Brandon Benson is a senior security analyst at SecurityMetrics, responsible for PCI compliance assessments and security consulting services. SecurityMetrics is a leader in merchant data security and compliance.
According to the U.S. federal government, 2014 brought about an epidemic of point-of-sale (POS) malware or malicious software that affected over 1,000 merchants nationwide. In the last two years, POS malware has compromised 100 million payment cards and potentially affected up to one in three people in the U.S.
SecurityMetrics PCI forensic investigators discovered that remote access is a top avenue hackers use to gain access into merchant systems in order to install custom-tailored POS malware. Other attack vectors include email phishing attacks, third-party vendor compromise, insider threats, social engineering, and using vulnerable applications to compromise systems.
Common remote access tools such as RDP, LogMeIn, RemotePC, pcAnywhere, and GoToMyPC are used to allow third-party access to merchant information without physically visiting the location. These tools also allow employees to access work systems from remote locations, a common practice in today’s mobile corporate culture.
If not properly secured, remote access puts companies including merchants, vendors, service providers, and others at a severe security disadvantage by allowing attackers the opportunity to remotely gain access to POS or other systems in the payment environment.
An attacker could breach a merchant’s payment environment via remote access by:
- Scanning the Internet for vulnerable IP addresses
- Running a password-cracking tool on each IP address found
- Beginning a remote access session with cracked username/password information
Once inside the merchant system, the attacker could upload malware, copy sensitive data, and even use the compromised system to attack other computers or networks within the merchant environment. The malware will continue to steal data even after the attacker logs out and may go undetected for a long period of time.
Unfortunately, this type of attack is very easy for a hacker to execute, and is made even easier by free online password-cracking tools.
Take a multi-layered approach to security
POS malware succeeds when system vulnerabilities (cracks in the wall) are present. These cracks let hackers into merchant systems. The best way to prevent such attacks is to discontinue remote access, but in today’s world that is not always a realistic option. Alternatively, by taking simple steps and adopting a multi-layered approach to security, merchants can secure their organization against a potentially devastating compromise.
Merchants who correctly implement PCI DSS security controls can reduce the risk of malware in their environment. The PCI DSS is a multi-layered security framework designed to reduce a merchant’s risk of compromise. The following best practices, if implemented correctly, will reduce the risk of attacks.
- Segregate and restrict access to sensitive systems (PCI DSS Requirement 1.2)
By identifying sensitive systems and isolating them in their own network zone, merchants can control what type of access is allowed into that zone and restrict remote access to connections that use two-factor authentication. Further restricting outbound access to only authorized IP addresses helps prevent unauthorized information from leaving the restricted network.
- Change the default username (PCI DSS Requirement 2.1)
To make it more difficult for a hacker to guess your username, don’t use the username for other non-sensitive systems or in any public forums. Instead of using common terms such as “admin,” “administrator,” your company name, or a combination of these, use fictitious names or a combination of characters, symbols, and numbers that doesn’t fit the standard username mold.
- Don’t enable guest accounts and disable/change default accounts (PCI DSS Requirement 2.1)
Guest and default accounts allow anonymous computer and system access. Disabling any guest accounts on each computer protects against unauthorized users. Disabling or changing default accounts makes it difficult for attackers to research installation guides online to get the default username and password of applications and systems. Many POS systems and applications come installed with default or guest accounts and passwords that should be changed to make it more difficult for attackers to enter systems.
- Protect systems against known malware (PCI DSS Requirement 5)
Antivirus or anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program that scans systems on a regular basis will prevent known POS malware or other malware from infecting systems.
- Establish a process to identify security vulnerabilities (PCI DSS Requirement 6.1)
Using outside sources such as the United States Computer Emergency Readiness Team (US-CERT), the SANS Institute, and vendor/antivirus threat feeds, merchants can identify emerging malware and attacks on systems. They can then configure systems to alert and report on suspicious activity, such as new files added to directories where malware is known to be installed, or unauthorized access attempts.
- Restrict access to sensitive systems by business need to know (PCI DSS Requirement 7)
Restrict system access to only the individuals and groups who need to know that information. Configuring dedicated administrator and user accounts prevents the use of credentials stolen from other non-sensitive systems from being used to access sensitive systems.
- Lock out hackers (PCI DSS Requirement 8.1.6)
Set your computer to lock out a user after six failed login attempts. Requiring an administrator to manually unlock accounts will prevent attackers from guessing a few passwords and coming back later to try again. If an attacker only has six chances to guess the correct password, it’s likely their attempts will fail. Once locked out, an attacker will move on to an easier target.
- Implement two-factor authentication (PCI DSS Requirement 8.3)
Two different forms of authentication should be required to access a remote access application. When configuring two-factor authentication, the two factors must come from two of the following three categories:
- Something only the user knows (e.g., a username and password)
- Something only the user has (e.g., a cell phone or an RSA token)
- Something the user is (e.g., a fingerprint)
For example, if you implemented a password and a four-digit PIN sent through SMS to your phone, an attacker would have to learn your password and also have access to your cell phone to gain remote access to systems.
- Implement logging and alerting (PCI DSS Requirement 10)
Configuring systems to log and alert on suspicious activity allows merchants to respond to possible breach attempts, including:
- New processes created
- New login events
- Shared access events
- Disconnect events
- New service installation
- File auditing
- User account created
- Failed logons
- Event log starting
- Registry value modified
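As an added illustration (example code, not from the article), the Python script below applies the kind of alerting described above to a handful of constructed log lines. It raises one alert per watched event and, on top of that, a single higher-priority alert when one source produces six failed logons against one host inside five minutes, the same six-attempt figure the lockout requirement uses. The event IDs are the standard Windows Security and System log IDs for these activities; the JSON line format, host names, addresses and the five-minute window are assumptions for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows event IDs for the activity types listed above (Security log unless noted).
WATCHED_EVENTS = {
    4688: "new process created",
    4624: "new login event",
    4779: "session disconnected",
    7045: "new service installed (System log)",
    4663: "file access audited",
    4720: "user account created",
    4625: "failed logon",
    6005: "event log service started (System log)",
    4657: "registry value modified",
}
FAILED_LOGON_THRESHOLD = 6                  # same figure as the lockout in Requirement 8.1.6
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # assumed window for a password-guessing burst


def parse_line(line: str) -> dict:
    """Each constructed log line is one JSON object: ts, event_id, host, user, source, detail."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyse(lines):
    """Return (events, bursts): one entry per watched event, plus one entry per
    (host, source) pair that crosses the failed-logon threshold inside the window."""
    events, bursts = [], []
    recent = defaultdict(deque)  # (host, source) -> timestamps of recent failed logons
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        eid = rec["event_id"]
        if eid not in WATCHED_EVENTS:
            continue
        events.append(f"{rec['ts'].isoformat()} {rec['host']} {WATCHED_EVENTS[eid]}: "
                      f"user={rec['user']} source={rec['source']} {rec['detail']}")
        if eid != 4625:
            continue
        key = (rec["host"], rec["source"])
        window = recent[key]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > FAILED_LOGON_WINDOW:   # drop attempts outside the window
            window.popleft()
        if len(window) >= FAILED_LOGON_THRESHOLD and key not in flagged:
            flagged.add(key)
            bursts.append(f"{rec['ts'].isoformat()} {rec['host']}: {len(window)} failed logons "
                          f"from {rec['source']} within {FAILED_LOGON_WINDOW}; possible password guessing")
    return events, bursts


# Constructed sample: seven failed RDP logons five seconds apart, then a successful logon
# from the same address followed by a process start, a service install and a new account.
def _rec(ts, eid, user, source, detail, host="POS-01"):
    return json.dumps({"ts": ts, "event_id": eid, "host": host, "user": user,
                       "source": source, "detail": detail})


SAMPLE_LOG = [
    _rec(f"2015-03-01T02:10:{5 * i:02d}", 4625, "admin", "203.0.113.5", "bad password")
    for i in range(7)
] + [
    _rec("2015-03-01T02:11:30", 4624, "admin", "203.0.113.5", "logon type 10 (remote interactive)"),
    _rec("2015-03-01T02:12:05", 4688, "admin", "203.0.113.5", "new process started from a temp folder"),
    _rec("2015-03-01T02:12:40", 7045, "admin", "203.0.113.5", "service UpdaterSvc installed"),
    _rec("2015-03-01T02:13:00", 4720, "admin", "203.0.113.5", "account 'support' created"),
    _rec("2015-03-01T09:00:00", 4624, "cashier1", "192.168.1.20", "logon type 2 (console)"),
]

if __name__ == "__main__":
    evts, brsts = analyse(SAMPLE_LOG)
    print("\n".join(brsts))
    print("\n".join(evts))
```

Note that the burst alert fires on the sixth attempt, before the successful logon that follows it; with this ordering an analyst is looking at the source address before the service install and account creation arrive, which is exactly the window in which an investigation can still prevent data loss.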
- Install and monitor file integrity monitoring software (PCI DSS Requirement 11.5)
Not only should merchants review the logs generated by their file integrity monitoring software daily, they should also configure alerts that notify system administrators in the event of suspicious activity. If a system detects suspicious activity, such as a new software program installed in an odd location or someone attempting to log in 300 times in a row, log alerting can tip off the internal IT team to begin an investigation.
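As an added example, not part of the article, the Python script below does what the paragraph describes for a file integrity monitor: it records a SHA-256 baseline of a directory tree, re-scans it, reports added, removed and modified files, and flags any new executable that appears outside the expected program directories (the “installed in an odd location” case). The directory layout, file contents and the list of expected program directories are constructed for the example and are not from any real POS installation.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed list: directories where a newly appearing executable is expected. Anything
# executable that shows up outside them is reported as "installed in an odd location".
EXPECTED_PROGRAM_DIRS = ("Program Files", "Windows/System32")
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".ps1"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict:
    """Map each file's path (relative to root, forward slashes) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: dict, new: dict) -> dict:
    """Classify changes since the baseline and single out suspicious new executables."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    suspicious = [p for p in added
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES
                  and not any(p.startswith(d + "/") for d in EXPECTED_PROGRAM_DIRS)]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Build a small constructed file tree, take a baseline, change it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "Program Files" / "POSApp"
        app.mkdir(parents=True)
        (app / "pos.exe").write_bytes(b"legitimate pos binary v1")
        (app / "config.ini").write_text("port=9100\n")
        (root / "Windows" / "Temp").mkdir(parents=True)
        before = baseline(root)
        # Constructed "after" state: the config was edited and an executable appeared in Temp.
        (app / "config.ini").write_text("port=9100\nupload=on\n")
        (root / "Windows" / "Temp" / "svchost.exe").write_bytes(b"not the real svchost")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

In production the baseline would be stored outside the monitored host (an attacker who can write the malware can also rewrite a local baseline), and the `suspicious` list is the one that should page an administrator rather than wait for the daily review.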
- Implement vulnerability scanning (PCI DSS Requirement 11.2)
Vulnerability scans are automated tests that passively test systems and networks to identify known weaknesses. These scans generate reports that provide specific information about weaknesses in the entity’s systems and networks, allowing the entity to find and fix vulnerabilities in a timely manner.
It is estimated that the average hacker could scan the entire internet for possible remote access vulnerabilities once every eight hours. This statistic is exactly why vulnerability scanning is crucial to merchant security. Vulnerability scanning should be ongoing, or at least conducted quarterly, to help locate vulnerabilities, including any remote access problems.
- Implement a risk-assessment process (PCI DSS Requirement 12)
Merchants that take a proactive approach to security will use internal and external resources to identify critical assets, assess vulnerability threats against those assets, and implement a plan to mitigate those threats.
The future of remote access exploitation
Remote access exploitation is a simple attack to conduct, but it is also simple to protect against by employing the PCI DSS requirements described above. Attackers will continue to use vulnerable remote access applications to their advantage in 2015 and beyond until merchants shore up their businesses against these popular attacks.