Description
ATM and POS Security Guide
Standard security regulations for Embedded devices tend to cover only antivirus based security or system hardening, which is not enough. A purely antivirus approach is of limited effectiveness against current Embedded systems threats, as has been amply demonstrated in recent attacks. Now is the time to apply well-proven technologies like Device Control and Default Deny, with an additional Antivirus module applied to critical systems where required.
Concerns
Obsolete software is a very common problem, and it’s not just consumer operating systems that are affected. it’s a well-known fact that some still-functioning space satellites are running on decades-old hardware and software. Industrial control systems, too, have a problem with very old operating systems and very long renewal cycles. The same is true for banking systems, and not just endpoints – internal automated banking systems often aren’t updated for years. In terms of the ATMs themselves, 80% of smaller banks prefer to wait for the next end-of-cycle (which may take 5-10 years, or even more), then purchase new machines with fresh software already installed, rather than updating as new versions become available.
Windows XP families are still the most popular operating systems for ATMs and POS devices. The ending of support for this operating system has affected vast numbers of businesses and government bodies. The banking and retail sectors, where so many ATMs worldwide run on Windows XP Professional for Embedded Systems, have been particularly impacted. The fact is, though, that this system actually ceased to be supported back in April 2014, along with consumer versions of Windows XP.
The overall replacement of ATM and POS systems software is a long, expensive, and painful process. Besides which, replacing software often means also having to replace still-functional, if technically obsolete, hardware.
The Threat Landscape
ATMs, operating outside the bank’s physical security perimeter and containing actual cash, and POS systems, capturing verified personal data and credit card details, are inevitably both high on the cyber-criminal’s hit-list.
Since 2009, which saw the first serious attack on ATMs with the activities of Skimer malware, the quantity and quality of attacks has increased dramatically year on year. 2015 has seen attacks on ATM and POS systems reaching a new high, with malware including Ploutus, Tyupkin, Carbanak, CardStealer, vSkimmer, Chewbacca, POSeydon and FindPOS.
Conventional antivirus software cannot fully protect against all these threats, and the limitations of ATM and POS systems – weak channels, low-end hardware and obsolete software – make its installation and deployment challenging and often impractical. As a result, these viruses continue to succeed in penetrating the ATM and POS systems of major financial institutions and retailers on a daily basis.
Meanwhile, increasing volumes of highly targeted ATM and POS malware are being created by professional developers, themselves supported by the very latest and most powerful systems and hardware.
A simple ATM attack is a fast and easy way to obtain ready money. But ATM infections can also be part of a wider attack scenario. We have seen how Advanced Persistent Threat Attacks, like Carbanak in 2015, can result in financial losses totaling more than 1 Billion US Dollars worldwide.
POS Based Threats
A specific area of vulnerability for Point of Sale systems is the middleware they depend on. This middleware tends to be created by small third-party vendors or in-house. Functionality may well take precedence over security as a design consideration and, as with ATMs, easy access to USB ports and CD/DVD drives may be seen as a convenience, rather than a security weakness.
Most POS systems operate with credit/debit cards so are, like ATMs, subject to PCI DSS regulation. All without exception work with personal customer data, the protection of which is the responsibility of the POS systems owner. And all are connected to an intranet, making the POS a useful entry point for a Targeted Attack.
Kaspersky Embedded Systems Security
Kaspersky Lab has created a security solution specifically for organizations operating ATM and POS systems and the threat environment they face, reflecting their unique functionality and OS, channel and hardware requirements, while fully supporting the Windows XP family.
Kaspersky Embedded Systems Security mitigates the security risks inherent in embedded systems. The solution has been designed specifically for ATM and POS systems, protecting the attack surfaces unique to these architectures while respecting related hardware and efficiency considerations. A single intuitive console gives the control and visibility you need to manage effective multi-layered security for your endpoints, your critical systems and your whole IT infrastructure.
Implementing Default Deny for Applications, Drivers and Libraries, boosted by Device Control functionality, is the only approach which can ensure the safety of technically ‘obsolete’ systems in continuing use.
Kaspersky Embedded Systems Security offers a ‘Default Deny only’ operational mode, with system requirements starting from 256Mb of RAM and 50Mb HDD space – ideal for Windows XP based systems running on low-end hardware. On-demand scanning is supplied through an optional Antivirus module powered by the Kaspersky Security Network, which also provides Patch Management facilities as required.
So this single solution meets three key objectives:
• Efficiently securing ‘difficult to manage’ systems
• Compliance with PCI DSS requirements 5.1, 5.1.1, 5.2, 5.3 and 6.2
• Enabling a soft timeline for obsolete systems and hardware replacement.
Reviews
There are no reviews yet.