Put yourself in the shoes of a cyber-criminal for a moment. You've gotta make a living too, right? But it's not always easy selling stolen credit card data on the dark web. While you apparently have little difficulty hacking into a POS system and siphoning off credit card data for months and months undetected, here's the thing... the going rate for stolen credit card data on the black market is in decline. It's simple supply and demand. There's too much stolen credit card data available. A US credit card used to be able to fetch $20-30, but of late that data is falling closer to $5-10. Essentially, you're making 1/3 of your usual wage! What's a cyber-criminal to do? Work 3 times harder? No. Besides, just like any other enterprising go-getter, you want more work/life balance.
As shown in the graph below, provided by the Proofpoint Q1 2017 Quarterly Threat Report, there were 4.3x as many new ransomware variants in Q1 2017 as in Q1 2016!
What would prevent that same cyber-criminal from using those same infiltration tactics to deploy ransomware on the POS and, within minutes rather than months, accomplish their goal? If a major retailer was unable to ring out a single consumer on Black Friday, the busiest brick-and-mortar shopping day of the year, what ransom would they be willing to pay? How many millions in revenue would they lose even if they recovered without paying the ransom?
Makes a lot of sense. And the "proof-of-concepts" are already happening, with WannaCry, NotPetya, and Jaff as the most notable. Cyber-criminals have ransomed unsuspecting small businesses for financial gain... and, I believe, to test the waters before hitting major retail brands where it hurts... the Point-of-Sale.
Locking Down the POS
At Netsurion, we specialize in secure, resilient, and compliant payment networks for merchants. And with our acquisition of EventTracker, a leading security intelligence platform listed 10 consecutive years on the Gartner Magic Quadrant for SIEM, we're excited to be at the forefront of this problem before it becomes an epidemic. I'd like to offer these 5 tips on protecting merchants from a POS ransomware attack.
- Secure, Resilient and Compliant Payment Networks: Partner with a managed security service provider to remotely and centrally manage the networks of all of your locations. This provider should actively manage your next-gen firewalls' effectiveness, properly segment your network (so that the POS environment is isolated from guest Wi-Fi, back-office, and other systems), encompass secure Wi-Fi, and also offer network resilience in the form of automatic cellular fail-over to keep your business running during any disruption of broadband service.
- Point-to-Point Encryption: Implement PCI-validated P2PE solutions to encrypt cardholder data at the POS to prevent clear-text cardholder data from being present in your network and reduce PCI DSS scope.
- PCI DSS Compliance Management: Going hand-in-hand with the two above, enlist a vendor that can streamline your PCI DSS compliance management including SAQ (self-assessment questionnaires), vulnerability scans, and provide support to not just report your compliance (or lack thereof) but actually help you gain and maintain compliance. PCI DSS is crucial, but it is not the end-all be-all of your security program. Being PCI DSS compliant should be viewed as receiving a high school diploma, not a PhD.
- Advanced Threat Protection: In today's environment of ever-mutating malware and new threat vectors, long gone are the days of the firewall/anti-virus tandem being sufficient. Businesses must deploy managed detection and response (MDR) for endpoints or SIEM (security information and event management) capabilities to quickly predict, prevent, detect, and respond to any indicator of compromise.
- Franchise Security Adoption: For franchise-model brands, there is an added layer of complexity. Identifying and choosing to implement effective cybersecurity is not enough. Wrangling hundreds of franchise business owners is like herding cats. A change management strategy to effectively communicate, organize, and shepherd a standardized security program into all franchise locations is a must. Your security service providers should partner with you to develop and implement such a program.