Peter Guidi's Blog

Archive for the ‘PCI’ Category

“Torch it, Shane. Burn everything”: Snidely K. ‘Whip’ Whiplash. Ransomware and protecting your organization from the bad guys.

In Internal Scanning, PCI, Platforms, Retail Payment, Uncategorized, Zone Routers on December 28, 2016 at 10:29 am

In 1986, evolutionary biologist Dr. Joseph Popp infected many people with AIDS, just not the way you might think. The “AIDS Information Introductory Diskette” was the world’s first known ransomware attack and was introduced into systems through a floppy disk which Popp mailed to his victims. 30 years later, the bad guys are still relying on human error to bring forward a new generation of even more dangerous ransomware threats. If you’ve missed out on encryption ransomware, lock screen ransomware, and master boot record (MBR) ransomware, consider yourself lucky! Dr. Popp defended his hostage taking by explaining that the money was going to the PC Cyborg Corporation for AIDS research. Today’s hostage takers are harder to find and more interested in stealing your money than in social causes. These days, if your network, mobile or desktop computer falls victim to “ransomware”, your financial data and business records could be locked with strong encryption, along with a demand that you pay for a key to unlock the files. Are you familiar with Bitcoin and the dark internet?

The evolution of IP connected devices at retail has changed the nature of threat vectors. Today, retailers must be as concerned with their Non-Card Data environment as they are with protecting the card data environment. Ransomware is one of the clearest examples of the expanding data security threats. According to an analysis published by Trend Micro, the average ransom demanded was approximately $722. Hollywood Presbyterian Medical Center paid $17,000 and The University of Calgary paid $20,000. Trend Micro found the majority of organizations that are infected by ransomware end up paying the ransom. Three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat. Retailers have millions of dollars in sales at risk; would you pay if your stores were offline?

How big of a problem is ransomware within the C-store space? During this year’s NACS conference at the “Technical Tools of Data Protection” session, Hugh Williams, CIO of Maverick, said: “We focus so much on the CDE, but probably the biggest threat out there is ransomware. It’s looking for ingress right now. They are not so much interested in your card data, they want your other stuff”. When the room was asked who had been attacked by ransomware, nearly a dozen retailers raised their hands.

Protecting yourself from ransomware attacks, or how not to be the next ransomware victim, is a major challenge. The first step is to understand that this challenge is beyond the scope of PCI and your POS. Ransomware finds its way into your environment in a number of ways. Two common threat vectors are leveraging IoT devices or tricking people into inadvertently undermining the security of their own device, like enabling a macro in a Windows document.

Stopping employees from opening the door to the bad guys takes “people and process”. Maintaining a secure network that closes the door to the bad guys requires good tools and proper scanning and patching. Management often doesn’t prioritize internet security until it’s too late. CIOs work to develop ROI analyses to drive budget for investment in network security. CEOs need to be educated on protecting the business from internet threats like ransomware, and on having a full disaster recovery plan that is fully backed up and periodically tested. To harden defenses against ransomware attacks, retailers can adopt policy changes. IT departments can close the door by expanding the objectives of data security beyond PCI, with an emphasis on scanning and patching outside of the card data environment. In the c-store business, IoT is only growing. Are your pumps IP enabled?
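The post describes encryption ransomware as locking business files with strong encryption, and the defensive answer as scanning, patching and tested backups. One detection control that sits alongside those is a file-change monitor on the back-office or file server: encryption turns ordinary, low-entropy business files into high-entropy blobs, usually renaming them with an extra extension at the same time, across many files in a short window. The Python below is an added example written for this post, not code from the original article; the snapshot format (path to bytes), the 7.0 bits-per-byte entropy threshold, the 50% changed-file alert fraction and the sample store files are all constructed assumptions, and the “encrypted” content is generated with a SHA-256 chain purely to produce deterministic high-entropy bytes offline.

```python
"""Detect a burst of high-entropy file rewrites between two directory snapshots.

Added example for the ransomware discussion above (not the article's code).
A snapshot is a dict mapping a relative path to the file's bytes; in practice
it would be built by walking a share or a backup staging area.
"""
import hashlib
import math
from collections import Counter

# Assumed thresholds: typical text/CSV sits around 3-5 bits per byte, while
# ciphertext and compressed data approach 8. Both values are tunable guesses.
HIGH_ENTROPY = 7.0
ALERT_FRACTION = 0.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_changes(before: dict, after: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Return (path, reason) pairs for files rewritten into high-entropy content.

    Two patterns are covered: an in-place rewrite (same name) and the common
    rename-with-appended-extension pattern (daily_sales.csv -> daily_sales.csv.<ext>).
    Newly created files such as ransom notes are deliberately ignored here.
    """
    findings = []
    for path, old in before.items():
        if path in after:
            new = after[path]
            if new != old and shannon_entropy(old) < threshold <= shannon_entropy(new):
                findings.append((path, "in-place rewrite to high-entropy content"))
            continue
        # Original name vanished: look for the same name with an extra extension.
        for candidate in after:
            if candidate.startswith(path + ".") and shannon_entropy(after[candidate]) >= threshold:
                findings.append((candidate, "renamed and rewritten with high-entropy content"))
    return findings


def should_alert(before: dict, after: dict, threshold: float = HIGH_ENTROPY,
                 min_fraction: float = ALERT_FRACTION) -> tuple:
    """Alert when the suspicious fraction of the baseline file set is large enough."""
    findings = find_suspicious_changes(before, after, threshold)
    fraction = len(findings) / max(len(before), 1)
    return fraction >= min_fraction, findings


def _opaque_bytes(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed data)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample snapshots of a back-office share.
SALES = b"date,store,total\n2016-12-20,101,1543.22\n2016-12-21,101,1601.07\n" * 40
INVENTORY = b"sku,qty\n1001,24\n1002,7\n1003,118\n" * 40
NOTES = b"Shift notes: pump 3 card reader replaced, fuel delivery Tuesday.\n" * 20

BEFORE = {
    "store/daily_sales.csv": SALES,
    "store/inventory.txt": INVENTORY,
    "store/notes.txt": NOTES,
}
AFTER = {
    "store/daily_sales.csv.locked": _opaque_bytes(b"sales"),   # encrypted + renamed
    "store/inventory.txt.locked": _opaque_bytes(b"inventory"),  # encrypted + renamed
    "store/notes.txt": NOTES + b"Added: call the zone router vendor.\n",  # benign edit
    "store/READ_ME.txt": b"your files are locked",  # new file, not scored here
}


if __name__ == "__main__":
    alert, hits = should_alert(BEFORE, AFTER)
    print("ALERT" if alert else "ok")
    for path, reason in hits:
        print(f"  {path}: {reason}")
```

Run against real snapshots, the same logic would be fed by periodic directory walks of the shares that matter to the business; the benign edit to `notes.txt` shows why the entropy test is applied rather than simply counting changed files.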

Untangling Internal Scanning: how zone routers impact PCI scanning requirements

In CISO, Internal Scanning, PCI, Petroleum retailing, Uncategorized, Zone Routers on December 20, 2016 at 1:58 pm

Retailers who are evaluating how to maintain PCI compliance are likely to hear the word “scan” from third-party compliance providers, or as a part of a letter from their acquiring bank. The evolution of the POS EPS and the move to POS IP connectivity for payment and loyalty have introduced new complexity to PCI scanning requirements. Retailers with newer POS now have an EPS as a part of their system. The EPS sits between the POS and the Front-End Processors and separates the card processing from the POS system, creating both the Card Data Environment and the Non-Card Data Environment. One result of this configuration is the need for a “Zone Router”. The Zone Router is typically installed behind the Store Router/Firewall/Gateway and Store LAN and in front of the POS/EPS. Retailers with Zone Routers need to consider how this technology impacts their responsibility for Internal Scanning.

PCI DSS v3.0 requirement 11.2 says that you must “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network”. What “significant change” means is open to interpretation by the QSA, but could mean: new system component installations, changes in network topology, firewall rule modifications, product upgrades or almost anything touching the network.

For many Retailers, the expectation is that a single scan will satisfy PCI DSS requirements. For most merchants, however, the requirement is to conduct at least two separate scans: one from the inside (i.e., an “internal scan”) and one from the outside (i.e., an “external scan”). External vulnerability scans look for holes in the store perimeter firewall(s), where malicious outsiders can break in and attack the network. Internal vulnerability scans operate inside the store perimeter firewall to identify real and potential vulnerabilities inside the business network. Retailers with a Zone Router installed must perform three scans: an external scan, and internal scans of both the CDE and the Non-CDE.
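The two paragraphs above give a planner everything it needs: the scan vantage points (outside the perimeter, inside the store LAN, inside the zone-router-segmented CDE) and the triggers for an unscheduled scan (quarterly cadence, new components, topology changes, firewall rule modifications). The Python below is an added example written for this post, not the article's own tooling or any vendor's scanning product: it derives the three scan jobs from a small store topology and decides whether a scan is due. The topology model, host names, the 203.0.113.x/10.1.x.x addresses, the 90-day reading of “quarterly” and the rule strings are all constructed assumptions; whether a given change is “significant” remains, as the post says, a QSA judgement that this code only approximates.

```python
"""Plan PCI scan scope for a store with a zone router and flag when a scan is due.

Added example for the scanning discussion above (not the article's code).
Zones used here: "store_lan" (non-CDE, in front of the zone router) and
"cde" (POS/EPS segment behind the zone router).
"""
from dataclasses import dataclass
from datetime import date, timedelta

QUARTER = timedelta(days=90)  # assumed reading of "at least quarterly"


@dataclass(frozen=True)
class Host:
    name: str
    zone: str  # "store_lan" or "cde"
    ip: str


@dataclass(frozen=True)
class StoreConfig:
    perimeter_ip: str       # public address of the store router/firewall/gateway
    hosts: tuple            # of Host
    firewall_rules: tuple   # of rule strings, compared as a set


@dataclass(frozen=True)
class ScanJob:
    name: str
    vantage: str   # where the scanner must sit
    targets: tuple


def plan_scans(cfg: StoreConfig) -> list:
    """External scan, internal non-CDE scan and, when a CDE segment exists, internal CDE scan."""
    lan = tuple(h.ip for h in cfg.hosts if h.zone == "store_lan")
    cde = tuple(h.ip for h in cfg.hosts if h.zone == "cde")
    jobs = [
        ScanJob("external", "internet", (cfg.perimeter_ip,)),
        ScanJob("internal-non-cde", "store_lan", lan),
    ]
    if cde:
        # The zone router blocks a LAN-side scanner from seeing the CDE, so the
        # third scan must run from a vantage point inside that segment.
        jobs.append(ScanJob("internal-cde", "cde", cde))
    return jobs


def significant_changes(old: StoreConfig, new: StoreConfig) -> list:
    """Human-readable reasons drawn from the change categories in requirement 11.2."""
    reasons = []
    old_by, new_by = {h.name: h for h in old.hosts}, {h.name: h for h in new.hosts}
    for name in sorted(new_by.keys() - old_by.keys()):
        reasons.append(f"new system component: {name}")
    for name in sorted(old_by.keys() & new_by.keys()):
        if old_by[name].zone != new_by[name].zone:
            reasons.append(f"topology change: {name} moved {old_by[name].zone} -> {new_by[name].zone}")
    if set(old.firewall_rules) != set(new.firewall_rules):
        reasons.append("firewall rule modification")
    if old.perimeter_ip != new.perimeter_ip:
        reasons.append("perimeter address change")
    return reasons


def scan_due(last_scan: date, today: date, old: StoreConfig, new: StoreConfig) -> list:
    """Empty list means no scan is due; otherwise the reasons a scan is required."""
    reasons = significant_changes(old, new)
    if today - last_scan >= QUARTER:
        reasons.append("quarterly cadence")
    return reasons


# Constructed sample: a store before and after adding an IP-enabled fuel controller.
BASELINE = StoreConfig(
    perimeter_ip="203.0.113.5",
    hosts=(
        Host("back-office", "store_lan", "10.1.1.20"),
        Host("loyalty-kiosk", "store_lan", "10.1.1.30"),
        Host("eps", "cde", "10.1.2.10"),
        Host("pos-1", "cde", "10.1.2.11"),
    ),
    firewall_rules=("allow tcp/443 store_lan -> internet", "deny any store_lan -> cde"),
)
CHANGED = StoreConfig(
    perimeter_ip=BASELINE.perimeter_ip,
    hosts=BASELINE.hosts + (Host("fuel-controller", "store_lan", "10.1.1.40"),),
    firewall_rules=BASELINE.firewall_rules + ("allow tcp/8080 internet -> 10.1.1.40",),
)

if __name__ == "__main__":
    for job in plan_scans(CHANGED):
        print(f"{job.name:18} from {job.vantage:10} targets {job.targets}")
    print(scan_due(date(2016, 11, 1), date(2016, 12, 20), BASELINE, CHANGED))
```

The sample change is the one the first post closes on (an IP-enabled pump controller), and it lands in the non-CDE segment: the planner shows that it widens the internal non-CDE scan and, together with the new inbound rule, triggers a scan well before the quarterly date.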

Internal and External scans are critical components to maintaining PCI and protecting the network, and hence the business, from attack by data thieves. Like loss prevention, internal scanning is a hedge against disgruntled employees who have targeted systems from the inside, or malware, such as viruses or Trojans, that is downloaded onto a networked computer via the Internet or a USB stick. Once the malware is on the internal network, it sets out to identify other systems and services on the internal network, especially services it would not have been able to “see” from the Internet. Internal scans search the internal network for threats to ensure the business’s valuable assets are properly secured.

The challenges of scanning within the CDE for POS systems with a Zone Router are new, and not all POS systems have defined how to manage this requirement. Retailers managing a new set of scans, particularly organizations managing centralized scanning engines, will find this requirement adds cost and time to compliance activities. When implementing a Zone Router, Retailers should consider how they will manage all three separate scanning requirements inside of a single actionable approach to their vulnerability scanning.