Don’t let a sloppy job ruin your business security.
By: Brand Barney
Why is this so important?
A colleague of mine in forensic investigations recently worked a case where a sloppy POS installation was to blame for breaches at 28 independent restaurants.
Here’s how it was discovered.
A waitress was entering a customer’s purchase at a POS terminal when she saw the cursor moving on its own across the screen. She told her manager who, very astutely, pulled the network cable and called his processing bank to let them know he believed their systems had been breached.
Here's how it happened.
It turns out that 28 restaurants in the same region were breached in a similar timeframe, and the only thing they had in common was their POS vendor. There were a variety of POS vendor errors in this particular case, but the one that let the attacker compromise the other restaurants was an abandoned installation file containing a partial client list, their IP addresses, and credentials. Why this was included in the installation files, I have no idea. Talk about poor security practices.
SEE ALSO: Plug and Play POS, Can It Ever Be Secure?
Here’s the lesson. Some POS vendors don’t understand security basics. When you consider hiring companies to set up a POS environment, there should be an interview process.
Here are 7 simple questions to ask your POS vendors. Hopefully these questions will help you distinguish the POS disasters from the vendors who truly care about your security.
1) Can I set my own username and password?
If a vendor provides POS credentials and won’t allow you to change them, there’s your first red flag. If I were gambling here (which I wouldn’t advise you to do with your sensitive data and systems), it likely means he’s using those same credentials at every other client’s business too.
Setting up universal credentials simplifies their job when performing maintenance, but also leaves your business in danger. They might try to convince you it’s because their credentials are more secure than if you set them up for yourself. That’s a bunch of bologna.
If the installer were really concerned about your security, he would let you choose your own password, but should encourage you to follow industry best practices for it (e.g., at least 10 characters long, with a mix of numbers and special characters, and not reused anywhere else).
2) How often do you require credentials to be changed?
POS vendors will often make the argument that the more often a password is changed, the harder it is for them to maintain your systems. If he can’t keep track of his customers’ current credentials (in a proper password manager, not in a spreadsheet or an installer file like the one in the case above), he’s probably not managing his environments very well. A POS vendor concerned with security should have a set time frame for passwords to be changed (e.g., every 90 days).
3) How often do you conduct routine maintenance?
A POS vendor’s job isn’t just to install the software and hardware in a one-and-done event. He should be maintaining those systems continuously by installing updates to both the operating system and the POS software. Another great question to ask is, “How long does it take you to install software patches?” Anything under 2 days is great. If he takes longer than 2 days to install a patch, move on to the next company.
4) Do you use unique remote access credentials for each POS system?
If your POS vendor uses the same credentials to access your store as another, their breach might soon become your breach. Just like in the example I shared at the beginning, if an attacker discovers a vendor’s remote access password, he now has ready-made credentials to get into any other system using the same credentials. It could be yours. Make sure your vendor uses unique credentials to access your environment.
You should also ask how long your vendor needs remote access to your systems. It is not uncommon for a vendor to connect remotely and then never disconnect. That is a very poor security practice and should be prohibited. Remote access should be turned on only for the duration of a support session, protected by two-factor authentication (which PCI DSS requires for third-party remote access), and logged so you can see who connected and when. Keep your vendor’s access to a minimum and monitor it regularly.
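The three credential questions above (your own password, regular rotation, and no reuse across clients) can be checked mechanically if the vendor keeps an inventory of the accounts he holds at each site. The script below is an added example, not code from the original post or from any POS vendor: it assumes a hypothetical inventory with one row per client site (client name, IP address, username, password, date last changed), and the client names, addresses, dates and passwords in it are constructed for illustration. It flags passwords shared across clients (the exact pivot in the 28-restaurant case), vendor-wide usernames, passwords older than 90 days, and passwords shorter than 10 characters, and it reports passwords only as hash fingerprints so the report itself never becomes another leaked client list.

```python
"""Credential-hygiene audit over a POS vendor's per-client access inventory.

Added example, not code from the original post or from any POS vendor. It
assumes the vendor keeps one row per client site with the fields used
below; the field names, client names, addresses, dates and passwords are
constructed for illustration.
"""
from collections import defaultdict
from datetime import date
import hashlib

MAX_PASSWORD_AGE_DAYS = 90  # rotation interval discussed under question 2
MIN_PASSWORD_LENGTH = 10    # minimum length suggested under question 1

# Constructed inventory: two sites share the vendor's support password, one
# password is well past 90 days old, and one is too short.
TODAY = date(2015, 6, 1)
SAMPLE_INVENTORY = [
    {"client": "Bistro A", "ip": "203.0.113.10", "username": "posadmin",
     "password": "Vendor#2014Support", "last_changed": date(2015, 4, 15)},
    {"client": "Grill B", "ip": "203.0.113.22", "username": "posadmin",
     "password": "Vendor#2014Support", "last_changed": date(2014, 10, 1)},
    {"client": "Cafe C", "ip": "198.51.100.7", "username": "posadmin",
     "password": "pos123", "last_changed": date(2015, 5, 20)},
    {"client": "Diner D", "ip": "198.51.100.31", "username": "d-owner",
     "password": "Cq7!mR2#vLp9", "last_changed": date(2015, 5, 1)},
]


def fingerprint(secret):
    """Short SHA-256 prefix so equal passwords can be grouped and reported
    without the report ever containing a password."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def audit_inventory(rows, today):
    """Return findings keyed by category.

    shared_password: same password at more than one client (the pivot in the
                     28-restaurant case and the point of question 4)
    shared_username: same login name at more than one client (a weaker
                     signal, but it shows the vendor hands out the accounts)
    stale_password:  not changed within MAX_PASSWORD_AGE_DAYS
    weak_password:   shorter than MIN_PASSWORD_LENGTH
    """
    findings = {"shared_password": [], "shared_username": [],
                "stale_password": [], "weak_password": []}
    clients_by_password = defaultdict(list)
    clients_by_username = defaultdict(list)

    for row in rows:
        clients_by_password[fingerprint(row["password"])].append(row["client"])
        clients_by_username[row["username"]].append(row["client"])
        age_days = (today - row["last_changed"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings["stale_password"].append((row["client"], age_days))
        if len(row["password"]) < MIN_PASSWORD_LENGTH:
            findings["weak_password"].append((row["client"], len(row["password"])))

    for fp, clients in clients_by_password.items():
        if len(clients) > 1:
            findings["shared_password"].append((fp, sorted(clients)))
    for name, clients in clients_by_username.items():
        if len(clients) > 1:
            findings["shared_username"].append((name, sorted(clients)))
    return findings


def format_report(findings):
    """Human-readable lines; passwords appear only as fingerprints."""
    lines = []
    for fp, clients in findings["shared_password"]:
        lines.append("SHARED PASSWORD %s used at: %s" % (fp, ", ".join(clients)))
    for name, clients in findings["shared_username"]:
        lines.append("SHARED USERNAME %r used at: %s" % (name, ", ".join(clients)))
    for client, age in findings["stale_password"]:
        lines.append("STALE PASSWORD at %s: %d days old" % (client, age))
    for client, length in findings["weak_password"]:
        lines.append("WEAK PASSWORD at %s: %d characters" % (client, length))
    return lines


if __name__ == "__main__":
    for line in format_report(audit_inventory(SAMPLE_INVENTORY, TODAY)):
        print(line)
```

Run against the constructed inventory, the audit reports one shared password (Bistro A and Grill B), one vendor-wide username, one stale password (Grill B, 243 days) and one weak password (Cafe C). The same four checks are what you would want your vendor to be able to show you he runs against his own client list.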
5) Do you maintain our anti-virus?
Depending on your relationship with your POS vendor, they may or may not maintain your scanning. If your POS vendor does maintain your anti-virus, does he regularly check the security logs, or only after a breach? An anti-virus program keeps an eye on your system. It’s fairly independent, but when it finds a problem it needs someone to give it direction: delete it, ignore it, or quarantine it? Until someone tells it what to do with that problem, it just sits back and waits. That’s why regular scanning maintenance is so important. If your vendor isn’t handling your anti-virus, it’s time to make sure you have it, that it’s up to date, and that it’s scanning regularly.
6) Will you set me up with a hardware firewall?
Some POS vendors set their clients up with a hardware firewall as part of the POS installation, but not all. Many small merchants have no security surrounding their POS system at all. A properly configured hardware firewall blocks inbound connections by default and allows only the traffic your POS actually needs, so scans and connection attempts from suspicious or foreign IP addresses never reach the system. If your POS vendor isn’t planning on setting you up with a hardware firewall, contract with another IT vendor to get one installed immediately.
7) Do you set the POS system up as an application on my back office computer?
Lots of POS vendors just dump your POS system on your back office computer, along with everything else on that computer. That’s a serious problem! You use that computer to order uniforms, track payroll, and email your staff via the Internet. And as we know, the Internet is full of malicious links, software, and downloads ready to compromise your business.
A good POS vendor recognizes the importance of segmenting your POS environment. The best solution is to set up two computers in your back office. On one, you conduct all your business (ordering uniforms, etc.). The other is only for your POS, segmented from the other back office computer by a firewall.
If you liked this post, please share!
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.