiltrate corporate networks. The frequency with which these solutions are leveraged for attack does not necessarily mean that they are insecure in nature. Rather, as Verizon states, “it just happens that we often find them implemented in a very insecure manner.”
So what exactly does this mean, and what should retailers do to ensure their remote access tools do not inadvertently open the door for hackers?
There are a few key considerations, but enforcing password policies is a good place to start. Companies should ensure that all passwords used for remotely accessing POS systems are not factory defaults or easily guessable. This same level of oversight should also extend to any third parties that are remotely accessing the system. For example, companies should verify that external groups do not share passwords to access different customers’ systems. This scenario was behind one of the biggest attacks studied in the Verizon report: a POS vendor used the same password to access the systems of all the companies it managed. As the study states:
“Once it was stolen, it essentially became a default password and the attackers also gained knowledge of the customer base. Armed with this information, the familiar modus operandi of installing malicious code that captured and transmitted the desired data began.”
In addition to enforcing password policies internally and externally, retailers should continually monitor access to the POS network. In 99 percent of the POS attacks analyzed in the Verizon report, the organization learned of the data breach from an external source rather than spotting it itself. Identifying unusual spikes in traffic can help retailers catch an attack, but it’s not enough to truly ensure security in today’s heightened environment. Companies need to know exactly who is accessing the system, when, and what functions they are performing.
Not only does this help companies better investigate suspicious activity in real time, it also allows organizations to trace any unauthorized access down to the individual employee level. While external groups seeking financial gain perpetrate the majority of attacks in the retail industry, insider misuse is still a security concern. Verizon found that remote access is also a popular vector for these internal attacks, accounting for 21 percent of the incidents attributed to employees. Ensuring that every individual who accesses the network uses unique credentials and two-factor authentication adds an extra layer of security.
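The monitoring described above (who accessed the POS network, when, with what function, and whether credentials are unique and two-factor protected) can be sketched as a small audit over a session export. This is an added example, not code from the original post or the Verizon report; the CSV field names, account names, sample rows and the approved-hours window are all constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample data: remote-access sessions to POS hosts (not real logs).
SAMPLE_LOG = """\
start,account,source_ip,pos_host,mfa,action
2014-05-02T09:14:00,jsmith,10.20.1.15,pos-017,yes,view_config
2014-05-02T10:02:00,vendor_support,198.51.100.7,pos-017,no,file_transfer
2014-05-02T10:40:00,vendor_support,203.0.113.44,pos-022,no,remote_shell
2014-05-03T02:31:00,mlee,10.20.1.32,pos-004,yes,install_software
"""

APPROVED_HOURS = range(6, 22)  # assumption: maintenance allowed 06:00-21:59


def parse_sessions(text):
    """Turn the CSV export into dicts with a parsed start time."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["start"] = datetime.fromisoformat(row["start"])
    return rows


def audit(sessions):
    """Return sorted (finding, account, detail) tuples for review."""
    findings = set()
    sources = defaultdict(set)
    for s in sessions:
        sources[s["account"]].add(s["source_ip"])
        if s["mfa"].strip().lower() != "yes":
            findings.add(("no_two_factor", s["account"], s["pos_host"]))
        if s["start"].hour not in APPROVED_HOURS:
            findings.add(("off_hours", s["account"], s["start"].isoformat()))
    for account, ips in sources.items():
        # One login arriving from several addresses suggests a shared credential.
        if len(ips) > 1:
            findings.add(("shared_account", account, ",".join(sorted(ips))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_sessions(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

A `shared_account` finding is a prompt for review rather than proof, since one person may legitimately connect from more than one address.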
No system can ever be entirely protected from the threat of data breaches. However, examining the remote access environment in light of the considerations above can help retailers ensure that their solutions are not inadvertently making them vulnerable.
I’ll elaborate on the security challenges facing today’s retailers in more detail in my next post. If you have any thoughts on how best to protect the POS environment, however, I’d love to hear them below.