


High-Profile Breaches Underscore the Need for Better Security Controls

05/02/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security



“April showers bring May flowers” is an old adage said by people who want to keep focus on the positive outcomes of an otherwise often dreary month. For three major brands, however, April has delivered a storm of information security trouble right into May, and the immediate forecast calls for post-breach incident response and analysis, and perhaps a security controls overhaul.

In recent weeks, Shoney’s, a casual restaurant chain operating primarily in the South and mid-Atlantic U.S.; Chipotle, a national Mexican-style restaurant just recovering from a massive food safety issue; and InterContinental Hotels Group (IHG), which owns and operates more than 5,000 well-known hotels across the globe, have all issued statements regarding breaches of payment processing systems. In the cases of IHG and Shoney’s, initial indications of their respective potential breaches were noticed and reported by various financial institutions (i.e., third parties), which identified suspicious patterns of activity on consumer credit cards. Chipotle, on the other hand, said during an earnings conference call that it had detected “unauthorized activity” related to the chain’s point-of-sale (POS) systems. In all three instances, it appears that the attackers hacked into the organizations’ systems, dropped malware on the point-of-sale devices, and began to remotely capture data from credit cards used at infected terminals.

The scope of each breach is not yet known. What is known is how common these breaches are across retail and hospitality: these organizations are attractive targets, given the volume of payments they process every day and the weaknesses of today's POS devices. Many security controls can help reduce exposure to this kind of attack, but two in particular have consistently proven the most effective against exactly the attacks these brands suffered, and those two are what we look at here.

Upping the ante on cybercriminals

Point-to-point encryption (P2PE) is one of the most effective controls an organization can use to protect card data as it is captured and moves through its systems. A P2PE solution encrypts the data inside the card reader at the point of capture (the swipe, dip or tap) and keeps it encrypted until it reaches the solution provider's secure decryption environment, typically at the processing gateway. The merchant's POS application therefore never handles track data in clear text; only the reader's tamper-responsive cryptographic hardware ever sees it. Even if a POS terminal has been remotely infected with malware, as appears to be the case in the Shoney's, IHG, and Chipotle breaches, card track data is unavailable to the criminals, because everything passing through the POS is ciphertext. To compromise a terminal protected by P2PE, an attacker would need physical access to the card reader itself in order to tamper with it (by installing a skimmer or swapping in a compromised unit), which is riskier, slower, and more traceable. Even then, the haul is limited to cards swiped at that one tampered reader, not those processed on the merchant's other, untouched devices. IHG, in a security-minded move, had already started rolling out its own Secure Payment Solution (SPS), which uses point-to-point encryption, across some of its branded franchises; not every location had completed the rollout, and those were the ones affected by the just-announced breach.

According to the IHG breach notice on its website, “Properties that had implemented SPS before September 29, 2016 [the date identified as the start of the breach] were not affected.” The notice continues, “Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.” And there’s the rub: the implementation of payment processing hardware/software using point-to-point encryption stopped further collection of personal and financial data from systems that were otherwise affected by an active malware infection.
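The IHG notice says the malware could no longer find payment card data once SPS was in place. The following added example, written for this post and not code from IHG, its SPS vendor, or any of the named companies, shows why: it runs a Track 2 regex of the kind POS memory scrapers use over two constructed memory images, one from a POS that receives the swipe in clear and one where the reader encrypted the track before the POS application ever saw it. The device key, key serial number, order text and test PAN are all constructed, and the SHA-256 counter keystream is a stand-in for the AES/TDES DUKPT encryption a real SRED-approved reader performs.

```python
import hashlib
import re

# Constructed sample: ISO 7813 Track 2 for the well-known test PAN 4111111111111111
# (not a real card). Layout: ';' PAN '=' YYMM service-code discretionary-data '?'
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"

# Pattern of the kind POS RAM scrapers use to pull Track 2 out of process memory:
# 13-19 digit PAN, '=', 4-digit expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

# Stand-in for the reader's secure cryptographic device (SCD). A real P2PE reader
# encrypts with AES or TDES under per-transaction DUKPT keys that never leave the
# tamper-responsive hardware; only the processor holds the base key. To stay
# dependency-free this example derives a SHA-256 counter keystream instead.
# Constructed value; a real base key is injected at a key-injection facility.
DEVICE_BASE_KEY = hashlib.sha256(b"constructed-device-base-key").digest()
KSN = b"FFFF9876543210E00001"   # constructed key serial number, sent in clear


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; scrapers use it to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """What the malware does: harvest Luhn-valid PANs from a POS memory image."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


def sred_encrypt(track: bytes, base_key: bytes, ksn: bytes) -> bytes:
    """Encrypt track data inside the reader before it reaches the POS application."""
    keystream = b""
    counter = 0
    while len(keystream) < len(track):
        keystream += hashlib.sha256(base_key + ksn + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(track, keystream))


def decrypt_at_processor(blob: bytes, base_key: bytes, ksn: bytes) -> bytes:
    """Decryption happens only in the provider's environment; same XOR keystream."""
    return sred_encrypt(blob, base_key, ksn)


def legacy_pos_memory() -> bytes:
    """Constructed memory image of a POS that receives the swipe in clear text."""
    return b"ORDER 1043 TABLE 07 TOTAL 42.17 " + SAMPLE_TRACK2 + b" AUTH PENDING"


def p2pe_pos_memory() -> bytes:
    """Same POS after P2PE: only the KSN and ciphertext ever reach the application."""
    blob = sred_encrypt(SAMPLE_TRACK2, DEVICE_BASE_KEY, KSN)
    return b"ORDER 1043 TABLE 07 TOTAL 42.17 " + KSN + blob + b" AUTH PENDING"


def demo() -> dict:
    """Run the same scraper against both images."""
    return {"legacy": scrape(legacy_pos_memory()), "p2pe": scrape(p2pe_pos_memory())}


if __name__ == "__main__":
    print(demo())   # {'legacy': ['4111111111111111'], 'p2pe': []}
    recovered = decrypt_at_processor(
        sred_encrypt(SAMPLE_TRACK2, DEVICE_BASE_KEY, KSN), DEVICE_BASE_KEY, KSN)
    print(recovered == SAMPLE_TRACK2)   # True
```

The same scraper runs against both images; the legacy image gives up the PAN, the P2PE image gives up nothing, and only the party holding the base key (the processor) can turn the ciphertext back into track data. Real scrapers add the Luhn test to discard digit runs that are not card numbers, which is why it is included here.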

In addition to its security benefits, P2PE usually reduces the Payment Card Industry (PCI) compliance burden on the merchant: the scope of the merchant's cardholder data environment (the CDE, meaning the systems that must meet PCI DSS requirements) typically shrinks to the capture devices themselves and the network devices that route to the payment processor. One caveat: that scope reduction is granted for solutions listed by the PCI Council as validated P2PE solutions; a merchant using a non-listed encryption product needs its acquirer's agreement on how much scope it actually removes. For organizations struggling with the cost and complexity of configuring their systems to the stringent requirements of PCI DSS, and of operating and maintaining those systems in a compliant manner, P2PE can be a worthy investment.

Harden system access

In addition to P2PE, organizations need to get more serious about multi-factor authentication (MFA). Requiring a second factor before granting access is a significant barrier to account takeover, yet companies hesitate to enforce MFA because it inconveniences users or requires changing long-standing access procedures. In these recent breaches, we know that malware was used to compromise payment systems. None of the companies has disclosed how the malware got onto their systems, but phishing is the most likely initial entry point. According to the 2017 Verizon Data Breach Investigations Report (released last week), “Use of stolen credentials to access POS environments continues to rise and is almost double that of brute force for hacking actions.” Phishing is the simplest and most reliable way for attackers to acquire valid user credentials.

It’s a sad truth that humans are easy targets for trickery: we are inclined and conditioned to trust others, and we are curious by nature. So when a victim receives an email that looks legitimate, he or she will probably click the link or open the attachment without a second thought. At that point the attacker can drop malware on the victim’s system or steal credentials. If the credentials obtained via phishing let the attacker connect to the network and pivot through it, it’s usually game over for the organization. If, however, the adversary must also supply a second (or third) factor of authentication, such as a freshly generated one-time code or a biometric, the attack stalls unless the attacker can somehow obtain that factor as well. Fully aware of this, the PCI DSS has for years required multi-factor authentication for all remote network access into an entity’s CDE from outside its network. The PCI Council has now upped the ante: PCI DSS 3.2 (Requirement 8.3.1) extends MFA to all non-console administrative access into the CDE, whether the connection comes from outside the network or from a workstation inside it, and this becomes mandatory on February 1, 2018.

Don’t get stuck in the mud

Breaches are happening faster and more furiously every week. April was a flurry of activity, but unfortunately the Shoney’s, Chipotle, and IHG incidents are not uncommon occurrences. Until organizations are able to prioritize the implementation and operation of fundamental security controls consistently throughout their environments, we’re going to continue to see breaches of this magnitude. Point-to-point encryption and multi-factor authentication are two basic ways to dramatically improve your information security posture and to insulate your organization from common attacks.