POS vulnerabilities via Dexter malware

Security researchers have identified new malware, named Dexter, that targets Point of Sale (POS) systems such as cash registers and checkout scanning stations in order to harvest credit card numbers.  As of December 12, 2012, Dexter had infected systems in 40 countries, with the majority of infections in North America and the United Kingdom.  The infections began several months earlier, in time to capture data from many holiday shoppers.

Dexter steals credit card data by reading the memory of processes on the POS device.  More specifically, it searches memory for magnetic-stripe Track 1 or Track 2 data, which most POS card readers hand to the host in the clear.  Track 1 carries the cardholder name, the account number (PAN) and the expiry date; Track 2 carries the PAN and expiry; the discretionary data on both tracks also carries a card verification value (CVV1), which is distinct from the code printed on the back of the card.  The malware saves what it finds and uploads it in batches every five minutes to the operator, who can then use it for fraudulent purchases or to clone cards.

Malware researchers are still trying to determine how Dexter gets onto POS systems, but POS owners are not defenseless.  Card readers that encrypt the track data inside the reader hardware at the moment of the swipe, and keep it encrypted until it reaches the payment processor, implement what is known as Point-to-Point Encryption (P2PE).  With P2PE the POS host never holds cleartext track data in memory, and the data can only be decrypted with keys held by the processor, so a memory scraper such as Dexter finds nothing usable and P2PE effectively stops it from harvesting card numbers on the POS device.  P2PE does not remove the need to patch and lock down the POS host, but it takes the card data out of reach of this class of malware.

Essential tools of the security trade: DLP and SIEM

Data Loss Prevention (DLP) helps organizations discover and control the data they use, store and transmit, and it is seeing increasing use in PCI-DSS compliance.  Security Information and Event Management (SIEM) collects and analyzes events in near real time from many sources, including server logs, network devices, firewalls and intrusion detection systems.  In this article I will describe how combining SIEM and DLP can improve the security and compliance posture of an organization.  Taken together, SIEM and DLP make the flow of data within the organization visible, which gives the organization more control over that data and leaves less room for its misuse.

What are DLP and SIEM?

DLP is the deliberate effort to prevent data from being lost to unwanted individuals, groups or circumstances.  A DLP system classifies information by sensitivity so that the most important data is identified and prioritized, and it applies a consistent set of methods and technologies across departments rather than relying on isolated, local searches.  SIEM is technology that ingests and interprets events from network security devices and server logs, giving visibility into the use, transmission and storage of data.  SIEM consolidates security information from many different areas so that the organization can better understand and prioritize how it protects its data.

Protecting the company's data is a primary responsibility of information security.  With the increasing complexity and interconnection of systems that task becomes much harder, especially when it is attempted one system at a time.  DLP makes the job of protecting information more tractable, and using SIEM alongside DLP further eases the work of the security department in protecting organizational data, preventing breaches and meeting regulatory requirements.

Correlating real threats in real time with where the most sensitive information is stored and handled is exactly the territory SIEM and DLP cover together.  Combining them lets a company view its security posture in one console rather than several, which makes the process more efficient.  SIEM can be tuned to focus on where the sensitive data resides, helping the DLP team protect information at the source, in transit and at its destination, and SIEM events can refine how DLP identifies sensitive information and alert the DLP team to new data stores and new threats to organizational information.

Combining DLP and SIEM gives the organization better insight into where additional security controls should be placed and allows faster incident response, which makes for a more effective strategy against potential threats.  DLP can prevent malicious or careless users from abusing the system by allowing only authorized access to sensitive content and by informing the company when such documents have been retrieved.  At the same time, SIEM monitors those retrievals and correlates them with other events, making the resulting alerts as streamlined, efficient and timely as possible.  These two technologies provide what information security offices need: visibility and control.

 

Examples

Internal Threats

Companies often hold the information needed to detect a breach but cannot act on it because it is buried in a server log or a database.  The 2008 Verizon Business Data Breach Investigations Report, for example, found that in 82% of the breaches it investigated the victim already had evidence of the breach in its logs but had not acted on it.  DLP and SIEM are precisely the tools that would have surfaced that evidence in time to act on it.

Employees change positions and leave.  Without proper termination procedures and security controls, departing employees can take customer documents, intellectual property and other sensitive information with them.  DLP and SIEM together provide real-time information on data access and can flag inappropriate or out-of-the-norm activity.  This is something I have dealt with many times in my forensic work and I help companies protect against it in my information security consulting practice.

External Threats

Take a company that regularly handles credit card data and is compliant with the Payment Card Industry Data Security Standard (PCI-DSS).  PCI-DSS compliance helps protect the organization and mitigates a variety of attacks, but DLP and SIEM add knowledge of where attacks are actually being aimed.  Fingerprinting and other reconnaissance typically precede a larger attack; DLP and SIEM highlight these precursors so that the organization can respond and protect itself and its data before the main attack lands.
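Both examples above, the departing employee whose activity sits unread in the logs and the external fingerprinting that precedes an attack on cardholder systems, come down to one SIEM capability: correlating events from feeds that are harmless on their own. The following Python script is an added example written for this page, not code from the article and not any vendor's rule language. It runs two rules over constructed DLP, HR and firewall events: rule 1 flags sensitive content leaving via removable media or external mail when the user is already terminated or the transfer is outside business hours; rule 2 flags a source that swept several ports of a cardholder-data host and was then allowed through to it. All user names, addresses, timestamps and field layouts are constructed for the example.

```python
"""A miniature SIEM correlation over DLP, HR and firewall events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR feed: user -> time the termination took effect.
HR_TERMINATIONS = {"bsmith": datetime(2012, 12, 10, 17, 0)}

# Constructed DLP agent events: (time, user, action, classification, destination)
DLP_EVENTS = [
    ("2012-12-10 09:12:00", "jdoe",   "copy",  "public",       "usb:E:"),
    ("2012-12-10 22:41:00", "bsmith", "copy",  "confidential", "usb:E:"),
    ("2012-12-11 08:03:00", "bsmith", "email", "confidential", "ext:gmail.com"),
]

# Constructed firewall events: (time, action, src, dst, dport)
FW_EVENTS = [
    ("2012-12-11 03:00:01", "deny",  "203.0.113.9",  "10.0.5.20", 21),
    ("2012-12-11 03:00:02", "deny",  "203.0.113.9",  "10.0.5.20", 22),
    ("2012-12-11 03:00:02", "deny",  "203.0.113.9",  "10.0.5.20", 23),
    ("2012-12-11 03:00:03", "deny",  "203.0.113.9",  "10.0.5.20", 25),
    ("2012-12-11 03:00:04", "deny",  "203.0.113.9",  "10.0.5.20", 80),
    ("2012-12-11 03:00:05", "deny",  "203.0.113.9",  "10.0.5.20", 445),
    ("2012-12-11 03:00:05", "deny",  "203.0.113.9",  "10.0.5.20", 3389),
    ("2012-12-11 03:04:10", "allow", "203.0.113.9",  "10.0.5.20", 443),
    ("2012-12-11 03:05:00", "allow", "198.51.100.7", "10.0.5.20", 443),
]

# Hosts that make up the cardholder-data environment (assumed for the example).
CDE_HOSTS = {"10.0.5.20"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def insider_alerts(dlp_events, terminations, sensitive=("confidential", "restricted")):
    """Rule 1: sensitive content going to removable media or an external mail
    domain, by a user whose termination is already effective or outside
    07:00-19:00. Returns (time, user, what, reasons) tuples."""
    alerts = []
    for text, user, action, cls, dest in dlp_events:
        when = parse_ts(text)
        leaving = dest.startswith("usb:") or dest.startswith("ext:")
        if cls not in sensitive or not leaving:
            continue
        reasons = []
        if user in terminations and when >= terminations[user]:
            reasons.append("terminated user")
        if not 7 <= when.hour < 19:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((text, user, f"{action} {cls} -> {dest}", ", ".join(reasons)))
    return alerts


def recon_alerts(fw_events, cde_hosts, min_ports=5, window=timedelta(minutes=10)):
    """Rule 2: a source that was denied on at least `min_ports` distinct ports of
    a host within `window` and is then allowed through to that host, when the
    host is in the CDE. Returns (time, src, dst, dport, note) tuples."""
    denies = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for text, action, src, dst, port in fw_events:
        if action == "deny":
            denies[(src, dst)].append((parse_ts(text), port))
    alerts = []
    for text, action, src, dst, port in fw_events:
        if action != "allow" or dst not in cde_hosts:
            continue
        when = parse_ts(text)
        swept = {p for t, p in denies.get((src, dst), []) if when - window <= t <= when}
        if len(swept) >= min_ports:
            alerts.append((text, src, dst, port,
                           f"contact after sweep of {len(swept)} ports"))
    return alerts


if __name__ == "__main__":
    for alert in insider_alerts(DLP_EVENTS, HR_TERMINATIONS):
        print("INSIDER", alert)
    for alert in recon_alerts(FW_EVENTS, CDE_HOSTS):
        print("RECON", alert)
```

The point of the exercise is that no single feed raises either alert: the DLP event is an ordinary copy until the HR feed says the account should no longer exist, and the firewall denies are background noise until the same source is allowed into the cardholder-data environment. In a production SIEM the same logic runs as streaming correlation rules with the HR feed arriving through the identity system.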

 

DLP and SIEM in a distributed mobile world

DLP and SIEM are especially valuable to organizations whose workforce is increasingly mobile.  More and more workers access corporate data from mobile devices or from machines connected over a VPN.  Protecting information was already difficult when it lived on one network in a few known locations; that time is well in the past, and the new shape of work widens the area information security has to cover.  DLP allows threats to the data to be prioritized by importance, and SIEM makes data transfer and storage visible, easing the burden on the IT and security departments of protecting a much larger set of assets.

The combined use of DLP and SIEM can greatly enhance the capabilities of an information security department.  SIEM makes the access, transfer and receipt of data within the company visible and strengthens DLP initiatives to protect and control data within the organization.  Using both streamlines the protection of vital information and makes the company more efficient.  For more information on DLP, see my previous article.

 

For more information

Gartner Report: Critical Capabilities for SIEM

DLP opportunities seen in compliance push

 

PCI-DSS compliance primer

Our last two articles have focused on compliance.  Last time I looked at HIPAA and its ramifications for healthcare providers and business associates.  Today the spotlight falls on the Payment Card Industry Data Security Standard (PCI-DSS).  Following a who, what, how approach, this article first describes the entities that are required to follow, or would benefit from following, PCI-DSS.  It then lays out what the PCI-DSS requirements are and concludes by describing how the compliance process works.

Who cares?

PCI-DSS applies to the wide range of companies that handle credit card transactions, and it is a useful benchmark for other organizations as well.  The standard was created by the card brands, such as Discover, American Express, Visa and MasterCard, to protect cardholders from fraud and identity theft by standardizing the security controls around cardholder data.  Like an ISO standard, PCI-DSS is not a government regulation; it is a contractual industry standard, and it largely works through positive reinforcement, letting companies demonstrate that they have reached a level of information assurance suitable for protecting customer card data.  It should be noted, however, that the card brands and acquiring banks can levy fines, and an organization that suffers a loss of card data while not PCI-DSS compliant can expect them.

Compliance is expected of every company that processes, stores or transmits cardholder data; it is imposed by the card brands' and acquirers' merchant agreements rather than by law.  Some ask why they should spend the time and resources on it when no statute requires it.  First, PCI-DSS compliance gives customers more confidence in your ability to protect their data.  Second, a company that complies with PCI-DSS is better placed to meet other regulations and frameworks such as HIPAA, COBIT or ITIL, since many of the requirements overlap.  Third, the requirements in PCI-DSS are reasonable and practical for any company that takes information security seriously, and they bring real benefit to the organization's ability to safeguard systems and data.

What's required?

The 12 PCI-DSS requirements are grouped into six categories called control objectives.

Control objective: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Control objective: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Control objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Control objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Control objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Excerpt from the PCI-DSS 1.2 standard

 

How does one become compliant?

For many companies the compliance process is somewhat ambiguous, and what little is known of it tends to reflect the outliers rather than the norm.  Compliance seminars and speakers often dwell on the penalties for non-compliance or the immense cost of compliance initiatives, which makes the whole activity seem frightening.  In practice the PCI-DSS process is relatively straightforward.

After implementing controls that satisfy the objectives above, a company must periodically validate and report its compliance.  Smaller merchants complete a Self-Assessment Questionnaire (SAQ) each year and pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).  Larger merchants and service providers undergo an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance.  Which path applies is set by the card brands and your acquiring bank according to your transaction volume, and the annual validation is required to maintain your PCI-DSS standing.

 

Where to next?

This entry on PCI-DSS covered who must comply with it, what is required and how the process works.  As you can see, the process is not as complex as some believe; organizations can improve the security of their credit card handling and give customers greater assurance that their card information is protected.  If you handle credit cards, take the PCI-DSS control objectives seriously and contact a professional to learn how to implement PCI-DSS most effectively in your organization.

For more information

PCI Security Standard

Beyond the Audit: Maintaining a PCI-Compliant Environment

How to determine if you are in a regulated security space

This entry is part of a series of information security compliance articles. In subsequent articles I will discuss the specific regulations and their precise applications at length. These regulations include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI-DSS) and the Gramm-Leach-Bliley Act (GLBA), among other acts and regulations.

Information security is often treated as an amorphous issue that only the IT department has to deal with. In reality, companies need to be concerned with information security compliance from top to bottom. Regulations exist that can help a company improve its information security, and non-compliance can result in severe fines. It can be difficult for a company to understand which laws apply to it and which do not, because different sets of laws apply to different companies.

Most major companies within the United States are subject to some type of security regulation.  Regulations that contain information security requirements are intended to raise the security level of organizations in the regulated industry, and many organizations welcome that guidance.  The difficulty lies in determining which regulations apply and in interpreting their requirements.  Regulations are not written to be easily understood by the average business person, so a security professional is often needed to interpret the requirements and decide how best to implement them.  Such professionals have experience implementing systems, policies and procedures that satisfy the regulation while enhancing the security of the organization, and some hold credentials such as the HISP (Holistic Information Security Practitioner) that signify their understanding of the regulations.  The requirements themselves are often stated in general terms, leaving the company to determine how best to satisfy them.

First, a company needs to assess which laws and acts apply to it. Then it needs to organize its information security program around the boundaries those acts set. This requires a written plan that lays out a consistent and effective way of detecting, alerting on and dealing with threats.

But how do I assess which laws apply to which company?

Discussing particular acts and the companies they apply to in the abstract is necessarily vague, so take your local hospital as an example. Suppose it is a publicly traded company and not a federal agency, so it is not subject to FISMA (though as a public company it is subject to Sarbanes-Oxley). Because it handles patients' health information, it is subject to HIPAA, and it must look carefully at what protections it owes patients and put safeguards in effect to prevent a breach. At ground level, it cannot disclose patient information for purposes other than treatment, payment and healthcare operations without the patient's authorization. From a technical perspective, the hospital cannot allow any system that handles patient information to be compromised, which means controls are needed on those systems and on the equipment that provides access to them. Policies and procedures must govern the activities of the people who interact with the systems, and training must ensure that users perform their duties properly and do not intentionally or unintentionally misuse the systems.

Some companies must comply with several regulations at once.  In such cases it is best to list every regulation that affects the company first, and only then decide which security controls to implement, so that one set of controls satisfies the overlapping requirements.  This reduces compliance spending by avoiding duplicated effort and the risk of deploying competing systems to meet the same requirement.

The following table shows the different regulations, what each one regulates and which organizations fall within its scope.

 

HIPAA (Health Insurance Portability and Accountability Act)
  What it regulates: A two-part act. Title I protects the health coverage of people who change or lose their jobs. Title II simplifies healthcare administration by moving to electronic transactions and, through its Privacy and Security Rules, protects the privacy and security of individual patients' health information.
  Companies affected: Any organization that handles protected health information, including but not limited to doctors' offices, hospitals, health insurers and health plans, employers in their role as sponsors of group health plans, and the business associates that serve them.

Sarbanes-Oxley Act (SOX)
  What it regulates: Corporate financial reporting. It requires management to maintain and attest to internal controls over financial reporting (Section 404), which in practice covers the IT systems that produce financial data, and mandates retention of audit records (Section 802). It was enacted to prevent another Enron scandal.
  Companies affected: U.S. public company boards and management, and public accounting firms.

Federal Information Security Management Act of 2002 (FISMA)
  What it regulates: Recognizes information security as a matter of national security and requires every federal agency to develop, document and implement a program to protect its information systems.
  Companies affected: All federal agencies, and contractors that operate information systems on their behalf.

Gramm-Leach-Bliley Act (GLBA)
  What it regulates: Allowed insurance companies, commercial banks and investment banks to combine under one holding company. On the security side, its Safeguards Rule requires financial institutions to protect the private information of clients and customers.
  Companies affected: "Financial institutions", which the act defines as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance."

Family Educational Rights and Privacy Act (FERPA)
  What it regulates: Protects the privacy of student educational records.
  Companies affected: Any educational agency or institution that receives funds from the U.S. Department of Education, from public elementary and secondary schools to universities, colleges, seminaries, technical schools and vocational schools.

Payment Card Industry Data Security Standard (PCI-DSS)
  What it regulates: An industry standard of 12 requirements designed to reduce fraud and protect cardholder data.
  Companies affected: Companies that store, process or transmit credit card data.

There is an abundance of laws on the books designed to protect information, but it is not always clear to the average business decision maker which of them apply to their company. That is where a security professional can help a business make sense of an area that grows more complex with each new regulation.  Compliance is critical, and it begins with understanding which regulations affect your company and then laying out the steps to bring you into compliance.

For more information:

Seven Steps to Information Security Compliance

Data retention policies reduce the risk of data breach

What if I told you that you could reduce risk and costs at the same time? Skeptical? I would be. It sounds like some cheesy marketing ploy chock full of hidden costs, or high upfront costs with low ROI. No, I am not pitching a product or trying to sell you a solution. I am, however, trying to get your attention. I am talking about data minimization.

Companies collect enormous volumes of information, all of which has to be stored, maintained and secured. There is a general fear of deleting data lest it be needed some day, but this habit is quickly becoming a problem that creates privacy and compliance risk. Some call it "data hoarding", and I am here to help you clean your closet of unnecessary bits and bytes.

 

Risk and Costs

The news is full of examples of companies losing data. These companies incur significant cost to shore up their information security and their reputations. In a study by the Ponemon Institute, the estimated cost per record for a data breach in 2009 was $204. By that measure, losing 100,000 records would cost a company over twenty million dollars. It is no wonder that companies are concerned, and those that are not in the news are spending a great deal of money to protect the information they collect.

So why are we collecting this information in the first place? As with abstinence campaigns, the surest way to avoid a data breach is not to store the data at all. This is where data minimization steps in to reduce the risk. As part of a data minimization effort, an organization needs to ask itself three questions:

 

  1. Do I really need to keep this data?
  2. Would a part of the data be as useful as the whole for my purposes?
  3. Could less sensitive data be used in place of this data?

 

Do I really need to keep this data?

The first data minimization question to ask is: do I really need to keep this data? Some data is transient: it is needed at the moment of the transaction but not afterwards. Transient data should not be stored or archived; it can be discarded as soon as the transaction is complete. Ideally it should never touch disk at all but be held in memory only while the transaction is processed and then cleared, so that it cannot later be recovered by an unauthorized party. Memory is not a safe haven either, as memory-scraping malware shows, so "in memory" should also mean for as short a time as possible.

Other information, such as buying preferences or survey data, is collected to be used in aggregate for reporting. Once it has been aggregated the individual responses are usually no longer needed and should be purged. When analyzing business workflows, consider adding a purge step immediately after the aggregation and reporting step.

Effort should be made to periodically remove records that are no longer relevant. Information has a shelf life, an expiration date if you will, and information that is no longer useful to the organization should be removed. Doing so eliminates the privacy, compliance, eDiscovery and other risks attached to the data and frees organizational resources for other work.

You should also ask whether you really need to keep data when a copy already exists elsewhere; a duplicate does not need to be kept. Redundancy is a legitimate need, but build it into a centralized database system so that you can protect a single area while still providing high availability. If you absolutely need distributed systems, segment the database so that each distributed system holds only the portion of the data it needs.

 

Would a part of the data be as useful as the whole for my purposes?

The second data minimization question to ask is: would a part of the data be as useful as the whole for my purposes? Sometimes it is. Take a Social Security Number (SSN) for example. Storing the last four digits of the SSN may be as useful as storing the entire number, and the damage from disclosing just those digits is minimal compared with disclosing the whole SSN. Similarly, a company can store just the last four digits of a credit card number rather than the entire PAN.

This area of data minimization is especially important for credit cards and PCI compliance, because every place the full card number is stored is in scope for the standard and must be protected accordingly, whereas a PAN truncated to at most the first six and last four digits is an accepted way of rendering it unreadable. Shrinking the number of places where full numbers live is a risk reduction that compliance officers are eager to take.

 

Could less sensitive data be used in place of this data?

The third data minimization question to ask is: could less sensitive data be used in place of this data? Instead of storing a value that is global in nature, such as a driver's license number or SSN, consider storing a customer ID that is used only by your company. This lets you identify the customer without storing the personal identifier, and it greatly reduces the cost of securing regulated data such as PHI (Protected Health Information) under HIPAA or cardholder data under PCI-DSS. The same idea, under the name tokenization, is widely used for card numbers: the full PAN is held in one tightly protected vault and every other system works with a substitute token.

Another option is to rely on a security question, such as place of birth or mother's maiden name, instead of a password, but bear in mind that such answers are far easier to guess or look up than a good password and must be protected as secrets just the same. Whatever secret you do store, passwords included, store only a salted hash produced by a purpose-built password hashing function. Passwords should never be stored as plain text.
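The three answers above (keep only part of the value, substitute a company-local identifier, hash rather than store a secret) are each a small transformation, and they are easiest to get right when applied together at the point where a record is written. The following Python script is an added example written for this page, not code from the article: it truncates an SSN and a card number to their last four digits, replaces the SSN with a random customer ID held in a tokenization vault, and stores the password and the security-question answer as salted PBKDF2-HMAC-SHA256 hashes. The record and vault are constructed for the example (the SSN is in the range the Social Security Administration reserves for advertising, the card number is a brand-published test PAN), and the hashing parameters are reasonable defaults rather than figures quoted from any standard.

```python
"""Apply the three data-minimization answers to a customer record (added example)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def truncate(value: str, keep_last: int = 4) -> str:
    """Keep only the trailing digits; the rest is discarded, not merely masked."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits[-keep_last:]


class TokenVault:
    """Maps a global identifier (SSN, PAN) to a random, company-local customer ID.
    Only the vault holds the mapping, so only the vault needs the heavy controls."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "cust_" + secrets.token_hex(8)   # random, not derived from value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-record random salt. The stored string lets
    you verify a secret later but not recover it. Use it for security-question
    answers too; they are low-entropy and deserve the same handling."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def minimize(record: dict, vault: TokenVault) -> dict:
    """Return the record as it should be stored: no full SSN or PAN, no cleartext secrets."""
    return {
        "customer_id": vault.tokenize(record["ssn"]),
        "ssn_last4": truncate(record["ssn"]),
        "card_last4": truncate(record["card_number"]),
        "password_hash": hash_secret(record["password"]),
        # normalize the answer so "Springfield" and "springfield " verify the same
        "security_answer_hash": hash_secret(record["security_answer"].strip().lower()),
        "email": record["email"],
    }


# Constructed sample record: advertising-reserved SSN, brand-published test PAN.
SAMPLE_RECORD = {
    "ssn": "987-65-4321",
    "card_number": "4111 1111 1111 1111",
    "password": "correct horse battery staple",
    "security_answer": "Springfield",
    "email": "jane@example.com",
}

if __name__ == "__main__":
    vault = TokenVault()
    print(minimize(SAMPLE_RECORD, vault))
```

Note that the vault is the one component that still holds the global identifier; in practice it lives on its own segmented, access-controlled system, which is exactly the point: the rest of the estate is out of scope for SSN and PAN protection because it never sees them.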

To sum it all up, data minimization can reduce the amount of data you need to protect and store, reducing IT costs and information security costs and risk. Three questions can aid in determining what data to prune. Ask yourself (1) Do I really need to keep this data? (2) Would a part of the data be as useful as the whole for my purposes? And (3) Could less sensitive data be used in place of this data?

For further reading

Time for a Data Diet? Deciding What Customer Information to Keep — and What to Toss

Ponemon Study Shows the Cost of a Data Breach Continues to Increase

Security special report: The internal threat

Less Data, More Security