Welcome to another installment in my cybersecurity for business owners series. Black Hat held a good webinar today on securing POS (Point of Sale) Systems. I published an article on this topic (with input from one of our security engineers, Scott “Shagghie” Scheferman) a couple of weeks ago but this webinar had some additional soundbites that may be useful to business owners, particularly those who use POS systems.
Eric Fiterman was the first presenter, and he brought up some interesting points:
- Initial results indicate that the initial attack vector in the compromise of Target's network may have been the energy control systems. As we’ve noted in other scenarios and after discussions with many vendors, energy control systems, microgrid systems and other clean energy systems are emerging everywhere, and security implications seem to be a secondary concern at best when they are installed and integrated with existing networks. In a previous post I noted this is a similar situation with networked medical devices being installed in hospitals.
- Eric mentioned the heavy emphasis on compliance vs actual security. We’ve noted this after more than a decade of securing information systems for the Department of Defense, where the emphasis on “doing things right” in the security realm outweighs the importance of “doing the right things” in security.
- The push towards the cloud expands the attack surface significantly, often in ways that are not immediately obvious or understood.
- Anything that holds a credit card number should be considered a POS system.
Mr. Fiterman recommended the following ways in which to reduce one’s risk as a business owner:
- Reduce exposure by getting rid of data that is not required for immediate business purposes and using third-party vendors (PayPal, etc.) to process credit card payments.
- Encrypting credit card numbers at the point of acceptance.
- Focusing on security in addition to compliance (you can’t really ignore compliance or else the regulatory agencies get mad at you).
- Understanding how your network and domain infrastructure can work against you.
- Locating the initial attack vector asap, rather than focusing on the end target (although that also needs to be fixed). Otherwise you can be chasing a number of feints and actual attacks that are all originating from the same initial entry point and spend far more money and time trying to eliminate the threat.
Jeffery Guy, a former Air Force cyber ninja and current security expert, also spoke. His message was that every company should expect to be breached and that although a compromise may only take seconds, it will take months of time and an average of $341,000 to fix each breach (as Target is finding out now).
70% of all cyber attacks against businesses happen against small businesses, and although many business owners feel they “aren’t worth the time” of an attacker, the reality is that they are the primary targets and victims of cybercrime.