There is some more information about Target’s data breach we reported last month and how it happened. According to information leaked to Brian Krebs, a web server would have been compromised, and from there a Trojan would have been distributed to Point of Sale (POS) terminals.
This malware is specifically designed to work in POS and steal credit card information directly from RAM memory, as soon as a credit card is swiped. Cybercriminals were entering Target’s network periodically to gather stolen information from the different POS.
How can companies protect themselves against this kind of attacks? Antivirus are obviously not the solution, we are talking about targeted attacks where the malware has been specially designed to avoid the installed antivirus detection as a starter.
As POS are usually closed platforms, people could think a good solution would be a whitelisting solution. This type of programs are designed to only allow certain applications to be executed on a computer, and in fact this could be a valid approach to certain kind of attacks: for example, an insider attack where an employee tries to infect a POS installing some malicious software in it. However, that solution does not cover all the holes. Many times malicious applications are installed exploiting vulnerabilities, and this kind of installations are not detected necessarily by whitelisting software.
POS are a really appealing target, and cybercriminals will try to sneak in. It is not a matter of luck, eventually they will give it a try, and to be protected you need a solution that covers different aspects of the POS and is able to:
- Restrict execution of software: only allowed programs will be allowed to run.
- Identify vulnerable applications: warn about outdated software.
- Enforce behavior of trusted processes: in case a vulnerability in a trusted process is exploited.
- Traceability: In case an incident takes place, tools to facilitate all necessary information to answer the 4 basic questions: since when the intrusion has happened, which users have been affected, what data have been accessed and what have they done with them, and how and where the attackers were coming from.
documented recorded information that allows to find the source of the attack.
These are not all the security measures that can be taken, but at least these four points should be mandatory.