Hospitality's Hidden Threat: POS
Whether restaurant, hotel or resort, the hospitality industry is intensely focused on creating a pleasurable experience for guests. Unfortunately, hospitality has become an increasingly attractive target for cyberattacks, according to the 2016 Trustwave Global Security Report. The report notes that the hospitality industry accounted for 14 percent of all breaches, second only to the retail industry. Among the more prominent breaches in the last two years are those at Hyatt (August 2014 – December 2015), Hilton (July – August 2015) and Hard Rock Café (September 2014 – April 2015).
These attacks focused heavily on the hospitality organization’s Point-of-Sale (POS) systems. POS breaches remain among the most difficult to protect against because of historic vulnerabilities at the device end-points, the inability to apply additional security measures such as encryption to transaction data, POS-targeted macro threats, and the increased use of the Tor network, which hosts Darknet black marketplaces, to easily facilitate the sale of stolen information. In this article, Attivo Networks discusses how POS attacks happen and what the hospitality industry can do to prevent them.
How POS Attacks Happen
In a POS attack, the attacker spends the vast majority of time inside the network in the “post-infection” phase, which begins after a system has been compromised. During this period, the attacker finds the computer systems that host payment processing applications and plants malware for either timed or remote activation from the attacker’s Command-and-Control servers.
There are three significant problems here. First, traditional prevention security solutions are not designed for post-infection detection, nor to pick up the lateral movement or other actions leading up to an attacker dropping a RAM scraper. Second, once the attacker is inside the network, he can move “low and slow” to mount his attack and remain undetected. This approach affords the attacker as much time as he needs to compromise a key asset (such as an Active Directory server or a patch management server). Once the attacker has penetrated such a target, he can deploy malware through the patch-management software and then compromise the payment processing application.
Lastly, many of today’s POS deployments continue to sit on Windows XP or even DOS-based systems. Microsoft no longer patches Windows XP, so newly discovered vulnerabilities remain exploitable indefinitely. That said, hospitality organization IT and security teams can take the following steps to protect against being breached.
Adopt an assumed-breach security posture and take measures to gain the visibility needed to know what threats are hiding in your network. Add continuous visibility into misconfigurations and exposed credentials that could provide access to servers and cause widespread infection of POS terminals. Utilize real-time detection technology to give the organization the “eyes and ears” needed to detect the lateral movement of threats.
It starts with real-time visibility to detect threats that are within the organization’s network. This should include insight into network, user and credential vulnerabilities, and should be able to show and analyze the lateral movement of any form of new or old threats that enter the network and threaten the POS installations. Information security teams must be able to identify known and unknown threats without the need for signatures or the time to tune for pattern matching. Additionally, the capability should not generate false positive alerts or stream endless amounts of uncorrelated information to already overburdened security analysts.
Deception-based detection is an increasingly popular solution for hospitality organizations. These solutions set traps and lures at the end-point and within the network and lead an attacker into revealing himself. Deception platforms provide visibility into attack path vulnerabilities and other attack visualization to help an enterprise harden its infrastructure. They also offer automation for attack incident correlation, forensic reporting and integrations that will automatically block, quarantine and threat hunt infected systems. Analyst firms, such as Gartner, Inc., 451 Research, and Frost and Sullivan recognize that deception is rapidly growing in customer adoption and acknowledge the technology as the most efficient method for detecting advanced threats.
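As an added illustration of the deception approach described above (example code written for this article, not Attivo Networks’ product), the script below plants a constructed inventory of decoy credentials and decoy hosts (a fake “patch server” and a fake POS terminal) that no legitimate process ever uses, then runs constructed authentication and connection log lines through a detector. Any reference to a decoy, including a failed logon, is a high-fidelity signal, and grouping hits by source host exposes the lateral-movement chain. All account names, addresses and log lines are made up for the example.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical names). Nothing legitimate ever
# authenticates with these accounts or talks to these hosts, so a single hit
# is actionable without signature tuning or pattern matching.
DECOY_ACCOUNTS = {"svc_patchmgmt_bak", "pos_admin_old"}
DECOY_HOSTS = {"10.10.5.77": "decoy patch-management server",
               "10.10.5.78": "decoy POS terminal"}

# Constructed sample log lines in a simple syslog-like key=value form.
SAMPLE_LOGS = [
    "2016-03-01T02:11:04 auth src=10.10.2.15 user=jsmith dst=10.10.1.5 result=success",
    "2016-03-01T02:13:40 auth src=10.10.2.15 user=svc_patchmgmt_bak dst=10.10.5.77 result=failure",
    "2016-03-01T02:14:02 auth src=10.10.2.15 user=svc_patchmgmt_bak dst=10.10.5.77 result=success",
    "2016-03-01T02:20:19 conn src=10.10.2.15 dst=10.10.5.78 port=445",
    "2016-03-01T02:21:00 auth src=10.10.3.9 user=mlee dst=10.10.1.5 result=success",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|conn) src=(?P<src>\S+)"
                    r"(?: user=(?P<user>\S+))? dst=(?P<dst>\S+)")

def parse(line):
    """Parse one line into a dict, or None if it is not an auth/conn event."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_deception_hits(lines):
    """Return (timestamp, source host, reason) for every touch of a decoy.
    Failed logons count too: a decoy credential should never be tried at all."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append((ev["ts"], ev["src"],
                           f"decoy credential {ev['user']} used against {ev['dst']}"))
        elif ev["dst"] in DECOY_HOSTS:
            alerts.append((ev["ts"], ev["src"],
                           f"contact with {DECOY_HOSTS[ev['dst']]} {ev['dst']}"))
    return alerts

def lateral_movement_by_source(alerts):
    """Group decoy hits by source host; one host touching several decoys in
    sequence is the lateral-movement trail the article says prevention tools miss."""
    trail = defaultdict(list)
    for ts, src, reason in alerts:
        trail[src].append((ts, reason))
    return {src: sorted(hits) for src, hits in trail.items()}
```

Running detect_deception_hits(SAMPLE_LOGS) flags the three events from 10.10.2.15 and nothing from the two legitimate logons, so the analyst sees one compromised host and its path toward the decoy patch server and POS terminal rather than a stream of uncorrelated noise.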
Loss of customer data, financial ramifications for the company, and the resulting loss of reputation in a major breach are avoidable for companies that take the right measures for attack prevention and detection. Efficient detection of advanced threats is definitely worth a look.