By: Laura Combs, CISSP

During the last several months, I’ve seen a number of stories show up in the news about retail chains and restaurants experiencing malware attacks on their point of sale (POS) systems, which in turn impacted a massive number of customers. The latest round of stories discussing the recent breach at Wendy’s restaurants is now saying the original breach discovered at 300 of the restaurant’s locations earlier this year is expected to extend far beyond what was originally discovered. Several of those articles include a short explanation of how the malware came to be on the POS terminals (the “card-swipe” machines). Apparently, attackers gained access to an unnamed third-party vendor’s network and were able to use that vendor’s remote access credentials to access Wendy’s POS terminals and drop the malware there. Once installed, the malware was designed to collect credit card data for every card swiped at the terminal and send that data to the attackers. That data was then posted for sale to groups or individuals who specialize in credit card fraud.

Reading about the way POS attacks in general – and the Wendy’s attack specifically – are usually carried out made me think about the risks associated with remote network access in other industries as well. Frequently, when I’m talking about remote access to organizations’ production networks, I find myself echoing Gandalf when he implores Frodo to “Keep it secret, keep it safe!” No, I’m not talking about a ring that provides invisibility to those who wear it (although when you think about it, it would be pretty helpful in avoiding cyberattacks); I’m talking about protecting the critical assets on your network. Critical assets mean different things to different organizations. For some, a critical asset might be their mail server that includes sensitive customer information; for others, it might be their POS system server or a core banking application. However, regardless of what you have determined your critical assets are, it’s important to limit the number of employees and vendors who have the ability to log in to your network remotely and access those assets.
In addition to limiting the number of people with remote access, there are several other steps you can take to lower the risk of attacks through that remote access:
  • Ensure your firewall is current and is running the latest firmware version.
  • Turn off all unnecessary services and ports on the firewall.
  • Implement an IDS/IPS solution both at the network level and at the host level for critical devices.
  • Download and install updates and patches routinely.
  • Change all default admin passwords when installing new hardware or appliances.
  • Require multi-factor authentication for configuration changes and routine maintenance work.
  • Restrict service account privileges to only those required for the service account function. Don’t grant service accounts administrative privileges unless it’s absolutely necessary for the function of the account.
  • Invest in file integrity monitoring (FIM) software for critical servers and files.
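To show what the file integrity monitoring step in the list actually does on a critical server, here is a small added example (my own illustration, not code from the author, from YHB, or from any commercial FIM product). It takes a SHA-256 baseline of every file under a directory, then re-scans and reports files that were added, removed, or modified. The directory layout, file names such as `register.exe` and `scraper.dll`, and the “tampering” are all constructed for the demo and are not taken from any real incident.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Walk `root` and record a digest for every regular file.

    Keys are POSIX-style paths relative to `root`, so the baseline is
    portable between hosts and operating systems. Symlinks are skipped so
    that a planted link cannot make an unrelated file look 'unchanged'.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as sorted JSON (store it off-host in practice)."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    """Load a baseline written by save_baseline()."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline, current):
    """Diff two baselines and return added / removed / modified file lists."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos-app"          # hypothetical application folder
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "register.exe").write_bytes(b"original binary")
        (root / "config.ini").write_text("mode=production\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulate the kind of change an unwanted remote login leaves behind:
        # a new binary dropped into the app folder and a config file edited.
        (root / "bin" / "scraper.dll").write_bytes(b"unexpected")
        (root / "config.ini").write_text("mode=production\ndebug=1\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter when turning this into something real. First, the baseline must live somewhere the monitored host cannot overwrite (a separate log server, or at least a signed copy), otherwise whoever drops a file can also rewrite the baseline. Second, run the comparison on a schedule and alert on any non-empty `added`/`modified`/`removed` list for directories that should be static, such as the application binaries on a POS server; expected changes from a patch window are then reviewed and re-baselined rather than silently accepted.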
Smaller organizations may not want to invest a lot of money in some of the steps listed above, but there are options to fit every budget, and no one wants to be the next Wendy’s or the next “unnamed third party.”
***
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.