These materials are © 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Point-of-Sale Security
Bit9 + Carbon Black Edition
by Kevin Beaver and Christopher Strand
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2015 by John Wiley & Sons, Inc.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making
Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without
written permission. Bit9, Carbon Black, and the Bit9 + Carbon Black logos are registered trademarks
of Bit9, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons,
Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department in the
U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For
information about licensing the For Dummies brand for products or services, contact
BrandedRights&Licenses@Wiley.com.
ISBN: 978-1-119-06306-3 (pbk); ISBN: 978-1-119-06300-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Project Editor: Carrie A. Johnson
Editorial Manager: Rev Mengle
Acquisitions Editor: Amy Fandrei
Business Development Representative:
Sue Blessing
Production Coordinator: Melissa Cossell
Table of Contents
Introduction ........ 1
    About This Book ........ 1
    Icons Used in This Book ........ 1
Chapter 1: Understanding Point-of-Sale Security Risks ........ 3
    Understanding Why Cybercrime is a Big Deal ........ 4
    Getting to Know the POS Attack Surface ........ 5
        Industries impacted ........ 5
        How businesses become targets ........ 6
    Knowing What’s at Stake ........ 7
Chapter 2: The State of Point-of-Sale Security ........ 9
    The Current State of POS Security ........ 9
    Common Types of Attacks ........ 10
    End of Life and POS ........ 11
    POS Security Costs ........ 11
    Methods of Protecting POS Systems ........ 13
Chapter 3: Advanced Threats against Point-of-Sale Systems ........ 15
    Introducing Advanced Threats ........ 15
    Understanding Attacker Motivations ........ 17
    Executing Attacks in POS Environments ........ 18
Chapter 4: Recognizing Current Limitations in Point-of-Sale Protection ........ 21
    Antivirus Software Limitations ........ 21
        Signature-based scanning ........ 22
        Performance impact ........ 22
    Host Intrusion Prevention ........ 23
    Incident Response Services ........ 24
        Limited data availability ........ 25
        Limited scope ........ 25
        Home-grown tools ........ 26
        Expertise required ........ 26
        Non-continuous approach ........ 26
    Matching New Threats with New Capabilities ........ 26
        Responding quickly ........ 27
        Detecting potential threats automatically ........ 28
        Stopping malware execution ........ 28
Chapter 5: Solving the PCI Challenge for Point of Sale ........ 29
    PCI DSS as a Measuring Stick ........ 30
    PCI’s Shift toward Application Control ........ 31
    Merging Compliance Policy with Security Controls ........ 32
    Ensuring Ongoing PCI Compliance ........ 32
    Mirroring the PCI Prioritized Approach ........ 34
Chapter 6: Deploying Proactive Point-of-Sale Security ........ 35
    Defining Your Requirements ........ 35
    Understanding the Security Maturity Model ........ 37
    Managing Smart Policies ........ 38
    Integrating with other Security Products ........ 40
Chapter 7: Ten Tips for Successful Point-of-Sale Security ........ 41
Introduction
Welcome to Point-of-Sale Security For Dummies,
Bit9 + Carbon Black Edition. This book outlines in plain
English how to protect your point-of-sale (POS) systems and
cardholder data from malware and other advanced threats.
POS technology is being targeted by criminal hackers more and
more. You don’t want to become yet another data breach victim.
About This Book
Whether you’re just getting started down the path of securing your organization’s POS systems or you’re already neck-deep in the quagmire of security and compliance, there’s a lot to learn and a lot to lose. This book highlights the “must have” knowledge and requirements necessary for keeping your POS in check. We help you understand the history of POS technology and advanced threats. We also share with you the limitations of existing security controls and what you can do to ensure you have the proper protection for minimizing your business risks and complying with the Payment Card Industry (PCI) requirements.
If you’re an administrator, manager, auditor, or anyone otherwise in charge of managing or reviewing the compliance or information security of POS systems — this book is for you.
Icons Used in This Book
The following icons are used to indicate special content in
this book:
This is information you’ll want to commit to memory.
This is information that digs in a little deeper into the details in case you’re interested.
This is information that helps provide advice to highlight or clarify a key concept.
Please pay attention when you see this icon! It provides cautionary information you won’t want to miss.
Chapter 1
Understanding Point-of-Sale Security Risks
In This Chapter
▶ Looking into cybercrime and its impact on business
▶ Understanding why point-of-sale systems are under attack
▶ Studying the areas of weakness and challenges to securing point-of-sale systems
Cybercrime is occurring at unprecedented levels. In terms
of time, money, and the resources needed to respond to
threats and minimize the risks, breaches are exacting a costly
toll on victims. These stealthy costs often don’t appear as line
items on financial statements for a number of reasons.
First, the costs of security breaches are often indirect, resulting
in wasted resources and missed opportunities. They’re difficult
to quantify. Second, organizations are incentivized to downplay
the effects of security breaches to avoid unwanted attention
from the public and media, not to mention severe penalties
from regulatory bodies. Third, many breaches go undetected
altogether. You can’t secure — or respond to — the security
weaknesses and incidents you don’t know about.
In this chapter, we outline why cybercrime matters — especially as it relates to point-of-sale (POS) security. We also discuss why POS systems are under attack as well as the threats and vulnerabilities experienced in POS environments that are contributing to the security challenges.
Understanding Why Cybercrime is a Big Deal
Almost every organization has some “digital gold” that outsiders may want to exploit. This data may include intellectual property, sensitive personal information about customers and employees, confidential business plans, or financial information. However, businesses with POS systems are particularly at risk given the potential for financial gains on the part of the criminal hackers.
The real value in POS systems is in their financial transactions — specifically the credit card numbers and other personally-identifiable information (PII) they process and store. When POS systems are attacked, the price tag can be enormous. The costs associated with POS security incidents include detecting and responding to a breach, notifying victims, conducting post-response support, and lost business. There’s also another factor: fines from government agencies, namely the Federal Trade Commission, as well as penalties and increased scrutiny associated with regulatory bodies and standards, such as the Payment Card Industry Data Security Standard (PCI DSS).
A security breach of your POS environment isn’t all about you and how your organization handles things internally. Often, many outside parties get involved in the initial investigations as well as any ensuing sanctions and ongoing audits that will likely be required.
Clearly, data breaches involving POS systems are financially burdensome on the organizations experiencing them. In addition to these financial losses, organizations also suffer from lost time. Depending on the type of incident they experience, organizations may lose days, weeks, or even months of time to incident response activities. These losses are exactly what businesses operating in the retail industry don’t need, especially during heavy shopping periods such as the holiday season. Other businesses operating in different industries can be negatively impacted as well, especially if they lose the capability to accept credit cards.
Getting to Know the POS Attack Surface
At its core, cybercrime is a numbers game. More businesses, networked computer systems, and security vulnerabilities lead to a greater chance of attacks. Throwing POS network complexity, lack of visibility, and even politics into the mix breeds the ultimate playground for criminal hackers, rogue employees, and the like to carry out their attacks for ill-gotten gains.
POS systems are in the crosshairs for the same reasons that certain operating systems and applications always seem to be targeted by hackers — they’re in widespread use, and the weaknesses are fairly well-known.
According to World Bank estimates, there are more than 34 million POS devices globally, nearly 10 million of which are in the United States alone. These numbers aren’t staggering considering the total number of computers around the world; however, POS systems are large targets and provide a great opportunity for bad things to happen nonetheless!
Industries impacted
When you think of POS systems and their related security risks, retail probably comes to mind. Given their recognition and visibility, it’s no surprise that retailers find themselves the frequent targets of adversaries. Most retailers have relatively small IT and security staffs and find themselves struggling to apply those resources to both meet business requirements for 24/7 availability and simultaneously provide the level of security needed to protect sensitive credit card information flowing through their networks. Maintaining security and compliance can be difficult tasks in retail, as well.
POS security risks don’t just impact traditional retail businesses.
Numerous industries utilize POS systems in some capacity. If
your organization transacts business in or around the following
industries, it’s likely affected by POS risks.
✓ Casinos and gaming: Given the need for a paper trail, a large number of gambling and gaming transactions take place via credit cards.
✓ Entertainment venues: Sports arenas, theaters, civic centers and the like are responsible for an enormous amount of credit card transactions each year.
✓ Healthcare: With an increasing population becoming dependent on the healthcare system, more and more transactions (doctor copays and related fees) are taking place via credit cards.
✓ Transportation: Airlines, bus and subway systems, and related transportation services do much of their business via credit cards.
As society shifts away from cash and checks for payments,
countless other industries are relying more and more on POS
systems for their daily operations.
How businesses become targets
In the modern era of business, computers are found in the darnedest places. From the reception area to the back office to the manufacturing floor, it’s not unusual to find POS systems scattered about like any other networked computer. In fact, most POS systems are merely embedded personal computers running specialized software and, quite often, outdated versions of the Windows operating system.
Given the pervasiveness of POS systems in any given business, they’re routinely targeted just like any other host on the network. Once criminal hackers are able to get in and confirm the presence of POS systems, they can become the target where all the malicious efforts are focused.
After attackers target an organization, they have many potential avenues of infiltration. While servers are likely targets, even the lowliest endpoint’s sensitive information may be targeted or the endpoint itself may provide an actor with a toehold on the organization’s network that may be further exploited. Endpoints can then be used as entry points to get to other targets, such as servers, which are more likely to contain larger volumes of sensitive information.
Specific vulnerabilities that are often present and subsequently exploited on POS systems — and any others in the attack chain — include
✓ Default, blank, or otherwise weak passwords that allow direct system access
✓ Missing operating system and application patches that can be exploited for remote, and often undetectable, administrator-level, command-prompt access
✓ Absence of malware protection to analyze, block, and report threats in real time
✓ Minimal visibility into the overall network that helps ensure IT and security staff are kept in the dark
Because of these common weaknesses, businesses are often
unable to adequately protect POS systems against advanced
threats. Just as bad, IT and security staff often don’t find out
about breaches until after the damage has been done.
Attackers don’t care how they get in. Be it a server, a workstation, or a mobile device, if a system is accessible — physically in person or logically over the network — it represents an entry point into your POS environment. Once attackers are able to infiltrate the network, the risks to your POS systems and credit card information are front and center — all bets are off.
Knowing What’s at Stake
Advanced attacks against POS systems are not only sophisticated, but also they’re likely to go undetected — especially if security controls such as traditional anti-virus software are being relied upon. Time is money. The longer the attackers are able to control a POS environment the more damage that’s done.
Having a well thought out security program that addresses the unique needs of your POS environment is critical to minimizing your business risks. Every detail from your security policies, your technical controls that help enforce your policies, and the unique procedures and response plans required by your business must be addressed on an ongoing basis.
When developing a security program, there are many costs you must consider. In addition to the direct costs of security controls that you want to purchase, also plan for the costs of incident response. Investing in incident response pays dividends by lowering the cost of security breaches. Each time you respond to a security incident, you expend time and money investigating the compromise, notifying customers, and dealing with the aftermath.
While the aftereffects of a customer data breach are worrisome
in their own right, you must also grapple with how the breach
will affect ongoing compliance with key Payment Card Industry
Data Security Standard (PCI DSS) requirements. Non-compliance
can result in steep penalties as well as significant damage to
your organization’s brand.
Not only is it critical to have the proper systems and processes in place, but also it’s equally important to have the right people managing it all in concert. All it takes is one piece of the POS security puzzle such as an inattentive help desk, a disconnected compliance manager, or network security operations team without the proper tools to miss the big one — the POS security breach that brings your business to its knees. Even when internal audit staff and external auditors are looking in the right areas with the right tools and audit procedures, something unnoticed, or seemingly benign, can turn into a real security and compliance problem.
It’s one thing to build out your POS security program but quite another to manage it well every day. Make sure every piece is getting the attention it deserves. But most importantly, don’t just do it for the sake of compliance — do it with the longer-term goal of minimizing information risks.
Chapter 2
The State of Point-of-Sale Security
In This Chapter
▶ Looking at the current state of security in point-of-sale environments
▶ Understanding the common types of attacks
▶ Considering the security costs
▶ Protecting point-of-sale systems
Point-of-sale (POS) systems are under attack around the world. The United States alone has numerous, high-profile breaches of POS security at large retailers. It appears that there’s no end in sight for these types of attacks. In this chapter, we discuss the impact of advanced security threats on POS systems and outline some specific attacks. We also cover the costs associated with POS security along with specific solutions for making POS environments resilient and secure.
The Current State of POS Security
POS systems include a range of hardware devices, such as card readers, scales, scanners, and registers, as well as the software needed to support them. Increasingly sophisticated POS systems are linked to inventory management, ordering, and customer relationship management applications. POS systems make it possible for retailers to conduct transactions — often with credit cards — quickly and easily, providing a smooth and enjoyable customer experience.
The mere acceptance of credit card payments is the most notable security concern related to POS systems, as hackers motivated by financial gains attack retailers and other businesses in pursuit of credit card numbers and other personally identifiable information (PII).
Given the threats combined with what there is to lose, your POS systems should be a top security priority. The numbers don’t lie. According to the 2014 Verizon Data Breach Investigations Report, in 2013, POS intrusions made up the highest type of incident at food, beverage, and hospitality providers (75 percent) and retailers — which was at 31 percent. Also, 74 percent of attacks against accommodation, food services, and retail companies from 2011-2013 targeted credit card information.
Common Types of Attacks
POS systems run on a range of operating systems, such as Windows Embedded, Windows XP, and newer versions such as Windows 7. They also run on Linux and UNIX. These systems are vulnerable to a range of attack types that could result in data breaches.
RAM-scraping malware is the greatest threat. This malware, which first appeared in 2008, has been behind the recent major retail breaches. It uses debugging software on POS systems to extract magnetic stripe data directly out of the computer’s memory. The code behind this type of attack has morphed over the years, including the addition of bot functionality and stealth capabilities to avoid detection, but at its heart remains the same.
Other common types of POS system security breaches include
✓ Tampering with personal identification number (PIN) entry devices, where a bug is planted in the device to capture PINs and credit card numbers, or where the entire device is replaced with a substitute
✓ Installing electronic skimmers at a remote POS device, such as a gas station pump, to collect credit card data
✓ Identifying open network ports in the POS system — used for maintenance by the system vendor — and installing software, such as a keylogger, to capture login credentials, credit card data, or other sensitive information
✓ Installing malware directly onto the system via a USB drive
End of Life and POS
When the operating system on a POS device is no longer supported by the vendor (for example, Microsoft), it creates significant challenges to keeping the POS secure and compliant. Windows XP-based POS systems are some of the most widely implemented in the world, and when Windows XP’s end of life occurred in April 2014, all POS systems that relied on it were exposed to significant vulnerabilities.
Unsupported operating systems such as Windows XP aren’t only vulnerable to attack, but also they can compromise your organization’s compliance with PCI DSS.
Windows Server 2003’s end of life (July 2015) also represents
a significant security risk, much like Windows XP, with a
significant number of businesses relying on it to run critical
applications. Windows Server 2003 creates an issue that’s
directly tied to the security of POS systems because many
such systems rely on server processing and storage to process
transactions. If the server system is damaged or the integrity
is broken, the entire system’s security and compliance could
be compromised.
POS Security Costs
An organization’s ongoing security posture, its ability to keep
its POS systems in a compliant state, and the controls used
to measure both certainly influence the cost of maintaining
its POS environment. However, the security costs associated
with protecting POS systems are insignificant compared to the
costs associated with a breach of credit card data or PII.
Costs related to POS system compromise include the following:
✓ Board-level and legal costs: The fallout from a security incident on POS systems should be a key concern for directors and legal counsel and can have negative effects on the board.
✓ Executive office costs: Indirect costs, including firings and forced resignations, can be felt at the executive level. These costs have been associated with high-profile credit card breaches.
✓ Stock price: A security incident can have a direct impact on the stock price of publicly-held companies through distrust and an ultimate decline in shareholder value.
✓ Reputation and brand damage: Customers will move to what they perceive as safer businesses in the event of a highly-publicized incident.
✓ Legal costs and penalties: The investigation, reporting, and litigation costs associated with a security incident can be huge.
✓ Compliance and regulatory costs: Aside from fines, after a security incident, there’s often mandatory increased focus and scrutiny placed on the business by the regulators as it pertains to security auditing.
Figure 2-1 shows the impact a security breach can have on your business.
Figure 2-1: The impact a POS-related data breach can have on your organization.
You need to consider all costs related to security breaches when budgeting and planning for the security solutions of your POS systems. A positive result of this analysis is that you can use the information to help build the case for a best-of-breed solution that solves your POS security challenges once and for all.
The return on your POS security investment may be difficult to quantify, but it’s real. Consider the reduced risk and the avoidance of costs associated with data breaches such as penalties, lost revenues, reputational damage, legal fees, and more. Given that recent breaches have cost retailers tens of millions of dollars, properly securing your POS systems is clearly worth the investment.
Methods of Protecting POS Systems
Businesses relying on POS systems can defend them against
RAM-scraping malware, Trojan horses, and other types of
attacks using a number of tools and techniques including
✓ Secure card readers/point-to-point encryption (P2PE): Data is encrypted at the point of swipe, and the encryption is maintained as the data is transmitted to the payment processor.
✓ Application whitelisting: Only approved applications are allowed to run on POS devices, making it impossible for malware to execute even if it’s introduced to the environment.
✓ Firewalls: A security perimeter is built around networks and endpoints.
✓ Breach detection systems: Security teams are alerted when a breach is detected, based on a complex analysis (not to be confused with intrusion detection systems, which typically rely on signatures to detect illicit activity).
✓ Disabled remote access: Connectivity by POS vendors and other parties is disallowed.
✓ Updated and patched POS software: Vulnerabilities found in earlier versions of the software are avoided.
✓ Mitigating controls for operating systems beyond end-of-life (for example, Windows XP): Counter the impact of unpatched systems.
✓ Restricted POS systems’ Internet access: Malware from sources such as illicit websites and email applications is prevented.
✓ File integrity monitoring: System administrators are notified when system components are changed.
✓ Anti-virus software: “Nuisance” malware with known signatures is blocked.
✓ Vulnerability scanner: Potential vulnerabilities introduced to the network and applications are identified for research and remediation.
✓ DLP software: Confidential data is detected, monitored, and protected in a variety of ways, depending on whether it’s in use (endpoint), in motion (network), or at rest (storage).
✓ Physical access policies: Access to POS terminals is restricted to authorized personnel only.
✓ Routine cardholder data deletion: Stored data is routinely removed from the POS device.
A closer look at application whitelisting
Application whitelisting refers to a highly effective method of stopping malware-based attacks that works by allowing only trusted software to execute in the computing environment. Like a bouncer at a party, you determine the software allowed to execute in your environment and the whitelisting tool stops everything else from running.
A whitelist, in its simplest form, is a list of applications allowed to run in an environment. As a program attempts to execute, the whitelisting tool compares it to the approved list — typically looking at hash values to ensure authenticity — and either permits the application to run or blocks it from executing.
Because of the administrative overhead associated with maintaining a whitelist, leading products have adopted policy-driven approaches to application whitelisting where dynamic policies are used to identify and simplify the management of trusted software. Common policy techniques include the use of cloud-delivered trust ratings, internal trusted software directories, and the use of trusted publishers. This approach allows all software published and signed by a trusted author to be automatically added to the whitelist.
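The decision the sidebar describes, a hash lookup first and then policy rules for trusted publishers and trusted directories, looks like the following when written out. This is an added example, not Bit9 + Carbon Black's code and not a description of any product's internals. The executable "images", the signer names, and the Windows-style paths are constructed; the `publisher` field stands in for the result of code-signature verification, which a real product performs against a certificate chain and which is not implemented here.

```python
"""Policy-driven application whitelisting decision (added example).

Not Bit9 + Carbon Black's code. A program may run when its SHA-256 hash is
on the approved list, or when a policy rule trusts it: a verified signer on
the trusted-publisher list, or a location inside a trusted software
directory. Everything else is blocked. Signer names, paths and file
contents are constructed stand-ins; `publisher` is assumed to already be
the verified signer name (signature checking is out of scope here).
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    path: str              # where the binary lives on the endpoint (constructed)
    image: bytes           # file contents (constructed)
    publisher: str = ""    # verified signer, "" if unsigned (assumed verified)


@dataclass
class Policy:
    approved_hashes: set           # the whitelist proper
    trusted_publishers: set        # signers whose software is auto-approved
    trusted_directories: tuple     # paths whose contents are auto-approved


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(exe: Executable, policy: Policy) -> tuple:
    """Return (allowed, reason). Exact hash match wins; then policy rules.
    Software admitted by a policy rule is added to the hash list, which is
    the 'automatically added to the whitelist' behaviour the text describes."""
    digest = sha256(exe.image)
    if digest in policy.approved_hashes:
        return True, "hash on approved list"
    if exe.publisher and exe.publisher in policy.trusted_publishers:
        policy.approved_hashes.add(digest)
        return True, f"signed by trusted publisher {exe.publisher}"
    if any(exe.path.startswith(d) for d in policy.trusted_directories):
        policy.approved_hashes.add(digest)
        return True, "launched from trusted software directory"
    return False, "unknown software blocked"


def demo() -> dict:
    pos_app = b"MZ-POS-APP-1.0"        # constructed POS application image
    tampered = pos_app + b"\x90"       # same file name, one byte different
    policy = Policy(
        approved_hashes={sha256(pos_app)},
        trusted_publishers={"Example POS Vendor Inc."},
        trusted_directories=("C:\\Program Files\\POSVendor\\",),
    )
    cases = {
        "pos_app": Executable("C:\\POS\\pos.exe", pos_app),
        "tampered_pos_app": Executable("C:\\POS\\pos.exe", tampered),
        "signed_update": Executable("C:\\Temp\\update.exe", b"MZ-UPDATE",
                                    "Example POS Vendor Inc."),
        "vendor_dir_tool": Executable("C:\\Program Files\\POSVendor\\diag.exe",
                                      b"MZ-DIAG"),
        "unsigned_unknown": Executable("C:\\Users\\Public\\svchost.exe",
                                       b"MZ-UNKNOWN", "Unknown Ltd"),
    }
    return {name: decide(exe, policy) for name, exe in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

Two cases carry the point of the sidebar: the tampered copy of the POS application keeps its file name but no longer matches the approved hash, so it is blocked without anyone having written a signature for it, and the unknown binary is blocked simply because nothing vouches for it. The trusted-directory rule is the one that needs the most care in practice, since it is only as strong as the write permissions on that directory.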
Chapter 3
Advanced Threats against Point-of-Sale Systems
In This Chapter
▶	Getting to know advanced threats
▶	Understanding attacker motivations
▶	Looking at the various stages of attacks against POS systems
Today more than ever, cybercriminals are targeting your
point-of-sale (POS) systems using a new breed of advanced
threats in order to steal and exploit your customers’ personal
and financial information. Retailers understand these security
challenges, but many remain unable to adequately protect
these systems due to a continued reliance on legacy antivirus
solutions, which we discuss in more detail in Chapter 4.
Introducing Advanced Threats
Advanced threats are organized, well-resourced, and determined to achieve the objectives set out by their leadership. Unlike the script kiddie or casual hacker of decades past, the advanced threat — often a government or organized crime-funded entity — is a formidable adversary seeking out a specific target for exploitation.
	You can implement what might be considered solid security controls, but your POS systems still won’t be impervious to advanced threats using zero-day malware. If they want in badly enough, they’ll do what it takes to find a way to penetrate your network.
As an IT or security professional, you should have a strong knowledge of the characteristics of advanced threats. By understanding the motivations, tools, and objectives of your adversary, you can better prepare your defense-in-depth approach to securing your organization’s digital gold — namely the sensitive information involved with credit card transactions on your POS systems. The defining characteristics of the advanced threat include
	 ✓	Range of technical tools: Advanced threats make use of a wide variety of technical tools. Instead of having a single piece of malware, the advanced threat often develops its own exploits. The code used by advanced attackers often makes use of otherwise undisclosed zero-day attacks for which the target (for example, POS systems) may have no defense.
	 ✓	Tactical sophistication: Advanced threats have experience on their side. Often well-funded, they have had time to develop a playbook for breaking into organizations. Out of their expansive toolset they use the least sophisticated assets necessary to achieve success and still have the ability to adjust to the victim’s defensive posture.
	 ✓	Integration with human threats: Advanced threats don’t limit their domain to technically sophisticated exploits. They understand and integrate the use of social threats as well, often leveraging phishing, social engineering, and traditional intelligence-gathering activities to amplify the effectiveness of their technical tools. The key here is that it’s a human on the other end, one who can make tactical decisions, be creative in the face of a roadblock, and so on. Given the complexity of POS environments, the level of risk is increased.
	 ✓	Targeted at specific objectives: The targets of advanced threats are carefully determined and align with the objectives of their sponsors. They aren’t opportunistic but, instead, seek out the systems or individuals that are very likely to contribute to their objectives. Advanced threats conduct targeting analysis and understand their adversary before engaging in an attack.
		When most people think about the objectives of advanced threats, they naturally think about the military and political objectives of nations and think that they don’t have resources that fit these objectives. Remember, however, that organized crime and political activists are also advanced threat sponsors. Simply having a public-facing website can make you a legitimate target. If you have POS systems, the criminal payoff and ensuing risks can be even greater.
	 ✓	Well-resourced: Governments, organized crime, terrorist groups, and other well-funded organizations are behind advanced threats. The sponsors of these groups provide them with financial means, technical talent, and intelligence-gathering capabilities that enable their success.
	 ✓	High degree of organization: Advanced threats operate more like military units than hacking clubs. They have well-defined leadership structures and operate very efficiently. They’re organized around their mission.
	 The advanced threat is unlike any risk faced by previous
generations of IT and security professionals. Organizations,
individuals, and POS systems targeted by advanced threats
are at the receiving end of a formidable attack, and you must
organize your defenses accordingly.
Understanding Attacker Motivations
Many different types of advanced threat actors exist, and each
one has different motivations. The common driving forces
behind advanced attacks include the following:
	 ✓	Cybercrime: Many advanced attackers simply seek financial gain. They seek to steal money, obtain information, or hijack computing resources in an attempt to achieve a windfall.
	 ✓	Hacktivism: Other advanced attackers seek to use their hacking skills to advance a political agenda. They typically engage in denial of service attacks and website defacements designed to embarrass or disrupt their target.
	 ✓	Cyberespionage: Attackers in this category seek to steal
information to gain a political, economic, or military
advantage, which can often be funded and directed by
nation-state governments.
	 ✓	Malicious insiders: Advanced attackers aren’t necessarily limited to outsiders. For example, consider a disgruntled employee looking to steal information and sell it to a competitor or perform some type of sabotage.
The types of attackers targeting a specific organization depend
on that organization’s mission and its global reputation.
Executing Attacks in POS Environments
Advanced attacks can be carried out against POS systems in
numerous ways. Given the network, application, and other
corporate complexities involved in POS environments, the
potential attack vectors are virtually endless. However, all
attacks do have some common themes, shown in Figure 3-1,
that you need to be aware of.
Figure 3-1: How cybercriminals launch advanced
attacks against POS systems.
These themes include the following:
	 ✓	Vulnerability: Advanced malware attacks often start with
something as basic as weak passwords, missing software
patches, and the general gullible tendencies of users.
	 ✓	Method: Advanced malware injects itself into memory, collects desired information (for example, credit card track data), exfiltrates the data to another system, and uses a command and control (C&C) system for further actions as needed.
	 ✓	Involvement of additional systems: In most cases, the captured data is exfiltrated from the POS system to another system within the targeted environment for aggregation and then uploaded to a remote system, which reduces the chances of detection.
	 ✓	Opportunistic: POS malware families are very targeted and
opportunistic and in many cases aren’t detectable with
traditional antivirus detection. Advanced malware families
continue to evolve as evasion techniques improve with
several versions of each family in existence. This evolution
helps to explain the continued difficulties in detecting and
preventing this malware using traditional security controls.
	The latest POS malware to make the news is being referred to as Backoff. Backoff is a family of retail-focused malware that has been witnessed recently in multiple forensic investigations, including those in the high-profile retail breaches. The malware typically consists of RAM scraping, keylogging, command and control, and process injection. A Backoff malware attack is what is often referred to as a stage-two attack. In this context, this means that Backoff is leveraged after attackers force their way in through remote desktop applications — typically via a weak Windows operating system password. After the attackers have accessed the remote desktop, they begin reconnaissance for any POS devices and attempt to install Backoff or similar POS malware on those systems. Even though attackers can take control of every other application in the attack chain, your POS system can be made safe and malware-free by putting the proper security controls in place such as the positive security model technologies that Bit9 + Carbon Black offers.
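The stage-one step in that chain, a remote desktop logon forced through a weak password, leaves a recognizable trail in the Windows Security log: a burst of failed logons followed by a success from the same source. The detection logic below is an added example for this edition, not code from the book or from any product. The event records are constructed tuples that mirror the fields of Windows event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, which is what RDP produces); the tuple layout itself is an assumption made for the example and not a real log format.

```python
"""Detecting a brute-forced remote desktop logon from Windows logon events.

Added example, not from the book. Events are constructed tuples of
(timestamp, event_id, logon_type, user, source_ip). Event 4625 is a failed
logon, 4624 a successful one; logon type 10 is RemoteInteractive (RDP).
An alert fires when a source reaches `threshold` failed RDP logons within
`window` and then logs on successfully via RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers the terminal at 02:14 and gets in;
# a store manager mistypes once at 09:00 and then logs on normally.
EVENTS = [
    ("2015-01-10T02:14:01", 4625, 10, "posadmin", "203.0.113.7"),
    ("2015-01-10T02:14:03", 4625, 10, "posadmin", "203.0.113.7"),
    ("2015-01-10T02:14:05", 4625, 10, "admin", "203.0.113.7"),
    ("2015-01-10T02:14:08", 4625, 10, "posadmin", "203.0.113.7"),
    ("2015-01-10T02:14:10", 4625, 10, "posadmin", "203.0.113.7"),
    ("2015-01-10T02:14:12", 4625, 10, "posadmin", "203.0.113.7"),
    ("2015-01-10T02:14:20", 4624, 10, "posadmin", "203.0.113.7"),
    ("2015-01-10T09:00:00", 4625, 10, "storemgr", "10.0.5.20"),
    ("2015-01-10T09:00:15", 4624, 10, "storemgr", "10.0.5.20"),
    ("2015-01-10T09:30:00", 4624, 2, "cashier1", "-"),   # local console logon
]

FAIL_THRESHOLD = 5          # failures before a following success is suspicious
WINDOW = timedelta(minutes=10)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source whose successful RDP logon was preceded
    by at least `threshold` failed RDP logons inside `window`."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent failures
    alerts = []
    for ts, event_id, logon_type, user, src in sorted(events):
        if logon_type != 10:
            continue               # only RemoteInteractive logons matter here
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
            # drop failures that have aged out of the window
            failures[src] = [f for f in failures[src] if t - f <= window]
        elif event_id == 4624:
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "source": src,
                    "user": user,
                    "failures": len(recent),
                    "success_at": ts,
                })
            failures[src].clear()  # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS):
        print(alert)
```

The failure count is kept per source rather than per account so that password spraying across several user names, as in the constructed sample where "admin" is tried alongside "posadmin", still counts toward the same alert. The threshold and window are tuning knobs; the store manager's single typo stays well below them and produces nothing.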
Can Chip & PIN prevent advanced attacks?
One of the security controls being suggested as a solution to the POS security problem is EMV, or Chip & PIN, technology. EMV, which stands for Europay, MasterCard, and VISA, is a decades-old global standard for integrated circuit cards with embedded microprocessor chips that store and protect cardholder data contained within a metallic square on the card. EMV Chip & PIN has yet to be adopted in the United States, although that is expected to change in 2015.
EMV technology helps protect the card data that’s collected by POS systems, which will be locked up tight, deterring criminals from attempting to use physical card readers and skimmers. However, it’s not a silver bullet in the effort to protect sensitive data from compromise and to solve the POS problem completely. Other areas within the typical payment systems expose both card and customer data.
Many of the well-publicized large-scale POS system breaches targeted the software that was responsible for processing the credit card transactions as well as collecting customer information such as user IDs and personally-identifiable information. Many organizations still house a treasure trove of this information on their back-end processing systems and servers that will still be prime targets. This information can even end up in log files, data backups, and on poorly-secured workstations and other endpoints, creating unnecessary risks.
Criminals may also turn to other techniques to use the technology shift to their advantage, such as the recent surge of “replay” attacks. In these attacks, criminal hackers were using recently stolen credit card information to spoof transactions on the credit card networks as chip-enabled transactions. Even in the European marketplace, where Chip & PIN has been in place for years, the tone regarding POS security is no different. The threat of data compromise on POS systems and the risk to sensitive data is taken just as seriously.
Having additional locks on the door (like EMV/Chip & PIN) is a great addition to your arsenal of protection, but you also need to make sure you have a real-time perspective on your systems. You need to take control of the data where it’s processed and resides but you also need the ability to take proactive measures in the event a security breach happens in your POS environment.
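The sidebar's point that card data ends up in log files and backups is exactly what the DLP control listed in Chapter 2 is meant to catch for data at rest. The scanner below is an added example for this edition, not code from the book or any vendor: it looks for primary account number (PAN) candidates in application log lines, uses the Luhn check digit to separate card numbers from other long digit strings such as order numbers, and reports each hit masked rather than in the clear. The log lines are constructed; 4111111111111111 is a widely published test card number, not a real account.

```python
"""Finding stored card numbers (PANs) in application logs, a DLP-style
check for data at rest. Added example, not from the book or any product.
Candidates are 13-19 digit runs, optionally separated by single spaces or
dashes; the Luhn check filters out order numbers and timestamps that
happen to be long digit strings. Findings are reported masked so the
scanner's own output is not another place the PAN is written down.
"""
import re

# A run of 13 to 19 digits with optional single space/dash separators,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. 4111111111111111 is a published test number.
LOG_LINES = [
    "2015-01-10 12:01:44 INFO  sale lane=3 order=1234567890123456 amount=19.99",
    "2015-01-10 12:01:45 DEBUG auth request pan=4111111111111111 exp=1703",
    "2015-01-10 12:01:46 DEBUG auth request pan=4111-1111-1111-1111 exp=1703",
    "2015-01-10 12:02:10 INFO  receipt printed for order 1234567890123456",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, the usual truncation rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return [{line, masked}] for every Luhn-valid PAN candidate found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "masked": mask(digits)})
    return findings


if __name__ == "__main__":
    for hit in find_pans(LOG_LINES):
        print(f"line {hit['line']}: {hit['masked']}")
```

The order number in the constructed sample has sixteen digits but fails the Luhn check, so it is not reported; without that filter a scanner of this kind drowns in false positives on any retail log. The debug line that logged the PAN in the first place is the real finding, and the fix is to stop the application writing it, not only to clean the log.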
Chapter 4
Recognizing Current Limitations in Point-of-Sale Protection
In This Chapter
▶	Understanding the limitations of traditional antivirus
▶	Looking at the considerations for host intrusion prevention
▶	Responding to threats quickly to stop malware outbreaks
The major retail security breaches have brought the traditional point-of-sale (POS) security model into the spotlight. Simply put — it doesn’t work. Criminal hackers have the upper hand with their advanced malware attacks. Many of the existing antivirus controls are ineffective at best. Incident response times are getting longer — the very scenario you don’t need when your POS systems come under attack.
In this chapter, we discuss the limitations of current POS security
controls, outline how to match the new threats with new security
capabilities, and show you how you can respond to advanced
malware attacks more efficiently to produce the results you desire
and to minimize the security risks in your POS environment.
Antivirus Software Limitations
Antivirus software, first introduced in the mid-1980s, is used to detect, prevent, and remove malicious software (malware) such as viruses, worms, spyware, and Trojan horses. This traditional security control — still in widespread use today — was pretty good at detecting and blocking known malware. Antivirus software simply matched questionable threats to a signature database of known malware and — voila! — the threats were blocked. The problem with a signature-based approach is that it doesn’t provide an effective defense against advanced malware where the threats are unknown and often targeted to specific types of computers and applications such as those in POS environments.
	 Heavy dependence on POS systems combined with advanced
malware that can evade traditional antivirus controls creates
the perfect storm for network compromise.
Signature-based scanning
Antivirus software’s major weakness is that it depends on
signature-based scanning. Because antivirus software relies
on identifying signatures in the files it scans, it is not an
effective tool when confronted with unknown malware. If
the antivirus software doesn’t yet have a signature for a file
that’s found its way onto the system, that malware won’t be
detected and will be able to run freely.
	In light of the rapidly-morphing malware landscape, keeping blacklist signature databases updated has become unsustainable for traditional antivirus software providers.
In a POS environment, antivirus software scans the systems for the presence of these malware signatures. Any file suspected to contain malware may be deleted, quarantined, or repaired to prevent system infection. The issue with this approach is that advanced attackers often leverage zero-day attacks for which there’s no signature available. Attacks that are previously unknown to the security community will be able to slip right past a signature-based detection system. Additionally, malware authors can make very minor changes to their code that prevents it from matching existing signatures, rendering it undetectable by signature engines.
Performance impact
Antivirus software must analyze each and every bit stored on a system’s storage devices and in its memory, looking for the presence of malware signatures. Given how quickly signature databases are growing, this scanning is resource-intensive, requiring the use of disk bandwidth, memory, and CPU capacity. When a malware scan runs on a system, the scanning software may have a noticeable performance impact on user activity — an undesirable side effect on POS systems.
Specifically, scanners must check every file on the system, not just those that are likely to be threats. The scanner must check the entire contents of each file, looking for signs of malware. In a retail setting, store system administrators can schedule scans during idle periods, but that leaves large chunks of time when no scanning is taking place. If scheduled scans occur during operating hours, they could result in unacceptable disruptions to customer service. When users experience these issues, they’re more likely to attempt to disable or circumvent the security control that’s interfering with their work.
	Point-in-time scanning can be bad for business. Due to the performance impact of antivirus software conducting full system scans, these scans are usually scheduled to occur daily or weekly. These scans are often during evening hours when the scans won’t impact normal user activity due to CPU, hard drive, and memory utilization. Even with POS systems running with the most advanced processors, solid state drives, and more memory than you can shake a stick at, system performance is still impacted by full antivirus scans. Not only are performance issues detrimental to POS transactions, but also such point-in-time scanning provides a threat window where malware can run uninhibited between scans.
Host Intrusion Prevention
Certain IT administrators and security managers rely on host
intrusion prevention systems to supplement the protection
provided by antivirus software. These packages, also known
as behavioral host intrusion prevention systems (BHIPS),
monitor activity on a system for malicious actions on the
part of executable files. Unlike antivirus software, BHIPS don’t
rely on a database of known malicious software. Instead they
monitor POS systems over time, develop a model of normal
activity and then flag deviations from normal behavior for
administrator review.
In theory, BHIPS are the ideal supplement to antivirus software in POS environments because they have the potential to detect — and block — advanced threats in real time. However, in practice these systems require an excessive investment of time and effort to fine-tune and maintain. They also have very high false-positive rates, triggering alerts on non-malicious activity. The combination of these two limitations often results in administrators and users disabling BHIPS capabilities because of the time spent maintaining them and responding to false alarms.
	The last thing you need in your POS environment is a security control such as BHIPS creating false alarms and blocking legitimate business transactions.
Furthermore, the information provided by BHIPS is often too shallow for useful analysis. It doesn’t tell where unknown executable files were spawned and often doesn’t provide historical data that facilitates the time-based analysis required by security analysts. The model used by behavioral systems is also not capable of incorporating external information containing the latest threat intelligence. Furthermore, stand-alone host-based systems can’t assess network effects or correlate multiple reports received from systems across the POS environment.
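To make the behavioral model and its false-positive problem concrete, here is an added example for this edition (not code from the book or from any BHIPS product) of the simplest such model: learn which parent-to-child process relationships are normal on a POS terminal during a training period, then flag relationships never seen before, with a higher severity when a flagged child goes on to spawn something new itself. The process names and events are constructed; the last live event is a legitimate vendor change that the model cannot distinguish from an attack, which is why these systems need an exceptions list and ongoing tuning.

```python
"""A minimal behavioral host model: baseline of normal parent->child process
relationships, then deviation scoring. Added example, not product code.
All process events are constructed; (parent, child) pairs stand in for the
richer event data a real BHIPS collects.
"""

# Constructed training events from a period of normal store operation.
TRAINING = [
    ("explorer.exe", "pos.exe"),
    ("pos.exe", "receiptprint.exe"),
    ("services.exe", "posupdater.exe"),
    ("posupdater.exe", "msiexec.exe"),
] * 20

# Constructed events from a later day. The last one is a legitimate change
# (the vendor switched installers) that the model has never seen.
LIVE = [
    ("explorer.exe", "pos.exe"),
    ("pos.exe", "cmd.exe"),            # the POS app never spawned a shell before
    ("cmd.exe", "svchost.exe"),        # chained from an already-flagged child
    ("services.exe", "posupdater.exe"),
    ("posupdater.exe", "setup.exe"),   # benign, but new: a false positive
]


def learn_baseline(events, min_count=2):
    """Keep relationships observed at least min_count times during training;
    one-off sightings are treated as noise rather than as normal behaviour."""
    counts = {}
    for pair in events:
        counts[pair] = counts.get(pair, 0) + 1
    return {pair for pair, n in counts.items() if n >= min_count}


def score_events(events, baseline, exceptions=frozenset()):
    """Return deviations from the baseline in event order. Severity is
    'high' when the parent was itself the child of an earlier deviation,
    which is the chain a reviewer would want to see first."""
    flagged = []
    suspicious_parents = set()
    for parent, child in events:
        if (parent, child) in baseline or (parent, child) in exceptions:
            continue
        severity = "high" if parent in suspicious_parents else "medium"
        flagged.append({"parent": parent, "child": child, "severity": severity})
        suspicious_parents.add(child)
    return flagged


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING)
    for hit in score_events(LIVE, baseline):
        print(f"{hit['severity']:6} {hit['parent']} -> {hit['child']}")
    # After an administrator confirms the new installer is legitimate:
    tuned = score_events(LIVE, baseline,
                         exceptions=frozenset({("posupdater.exe", "setup.exe")}))
    print(f"{len(tuned)} deviations remain after tuning")
```

The model has no idea that `setup.exe` is a legitimate installer and `cmd.exe` under the POS application is not; both are simply absent from the baseline. Every such benign change costs an administrator a review and an exceptions entry, which is the maintenance burden the text describes, and the model still answers none of the questions the next paragraph raises about where an unknown file came from or what happened on other terminals.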
Incident Response Services
When organizations find that they’ve fallen victim to a sophisticated cyberattack, they often retain the services of a firm that specializes in security incident response. These firms bring together teams of experts in a variety of security disciplines to quickly assess the incident, contain the damage, and restore the organization to secure working order as quickly as possible.
While these services are often invaluable when responding to a security incident, they’re also quite expensive and available only for a limited duration of time. After the incident is resolved, the expert team leaves, and maintaining system security is once again incumbent on the organization’s IT and security staff. You need to be careful in your approach to malware attacks and not rely completely on these response services.
Limited data availability
Information systems generate massive amounts of data and
are capable of logging extremely detailed records about
their activity. These logs often contain critical information
necessary to reconstruct the events that took place during a
security incident. Responders depend on the availability of a
detailed audit trail to identify how an intruder gained access
to a network, the scope of their activities, and the data that
they may have stolen.
	 You know your network environment better than anyone else.
When a breach impacts your POS systems, you can’t just hand
over the reins to a third-party. You need to be prepared to be
intimately involved in the response process: to ask questions
of the incident response team, to answer their questions, and
to ensure everything is being addressed in the best interests
of your organization.
One of the major limitations of incident response services is that it’s more than just collecting data — it’s about collecting the right data and having a suite of tools available that allows you to understand it in context. When an incident occurs, the response is hampered by the lack of visibility into system events that took place while the attack was under way. Responders want to be able to quickly understand the relationships between systems and trace the spread of malicious files within the enterprise. Without purpose-specific tools in place before a breach, gathering all the data necessary for an effective incident response could take weeks or months.
Limited scope
When an incident response team arrives at an organization, they have a clearly defined scope of services. This is normally limited to identifying the circumstances surrounding a particular security incident and remediating the vulnerabilities that contributed to that incident.
Incident response teams often use sophisticated forensics analysis and response tools that are licensed to the incident response firm. They don’t leave these tools behind for you to use on an ongoing basis. In cases where the tools are open source or the organization opts to purchase a license, the incident response firm wouldn’t normally integrate them into your normal IT and security operations.
Home-grown tools
Many companies, and even some incident response firms, rely
on the use of custom-developed tools that have been handed
down through the ranks of incident responders. While they
may be effective, they’re the IT equivalent of duct tape and
chicken wire. There’s rarely any documentation or knowledge
transfer on how to use such tools outside of one or two people.
Expertise required
Incident response is a specialty skill and experienced professionals are highly sought after and very well compensated. Only the largest organizations are able to maintain a full-time incident response staff, making it difficult to maintain incident response tools on an ongoing basis.
Non-continuous approach
Traditional incident response activities are targeted at a very
specific activity instead of designing the type of continuous
monitoring program that’s essential to maintaining security in
the age of advanced attacks. The alternative — and the only
proven approach — is to implement a solution that allows for
real-time continuous recording of POS systems activity.
Matching New Threats with New Capabilities
Organizations seeking to maintain secure POS operations in this risk-laden environment must maintain a set of security controls designed to meet today’s threats instead of those that were deemed adequate in years past. A new way of thinking is required and some important security decisions need to be made.
Responding quickly
Conventional security defenses are too slow. No matter how dedicated and talented they are, IT and security staff simply can’t keep up with the volume of data flowing through the enterprise — especially in complex POS environments. Security systems such as intrusion prevention systems, firewalls, security information and event management (SIEM) systems, and antivirus software generate massive amounts of information that adds to the overload. Many businesses experience hundreds, or even thousands, of alerts each day and simply don’t have the staff to respond to them all or to triage them to a manageable level.
Not only must you find a way to respond to this information overload, but also you must do so in a rapid manner. It’s true that a cybercriminal may take months to identify targets, develop specialized malware that exploits specific vulnerabilities in targeted systems, and install command-and-control capabilities on targeted systems. Despite this, most advanced attacks aren’t detected or stopped in time to prevent theft or damage.
	 You’ve heard the saying “When seconds count, the police
are only minutes away.” The same goes for security threats
against your POS environment. Time is of the essence.
Without good information, it’s hard to respond efficiently to
advanced attacks.
After an attacker successfully infiltrates a system, the
actual theft of data can take place rapidly. Massive amounts
of information can be stolen in mere minutes or seconds.
Security systems must be capable of quickly identifying an
attack in progress and taking automated action to prevent
damage.
	In addition to reducing the delay in initiating a response, security systems should increase the efficiency of response staff. In some cases, enterprises implementing next generation security tools have been able to achieve significant time savings. With the new technology, one guy in one hour can do what it used to take ten guys ten days to do.
Detecting potential threats automatically
The modern threat operates faster than any incident response team can analyze and react to information. Security technologies that are configured to require administrator intervention before a response occurs are ineffective because the time taken by the administrator to analyze the attack may be longer than the short duration of the attack itself. Given the cardholder data that’s at risk, this time window is especially crucial for attacks against POS systems.
Effective security controls must be capable of autonomous
operation. This doesn’t mean that you don’t need trained
security staff; it simply means that they should be spending
their time installing, maintaining, and monitoring automated
response controls instead of conducting security response
manually. Even the best security tools must be custom-tailored
to the unique operating environment of your organization and
that’s where well-trained IT and security professionals can
lend valuable expertise.
Stopping malware execution
Embedding automated detection techniques in your environment is the first barrier to advanced threats, but successfully protecting your organization’s security requires actually blocking and preventing suspicious software execution until the issue is resolved on the affected POS systems. Unless and until you have the proper means for stopping the actual execution of malware, there’s work to be done.
Chapter 5
Solving the PCI Challenge for Point of Sale
In This Chapter
▶	Using PCI compliance as a baseline for POS security
▶	Shifting toward proactive security control
▶	Looking at PCI’s prioritized approach for POS security
The Payment Card Industry Data Security Standard (PCI DSS) was created to set a standard for controls that protect credit card data used in transactions, stored in databases, and transmitted over systems — all of which are included as functionality on most point-of-sale (POS) devices. This coverage means that the majority, if not all POS systems, are covered under the PCI DSS compliance requirements.
	 Not only do you have to ensure that your POS systems are
continually compliant with PCI but also that security controls
are in use and actively protecting the credit card data they
process and/or store.
In this chapter, we discuss the benefits of utilizing PCI DSS as a continuous measuring stick to gauge the effectiveness of POS security. We also outline how the theme shift of the recent version of PCI DSS — version 3.0 — can have a positive influence on the goal of ensuring a continuous security measure for POS systems.
PCI DSS as a Measuring Stick
The threats to sensitive data on POS systems have been growing rapidly ever since PCI DSS was put into action. With that growth, there’s been a tendency among businesses and auditors to measure POS security effectiveness directly against the requirements within the PCI standard note for note.
The end goal for POS systems should be the most effective security program to protect sensitive data rather than a compliance check mark. Compliant doesn’t always mean secure, and a mere checklist of requirements does not get your POS systems to a “final” state of security.
The “just get by” approach is being called out, so to speak. When aligning POS security with the current PCI requirements, consider the industry-accepted recommendations:
	 ✓	Don’t underestimate the effort involved. PCI compliance
requires time, money, and executive sponsorship. It needs
to be part of everybody’s job — application developers,
system administrators, executives, and even staff in shops
and call centers — not just left to the IT security team.
	 ✓	Make compliance sustainable. An organization must
complete thousands of tasks throughout the year to stay
compliant. To be sustainable, compliance needs to be
embedded in “business as usual” as an ongoing process.
	 ✓	Think of compliance in a wider context. The best thing you can do to simplify your PCI compliance workload and achieve real security is to put your compliance program within your wider governance, risk, and compliance (GRC) strategy.
	 ✓	Leverage compliance as an opportunity. Done properly, PCI compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate additional equity. Think of it as an opportunity rather than a burden.
	 The task at hand may seem daunting when you consider all the
variables that need to be considered for POS systems in the
current threat landscape. However, if you step back and take a
look at the new requirements in PCI DSS 3.0 from a prioritized
perspective, figure out what controls you need to address first, and address the ones that have the greatest effect on your critical business processes, it’s not as complicated as it may seem.

After you have the critical controls in place, think about how to prove that the controls are actually doing what they are supposed to be doing. You will have the answers to the compliance questions that come up during audits, and you will put your POS systems in a better state of security.
PCI’s Shift toward Application Control

One of the biggest changes in the PCI DSS 3.0 standard is the move toward being more proactive when it comes to measuring your security controls. For POS systems, this involves ensuring that the information used to measure both the compliance and security status is as close to real time as possible while focusing the analysis on a smaller subset of data.

The first validation shift that can help to enable compliance and improve security posture is a move from negative to positive security. With this model, rather than blocking the attacks that are known to be bad, you allow the transactions that are known to be good. This shift provides continuous compliance and full protection while enabling real-time visibility of your in-scope PCI assets. You’ll get a better hold on measuring risk, verifying controls, and continuously monitoring security. The addition of approval trust-based security positioning will enable merchants with POS systems to reduce the administrative costs of normal pre- and post-compliance analysis, free up endpoint system processing power, and protect systems after critical patch support has ended.

Moving POS endpoints into a positive security posture helps to lower administrative effort, reduces scope, and enhances performance. It allows focus on the “known good” rather than a list of things that are bad, and eliminates the need to constantly scan the POS endpoint to detect malware. Positive security easily exposes and enforces the adherence to compliance while protecting POS systems by placing them in a default-deny state, where anything that’s not part of the trust-policy cannot execute.
Merging Compliance Policy with Security Controls

The convergence of security controls with compliance policies has been gradual. It hasn’t always been a natural synergy for security and compliance to work together in this way. When it comes to measuring the true security posture of POS systems, there are many benefits to using PCI DSS as a guide to implementing such controls. The ideal outcome is a convergence of compliance and security providing active intelligence — providing answers on the enforcement of the audit controls and also on the current security posture and risk.

Many PCI controls can be used to help synchronize the compliance evidence with the security metrics. For POS systems, a positive solution must

✓ Require very few system resources
✓ Proactively drive a security policy to the endpoints by allowing only trusted applications to run
✓ Detect, identify, rank, eliminate, and block malicious software

In addition, a positive security solution can

✓ Provide visibility into what’s happening on all IT assets
✓ Categorize the risks, without relying on signatures
✓ Verify and scrutinize the security controls
✓ Perform continuous monitoring of these controls
✓ Provide reports that enable IT to take proactive, corrective actions and/or prove compliance

Ensuring Ongoing PCI Compliance

By placing POS systems into a positive security posture, measured against a trust-policy (only the software you trust can run on your enterprise systems), you will be able to continuously monitor and record all activity on your POS systems and other corporate endpoints for real-time detection and
denial of unauthorized software. You will be able to monitor the state of compliance at any given point within the assessment process to ensure that compliance really does equal the true state of security.

There are other benefits to a trust-based application control environment that can bring you closer to continuous PCI compliance. You will be able to

✓ Build intelligence around all of your file assets, including their prevalence, trust rating, and inherited vulnerabilities
✓ Report on any asset for an audit, a pre-compliance assessment, or security intelligence gathering
✓ Meet file integrity monitoring, control, and audit trail rules with continuous, real-time file monitoring
✓ Protect your critical configuration files from unauthorized changes
✓ Enforce your trust policies whether your systems are online or offline
✓ Focus only on those events that are relevant to your business and lower the cost of obtaining compliance data against a smaller dataset
PCI DSS 3.0’s effect on POS security

PCI DSS 3.0 has had a substantial effect on the security of POS systems. Under this latest version of the PCI standard, POS systems are scrutinized much more than in the past. When assessing POS systems for security and compliance, keep these three main theme changes in mind:

✓ You must be able to identify, detect, and alert on any change to critical data.
✓ You must ensure protection and PCI compliance at all integration points with the POS systems.
✓ You must protect POS systems from threats, including those systems that haven’t traditionally been affected by malware.

PCI DSS is very clear in what’s required of organizations when securing the POS environment. Every situation is unique. However, POS systems that store or process cardholder data likely fall within the scope of compliance requirements.
Mirroring the PCI Prioritized Approach

The PCI DSS Prioritized Approach is a culmination of all the individual PCI requirements divided into six key milestones for businesses to consider. It provides guidance on how to focus on PCI DSS implementation and helps to reduce risk to the cardholder data environment as early on as possible within the compliance process.

Multiple benefits exist with mirroring the PCI Prioritized Approach when addressing security controls on POS. Table 5-1 shows four of the concentration areas you can benefit from.

Table 5-1  Benefits of the PCI DSS Prioritized Approach

PCI DSS Priority Area                         The Positive Security Fit
Protect systems and networks                  Protection: Anti-malware and stopping advanced persistent threats (prevention)
Secure payment card applications              Risk measure: Measure PCI and security risk and assess vulnerabilities (detection, visibility, prevention)
Monitor and control access                    Monitoring critical systems (visibility, response)
Ensure all compliance controls are in place   Enforcement: Prove security policies and device control (visibility)
Chapter 6
Deploying Proactive Point-of-Sale Security

In This Chapter
▶ Defining your unique requirements
▶ Understanding the Security Maturity Model
▶ Managing your smart policies
▶ Working with other security products

Now’s the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems.

In this chapter, we discuss defining your unique requirements, assessing how the Security Maturity Model fits in, managing your ongoing smart policies, and ensuring your POS security controls work well with other security products on your network.

Defining Your Requirements

Not only does every organization have unique security requirements, but so does every POS environment. As you move toward selecting a POS threat detection, response, and prevention product, you should identify the requirements that are most important to your business and meet your specific needs.

If you choose to conduct a request for proposal (RFP), you need to define these requirements well to solicit useful proposals from prospective vendors. Even if you don’t go the
RFP route, it’s helpful to know what you’re seeking before you begin evaluating products. Otherwise, you may find yourself in a “you don’t know what you don’t know” situation that you don’t want to be in. As you set out on the path to selecting a POS security product, consider these key requirements:

✓ Visibility: Choose a product that allows you to record your environment continuously in real time. This real-time visibility fuels detection, response, and prevention. The more items of relevance — memory operations, parent processes, registry access — the better.

✓ Detonation capabilities: Choose a product that doesn’t lock you in to a single vendor. If you want to integrate with an existing detonation (the ability to execute suspect malware in an isolated virtual machine) or next-generation firewall product, make sure that the threat protection vendor has experience with that integration. Look for products that both take in information from detonators and can also push data out to those detonators.

✓ Enforcement capabilities: Your POS protection solution should provide you with a wide range of possible responses to a threat, including banning files by name or hash value and/or extracting suspect files from the system.

✓ Lightweight agent: Users don’t want a heavy agent installed on their POS systems. Your goal should be to find a product with a lightweight agent that helps you identify security threats and respond to them appropriately. Defense without business/productivity disruption is a fundamental goal.

✓ Phased approach to default deny: Flexible threat detection, response, and prevention solutions allow you to work your way toward a default deny approach (blocking everything from the get-go) in a manner consistent with the culture and operating environment of your organization by allowing
  • Your other chosen strategies to naturally impart trust
  • You to see how far that gets you in terms of measuring risk and assessing operational impact
  • You to target low-hanging fruit that gets you one step closer
✓ Signature-less detection: Your chosen solution should use a wide variety of data sources and detection approaches when evaluating suspicious files. You want to avoid signature-based approaches that are vulnerable to zero-day attacks. Ideally the product has a rules engine or API that lets you and your staff participate in the creation of new detection mechanisms. A vendor may even enable the sharing of security knowledge within its customer base and make that information available in the form of rules and policies.

✓ Efficient, high-value reporting and administration: The solution should provide you with standard templates and practices for getting information and actionable items and allow you to build out your own approaches as well.

✓ Professional services with proven expertise in deploying protection: Most deployments of POS security software take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security software in organizations similar to yours.

By spending the time and effort thinking about what you really need on the front end, you can maximize the value of your POS security software deployment for years to come.

Understanding the Security Maturity Model

As you prepare to select and deploy proactive POS security protection, it’s a good opportunity to assess the current state of your organization’s information security. The following four areas help you determine the “maturity” level of your program:

✓ Oversight
✓ Technology
✓ Process
✓ People
For each area, you answer a series of questions that are compiled into functional area ratings and then overall ratings for each category. The maturity of your organization on each dimension is then assigned one of the following ratings:

✓ Nonexistent (0)
✓ Ad hoc (1)
✓ Repeatable (2)
✓ Defined (3)
✓ Measured (4)
✓ Optimized (5)

Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical environment and culture, bringing you value regardless of where your organization lies on this spectrum.

Managing Smart Policies

Signature-based detection is simply not effective against advanced threats for POS systems. While some people say that the alternative — whitelisting or application control — is too hard, they’re not correct. These people think of whitelisting as a long list of appropriate files, but it’s bigger — and better — than that.

Smart policies aren’t plain old “lists.” They’re covering mechanisms that catalog metadata, patterns, and system information to help detect nefarious behavior. They then impart trust to each of those items. Simply put, smart policies are a short list of observations and actions that describe a system state as positive, negative, or neutral. Smart policies distill application control and attack detection into an understandable and manageable task. That’s why they’re so valuable!
Do you trust all of the applications contained within your main software repository? If so, you can express that trust using a single smart policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust in a smart policy as well. If you receive threat intelligence reports that rate a given binary file as “middling” and requiring further investigation, a smart policy can also handle that situation.

Smart policies can overlap, which means that multiple smart policies can apply to a single file. POS security systems allow this to occur and come to conclusions about a suspect piece of malware by taking all of the trust ratings into account. Next-generation security products allow you to express policies as imparting trust on a spectrum.
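As an added example (not code from the book or from Bit9 + Carbon Black), the following Python sketches how the overlapping smart policies just described can impart trust on a spectrum and be combined under default deny: a trusted repository, a distrusted browser download, a “middling” threat-intelligence rating, and a banned hash that vetoes everything else. Every path, hash, publisher name and score in it is constructed for the demonstration.

```python
"""Toy evaluator for overlapping "smart policies" under a default-deny model.

Added example: this is not code from the book or from Bit9 + Carbon Black.
Every path, hash, publisher name and threat-intelligence score below is
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One executable observed arriving on, or starting on, a POS endpoint."""
    path: str
    sha256: str                        # constructed placeholder, not a real digest
    origin: str                        # "repository", "browser", "usb" or "unknown"
    publisher: Optional[str] = None    # code-signing publisher, if the file is signed
    intel_score: Optional[int] = None  # 0 (clean) .. 100 (malicious); None = no report


@dataclass(frozen=True)
class SmartPolicy:
    """An observation (matches) plus the trust that observation imparts.

    trust is a point on a spectrum from -100 (fully distrusted) to +100
    (fully trusted). A veto policy, such as a banned hash, denies the file
    regardless of what the other applicable policies say.
    """
    name: str
    matches: Callable[[FileEvent], bool]
    trust: int
    veto: bool = False


@dataclass(frozen=True)
class Verdict:
    action: str               # "allow", "review" or "deny"
    score: int                # combined trust of the applicable policies, clamped to [-100, 100]
    applied: Tuple[str, ...]  # names of the policies that matched


ALLOW_AT = 50    # combined trust at or above which the file may execute
DENY_AT = -50    # combined trust at or below which execution is blocked


def evaluate(event: FileEvent, policies: List[SmartPolicy]) -> Verdict:
    """Default deny: a file runs only when enough overlapping policies trust it."""
    applied = [p for p in policies if p.matches(event)]
    names = tuple(p.name for p in applied)
    if not applied:
        # The trust-policy says nothing about this file, so it cannot execute.
        return Verdict("deny", 0, names)
    # Overlapping policies all contribute; trust and distrust offset each other.
    score = max(-100, min(100, sum(p.trust for p in applied)))
    if any(p.veto for p in applied):
        return Verdict("deny", score, names)
    if score >= ALLOW_AT:
        return Verdict("allow", score, names)
    if score <= DENY_AT:
        return Verdict("deny", score, names)
    return Verdict("review", score, names)   # the "middling" case: hold for investigation


def evaluate_all(events: List[FileEvent], policies: List[SmartPolicy]) -> Dict[str, str]:
    """Map each event's path to the action the policy set decides."""
    return {e.path: evaluate(e, policies).action for e in events}


# Constructed ban list and trusted publisher used by the demo policies.
BANNED_HASHES = {"sha256:constructed-banned-01"}
POS_VENDOR = "Example POS Vendor (constructed)"

POLICIES = [
    SmartPolicy("trusted-repository", lambda e: e.origin == "repository", +80),
    SmartPolicy("signed-by-pos-vendor", lambda e: e.publisher == POS_VENDOR, +60),
    SmartPolicy("browser-download", lambda e: e.origin == "browser", -60),
    SmartPolicy("removable-media", lambda e: e.origin == "usb", -40),
    SmartPolicy("intel-middling",
                lambda e: e.intel_score is not None and 40 <= e.intel_score <= 70, -40),
    SmartPolicy("intel-malicious",
                lambda e: e.intel_score is not None and e.intel_score > 70, -100, veto=True),
    SmartPolicy("banned-hash", lambda e: e.sha256 in BANNED_HASHES, -100, veto=True),
]

# Constructed sample of files seen on a register.
SAMPLE_EVENTS = [
    FileEvent(r"C:\POS\register.exe", "sha256:constructed-01", "repository", POS_VENDOR),
    FileEvent(r"C:\POS\updater.exe", "sha256:constructed-02", "repository", None, 55),
    FileEvent(r"C:\Users\cashier\Downloads\game.exe", "sha256:constructed-03", "browser"),
    FileEvent(r"C:\Temp\installer.exe", "sha256:constructed-04", "unknown"),
    FileEvent(r"C:\POS\helper.dll", "sha256:constructed-banned-01", "repository", POS_VENDOR),
    FileEvent(r"E:\tools\diag.exe", "sha256:constructed-05", "usb", POS_VENDOR),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = evaluate(event, POLICIES)
        matched = ", ".join(verdict.applied) or "no policy"
        print(f"{verdict.action:6} {verdict.score:5} {event.path}  <- {matched}")
```

Running it shows the repository-and-vendor-signed register binary allowed, the browser download and the uncovered file denied, the banned hash denied despite two trusting policies, and the “middling” updater held for review rather than silently allowed.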
Don’t take deployment flexibility lightly

When it comes to enterprise security, one size does not fit all. Your operations may be more staff-centric or more automation-centric or somewhere in the middle. Your software deployment strategy may depend upon trusted repositories and configuration agents, or be nonexistent altogether.

At the same time, your company culture may be open and permissive or more traditional and controlled. On top of that, you may want to focus more on detection — finding the bad guys — or more on prevention and the default deny strategy. Only you will know how these things work in your environment.

One thing’s for sure — you don’t want a vendor or specific product that tells you what to do and how to do it. Instead, you want one that looks at your requirements and environment and then works with you to develop the right approach.

You need to be able to fit multiple solutions into the various parts of your ecosystem, and you need product knobs and dials that custom-configure each one. And depending on how daunting this sounds, you need a services partner that can guide you efficiently and effectively. This stuff really does matter!
Integrating with Other Security Products

Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infrastructure, you should select products that fully integrate with your SIEM and allow the use of correlation rules.

Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule that works with events from a Snort intrusion detection system may or may not be effective with information gathered from a similar NetWitness product. When designing correlation rules, organizations should ask these questions:

✓ What types of threats do we want to monitor?
✓ What are the typical attack patterns for such threats?
✓ What are the sources and types of events currently being tracked within the SIEM?
✓ Which of these events are used most often in monitoring for potential threats?
✓ How often do investigations resulting from those events result in false positives?
✓ When investigating an event, what types of additional information does the analyst need?
✓ Are we collecting the right data to make incident response quick and conclusive?

Using these questions to guide event correlation across a variety of security products enhances your security capabilities in many ways. It can reduce the time it takes to prioritize alerts and investigate incidents from days to minutes. Investigations are further expedited by locating every instance of a suspicious file across your POS systems. You can then analyze files — both automatically and on-demand — that arrive on your POS systems to quickly determine their risk. Finally, you can ensure remediation by enforcing security policies that help in stopping an attack and preventing it from happening again.
Chapter 7
Ten Tips for Successful Point-of-Sale Security

In This Chapter
▶ Ensuring optimal defenses by using proven security controls
▶ Making sure your point-of-sale risks are minimized

Cybercriminals are getting increasingly sophisticated, and there’s no end in sight. The threats, risks, and compliance requirements associated with point-of-sale (POS) systems have become so challenging that IT administrators, security managers, and compliance officers are scrambling to find reasonable ways to get their arms around it all.

In this chapter, we give you ten ways you can more easily reach your POS security and compliance goals:

✓ Minimize the customer data you collect and store. Acquire and keep only the data required for legitimate business purposes and only for as long as necessary. When data is no longer of business value or relevant to security compliance, properly dispose of it. Shred paper documents and remove hard drives from your POS systems and related computers. You can even take your security efforts a step further by encrypting the sensitive data you collect on laptops, mobile devices, flash drives, and backup tapes. Encryption makes it more difficult for unauthorized parties to read the data in the event of loss or theft.

✓ Manage the costs and administrative burden of the PCI compliance validation process. Try segmenting your infrastructure among multiple teams to minimize the complexity and scope of compliance. Having full visibility
into all enterprise assets beyond your POS systems (for example, network hosts, applications, and databases) along with the necessary templates to determine PCI-relevant data gives you a snapshot of the corporate assets that are affected and helps minimize the compliance pains.

✓ Maintain PCI compliance throughout the checkout process to guard data against all the possible points of compromise. If you’re able to detect transactional data point infractions in real time and stop anything introduced into your infrastructure that’s outside of known software (such as advanced threats), you can ensure that transactional data (such as credit card numbers) is protected at every step along the way.

✓ Develop a strategy to protect your infrastructure on multiple levels. Eliminate every opportunity for cybercriminals to exploit your POS terminals, kiosks, workstations, and servers. The ability to collect endpoint information in real time provides you with the information to properly assess the risks. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.

✓ Maintain real-time inventory and actionable intelligence on all network systems, and control the overall security of your infrastructure to maintain PCI compliance. Employ multiple layers of security technology to stymie sophisticated hackers. Establish a baseline for the software that should reside on your POS and related systems. Schedule security patches on your own timetable and eliminate the need for constant profile scanning that can negatively impact the performance of your POS environment.

✓ Extend the life of your systems to keep them compliant. Often you can’t upgrade for extended support after an operating system’s end of life. By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach will keep you in the know — at all times — about what’s running on every in-scope system across your organization. Rather than guessing what’s compliant and what’s not, you can determine on a real-time basis if you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.
✓ Use real-time sensors to test your security system regularly. By maintaining continuous, real-time file integrity monitoring and control, you can protect critical configuration files from unauthorized changes and meet file integrity monitoring and audit trail rules associated with your POS systems. You’ll be able to identify all suspected vulnerabilities across your POS environment and proactively take action against specific types of files based on your organization’s policies. You can achieve complete visibility into all changes and vulnerabilities that software updates may introduce by incorporating employees’ file rights and approvals into your organization’s trust metrics. This increased visibility provides a wealth of information for penetration testing and will expose all known and potential vulnerabilities prior to those exercises. It will also help you determine which penetration tests to run because the coordinates can be created against a set of known possibilities rather than a negative set of data that can be difficult to decipher.

✓ Build measurable business intelligence around your business assets. By having good visibility into real-time file asset inventory information, you can build intelligence around all your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having such a high level of visibility enhances your ability to report on any asset at audit time or during pre-compliance assessments and security intelligence-gathering exercises, enabling you to take a proactive stance against anything running within your enterprise that’s deemed untrustworthy.

✓ Conduct regular audits of security measures, especially connections commonly used as gateways for attacks, and make appropriate adjustments. A full audit of all significant PCI data and the surrounding events associated with an attempted file alteration is necessary for auditors to quickly assess your compliance stance and produce the necessary reporting for PCI compliance validation.

✓ Educate employees about their role in data security. Inform all employees of the potential threats to customer data and the legal requirements for securing it. This should include designating an employee to serve as information security coordinator who is responsible for overseeing all security efforts. Having a clear security policy in place helps set expectations and guide employees on the proper use of data, creating a more secure environment.
Wiley End User License Agreement

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
Contenu connexe

Tendances

Kohls Recommendation Letter
Kohls Recommendation LetterKohls Recommendation Letter
Kohls Recommendation Letter
Paige Stepien
 

Tendances (7)

A Better Approach to Customer Retention
A Better Approach to Customer RetentionA Better Approach to Customer Retention
A Better Approach to Customer Retention
 
Narrartive report
Narrartive reportNarrartive report
Narrartive report
 
Kohls Recommendation Letter
Kohls Recommendation LetterKohls Recommendation Letter
Kohls Recommendation Letter
 
Українська Академія Лідерства
Українська Академія ЛідерстваУкраїнська Академія Лідерства
Українська Академія Лідерства
 
Gamification in Banking & Financials Examples
Gamification in Banking & Financials ExamplesGamification in Banking & Financials Examples
Gamification in Banking & Financials Examples
 
Loyalty on the blockchain by Deloitte
Loyalty on the blockchain by Deloitte Loyalty on the blockchain by Deloitte
Loyalty on the blockchain by Deloitte
 
Job Fair Resume
Job Fair ResumeJob Fair Resume
Job Fair Resume
 

Similaire à Point -of-Sale Security for Dummies

9781119101987RetailNetworksForDummies_15954 (1)
9781119101987RetailNetworksForDummies_15954 (1)9781119101987RetailNetworksForDummies_15954 (1)
9781119101987RetailNetworksForDummies_15954 (1)
Alec Thorkelson
 

Similaire à Point -of-Sale Security for Dummies (20)

All flash data centers for dummies
All flash data centers for dummies All flash data centers for dummies
All flash data centers for dummies
 
Hybrid Cloud Pour Dummies
Hybrid Cloud Pour DummiesHybrid Cloud Pour Dummies
Hybrid Cloud Pour Dummies
 
Hybrid Cloud.PDF
Hybrid Cloud.PDFHybrid Cloud.PDF
Hybrid Cloud.PDF
 
Advanced endpoint - protection - for-dummies-pdf-8-w-1994
Advanced endpoint - protection  - for-dummies-pdf-8-w-1994Advanced endpoint - protection  - for-dummies-pdf-8-w-1994
Advanced endpoint - protection - for-dummies-pdf-8-w-1994
 
Sdnfordummies
SdnfordummiesSdnfordummies
Sdnfordummies
 
Operational Process Transformation for Dummies
Operational Process Transformation for DummiesOperational Process Transformation for Dummies
Operational Process Transformation for Dummies
 
Big Data Security for Dummies
Big Data Security for DummiesBig Data Security for Dummies
Big Data Security for Dummies
 
SecOps for Dummies
SecOps for DummiesSecOps for Dummies
SecOps for Dummies
 
[e-Book] Network Functions Virtualization (NFV) pour les nuls
[e-Book] Network Functions Virtualization (NFV) pour les nuls [e-Book] Network Functions Virtualization (NFV) pour les nuls
[e-Book] Network Functions Virtualization (NFV) pour les nuls
 
Application Release & Deployment for Dummies
Application Release & Deployment for DummiesApplication Release & Deployment for Dummies
Application Release & Deployment for Dummies
 
Internet Performance for Dummies
Internet Performance for DummiesInternet Performance for Dummies
Internet Performance for Dummies
 
HR Process Efficiency for Dummies
HR Process Efficiency for DummiesHR Process Efficiency for Dummies
HR Process Efficiency for Dummies
 
Cloud Bursting for Dummies
Cloud Bursting for DummiesCloud Bursting for Dummies
Cloud Bursting for Dummies
 
Big data analytics infrastructure for dummies
Big data analytics infrastructure for dummiesBig data analytics infrastructure for dummies
Big data analytics infrastructure for dummies
 
9781119101987RetailNetworksForDummies_15954 (1)
9781119101987RetailNetworksForDummies_15954 (1)9781119101987RetailNetworksForDummies_15954 (1)
9781119101987RetailNetworksForDummies_15954 (1)
 
Retail Networks
Retail NetworksRetail Networks
Retail Networks
 
Content Automation for Dummies
Content Automation for DummiesContent Automation for Dummies
Content Automation for Dummies
 
Dummis
DummisDummis
Dummis
 
Agile-for-Dummies.pdf
Agile-for-Dummies.pdfAgile-for-Dummies.pdf
Agile-for-Dummies.pdf
 
Agile for-dummies
Agile for-dummiesAgile for-dummies
Agile for-dummies
 


Point-of-Sale Security for Dummies

  • 1.
  • 2. These materials are © 2015 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
  • 3. Point-of-Sale Security, Bit9 + Carbon Black Edition, by Kevin Beaver and Christopher Strand
  • 4. Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition

    Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com

    Copyright © 2015 by John Wiley & Sons, Inc.

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

    Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Bit9, Carbon Black, and the Bit9 + Carbon Black logos are registered trademarks of Bit9, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

    LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

    For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

    ISBN: 978-1-119-06306-3 (pbk); ISBN: 978-1-119-06300-1 (ebk)

    Manufactured in the United States of America

    10 9 8 7 6 5 4 3 2 1

    Publisher’s Acknowledgments: Some of the people who helped bring this book to market include the following: Project Editor: Carrie A. Johnson; Editorial Manager: Rev Mengle; Acquisitions Editor: Amy Fandrei; Business Development Representative: Sue Blessing; Production Coordinator: Melissa Cossell
  • 5. Table of Contents

    Introduction ..... 1
      About This Book ..... 1
      Icons Used in This Book ..... 1
    Chapter 1: Understanding Point-of-Sale Security Risks ..... 3
      Understanding Why Cybercrime is a Big Deal ..... 4
      Getting to Know the POS Attack Surface ..... 5
        Industries impacted ..... 5
        How businesses become targets ..... 6
      Knowing What’s at Stake ..... 7
    Chapter 2: The State of Point-of-Sale Security ..... 9
      The Current State of POS Security ..... 9
      Common Types of Attacks ..... 10
      End of Life and POS ..... 11
      POS Security Costs ..... 11
      Methods of Protecting POS Systems ..... 13
    Chapter 3: Advanced Threats against Point-of-Sale Systems ..... 15
      Introducing Advanced Threats ..... 15
      Understanding Attacker Motivations ..... 17
      Executing Attacks in POS Environments ..... 18
    Chapter 4: Recognizing Current Limitations in Point-of-Sale Protection ..... 21
      Antivirus Software Limitations ..... 21
        Signature-based scanning ..... 22
        Performance impact ..... 22
      Host Intrusion Prevention ..... 23
      Incident Response Services ..... 24
        Limited data availability ..... 25
        Limited scope ..... 25
        Home-grown tools ..... 26
        Expertise required ..... 26
        Non-continuous approach ..... 26

  • 6. Table of Contents (continued)

      Matching New Threats with New Capabilities ..... 26
        Responding quickly ..... 27
        Detecting potential threats automatically ..... 28
        Stopping malware execution ..... 28
    Chapter 5: Solving the PCI Challenge for Point of Sale ..... 29
      PCI DSS as a Measuring Stick ..... 30
      PCI’s Shift toward Application Control ..... 31
      Merging Compliance Policy with Security Controls ..... 32
      Ensuring Ongoing PCI Compliance ..... 32
      Mirroring the PCI Prioritized Approach ..... 34
    Chapter 6: Deploying Proactive Point-of-Sale Security ..... 35
      Defining Your Requirements ..... 35
      Understanding the Security Maturity Model ..... 37
      Managing Smart Policies ..... 38
      Integrating with other Security Products ..... 40
    Chapter 7: Ten Tips for Successful Point-of-Sale Security ..... 41
  • 7. Introduction

    Welcome to Point-of-Sale Security For Dummies, Bit9 + Carbon Black Edition. This book outlines in plain English how to protect your point-of-sale (POS) systems and cardholder data from malware and other advanced threats. POS technology is being targeted by criminal hackers more and more. You don’t want to become yet another data breach victim.

    About This Book

    Whether you’re just getting started down the path of securing your organization’s POS systems or you’re already neck-deep in the quagmire of security and compliance, there’s a lot to learn and a lot to lose. This book highlights the “must have” knowledge and requirements necessary for keeping your POS in check. We help you understand the history of POS technology and advanced threats. We also share with you the limitations of existing security controls and what you can do to ensure you have the proper protection for minimizing your business risks and complying with the Payment Card Industry (PCI) requirements.

    If you’re an administrator, manager, auditor, or anyone otherwise in charge of managing or reviewing the compliance or information security of POS systems — this book is for you.

    Icons Used in This Book

    The following icons are used to indicate special content in this book:

    This is information you’ll want to commit to memory.

    This is information that digs in a little deeper into the details in case you’re interested.
  • 8. This is information that helps provide advice to highlight or clarify a key concept.

    Please pay attention when you see this icon! It provides cautionary information you won’t want to miss.
  • 9. Chapter 1: Understanding Point-of-Sale Security Risks

    In This Chapter
    ▶ Looking into cybercrime and its impact on business
    ▶ Understanding why point-of-sale systems are under attack
    ▶ Studying the areas of weakness and challenges to securing point-of-sale systems

    Cybercrime is occurring at unprecedented levels. In terms of time, money, and the resources needed to respond to threats and minimize the risks, breaches are exacting a costly toll on victims. These stealthy costs often don’t appear as line items on financial statements for a number of reasons. First, the costs of security breaches are often indirect, resulting in wasted resources and missed opportunities. They’re difficult to quantify. Second, organizations are incentivized to downplay the effects of security breaches to avoid unwanted attention from the public and media, not to mention severe penalties from regulatory bodies. Third, many breaches go undetected altogether. You can’t secure — or respond to — the security weaknesses and incidents you don’t know about.

    In this chapter, we outline why cybercrime matters — especially as it relates to point-of-sale (POS) security. We also discuss why POS systems are under attack as well as the threats and vulnerabilities experienced in POS environments that are contributing to the security challenges.
  • 10. Understanding Why Cybercrime is a Big Deal

    Almost every organization has some “digital gold” that outsiders may want to exploit. This data may include intellectual property, sensitive personal information about customers and employees, confidential business plans, or financial information. However, businesses with POS systems are particularly at risk given the potential for financial gains on the part of the criminal hackers.

    The real value in POS systems is in their financial transactions — specifically the credit card numbers and other personally-identifiable information (PII) they process and store. When POS systems are attacked, the price tag can be enormous. The costs associated with POS security incidents include detecting and responding to a breach, notifying victims, conducting post-response support, and lost business. There’s also another factor: fines from government agencies, namely the Federal Trade Commission, as well as penalties and increased scrutiny associated with regulatory bodies and standards, such as the Payment Card Industry Data Security Standard (PCI DSS).

    A security breach of your POS environment isn’t all about you and how your organization handles things internally. Often, many outside parties get involved in the initial investigations as well as any ensuing sanctions and ongoing audits that will likely be required.

    Clearly, data breaches involving POS systems are financially burdensome on the organizations experiencing them. In addition to these financial losses, organizations also suffer from lost time. Depending on the type of incident they experience, organizations may lose days, weeks, or even months of time to incident response activities. These losses are exactly what businesses operating in the retail industry don’t need, especially during heavy shopping periods such as the holiday season. Other businesses operating in different industries can be negatively impacted as well, especially if they lose the capability to accept credit cards.
  • 11. Getting to Know the POS Attack Surface

    At its core, cybercrime is a numbers game. More businesses, networked computer systems, and security vulnerabilities lead to greater chance of attacks. Throwing POS network complexity, lack of visibility, and even politics into the mix breeds the ultimate playground for criminal hackers, rogue employees, and the like to carry out their attacks for ill-gotten gains.

    POS systems are in the crosshairs for the same reasons that certain operating systems and applications always seem to be targeted by hackers — they’re in widespread use, and the weaknesses are fairly well-known.

    According to World Bank estimates, there are more than 34 million POS devices globally, nearly 10 million of which are in the United States alone. These numbers aren’t staggering considering the total number of computers around the world; however, POS systems are large targets and provide a great opportunity for bad things to happen nonetheless!

    Industries impacted

    When you think of POS systems and their related security risks, retail probably comes to mind. Given their recognition and visibility, it’s no surprise that retailers find themselves the frequent targets of adversaries. Most retailers have relatively small IT and security staffs and find themselves struggling to apply those resources to both meet business requirements for 24/7 availability and simultaneously provide the level of security needed to protect sensitive credit card information flowing through their networks. Maintaining security and compliance can be difficult tasks in retail, as well.

    POS security risks don’t just impact traditional retail businesses. Numerous industries utilize POS systems in some capacity. If your organization transacts business in or around the following industries, it’s likely affected by POS risks.

    ✓ Casinos and gaming: Given the need for a paper trail, a large number of gambling and gaming transactions take place via credit cards.
  • 12. ✓ Entertainment venues: Sports arenas, theaters, civic centers and the like are responsible for an enormous amount of credit card transactions each year.
    ✓ Healthcare: With an increasing population becoming dependent on the healthcare system, more and more transactions (doctor copays and related fees) are taking place via credit cards.
    ✓ Transportation: Airlines, bus and subway systems, and related transportation services do much of their business via credit cards.

    As society shifts away from cash and checks for payments, countless other industries are relying more and more on POS systems for their daily operations.

    How businesses become targets

    In the modern era of business, computers are found in the darnedest places. From the reception area to the back office to the manufacturing floor, it’s not unusual to find POS systems scattered about like any other networked computer. In fact, most POS systems are merely embedded personal computers running specialized software and, quite often, outdated versions of the Windows operating system.

    Given the pervasiveness of POS systems in any given business, they’re routinely targeted just like any other host on the network. Once criminal hackers are able to get in and confirm the presence of POS systems, those systems can become the target where all the malicious efforts are focused.

    After attackers target an organization, they have many potential avenues of infiltration. While servers are likely targets, even the lowliest endpoint’s sensitive information may be targeted, or the endpoint itself may provide an actor with a toehold on the organization’s network that may be further exploited. Endpoints can then be used as entry points to get to other targets, such as servers, which are more likely to contain larger volumes of sensitive information.

    Specific vulnerabilities that are often present and subsequently exploited on POS systems — and any others in the attack chain — include
  • 13. ✓ Default, blank, or otherwise weak passwords that allow direct system access
    ✓ Missing operating system and application patches that can be exploited for remote, and often undetectable, administrator-level, command-prompt access
    ✓ Absence of malware protection to analyze, block, and report threats in real time
    ✓ Minimal visibility into the overall network that helps ensure IT and security staff are kept in the dark

    Because of these common weaknesses, businesses are often unable to adequately protect POS systems against advanced threats. Just as bad, IT and security staff often don’t find out about breaches until after the damage has been done.

    Attackers don’t care how they get in. Be it a server, a workstation, or a mobile device, if a system is accessible — physically in person or logically over the network — it represents an entry point into your POS environment. Once attackers are able to infiltrate the network, the risks to your POS systems and credit card information are front and center — all bets are off.

    Knowing What’s at Stake

    Advanced attacks against POS systems are not only sophisticated, but also they’re likely to go undetected — especially if security controls such as traditional anti-virus software are being relied upon. Time is money. The longer the attackers are able to control a POS environment the more damage that’s done.

    Having a well thought out security program that addresses the unique needs of your POS environment is critical to minimizing your business risks. Every detail from your security policies, your technical controls that help enforce your policies, and the unique procedures and response plans required by your business must be addressed on an ongoing basis.

    When developing a security program, there are many costs you must consider. In addition to the direct costs of security controls that you want to purchase, also plan for the costs of incident response. Investing in incident response pays dividends by lowering the cost of security breaches. Each
  • 14. time you respond to a security incident, you expend time and money investigating the compromise, notifying customers, and dealing with the aftermath. While the aftereffects of a customer data breach are worrisome in their own right, you must also grapple with how the breach will affect ongoing compliance with key Payment Card Industry Data Security Standard (PCI DSS) requirements. Non-compliance can result in steep penalties as well as significant damage to your organization’s brand.

    Not only is it critical to have the proper systems and processes in place, but also it’s equally important to have the right people managing it all in concert. All it takes is one piece of the POS security puzzle such as an inattentive help desk, a disconnected compliance manager, or network security operations team without the proper tools to miss the big one — the POS security breach that brings your business to its knees. Even when internal audit staff and external auditors are looking in the right areas with the right tools and audit procedures, something unnoticed, or seemingly benign, can turn into a real security and compliance problem.

    It’s one thing to build out your POS security program but quite another to manage it well every day. Make sure every piece is getting the attention it deserves. But most importantly, don’t just do it for the sake of compliance — do it with the longer-term goal of minimizing information risks.
  • 15. Chapter 2: The State of Point-of-Sale Security

    In This Chapter
    ▶ Looking at the current state of security in point-of-sale environments
    ▶ Understanding the common types of attacks
    ▶ Considering the security costs
    ▶ Protecting point-of-sale systems

    Point-of-sale (POS) systems are under attack around the world. The United States alone has numerous, high-profile breaches of POS security at large retailers. It appears that there’s no end in sight for these types of attacks. In this chapter, we discuss the impact of advanced security threats on POS systems and outline some specific attacks. We also cover the costs associated with POS security along with specific solutions for making POS environments resilient and secure.

    The Current State of POS Security

    POS systems include a range of hardware devices, such as card readers, scales, scanners, and registers, as well as the software needed to support them. Increasingly sophisticated POS systems are linked to inventory management, ordering, and customer relationship management applications. POS systems make it possible for retailers to conduct transactions — often with credit cards — quickly and easily, providing a smooth and enjoyable customer experience.
  • 16. The mere acceptance of credit card payments is the most notable security concern related to POS systems, as hackers motivated by financial gains attack retailers and other businesses in pursuit of credit card numbers and other personally identifiable information (PII). Given the threats combined with what there is to lose, your POS systems should be a top security priority.

    The numbers don’t lie. According to the 2014 Verizon Data Breach Investigations Report, in 2013 POS intrusions were the most common incident type at food, beverage, and hospitality providers (75 percent) and at retailers (31 percent). Also, 74 percent of attacks against accommodation, food services, and retail companies from 2011-2013 targeted credit card information.

    Common Types of Attacks

    POS systems run on a range of operating systems, such as Windows Embedded, Windows XP, and newer versions such as Windows 7. They also run on Linux and UNIX. These systems are vulnerable to a range of attack types that could result in data breaches.

    RAM-scraping malware is the greatest threat. This malware, which first appeared in 2008, has been behind the recent major retail breaches. It uses debugging software on POS systems to extract magnetic stripe data directly out of the computer’s memory. The code behind this type of attack has morphed over the years, including the addition of bot functionality and stealth capabilities to avoid detection, but at its heart remains the same.

    Other common types of POS system security breaches include

    ✓ Tampering with personal identification number (PIN) entry devices, where a bug is planted in the device to capture PINs and credit card numbers, or where the entire device is replaced with a substitute
    ✓ Installing electronic skimmers at a remote POS device, such as a gas station pump, to collect credit card data
    ✓ Identifying open network ports in the POS system — used for maintenance by the system vendor — and installing software, such as a keylogger, to capture login credentials, credit card data, or other sensitive information
  • 17. ✓ Installing malware directly onto the system via a USB drive

    End of Life and POS

    When the operating system on a POS device is no longer supported by the vendor (for example, Microsoft), it creates significant challenges to keeping the POS secure and compliant. Windows XP-based POS systems are some of the most widely implemented in the world, and when Windows XP’s end of life occurred in April 2014, all POS systems that relied on it were exposed to significant vulnerabilities. Unsupported operating systems such as Windows XP aren’t only vulnerable to attack, but also they can compromise your organization’s compliance with PCI DSS.

    Windows Server 2003’s end of life (July 2015) also represents a significant security risk, much like Windows XP, with a significant number of businesses relying on it to run critical applications. Windows Server 2003 creates an issue that’s directly tied to the security of POS systems because many such systems rely on server processing and storage to process transactions. If the server system is damaged or the integrity is broken, the entire system’s security and compliance could be compromised.

    POS Security Costs

    An organization’s ongoing security posture, its ability to keep its POS systems in a compliant state, and the controls used to measure both certainly influence the cost of maintaining its POS environment. However, the security costs associated with protecting POS systems are insignificant compared to the costs associated with a breach of credit card data or PII. Costs related to POS system compromise include the following:

    ✓ Board-level and legal costs: The fallout from a security incident on POS systems should be a key concern for directors and legal counsel and can have negative effects on the board.
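The RAM-scraping threat described under Common Types of Attacks exists because POS software often holds cleartext magnetic-stripe data in memory between the swipe and the payment processor. A forensic or PCI scoping team can check a terminal for that condition by scanning a dump of the POS process. The scanner below is an added example written for this section; it is not code from the book or from Bit9 + Carbon Black. It looks for Track 2 records (PAN, then the `=` field separator, then expiry, service code and discretionary data), keeps only those whose PAN passes the Luhn check so random digit runs are ignored, and reports masked PANs with their offsets. Both memory dumps are constructed: one from a terminal that handles cleartext swipes, one from a terminal behind a P2PE reader where only ciphertext ever reaches the POS software. The card numbers are the published Visa and Mastercard test PANs, not real accounts.

```python
"""Scan a memory dump for cleartext magnetic-stripe (Track 2) data.

Added example for this section, not code from the book or from Bit9 +
Carbon Black. All sample bytes below are constructed; the card numbers
are the published Visa and Mastercard test PANs, not real accounts.
"""
import re

# Track 2 layout: PAN (13-19 digits) '=' YY MM <3-digit service code> <discretionary data>
# The negative lookbehind stops a longer digit run from matching on its tail.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that separates real PAN layouts from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(dump: bytes) -> list:
    """Return one finding per Luhn-valid Track 2 record found in the dump."""
    findings = []
    for m in TRACK2_RE.finditer(dump):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue                      # digit run that only looks like track data
        findings.append({
            "offset": m.start(),
            "pan": mask_pan(pan),         # never write the full PAN to a report
            "expiry": m.group(2).decode() + "/" + m.group(3).decode(),  # YY/MM
            "service_code": m.group(4).decode(),
        })
    return findings


# Constructed dump of a POS process that handles cleartext swipes: two
# real-format records, some unrelated memory (a log line with a 16-digit
# timestamp) and one record that is shaped like track data but fails Luhn.
CLEARTEXT_DUMP = (
    b"\x00\x00register.exe\x00;4111111111111111=2512101123456789?\x00"
    b"txn_ok ts=1700000000123456 amt=42.17\x00"
    b"\x01\x02;5555555555554444=2609201000000001?\x00"
    b";1234567890123456=2512101000000000?\x00"
)

# Constructed dump of the same process behind a P2PE reader: the reader
# encrypted the track before the POS software saw it, so only a key serial
# number and ciphertext are resident.
P2PE_DUMP = (
    b"\x00register.exe\x00ksn=FFFF9876543210E00001\x00"
    b"enc_track2=Zm9vYmFyY2lwaGVydGV4dC1ub3QtdHJhY2stZGF0YQ==\x00"
)

if __name__ == "__main__":
    for label, dump in (("cleartext terminal", CLEARTEXT_DUMP), ("P2PE terminal", P2PE_DUMP)):
        hits = scan_dump(dump)
        print(f"{label}: {len(hits)} Track 2 record(s) resident in memory")
        for h in hits:
            print(f"  offset {h['offset']:6d}  PAN {h['pan']}  exp {h['expiry']}  svc {h['service_code']}")
```

Run against the cleartext dump the scanner reports two masked PANs and skips the Luhn-invalid record; against the P2PE dump it reports nothing, which is the point of encrypting at the point of swipe: the data a RAM scraper would look for is never in the POS process to begin with. Findings are masked because the report itself becomes cardholder data if it contains full PANs.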
✓ Executive office costs: Indirect costs, including firings and forced resignations, can be felt at the executive level. These costs have been associated with high-profile credit card breaches.
✓ Stock price: A security incident can have a direct impact on the stock price of publicly held companies through distrust and an ultimate decline in shareholder value.
✓ Reputation and brand damage: Customers will move to what they perceive as safer businesses in the event of a highly publicized incident.
✓ Legal costs and penalties: The investigation, reporting, and litigation costs associated with a security incident can be huge.
✓ Compliance and regulatory costs: Aside from fines, after a security incident there's often a mandatory increase in focus and scrutiny placed on the business by the regulators as it pertains to security auditing.

Figure 2-1 shows the impact a security breach can have on your business.

Figure 2-1: The impact a POS-related data breach can have on your organization.

You need to consider all costs related to security breaches when budgeting and planning for the security solutions of your POS systems. A positive result of this analysis is that you can use the information to help build the case for a best-of-breed solution that solves your POS security challenges once and for all.

The return on your POS security investment may be difficult to quantify, but it's real. Consider the reduced risk and the avoidance of costs associated with data breaches such as penalties, lost revenues, reputational damage, legal fees, and more. Given that recent breaches have cost retailers tens of millions of dollars, properly securing your POS systems is clearly worth the investment.

Methods of Protecting POS Systems

Businesses relying on POS systems can defend them against RAM-scraping malware, Trojan horses, and other types of attacks using a number of tools and techniques, including
✓ Secure card readers/point-to-point encryption (P2PE): Data is encrypted at the point of swipe, and the encryption is maintained as the data is transmitted to the payment processor, so the POS application and the host it runs on never handle cleartext track data.
✓ Application whitelisting: Only approved applications are allowed to run on POS devices, so malware that is introduced to the environment is blocked from executing.
✓ Firewalls: A security perimeter is built around networks and endpoints.
✓ Breach detection systems: Security teams are alerted when a breach is detected, based on a complex analysis (not to be confused with intrusion detection systems, which typically rely on signatures to detect illicit activity).
✓ Disabled remote access: Connectivity by POS vendors and other parties is disallowed. Where a vendor genuinely needs it, enable it only on demand and protect it with multi-factor authentication, which PCI DSS requires for remote access from outside the network.
✓ Updated and patched POS software: Vulnerabilities found in earlier versions of the software are avoided.
✓ Mitigating controls for operating systems beyond end of life (for example, Windows XP): Counter the impact of unpatched systems.
✓ Restricted POS systems' Internet access: Malware from sources such as illicit websites and email applications is prevented.
✓ File integrity monitoring: System administrators are notified when system components are changed.
✓ Anti-virus software: "Nuisance" malware with known signatures is blocked.
✓ Vulnerability scanner: Potential vulnerabilities introduced to the network and applications are identified for research and remediation.
✓ DLP software: Confidential data is detected, monitored, and protected in a variety of ways, depending on whether it's in use (endpoint), in motion (network), or at rest (storage).
✓ Physical access policies: Access to POS terminals is restricted to authorized personnel only.
✓ Routine cardholder data deletion: Stored data is routinely removed from the POS device.

A closer look at application whitelisting

Application whitelisting refers to a highly effective method of stopping malware-based attacks that works by allowing only trusted software to execute in the computing environment. Like a bouncer at a party, you determine the software allowed to execute in your environment and the whitelisting tool stops everything else from running.

A whitelist, in its simplest form, is a list of applications allowed to run in an environment. As a program attempts to execute, the whitelisting tool compares it to the approved list, typically looking at hash values to ensure authenticity, and either permits the application to run or blocks it from executing. Because the comparison is on the file's hash rather than its name or location, a malicious file renamed to look like an approved one, or an approved file that has been modified by a single byte, fails the check.

Because of the administrative overhead associated with maintaining a whitelist, leading products have adopted policy-driven approaches to application whitelisting where dynamic policies are used to identify and simplify the management of trusted software. Common policy techniques include the use of cloud-delivered trust ratings, internal trusted software directories, and the use of trusted publishers.
This approach allows all software published and signed by a trusted author to be automatically added to the whitelist. Note that a whitelist governs which files may start executing; by itself it does not stop code that is injected into the memory of an already-approved process, so pair it with memory protection and monitoring of what approved processes do.
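The following is an added example, written for this page rather than taken from the book or from any Bit9 + Carbon Black product, of the decision logic a whitelist described above makes at execution time: an explicit hash approval first, then a trusted-publisher rule that auto-approves the file's hash, and a default of block. The "binaries" are constructed byte strings, the publisher name is hypothetical, and the publisher field stands in for the subject of an already-validated code signature (signature verification itself is not shown).

```python
"""Added example: a minimal hash-plus-publisher application whitelist.

Illustrative code written for this page, not vendor code. Real products hook
process creation in the kernel; here decide() stands in for that hook. The
sample binaries are constructed byte strings, and 'publisher' stands in for
the subject of a *validated* Authenticode signature.
"""
import hashlib
from typing import Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    """Default-deny policy: run only what is approved by hash or by trusted publisher."""

    def __init__(self, approved_hashes: Set[str], trusted_publishers: Set[str]):
        self.approved_hashes = set(approved_hashes)
        self.trusted_publishers = set(trusted_publishers)

    def decide(self, path: str, content: bytes,
               publisher: Optional[str] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) for one execution attempt.

        Order matters: an explicit hash approval wins; otherwise a trusted
        publisher auto-approves the file's hash (the policy-driven approach in
        the text); everything else is blocked regardless of filename or path.
        """
        digest = sha256_hex(content)
        if digest in self.approved_hashes:
            return True, "hash approved"
        if publisher is not None and publisher in self.trusted_publishers:
            # Remember the hash so later launches need no publisher lookup.
            self.approved_hashes.add(digest)
            return True, f"auto-approved via trusted publisher {publisher}"
        return False, "not on whitelist"


# Constructed sample "binaries" (byte strings, not real executables).
POS_APP = b"MZ...pos_register_v3"          # the approved register application
POS_UPDATER = b"MZ...pos_updater_v3.1"     # vendor-signed, hash not yet on the list
SCRAPER = b"MZ...ram_scraper"              # attacker-dropped, unsigned
TAMPERED_POS_APP = POS_APP[:-1] + b"4"     # approved binary with one byte changed

VENDOR = "Example POS Vendor Inc."         # hypothetical code-signing identity


def build_policy() -> Whitelist:
    return Whitelist(approved_hashes={sha256_hex(POS_APP)},
                     trusted_publishers={VENDOR})


def run_demo() -> dict:
    """Exercise the policy against five constructed launch attempts, in order."""
    wl = build_policy()
    return {
        "pos_app": wl.decide(r"C:\POS\register.exe", POS_APP),
        "updater": wl.decide(r"C:\POS\updater.exe", POS_UPDATER, publisher=VENDOR),
        # Second launch of the updater: now approved by hash, no signature check needed.
        "updater_again": wl.decide(r"C:\POS\updater.exe", POS_UPDATER),
        # Renaming the scraper to a system-looking name does not help the attacker.
        "scraper": wl.decide(r"C:\Users\Public\svchost.exe", SCRAPER),
        # Same filename and path as the approved app, but the hash no longer matches.
        "tampered": wl.decide(r"C:\POS\register.exe", TAMPERED_POS_APP),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:14s} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

The tampered case is the one to notice: the file sits at the approved path with the approved name, and is still blocked, because the decision is made on content, not identity.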
Chapter 3
Advanced Threats against Point-of-Sale Systems

In This Chapter
▶ Getting to know advanced threats
▶ Understanding attacker motivations
▶ Looking at the various stages of attacks against POS systems

Today more than ever, cybercriminals are targeting your point-of-sale (POS) systems using a new breed of advanced threats in order to steal and exploit your customers' personal and financial information. Retailers understand these security challenges, but many remain unable to adequately protect these systems due to a continued reliance on legacy antivirus solutions, which we discuss in more detail in Chapter 4.

Introducing Advanced Threats

Advanced threats are organized, well-resourced, and determined to achieve the objectives set out by their leadership. Unlike the script kiddie or casual hacker of decades past, the advanced threat, often an entity funded by a government or by organized crime, is a formidable adversary seeking out a specific target for exploitation.

You can implement what might be considered solid security controls, but your POS systems still won't be impervious to advanced threats using zero-day malware. If they want in badly enough, they'll do what it takes to find a way to penetrate your network.
As an IT or security professional, you should have a strong knowledge of the characteristics of advanced threats. By understanding the motivations, tools, and objectives of your adversary, you can better prepare your defense-in-depth approach to securing your organization's digital gold, namely the sensitive information involved with credit card transactions on your POS systems.

The defining characteristics of the advanced threat include
✓ Range of technical tools: Advanced threats make use of a wide variety of technical tools. Instead of having a single piece of malware, the advanced threat often develops its own exploits. The code used by advanced attackers often makes use of otherwise undisclosed zero-day attacks for which the target (for example, POS systems) may have no defense.
✓ Tactical sophistication: Advanced threats have experience on their side. Often well-funded, they have had time to develop a playbook for breaking into organizations. Out of their expansive toolset they use the least sophisticated assets necessary to achieve success and still have the ability to adjust to the victim's defensive posture.
✓ Integration with human threats: Advanced threats don't limit their domain to technically sophisticated exploits. They understand and integrate the use of social threats as well, often leveraging phishing, social engineering, and traditional intelligence-gathering activities to amplify the effectiveness of their technical tools. The key here is that there's a human on the other end who makes tactical decisions, gets creative in the face of a roadblock, and so on. Given the complexity of POS environments, the level of risk is increased.
✓ Targeted at specific objectives: The targets of advanced threats are carefully determined and align with the objectives of their sponsors.
They aren’t opportunistic but, instead, seek out the systems or individuals that are very likely to contribute to their objectives. Advanced threats conduct targeting analysis and understand their adver- sary before engaging in an attack. When most people think about the objectives of advanced threats, they naturally think about the military and politi- cal objectives of nations and think that they don’t have resources that fit these objectives. Remember, however, These materials are © 2015 John Wiley Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
  • 23. Chapter 3: Advanced Threats against Point-of-Sale Systems 17 that organized crime and political activists are also advanced threat sponsors. Simply having a public-facing website can make you a legitimate target. If you have POS systems, the criminal payoff and ensuing risks can be even greater. ✓ Well-resourced: Governments, organized crime, ter- rorist groups, and other well-funded organizations are behind advanced threats. The sponsors of these groups provide them with financial means, technical talent, and intelligence-gathering capabilities that enable their success. ✓ High degree of organization: Advanced threats operate more like military units than hacking clubs. They have well-defined leadership structures and operate very effi- ciently. They’re organized around their mission. The advanced threat is unlike any risk faced by previous generations of IT and security professionals. Organizations, individuals, and POS systems targeted by advanced threats are at the receiving end of a formidable attack, and you must organize your defenses accordingly. Understanding Attacker Motivations Many different types of advanced threat actors exist, and each one has different motivations. The common driving forces behind advanced attacks include the following: ✓ Cybercrime: Many advanced attackers simply seek finan- cial gain. They seek to steal money, obtain information, or hijack computing resources in an attempt to achieve a windfall. ✓ Hacktivism: Other advanced attackers seek to use their hacking skills to advance a political agenda. They typically engage in denial of service attacks and website deface- ments designed to embarrass or disrupt their target. ✓ Cyberespionage: Attackers in this category seek to steal information to gain a political, economic, or military advantage, which can often be funded and directed by nation-state governments. These materials are © 2015 John Wiley Sons, Inc. 
Any dissemination, distribution, or unauthorized use is strictly prohibited.
✓ Malicious insiders: Advanced attackers aren't necessarily limited to outsiders. For example, consider a disgruntled employee looking to steal information and sell it to a competitor or perform some type of sabotage.

The types of attackers targeting a specific organization depend on that organization's mission and its global reputation.

Executing Attacks in POS Environments

Advanced attacks can be carried out against POS systems in numerous ways. Given the network, application, and other corporate complexities involved in POS environments, the potential attack vectors are virtually endless. However, all attacks do have some common themes, shown in Figure 3-1, that you need to be aware of.

Figure 3-1: How cybercriminals launch advanced attacks against POS systems.
These themes include the following:
✓ Vulnerability: Advanced malware attacks often start with something as basic as weak passwords, missing software patches, and the general gullible tendencies of users.
✓ Method: Advanced malware injects itself into memory, collects desired information (for example, credit card track data), exfiltrates the data to another system, and uses a command and control (C&C) server for further actions as needed.
✓ Involvement of additional systems: In most cases, the captured data is exfiltrated from the POS system to another system within the targeted environment for aggregation and then uploaded to a remote system, which reduces the chances of detection.
✓ Opportunistic: POS malware families are built for a narrow target, payment systems, yet they are deployed opportunistically against whatever foothold the attacker gains, and in many cases they aren't detectable with traditional antivirus detection.

Advanced malware families continue to evolve as evasion techniques improve, with several versions of each family in existence. This evolution helps to explain the continued difficulties in detecting and preventing this malware using traditional security controls.

The latest POS malware to make the news is being referred to as Backoff. Backoff is a family of retail-focused malware (documented in US-CERT Alert TA14-212A) that has been witnessed recently in multiple forensic investigations, including those in the high-profile retail breaches. The malware typically consists of RAM scraping, keylogging, command and control, and process injection.

A Backoff malware attack is what is often referred to as a stage-two attack. In this context, this means that Backoff is leveraged after attackers force their way in through remote desktop applications, typically by guessing a weak Windows operating system password on a remote desktop service that is reachable from the Internet. After the attackers have accessed the remote desktop, they begin reconnaissance for any POS devices and attempt to install Backoff or similar POS malware on those systems. The practical checks that follow from this chain are simple to state: no remote desktop service reachable from the Internet, account lockout and multi-factor authentication on any remote access that must exist, and an alert on bursts of failed remote logons.

Even though attackers can take control of every other application in the attack chain, your POS system can be made safe and malware-free by putting the proper security controls in place, such as the positive security model technologies that Bit9 + Carbon Black offers.
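The stage-one foothold described above (password guessing against a remote desktop service, followed by a successful logon) is visible in the Windows Security log before any POS malware is installed. The following is an added example, written for this page and not part of the book or any vendor product, of detection logic run over constructed logon events. The event lines are made up to mimic the fields that matter in events 4625 (failed logon) and 4624 (successful logon); the account names and IP addresses are placeholders.

```python
"""Added example: spotting the Backoff-style remote desktop foothold in logon events.

Written for this page; not from the book or any vendor product. The log lines
are constructed to mimic the fields that matter in Windows Security events
4625 (logon failure) and 4624 (logon success). Logon type 10 is
RemoteInteractive, i.e. a Remote Desktop session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

RDP_LOGON_TYPE = "10"


def build_sample_log() -> List[str]:
    """Constructed events, one per line: time|event_id|logon_type|account|source_ip."""
    base = datetime(2015, 3, 2, 1, 12, 0)
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()}|4625|10|pos-admin|203.0.113.45"
        for i in range(12)                                 # 12 failures in 12 seconds
    ]
    lines.append(f"{(base + timedelta(seconds=20)).isoformat()}|4624|10|pos-admin|203.0.113.45")
    lines.append("2015-03-02T08:55:10|4625|10|STORE7\\manager|192.0.2.10")  # one typo...
    lines.append("2015-03-02T08:55:40|4624|10|STORE7\\manager|192.0.2.10")  # ...then success
    lines.append("2015-03-02T09:00:00|4625|2|STORE7\\cashier|-")            # console logon, not RDP
    return lines


def detect_rdp_bruteforce(lines: List[str], threshold: int = 10,
                          window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return alert strings for password guessing against Remote Desktop.

    Keeps, per source IP, the timestamps of failed RDP logons inside a sliding
    window. Crossing `threshold` failures raises a guessing alert; a successful
    RDP logon from an IP that is still over the threshold is the foothold the
    text describes and is rated HIGH. Lines are assumed to be in time order.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    for line in lines:
        ts_text, event_id, logon_type, account, source_ip = line.split("|")
        if logon_type != RDP_LOGON_TYPE:
            continue                                       # only remote desktop logons
        ts = datetime.fromisoformat(ts_text)
        recent = failures[source_ip]
        while recent and ts - recent[0] > window:          # drop failures outside the window
            recent.popleft()
        if event_id == "4625":
            recent.append(ts)
            if len(recent) == threshold:                   # fire once when the threshold is crossed
                alerts.append(f"RDP password guessing from {source_ip}: "
                              f"{threshold} failed logons within {window}")
        elif event_id == "4624" and len(recent) >= threshold:
            alerts.append(f"HIGH: successful RDP logon as {account} from {source_ip} "
                          f"after {len(recent)} recent failures")
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_log()):
        print(alert)
```

The second alert is the one to act on: a success that follows a burst of failures from the same source is the point at which the attacker's reconnaissance for POS devices begins, and it is worth far more than a daily summary of failed logons.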
Can Chip and PIN prevent advanced attacks?

One of the security controls being suggested as a solution to the POS security problem is EMV, or Chip and PIN, technology. EMV, which stands for Europay, MasterCard, and Visa, is a decades-old global standard for integrated circuit cards with embedded microprocessor chips that store and protect cardholder data contained within a metallic square on the card. EMV Chip and PIN has yet to be widely adopted in the United States, although the card brands' October 2015 liability shift is expected to change that.

EMV technology helps protect the card data collected by POS systems: the chip authenticates the card and each transaction with a cryptogram, so data captured from a chip transaction can't be used to manufacture a counterfeit card, which deters criminals from attempting to use physical card readers and skimmers. However, it's not a silver bullet in the effort to protect sensitive data from compromise and to solve the POS problem completely. Other areas within the typical payment system expose both card and customer data. In particular, EMV doesn't encrypt the primary account number; unless point-to-point encryption is also in place, the account number still passes through the POS application in the clear, where RAM-scraping malware can read it.

Many of the well-publicized large-scale POS system breaches targeted the software that was responsible for processing the credit card transactions as well as collecting customer information such as user IDs and personally identifiable information. Many organizations still house a treasure trove of this information on their back-end processing systems and servers, which will still be prime targets. This information can even end up in log files, data backups, and on poorly secured workstations and other endpoints, creating unnecessary risks.

Criminals may also turn to other techniques to use the technology shift to their advantage, such as the recent surge of "replay" attacks. In these attacks, criminal hackers were using recently stolen credit card information to spoof transactions on the credit card networks as chip-enabled transactions.

Even in the European marketplace, where Chip and PIN has been in place for years, the tone regarding POS security is no different. The threat of data compromise on POS systems and the risk to sensitive data is taken just as seriously. Having additional locks on the door (like EMV/Chip and PIN) is a great addition to your arsenal of protection, but you also need to make sure you have a real-time perspective on your systems. You need to take control of the data where it's processed and resides, but you also need the ability to take proactive measures in the event a security breach happens in your POS environment.
Chapter 4
Recognizing Current Limitations in Point-of-Sale Protection

In This Chapter
▶ Understanding the limitations of traditional antivirus
▶ Looking at the considerations for host intrusion prevention
▶ Responding to threats quickly to stop malware outbreaks

The major retail security breaches have brought the traditional point-of-sale (POS) security model into the spotlight. Simply put, it doesn't work. Criminal hackers have the upper hand with their advanced malware attacks. Many of the existing antivirus controls are ineffective at best. Incident response times are getting longer, the very scenario you don't need when your POS systems come under attack.

In this chapter, we discuss the limitations of current POS security controls, outline how to match the new threats with new security capabilities, and show you how you can respond to advanced malware attacks more efficiently to produce the results you desire and to minimize the security risks in your POS environment.

Antivirus Software Limitations

Antivirus software, first introduced in the mid-1980s, is used to detect, prevent, and remove malicious software (malware) such as viruses, worms, spyware, and Trojan horses. This traditional security control, still in widespread use today, was pretty
good at detecting and blocking known malware. Antivirus software simply matched questionable threats to a signature database of known malware and, voila, the threats were blocked.

The problem with a signature-based approach is that it doesn't provide an effective defense against advanced malware where the threats are unknown and often targeted to specific types of computers and applications such as those in POS environments. Heavy dependence on POS systems combined with advanced malware that can evade traditional antivirus controls creates the perfect storm for network compromise.

Signature-based scanning

Antivirus software's major weakness is that it depends on signature-based scanning. Because antivirus software relies on identifying signatures in the files it scans, it is not an effective tool when confronted with unknown malware. If the antivirus software doesn't yet have a signature for a file that's found its way onto the system, that malware won't be detected and will be able to run freely.

In light of the rapidly morphing malware landscape, keeping blacklist signature databases updated has become unsustainable for traditional antivirus software providers.

In a POS environment, antivirus software scans the systems for the presence of these malware signatures. Any file suspected to contain malware may be deleted, quarantined, or repaired to prevent system infection. The issue with this approach is that advanced attackers often leverage zero-day attacks for which there's no signature available. Attacks that are previously unknown to the security community will be able to slip right past a signature-based detection system. Additionally, malware authors can make very minor changes to their code that prevent it from matching existing signatures, rendering it undetectable by signature engines. This is the asymmetry that favors the attacker: a blacklist must enumerate every bad file, whereas a whitelist only has to enumerate the handful of programs a POS terminal legitimately runs.
Performance impact

Antivirus software must scan every file on a system's storage devices and, where memory scanning is enabled, the contents of running processes, looking for the presence of malware signatures. Given how quickly signature databases are growing, this scanning is resource-intensive, requiring the use of disk bandwidth, memory, and CPU capacity. When a malware scan runs on a system, the scanning software may have a noticeable performance impact on user activity, an undesirable side effect on POS systems.

Specifically, scanners must check every file on the system, not just those that are likely to be threats. The scanner must check the entire contents of each file, looking for signs of malware. In a retail setting, store system administrators can schedule scans during idle periods, but that leaves large chunks of time when no scanning is taking place. If scheduled scans occur during operating hours, they could result in unacceptable disruptions to customer service. When users experience these issues, they're more likely to attempt to disable or circumvent the security control that's interfering with their work.

Point-in-time scanning can be bad for business. Due to the performance impact of antivirus software conducting full system scans, these scans are usually scheduled to occur daily or weekly. These scans are often run during evening hours when they won't impact normal user activity due to CPU, hard drive, and memory utilization. Even with POS systems running with the most advanced processors, solid state drives, and more memory than you can shake a stick at, system performance is still impacted by full antivirus scans.

Not only are performance issues detrimental to POS transactions, but such point-in-time scanning also provides a threat window where malware can run uninhibited between scans.

Host Intrusion Prevention

Certain IT administrators and security managers rely on host intrusion prevention systems to supplement the protection provided by antivirus software. These packages, also known as behavioral host intrusion prevention systems (BHIPS), monitor activity on a system for malicious actions on the part of executable files. Unlike antivirus software, BHIPS don't rely on a database of known malicious software. Instead they monitor POS systems over time, develop a model of normal activity, and then flag deviations from normal behavior for administrator review.
In theory, BHIPS are the ideal supplement to antivirus software in POS environments because they have the potential to detect, and block, advanced threats in real time. However, in practice these systems require an excessive investment of time and effort to fine-tune and maintain. They also have very high false-positive rates, triggering alerts on non-malicious activity. The combination of these two limitations often results in administrators and users disabling BHIPS capabilities because of the time spent maintaining them and responding to false alarms.

The last thing you need in your POS environment is a security control such as BHIPS creating false alarms and blocking legitimate business transactions.

Furthermore, the information provided by BHIPS is often too shallow for useful analysis. It doesn't tell where unknown executable files were spawned and often doesn't provide historical data that facilitates the time-based analysis required by security analysts. The model used by behavioral systems is also not capable of incorporating external information containing the latest threat intelligence. Furthermore, standalone host-based systems can't assess network effects or correlate multiple reports received from systems across the POS environment.

Incident Response Services

When organizations find that they've fallen victim to a sophisticated cyberattack, they often retain the services of a firm that specializes in security incident response. These firms bring together teams of experts in a variety of security disciplines to quickly assess the incident, contain the damage, and restore the organization to secure working order as quickly as possible.

While these services are often invaluable when responding to a security incident, they're also quite expensive and available only for a limited duration of time.
After the incident is resolved, the expert team leaves, and maintaining system security is once again incumbent on the organization's IT and security staff. You need to be careful in your approach to malware attacks and not rely completely on these response services.
Limited data availability

Information systems generate massive amounts of data and are capable of logging extremely detailed records about their activity. These logs often contain critical information necessary to reconstruct the events that took place during a security incident. Responders depend on the availability of a detailed audit trail to identify how an intruder gained access to a network, the scope of their activities, and the data that they may have stolen.

You know your network environment better than anyone else. When a breach impacts your POS systems, you can't just hand over the reins to a third party. You need to be prepared to be intimately involved in the response process: to ask questions of the incident response team, to answer their questions, and to ensure everything is being addressed in the best interests of your organization.

One of the major limitations of incident response services is that it's more than just collecting data; it's about collecting the right data and having a suite of tools available that allows you to understand it in context. When an incident occurs, the response is hampered by the lack of visibility into system events that took place while the attack was under way. Responders want to be able to quickly understand the relationships between systems and trace the spread of malicious files within the enterprise. Without purpose-specific tools in place before a breach, gathering all the data necessary for an effective incident response could take weeks or months.

Limited scope

When an incident response team arrives at an organization, they have a clearly defined scope of services. This is normally limited to identifying the circumstances surrounding a particular security incident and remediating the vulnerabilities that contributed to that incident.
Incident response teams often use sophisticated forensics analysis and response tools that are licensed to the incident response firm. They don't leave these tools behind for you to use on an ongoing basis. In cases where the tools are open source or the organization opts to purchase a license, the incident response firm wouldn't normally integrate them into your normal IT and security operations.

Home-grown tools

Many companies, and even some incident response firms, rely on the use of custom-developed tools that have been handed down through the ranks of incident responders. While they may be effective, they're the IT equivalent of duct tape and chicken wire. There's rarely any documentation or knowledge transfer on how to use such tools outside of one or two people.

Expertise required

Incident response is a specialty skill, and experienced professionals are highly sought after and very well compensated. Only the largest organizations are able to maintain a full-time incident response staff, making it difficult to maintain incident response tools on an ongoing basis.

Non-continuous approach

Traditional incident response activities are targeted at a very specific activity instead of designing the type of continuous monitoring program that's essential to maintaining security in the age of advanced attacks. The alternative, and the only proven approach, is to implement a solution that allows for real-time continuous recording of POS systems activity, so that the process, file, and network history needed to answer "where did this come from and what did it touch" already exists when the question is asked.

Matching New Threats with New Capabilities

Organizations seeking to maintain secure POS operations in this risk-laden environment must maintain a set of security controls designed to meet today's threats instead of those that were deemed adequate in years past. A new way of thinking is required, and some important security decisions need to be made.
Responding quickly

Conventional security defenses are too slow. No matter how dedicated and talented they are, IT and security staff simply can't keep up with the volume of data flowing through the enterprise, especially in complex POS environments. Security systems such as intrusion prevention systems, firewalls, security information and event management (SIEM) systems, and antivirus software generate massive amounts of information that adds to the overload. Many businesses experience hundreds, or even thousands, of alerts each day and simply don't have the staff to respond to them all or to triage them to a manageable level.

Not only must you find a way to respond to this information overload, but you must also do so in a rapid manner. It's true that a cybercriminal may take months to identify targets, develop specialized malware that exploits specific vulnerabilities in targeted systems, and install command-and-control capabilities on targeted systems. Despite this, most advanced attacks aren't detected or stopped in time to prevent theft or damage.

You've heard the saying "When seconds count, the police are only minutes away." The same goes for security threats against your POS environment. Time is of the essence. Without good information, it's hard to respond efficiently to advanced attacks.

After an attacker successfully infiltrates a system, the actual theft of data can take place rapidly. Massive amounts of information can be stolen in mere minutes or seconds. Security systems must be capable of quickly identifying an attack in progress and taking automated action to prevent damage.

In addition to reducing the delay in initiating a response, security systems should increase the efficiency of response staff. In some cases, enterprises implementing next-generation security tools have been able to achieve significant time savings. With the new technology, one analyst in one hour can do what it used to take ten analysts ten days to do.
Detecting potential threats automatically

The modern threat operates faster than any incident response team can analyze and react to information. Security technologies that are configured to require administrator intervention before a response occurs are ineffective because the time taken by the administrator to analyze the attack may be longer than the short duration of the attack itself. Given the cardholder data that's at risk, this time window is especially crucial for attacks against POS systems.

Effective security controls must be capable of autonomous operation. This doesn't mean that you don't need trained security staff; it simply means that they should be spending their time installing, maintaining, and monitoring automated response controls instead of conducting security response manually. Even the best security tools must be custom-tailored to the unique operating environment of your organization, and that's where well-trained IT and security professionals can lend valuable expertise.

Stopping malware execution

Embedding automated detection techniques in your environment is the first barrier to advanced threats, but successfully protecting your organization's security requires actually blocking and preventing suspicious software execution until the issue is resolved on the affected POS systems. Unless and until you have the proper means for stopping the actual execution of malware, there's work to be done.
Chapter 5: Solving the PCI Challenge for Point of Sale

In This Chapter
▶ Using PCI compliance as a baseline for POS security
▶ Shifting toward proactive security control
▶ Looking at PCI’s prioritized approach for POS security

The Payment Card Industry Data Security Standard (PCI DSS) was created to set a standard for controls that protect credit card data used in transactions, stored in databases, and transmitted over systems — all of which are included as functionality on most point-of-sale (POS) devices. This coverage means that the majority, if not all, POS systems are covered under the PCI DSS compliance requirements. Not only do you have to ensure that your POS systems are continually compliant with PCI, but also that security controls are in use and actively protecting the credit card data they process and/or store.

In this chapter, we discuss the benefits of utilizing PCI DSS as a continuous measuring stick to gauge the effectiveness of POS security. We also outline how the theme shift of the recent version of PCI DSS — version 3.0 — can have a positive influence on the goal of ensuring a continuous security measure for POS systems.
PCI DSS as a Measuring Stick

The threats to sensitive data on POS systems have been growing rapidly ever since PCI DSS was put into action. With that growth, there’s been a tendency among businesses and auditors to measure POS security effectiveness directly against the requirements within the PCI standard, note for note. The end goal for POS systems should be the most effective security program to protect sensitive data rather than a compliance check mark. Compliant doesn’t always mean secure, and a mere checklist of requirements does not get your POS systems to a “final” state of security. The “just get by” approach is being called out, so to speak.

When aligning POS security with the current PCI requirements, consider the industry-accepted recommendations:

✓ Don’t underestimate the effort involved. PCI compliance requires time, money, and executive sponsorship. It needs to be part of everybody’s job — application developers, system administrators, executives, and even staff in shops and call centers — not just left to the IT security team.
✓ Make compliance sustainable. An organization must complete thousands of tasks throughout the year to stay compliant. To be sustainable, compliance needs to be embedded in “business as usual” as an ongoing process.
✓ Think of compliance in a wider context. The best thing you can do to simplify your PCI compliance workload and achieve real security is to put your compliance program within your wider governance, risk, and compliance (GRC) strategy.
✓ Leverage compliance as an opportunity. Done properly, PCI compliance can drive process improvements, identify opportunities to consolidate infrastructure, and generate additional equity. Think of it as an opportunity rather than a burden.

The task at hand may seem daunting when you consider all the variables that need to be considered for POS systems in the current threat landscape.
However, if you step back and take a look at the new requirements in PCI DSS 3.0 from a prioritized perspective, figure out what controls you need to address first, and address the ones that have the greatest effect on your critical business processes, it’s not as complicated as it may seem. After you have the critical controls in place, think about how to prove that the controls are actually doing what they are supposed to be doing. You will have the answers to the compliance questions that come up during audits, and you will put your POS systems in a better state of security.

PCI’s Shift toward Application Control

One of the biggest changes in the PCI DSS 3.0 standard is the move toward being more proactive when it comes to measuring your security controls. For POS systems, this involves ensuring that the information used to measure both the compliance and security status is as close to real time as possible while focusing the analysis on a smaller subset of data.

The first validation shift that can help to enable compliance and improve security posture is a move from negative to positive security. With this model, rather than blocking the attacks that are known to be bad, you allow the transactions that are known to be good. This shift provides continuous compliance and full protection while enabling real-time visibility of your in-scope PCI assets. You’ll get a better hold on measuring risk, verifying controls, and continuously monitoring security. The addition of approval, trust-based security positioning will enable merchants with POS systems to reduce the administrative costs of normal pre- and post-compliance analysis, free up endpoint system processing power, and protect systems after critical patch support has ended.

Moving POS endpoints into a positive security posture helps to lower administrative effort, reduces scope, and enhances performance. It allows focus on the “known good” rather than a list of things that are bad, and eliminates the need to constantly scan the POS endpoint to detect malware. Positive security easily exposes and enforces adherence to compliance while protecting POS systems by placing them in a default-deny state, where anything that’s not part of the trust policy cannot execute.
Merging Compliance Policy with Security Controls

The convergence of security controls with compliance policies has been gradual. It hasn’t always been a natural synergy for security and compliance to work together in this way. When it comes to measuring the true security posture of POS systems, there are many benefits to using PCI DSS as a guide to implementing such controls. The ideal outcome is a convergence of compliance and security providing active intelligence — providing answers on the enforcement of the audit controls and also on the current security posture and risk.

Many PCI controls can be used to help synchronize the compliance evidence with the security metrics. For POS systems, a positive solution must
✓ Require very few system resources
✓ Proactively drive a security policy to the endpoints by allowing only trusted applications to run
✓ Detect, identify, rank, eliminate, and block malicious software

In addition, a positive security solution can
✓ Provide visibility into what’s happening on all IT assets
✓ Categorize the risks, without relying on signatures
✓ Verify and scrutinize the security controls
✓ Perform continuous monitoring of these controls
✓ Provide reports that enable IT to take proactive, corrective actions and/or prove compliance

Ensuring Ongoing PCI Compliance

By placing POS systems into a positive security posture, measured against a trust policy (only the software you trust can run on your enterprise systems), you will be able to continuously monitor and record all activity on your POS systems and other corporate endpoints for real-time detection and denial of unauthorized software. You will be able to monitor the state of compliance at any given point within the assessment process to ensure that compliance really does equal the true state of security.

There are other benefits to a trust-based application control environment that can bring you closer to continuous PCI compliance. You will be able to
✓ Build intelligence around all of your file assets, including their prevalence, trust rating, and inherited vulnerabilities
✓ Report on any asset for an audit, a pre-compliance assessment, or security intelligence gathering
✓ Meet file integrity monitoring, control, and audit trail rules with continuous, real-time file monitoring
✓ Protect your critical configuration files from unauthorized changes
✓ Enforce your trust policies whether your systems are online or offline
✓ Focus only on those events that are relevant to your business and lower the cost of obtaining compliance data against a smaller dataset

PCI DSS 3.0’s effect on POS security

PCI DSS 3.0 has had a substantial effect on the security of POS systems. Under this latest version of the PCI standard, POS systems are scrutinized much more than in the past. When assessing POS systems for security and compliance, keep these three main theme changes in mind:
✓ You must be able to identify, detect, and alert on any change to critical data.
✓ You must ensure protection and PCI compliance at all integration points with the POS systems.
✓ You must protect POS systems from threats, including those systems that haven’t traditionally been affected by malware.

PCI DSS is very clear in what’s required of organizations when securing the POS environment. Every situation is unique. However, POS systems that store or process cardholder data likely fall within the scope of compliance requirements.
Mirroring the PCI Prioritized Approach

The PCI DSS Prioritized Approach is a culmination of all the individual PCI requirements divided into six key milestones for businesses to consider. It provides guidance on how to focus on PCI DSS implementation and helps to reduce risk to the cardholder data environment as early on as possible within the compliance process.

Multiple benefits exist with mirroring the PCI Prioritized Approach when addressing security controls on POS. Table 5-1 shows four of the concentration areas you can benefit from.

Table 5-1: Benefits of the PCI DSS Prioritized Approach

  PCI DSS Priority Area                        The Positive Security Fit
  Protect systems and networks                 Protection: Anti-malware and stopping advanced persistent threats (prevention)
  Secure payment card applications             Risk measure: Measure PCI and security risk and assess vulnerabilities (detection, visibility, prevention)
  Monitor and control access                   Monitoring critical systems (visibility, response)
  Ensure all compliance controls are in place  Enforcement: Prove security policies and device control (visibility)
Chapter 6: Deploying Proactive Point-of-Sale Security

In This Chapter
▶ Defining your unique requirements
▶ Understanding the Security Maturity Model
▶ Managing your smart policies
▶ Working with other security products

Now’s the time for the rubber to meet the road. You have some decisions to make, systems to set up, and processes to manage so you can stay ahead of the advanced malware curve on your point-of-sale (POS) systems. In this chapter, we discuss defining your unique requirements, assessing how the Security Maturity Model fits in, managing your ongoing smart policies, and ensuring your POS security controls work well with other security products on your network.

Defining Your Requirements

Not only does every organization have unique security requirements, but so does every POS environment. As you move toward selecting a POS threat detection, response, and prevention product, you should identify the requirements that are most important to your business and meet your specific needs. If you choose to conduct a request for proposal (RFP), you need to define these requirements well to solicit useful proposals from prospective vendors. Even if you don’t go the RFP route, it’s helpful to know what you’re seeking before you begin evaluating products. Otherwise, you may find yourself in a “you don’t know what you don’t know” situation that you don’t want to be in.

As you set out on the path to selecting a POS security product, consider these key requirements:

✓ Visibility: Choose a product that allows you to record your environment continuously in real time. This real-time visibility fuels detection, response, and prevention. The more items of relevance — memory operations, parent processes, registry access — the better.
✓ Detonation capabilities: Choose a product that doesn’t lock you in to a single vendor. If you want to integrate with an existing detonation (the ability to execute suspect malware in an isolated virtual machine) or next-generation firewall product, make sure that the threat protection vendor has experience with that integration. Look for products that both take in information from detonators and can also push data out to those detonators.
✓ Enforcement capabilities: Your POS protection solution should provide you with a wide range of possible responses to a threat, including banning files by name or hash value and/or extracting suspect files from the system.
✓ Lightweight agent: Users don’t want a heavy agent installed on their POS systems. Your goal should be to find a product with a lightweight agent that helps you identify security threats and respond to them appropriately. Defense without business/productivity disruption is a fundamental goal.
✓ Phased approach to default deny: Flexible threat detection, response, and prevention solutions allow you to work your way toward a default deny approach (blocking everything from the get-go) in a manner consistent with the culture and operating environment of your organization by allowing
  • Your other chosen strategies to naturally impart trust
  • You to see how far that gets you in terms of measuring risk and assessing operational impact
  • You to target low-hanging fruit that gets you one step closer
✓ Signature-less detection: Your chosen solution should use a wide variety of data sources and detection approaches when evaluating suspicious files. You want to avoid signature-based approaches that are vulnerable to zero-day attacks. Ideally the product has a rules engine or API that lets you and your staff participate in the creation of new detection mechanisms. A vendor may even enable the sharing of security knowledge within its customer base and make that information available in the form of rules and policies.
✓ Efficient, high-value reporting and administration: The solution should provide you with standard templates and practices for getting information and actionable items and allow you to build out your own approaches as well.
✓ Professional services with proven expertise in deploying protection: Most deployments of POS security software take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security software in organizations similar to yours.

By spending the time and effort thinking about what you really need on the front end, you can maximize the value of your POS security software deployment management for years to come.

Understanding the Security Maturity Model

As you prepare to select and deploy proactive POS security protection, it’s a good opportunity to assess the current state of your organization’s information security. The following four areas help you determine the “maturity” level of your program:
✓ Oversight
✓ Technology
✓ Process
✓ People
For each area, you answer a series of questions that are compiled into functional area ratings and then overall ratings for each category. The maturity of your organization on each dimension is then assigned one of the following ratings:
✓ Nonexistent (0)
✓ Ad hoc (1)
✓ Repeatable (2)
✓ Defined (3)
✓ Measured (4)
✓ Optimized (5)

Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical environment and culture, bringing you value regardless of where your organization lies on this spectrum.

Managing Smart Policies

Signature-based detection is simply not effective against advanced threats for POS systems. While some people say that the alternative — whitelisting or application control — is too hard, they’re not correct. These people think of whitelisting as a long list of appropriate files, but it’s bigger — and better — than that. Smart policies aren’t plain old “lists.” They’re covering mechanisms that catalog metadata, patterns, and system information to help detect nefarious behavior. They then impart trust to each of those items. Simply put, smart policies are a short list of observations and actions that describe a system state as positive, negative, or neutral. Smart policies distill application control and attack detection into an understandable and manageable task. That’s why they’re so valuable!
Do you trust all of the applications contained within your main software repository? If so, you can express that trust using a single smart policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust in a smart policy as well. If you receive threat intelligence reports that rate a given binary file as “middling” and requiring further investigation, a smart policy can also handle that situation.

Smart policies can overlap, which means that multiple smart policies can apply to a single file. POS security systems allow this to occur and come to conclusions about a suspect piece of malware by taking all of the trust ratings into account. Next generation security products allow you to express policies as imparting trust on a spectrum.

Don’t take deployment flexibility lightly

When it comes to enterprise security, one size does not fit all. Your operations may be more staff-centric or more automation-centric or somewhere in the middle. Your software deployment strategy may depend upon trusted repositories and configuration agents, or be nonexistent altogether.

At the same time, your company culture may be open and permissive or more traditional and controlled. On top of that, you may want to focus more on detection — finding the bad guys — or more on prevention and the default deny strategy.

Only you will know how these things work in your environment. One thing’s for sure — you don’t want a vendor or specific product that tells you what to do and how to do it. Instead, you want one that looks at your requirements and environment and then works with you to develop the right approach. You need to be able to fit multiple solutions into the various parts of your ecosystem, and you need product knobs and dials that custom-configure each one. And depending on how daunting this sounds, you need a services partner that can guide you efficiently and effectively. This stuff really does matter!
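The two ideas above, a default-deny trust policy (Chapter 5) and overlapping smart policies that impart trust on a spectrum, can be shown together in a few dozen lines. The following is an added example written for this page, not Bit9 + Carbon Black code or its policy language; the policy names, the approved-hash set, the publisher name, the trust weights and the allow threshold are all constructed assumptions. A file that no policy matches scores zero and is denied, which is the default-deny state; a file with some trust but not enough is held for review rather than silently allowed.

```python
"""Trust-policy evaluation for a POS endpoint in a default-deny posture.
Added example: not Bit9 + Carbon Black code. Every policy, hash, publisher
name and threshold here is a constructed assumption for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW, REVIEW, DENY = "allow", "review", "deny"   # positive, neutral, negative state
ALLOW_THRESHOLD = 2     # assumed: net trust needed before execution is permitted


@dataclass
class FileEvent:
    """What the endpoint agent knows about a file that is about to execute."""
    path: str
    sha256: str
    origin: str                          # "repo", "browser", "usb", "unknown"
    publisher: Optional[str] = None      # signer, if the file is signed
    ti_rating: Optional[str] = None      # threat intel: "clean", "middling", "malicious"


@dataclass
class Policy:
    """One smart policy: a predicate plus the trust it imparts when it matches."""
    name: str
    matches: Callable[[FileEvent], bool]
    trust: int                           # positive imparts trust, negative distrust


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for "the main software repository": content hashes of
# approved binaries (a real deployment would load these from the repository).
APPROVED_HASHES = {
    sha256_hex(b"constructed: pos-register-v4.2.exe"),
    sha256_hex(b"constructed: receipt-printer.dll"),
}

POLICIES = [
    Policy("trusted-repository",     lambda f: f.sha256 in APPROVED_HASHES, +3),
    Policy("trusted-publisher",      lambda f: f.publisher == "Example POS Vendor", +2),
    Policy("browser-download",       lambda f: f.origin == "browser", -2),
    Policy("removable-media",        lambda f: f.origin == "usb", -1),
    Policy("threat-intel-malicious", lambda f: f.ti_rating == "malicious", -10),
    Policy("threat-intel-middling",  lambda f: f.ti_rating == "middling", -1),
]


def evaluate(event: FileEvent, policies=POLICIES) -> Tuple[str, int, List[str]]:
    """Apply every policy that matches (policies may overlap), sum the trust,
    and map the total to a verdict.  A file that matches nothing scores 0 and
    is denied: that is the default-deny state."""
    matched = [p for p in policies if p.matches(event)]
    score = sum(p.trust for p in matched)
    if score >= ALLOW_THRESHOLD:
        verdict = ALLOW
    elif score > 0:
        verdict = REVIEW      # still blocked, but queued for analyst investigation
    else:
        verdict = DENY
    return verdict, score, [p.name for p in matched]


if __name__ == "__main__":
    samples = [
        FileEvent(r"C:\POS\pos-register-v4.2.exe",
                  sha256_hex(b"constructed: pos-register-v4.2.exe"), "repo", "Example POS Vendor"),
        FileEvent(r"C:\Users\cashier\Downloads\update.exe",
                  sha256_hex(b"constructed: unknown"), "browser"),
        FileEvent(r"C:\Windows\Temp\tool.exe", sha256_hex(b"constructed: tool"), "unknown"),
        FileEvent(r"C:\POS\helper.dll", sha256_hex(b"constructed: helper"), "repo",
                  "Example POS Vendor", "middling"),
    ]
    for ev in samples:
        print(ev.path, *evaluate(ev))
```

Because every matching policy contributes, a signed binary that arrived through a browser nets zero and is denied, while a signed but "middling" file lands in review: the neutral state the text describes, where the file does not run until someone looks at it.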
Integrating with Other Security Products

Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infrastructure, you should select products that fully integrate with your SIEM and allow the use of correlation rules.

Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule that works with events from a Snort intrusion detection system may or may not be effective with information gathered from a similar NetWitness product. When designing correlation rules, organizations should ask these questions:
✓ What types of threats do we want to monitor?
✓ What are the typical attack patterns for such threats?
✓ What are the sources and types of events currently being tracked within the SIEM?
✓ Which of these events are used most often in monitoring for potential threats?
✓ How often do investigations resulting from those events result in false positives?
✓ When investigating an event, what types of additional information does the analyst need?
✓ Are we collecting the right data to make incident response quick and conclusive?

Using these questions to guide event correlation across a variety of security products enhances your security capabilities in many ways. It can reduce the time it takes to prioritize alerts and investigate incidents from days to minutes. Investigations are further expedited by locating every instance of a suspicious file across your POS systems. You can then analyze files — both automatically and on-demand — that arrive on your POS systems to quickly determine their risk. Finally, you can ensure remediation by enforcing security policies that help in stopping an attack and preventing it from happening again.
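To make the correlation idea concrete, here is an added example, written for this page rather than taken from any SIEM vendor's rule language, of a rule that joins application-control events with firewall events from the same POS host: an unapproved execution followed within five minutes by an outbound connection to somewhere other than the payment processor. A second function answers the "locate every instance of a suspicious file across your POS systems" question from the same feed. The log format, host names, hashes and addresses are constructed; the expected-destination prefix and the five-minute window are assumptions a real deployment would set from its own environment.

```python
"""SIEM-style correlation over POS security events.
Added example: not a vendor product or a real correlation-rule syntax.
The log format, hosts, hashes and addresses are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample feed: application-control events (src=appctl) and
# firewall events (src=firewall) from POS hosts, as key=value pairs.
SAMPLE_LOG = r"""
2015-03-02T14:00:40Z host=POS-017 src=appctl event=exec_unapproved file=C:\Windows\Temp\svchst.exe sha256=aa11
2015-03-02T14:01:09Z host=POS-017 src=firewall event=conn_out dst=203.0.113.45:443
2015-03-02T14:02:00Z host=POS-018 src=firewall event=conn_out dst=198.51.100.10:443
2015-03-02T14:03:15Z host=POS-022 src=appctl event=exec_unapproved file=C:\Windows\Temp\svchst.exe sha256=aa11
2015-03-02T14:05:00Z host=POS-018 src=appctl event=exec_approved file=C:\POS\register.exe sha256=bb22
2015-03-02T14:30:00Z host=POS-022 src=firewall event=conn_out dst=203.0.113.45:443
"""

# Assumed: the only legitimate outbound destination for a register is the
# payment processor's network (constructed documentation-range address).
EXPECTED_DESTINATIONS = ("198.51.100.",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'timestamp key=value ...' line; None for blank or odd lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            ev[key] = val
    return ev


def correlate(lines: List[str], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Rule: an unapproved execution on a POS host followed within `window` by
    an outbound connection from the same host to a non-expected destination."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent_exec: Dict[str, List[tuple]] = defaultdict(list)
    alerts = []
    for ev in events:
        host = str(ev.get("host"))
        if ev.get("event") == "exec_unapproved":
            recent_exec[host].append((ev["ts"], ev.get("file"), ev.get("sha256")))
        elif ev.get("event") == "conn_out":
            dst = str(ev.get("dst", ""))
            if dst.startswith(EXPECTED_DESTINATIONS):
                continue                      # traffic to the processor is expected
            for ts, path, digest in recent_exec[host]:
                if timedelta(0) <= ev["ts"] - ts <= window:
                    alerts.append({"host": host, "file": path, "sha256": digest,
                                   "dst": dst, "exec_at": ts, "conn_at": ev["ts"]})
    return alerts


def prevalence(lines: List[str]) -> Dict[str, Set[str]]:
    """Every host on which each unapproved file hash was seen: the 'locate
    every instance across your POS systems' step of an investigation."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in (e for e in map(parse, lines) if e):
        if ev.get("event") == "exec_unapproved":
            seen[str(ev["sha256"])].add(str(ev["host"]))
    return dict(seen)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in correlate(lines):
        print("ALERT", a)
    print("prevalence:", prevalence(lines))
```

On the constructed feed only POS-017 fires (29 seconds between execution and connection); POS-022 ran the same unapproved hash but its connection fell outside the window, which is exactly what the prevalence lookup catches, since it reports both hosts for hash aa11. That is the point of the text's list of questions: the correlation rule prioritizes, and the file-prevalence view finishes the investigation.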
Chapter 7: Ten Tips for Successful Point-of-Sale Security

In This Chapter
▶ Ensuring optimal defenses by using proven security controls
▶ Making sure your point-of-sale risks are minimized

Cybercriminals are getting increasingly sophisticated, and there’s no end in sight. The threats, risks, and compliance requirements associated with point-of-sale (POS) systems have become so challenging that IT administrators, security managers, and compliance officers are scrambling to find reasonable ways to get their arms around it all. In this chapter, we give you ten ways you can more easily reach your POS security and compliance goals:

✓ Minimize the customer data you collect and store. Acquire and keep only the data required for legitimate business purposes and only for as long as necessary. When data is no longer of business value or relevant to security compliance, properly dispose of it. Shred paper documents and remove hard drives from your POS systems and related computers. You can even take your security efforts a step further by encrypting the sensitive data you collect on laptops, mobile devices, flash drives, and backup tapes. Encryption makes it more difficult for unauthorized parties to read the data in the event of loss or theft.
✓ Manage the costs and administrative burden of the PCI compliance validation process. Try segmenting your infrastructure among multiple teams to minimize the complexity and scope of compliance. Having full visibility into all enterprise assets beyond your POS systems (for example, network hosts, applications, and databases) along with the necessary templates to determine PCI-relevant data gives you a snapshot of the corporate assets that are affected and helps minimize the compliance pains.
✓ Maintain PCI compliance throughout the checkout process to guard data against all the possible points of compromise. If you’re able to detect transactional data point infractions in real time and stop anything introduced into your infrastructure that’s outside of known software (such as advanced threats), you can ensure that transactional data (such as credit card numbers) are protected at every step along the way.
✓ Develop a strategy to protect your infrastructure on multiple levels. Eliminate every opportunity for cybercriminals to exploit your POS terminals, kiosks, workstations, and servers. The ability to collect endpoint information in real time provides you with the information to properly assess the risks. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.
✓ Maintain real-time inventory and actionable intelligence on all network systems, and control the overall security of your infrastructure to maintain PCI compliance. Employ multiple layers of security technology to stymie sophisticated hackers. Establish a baseline for the software that should reside on your POS and related systems. Schedule security patches on your own timetable and eliminate the need for constant profile scanning that can negatively impact the performance of your POS environment.
✓ Extend the life of your systems to keep them compliant. Often you can’t upgrade for extended support after an operating system’s end of life.
By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach will keep you in the know — at all times — about what’s running on every in-scope system across your organization. Rather than guessing what’s compliant and what’s not, you can determine on a real-time basis if you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.
✓ Use real-time sensors to test your security system regularly. By maintaining continuous, real-time file integrity monitoring and control, you can protect critical configuration files from unauthorized changes and meet file integrity monitoring and audit trail rules associated with your POS systems. You’ll be able to identify all suspected vulnerabilities across your POS environment and proactively take action against specific types of files based on your organization’s policies. You can achieve complete visibility into all changes and vulnerabilities that software updates may introduce by folding employees’ file rights and approvals into your organization’s trust metrics. This increased visibility provides a wealth of information for penetration testing and will expose all known and potential vulnerabilities prior to those exercises. It will also help you determine which penetration tests to run because the coordinates can be created against a set of known possibilities rather than a negative set of data that can be difficult to decipher.
✓ Build measurable business intelligence around your business assets. By having good visibility into real-time file asset inventory information, you can build intelligence around all your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having such a high level of visibility enhances your ability to report on any asset at audit time or during pre-compliance assessments and security intelligence-gathering exercises, enabling you to take a proactive stance against anything running within your enterprise that’s deemed untrustworthy.
✓ Conduct regular audits of security measures, especially connections commonly used as gateways for attacks, and make appropriate adjustments. A full audit of all significant PCI data and the surrounding events associated with an attempted file alteration is necessary for auditors to quickly assess your compliance stance and produce the necessary reporting for PCI compliance validation.
✓ Educate employees about their role in data security. Inform all employees of the potential threats to customer data and the legal requirements for securing it. This should include designating an employee to serve as information security coordinator who is responsible for overseeing all security efforts. Having a clear security policy in place helps set expectations and guide employees on the proper use of data, creating a more secure environment.
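The file integrity monitoring that the sensor tip above and the Chapter 5 list of ongoing-compliance benefits both call for comes down to a baseline-and-verify loop. What follows is an added example written for this page, not the product's own FIM engine: it hashes the configuration files and executables under a POS install directory, stores the baseline, and later reports anything added, removed or modified (content or permission bits). The directory layout, file names, contents and the set of watched file types are constructed assumptions.

```python
"""Baseline-and-verify file integrity monitoring for a POS install directory.
Added example, not the product's FIM; file names and contents are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Assumed set of file types worth watching on a register (config + executables).
WATCHED = ("*.ini", "*.cfg", "*.xml", "*.exe", "*.dll")


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns: Iterable[str] = WATCHED) -> Dict[str, dict]:
    """Record hash, size and permission bits of every watched file under root."""
    baseline: Dict[str, dict] = {}
    for pat in patterns:
        for p in root.rglob(pat):
            if p.is_file():
                st = p.stat()
                baseline[p.relative_to(root).as_posix()] = {
                    "sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def save_baseline(baseline: Dict[str, dict], dest: Path) -> None:
    """Persist the baseline; keep it somewhere the POS host cannot rewrite it."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, dict]:
    return json.loads(src.read_text())


def verify(root: Path, baseline: Dict[str, dict]) -> Dict[str, list]:
    """Compare the directory against the baseline; report added, removed and
    modified files (content hash or permission change)."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(current) & set(baseline)
        if current[name]["sha256"] != baseline[name]["sha256"]
        or current[name]["mode"] != baseline[name]["mode"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a tiny POS install, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Temp").mkdir()
        (root / "pos.ini").write_text("[payment]\nprocessor=198.51.100.10\n")
        (root / "register.exe").write_bytes(b"MZ constructed register binary")
        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")      # .json is not a watched type
        # Three unauthorized changes a sensor should surface:
        (root / "pos.ini").write_text("[payment]\nprocessor=203.0.113.45\n")        # config edited
        (root / "Temp" / "dropper.exe").write_bytes(b"MZ constructed unknown binary")  # new binary
        (root / "register.exe").unlink()                                            # file removed
        return verify(root, load_baseline(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `Temp/dropper.exe` as added, `register.exe` as removed and `pos.ini` as modified. Two design points matter in practice: the baseline must live where the monitored host cannot alter it, or a change to the baseline hides a change to the files, and the report of a modified configuration file is itself the audit-trail evidence the compliance tip asks for.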
WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.