How can companies protect themselves from Point of Sale (POS) malware?

When we talk about point of sale (POS) systems, security concerns are now often at the forefront of the conversation.

In March, Cisco discovered a new breed of POS malware, dubbed "PoSeidon," which infects machines to scrape memory for credit card information then exfiltrates that data to servers located elsewhere in the world.

Security researchers claim it is more advanced and harder to detect than previous malware, demonstrating that attackers are continuing to develop more sophisticated attacks on POS systems. As criminals become more innovative in their methods, and malware is harder to detect, more emphasis needs to be put on protecting the access to systems through which the malware is deployed.

A common theme across breached retailers is that their POS systems were supported by a third-party provider that used remote access tools to manage, update and troubleshoot systems. Unfortunately, many of these vendors often use the same passwords or easily-guessed access and authentication credentials across various customer accounts. Once a cybercriminal compromises those credentials, they can upload malware, like PoSeidon, to multiple victims’ POS systems.

For security professionals, the temptation to completely eliminate remote access can be high. Eliminating these access points also eliminates the possibility of them being compromised.

However, for IT departments and third-party service providers that need to manage, update and troubleshoot these systems across tens or even hundreds of locations, remote access is an essential tool. The issue isn't the technology itself; it’s more a case of poor management of the technology, if it is managed at all.

With the proper implementation, management and governance, remote access can be secure. One reason attacks are successful is that there is often a lack of consistency around how remote access is managed, particularly for third parties, even though 88 per cent of companies say they have at least one third party with access to their IT networks, according to research by Ovum.

Therefore, IT departments need to ask themselves, “are the right policies in place when allowing both internal employees and third-party providers access to our network and systems? How do we ensure that everyone is following these policies so there are no unnecessary or easily compromised backdoors open on our network?”

Prevention techniques

To improve PoS security, protecting against unauthorised remote access is essential. First, centralise remote access so all authorised access to your network can be managed and monitored from a single solution. Once everyone is on the same, approved remote access solution, all unsanctioned tools can be blocked. This means that they can’t be used to access PoS devices in the first place.

Each individual that is authorised to use remote access should be required to use a unique login credential. Too often, IT teams or vendors share generic login names and passwords, making them vulnerable to a brute force attack. Not only does sharing passwords undermine security, it makes it impossible to audit who is doing what on a company’s systems.

It also puts a company at higher risk of being breached by a former staff member or a vendor’s former employee who still remembers the access credentials. When setting passwords, think about complexity, password length and enforcing regular changes, which all help to decrease the risk of an attack. Better yet, require multi-factor authentication for all remote access.

Next, employ the rule of least privilege to ensure users only have access to the systems and devices they need, particularly third parties. Also ask, does everyone needs access all the time? If not, limit access rights to only the specific timeframes required.

For example, maybe a certain vendor only needs access during the length of a project or shouldn’t be logging into your systems outside of normal business hours. For abnormal situations where someone needs access to systems outside of their normal responsibilities, set up approval notifications and workflows that allow you to keep people productive while also keeping systems secure.

Finally, it’s essential to capture a full audit trail of all remote access activity. This should be stored in a central, tamper-proof location and not on the desktop of the employee or outsourcer conducting the remote access session. This way all access can easily be reviewed. This includes looking at what actions were taken by which technician and when, which can then quickly identify any abnormal activity.

With this centralisation and audit approach in place, it is much more difficult for remote access compromises to be successful. Taking away the ability for remote access to be used by hackers can hinder many POS malware activities.

Security is a complex issue and no one solution ensures complete protection from a data breach. Ensuring the initial entry pathway is harder to attack through stronger access tools and management can significantly improve the protection of POS devices.

Boatner Blankenstin is senior director of solutions engineering at Bomgar.