Retail environments are under attack. Successful attacks have been in the news for years, but they are now increasing at an alarming rate. McAfee released a Threat Advisory to its customers on this topic in January of 2014 and also highlighted this issue in its Quarterly Threats Report.
Based on our research of recent attacks, we have built the following recommendations for securing retail environments.
At least one of the recent, successful retail attacks started with spear phishing. The attackers got onto the network by tricking a user into downloading the Citadel Trojan from an email. This Trojan was then used to steal credentials and also to perform reconnaissance on the environment. This is not only a challenge for retail environments. In fact, according to Alan Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.
- McAfee Email Gateway (MEG)
- The McAfee Email Gateway is the best way for retail environments to protect themselves from spear phishing. Key capabilities against targeted attacks include:
- McAfee Web Gateway (MWG)
- McAfee Web Gateway is equally relevant for situations where the attack starts with web browsing or social media rather than email. Key capabilities against targeted attacks include:
- Point of Sale Security
The one thing that all of the recent, successful retail attacks have in common is Point of Sale (POS) systems. In each case, the POS system was targeted because this is where credit card data can be found in unencrypted form. Because PCI requires that all payment information be encrypted when stored on disk, the attackers do not attempt to get data stored in applications or in databases.
The actual theft of credit card information happens by installing malware on the POS systems. Once installed, the malware scans system memory for credit card data (referred to as "RAM scraping") and saves that information to a file. To prevent this from happening, McAfee recommends installing application whitelisting technology on POS systems.
- McAfee Application Control (MAC)
- McAfee Application Control is the ideal solution for protecting POS systems. Once installed and configured, it uses application whitelisting technology to simply block the execution of any application or script that is not explicitly authorized. It effectively "locks down" the system so that malware cannot be executed on the POS device. Key capabilities against targeted attacks include:
- This is McAfee's top recommendation for retail environments. If you are a retailer, we strongly encourage you to implement application whitelisting technology on your point of sale devices.
- McAfee Integrity Control
- McAfee Integrity Control software combines the industry-leading whitelisting technology of McAfee Application Control with change control technology to ensure that only trusted applications and changes occur on fixed-function devices like point of service (POS) systems.
- Intel Data Protection Technology for Transactions
- Using a combination of hardware authentication and end-to-end encryption, Intel® Data Protection Technology for Transactions is designed to secure both credit/debit and personal data from the moment a transaction is initiated all the way through the storage of the encrypted information on retailer and bank server networks.
- Secure Payment Transactions and Consumer Information from Point-of-Sale to the Server
- Intel Data Protection Technology for Transactions protects against the growing threats retail organizations face from malware and targeted attacks in four key ways: end-to-end encryption for transactions, central management and updates, whitelisting and authentication of secure devices, and strict policy-driven access to transaction information.
- Data Exfiltration
After the sensitive information is harvested from the memory of the point of sale systems, the attackers now need a way to get it out of the environment. This could be done by exfiltrating it directly from the POS system to the internet, but other techniques have been used. For example, in at least one case, the data was first moved to an internal server for temporary storage. After a period of time it was exfiltrated from this server via FTP.
Seeing and stopping those file transfers, and also seeing the ancillary activity (lateral movement within the environment), is critical for retail organizations.
- McAfee Network Data Loss Prevention (DLP) and McAfee Web Gateway (MWG)
- McAfee Network DLP can be configured to stop exfiltration of sensitive data. Key capabilities against targeted attacks include:
- McAfee Security Information and Event Management (SIEM)
- The McAfee SIEM can be configured to notify or take action when suspicious activity is seen. Key capabilities against targeted attacks include:
- Identify suspicious activity like a high volume of logins from multiple locations.
In the case of at least one successful retail attack, each infected POS device would log into and send stolen credit card data to a single file share. This high number of logins would have triggered a default correlation rule in the McAfee SIEM.
- Understand when deviations from the norm occur.
For example, the compromised account from the previous example might have had legitimate access to the file share. However, it was probably not normal for that account to be used several hundred times in one day. Similarly, it might be normal to see FTP traffic in the environment but not normal to see it from the system that was exfiltrating the data. The McAfee SIEM normalizes all of the activity that it sees, so it knows when a deviation happens and has the intelligence to take the appropriate action.
- Take action to protect the environment.
The McAfee SIEM integrates with McAfee ePO to take protective action on endpoints when necessary. For example, when the McAfee SIEM identified the suspicious logons it could have made a list of the POS systems that were initiating the connection. It could then instruct McAfee ePO to perform a security scan on those systems. This level of automation provides an added degree of safety in large and complex environments.
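The three SIEM behaviors above (many POS hosts fanning in to one file share, an account used far more than its baseline, and FTP from a host that never normally uses it, which is also the staging-server exfiltration described in the Data Exfiltration section) as an added example, not McAfee SIEM code or its rule syntax; the log format, host names, thresholds and baseline counts are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the original page), one per line:
# "<timestamp> <event> user=<account> src=<host> dst=<target>"
SAMPLE_LOGS = [
    "2014-09-20T02:01:10 share-logon user=svc_pos src=pos-101 dst=fs01/dump",
    "2014-09-20T02:01:12 share-logon user=svc_pos src=pos-102 dst=fs01/dump",
    "2014-09-20T02:01:15 share-logon user=svc_pos src=pos-103 dst=fs01/dump",
    "2014-09-20T02:01:19 share-logon user=svc_pos src=pos-104 dst=fs01/dump",
    "2014-09-20T09:15:00 share-logon user=jdoe src=wks-07 dst=fs02/reports",
    "2014-09-20T23:40:03 ftp-session user=svc_pos src=fs01 dst=203.0.113.8",
    "2014-09-20T23:45:00 ftp-session user=edi src=edi-gw dst=198.51.100.5",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def share_fan_in(events, min_sources=3):
    """Rule 1: many distinct hosts logging on to one share (a collection point)."""
    sources = defaultdict(set)
    for e in events:
        if e["event"] == "share-logon":
            sources[e["dst"]].add(e["src"])
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}

def account_deviation(events, baseline_per_day, factor=3):
    """Rule 2: an account used far more in one day than its baseline (unknown accounts always deviate)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["ts"][:10])] += 1
    return {k: n for k, n in counts.items() if n > baseline_per_day.get(k[0], 0) * factor}

def unexpected_ftp(events, approved_ftp_sources):
    """Rule 3: FTP sessions from hosts that do not normally speak FTP."""
    return [e for e in events
            if e["event"] == "ftp-session" and e["src"] not in approved_ftp_sources]

def correlate(lines, baseline_per_day, approved_ftp_sources):
    """Run all three rules and list the hosts an endpoint manager should scan next."""
    events = parse(lines)
    fan_in = share_fan_in(events)
    ftp = unexpected_ftp(events, approved_ftp_sources)
    hosts = {h for srcs in fan_in.values() for h in srcs} | {e["src"] for e in ftp}
    return {"fan_in": fan_in, "deviation": account_deviation(events, baseline_per_day),
            "ftp": ftp, "hosts_to_scan": sorted(hosts)}
```

Calling `correlate(SAMPLE_LOGS, {"svc_pos": 1, "jdoe": 5, "edi": 2}, {"edi-gw"})` flags the share `fs01/dump`, the `svc_pos` account's daily count, and the FTP session from `fs01`, and returns the POS hosts plus the staging server as the list to hand to endpoint management.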
- Additional Resources
These three areas were brought to light by recent attacks on retail organizations, but they are not the whole story. Future attacks may be different or other factors in the threat landscape may change, so it is absolutely critical that retail organizations consider their overall security postures. This includes endpoint security, network security, data protection and all the other domains of IT security.
McAfee is here to help on all of these fronts. For more information, please contact us.
- 9/25/2014 >> Added "Webinar: Point of Sale and credit card transaction security for embedded systems – critical compliance and threat mitigation techniques and solutions"
- 9/23/2014 >> Initial Release