Meeting tight margins, pressing deadlines, and Board and Customer expectations are the daily tasks of Retailers. It is not easy to be competitive in this Market, whether you are a huge Enterprise or a small to medium rapidly growing Business.
The Board is looking to the CIO for constant business transformation in order to meet the market needs. Most CIOs get lost while satisfying business requirements, and are not able to focus on Security. That is one of the main reasons why Retailers are constantly getting hacked, day after day. PCI can add multiple additional mandates, but until Security is “baked” into the business transformation strategy, projects will continue to end up being compliant, but not secure. Recently, Oracle published an advisory on its Micros Retail legacy product stating that it has been compromised, and there is a high chance that many retailers or hotel giants may be facing a catastrophic breach. It may actually cause multiple breaches, as most Retailers deploy the software using the same Consulting Companies, or implement consistently inadequate Security practices. Most of them roll out the complete deployment live, believing that because they have deployed a PCI compliant version, they are safe. That is a pervasive myth, and if your CIO believes in this myth, you may need to question whether he is actually the right person to be handling the “Keys to the Kingdom”.
Micros Retail, when defining the terms of a Contract, specifically states that their version is PCI compliant. However, if you make any changes during the deployment which do not adhere to PA-DSS guidelines, then you may NOT be compliant, and this is a risk. Many businesses are so focused on meeting newer business requirements during the deployment of the new POS technology that they make changes without carefully following PCI-defined Best Practices, and become non-compliant.
Most Companies are not aware of how often this descent into PCI non-compliance occurs. The CISO, or possibly a Director or Manager assuming the role of a CISO, may actually report directly to the CIO. The CIO is seriously pressing the CISO (or stand-in) for the project to “Go live!”, and pre-establishing adequate Security measures is an afterthought. Even multi-billion dollar Businesses are still not hiring, or effectively making use of, a defined CISO. Even if hired, he/she is only permitted to function at a Manager or Director level, with no authority to require that implementing effective Security measures be at least as important as the Project itself. Even if he/she is passionate enough, or willing to insist on performing the job typically assumed by a CISO, this may still result in being “asked” to wait until after the Project goes live, being ignored, or, worst case, being “let go”.
Micros Retail developed an upgrade of the Tradewind POS software to the Xstore POS software. If the recent breach exposes the Tradewind platform or legacy Xstore, it may now become a Retailer Board’s top priority to either finally upgrade from Tradewind, or to update the legacy Xstore version. A retailer may already be moving from Tradewind/Tradecenter to the Xstore/Xcenter environment. Their motivation could have been business transformation, or it may have taken Microsoft’s announcement that Windows XP would no longer receive patches. Many retailers have been planning since 2009/2010 to upgrade from Tradewind to Xstore, or even to deploy a fresh Xstore environment.
The paths described above to roll out or upgrade are not as easy as they appear on paper. They require replacing almost everything from front-end to back-end and changing all back-end integrations to your CRM, Marketing, Payroll and Finance toolsets. This is basically building an entirely new environment and moving the existing business into it.
Making a mistake is very easy to do during this time. We have seen Security-conscious Companies making sure more than adequate security is “baked” into their project lifecycle, and still wind up opening themselves up to unnecessary risks without being aware of it. Perhaps a System Administrator, trying to configure a small application, without malicious intention, just opened up the entire environment to bad guys. We have seen such scenarios occur. During one of the recent deployments, we noticed that one System Administrator implemented an Endpoint Management Tool during the Xstore deployment to install and configure endpoint POS machines. He did not configure Security settings, such as basic SSL or changing the default password, and was happily advertising that his Tool was working. The good news is that our experts involved in the Rollout life-cycle caught it, red flagged it and made them configure Security Best Practices in the Tool, saving the Retailer from being published on Brian Krebs’s blog. A few other very common mistakes we have often seen are hard-coded Passwords, Default Logins, running user accounts as Administrators, shared accounts, traffic in plain text, unencrypted message queues (MQs) and many others.
If you read Brian Krebs’s blog recently, or read the VISA advisory, they mentioned the Micros Retail compromise and which IOCs you could verify to keep your environment safe. You do not need to wait until these IOCs are published to be protected against them. If you are following Security Best Practices in your strategy, you may already be safe against any such IOCs. Here is the link to VISA-published IOCs related to the Oracle Micros Retail breach. If you look at these advisories, the first one is asking you to change passwords. If you are using local accounts and don’t have an Endpoint Management Technology and a vetted procedure for changing the passwords, chances are you will take months to change the passwords on all of your POS machines.
Best practice: Change passwords periodically per the PCI mandate, and have a process already in place for immediate password change. If you need a tool, buy it. It’s worth your investment.
The second recommendation is to scan your network for executables. Frankly, if you have not deployed an Application Whitelisting Tool yet, now is the time. If an application is not needed for your Business function on POS machines, then it should NOT be allowed to run. If an Application Whitelisting Tool such as Bit9 or McAfee Application Control is implemented, it will not allow malware to run, so even if you have malware on your POS, it will NOT run.
Best practice: Deploy an Application Whitelisting Tool. Also, have an Endpoint Management Tool in place, in case you really need to run a script to search for bad files in your POS machines.
The third recommendation is to scan your network against IOCs linked to MalumPOS and Carbanak. Once again, the executables mentioned in the list should already be prohibited from running on your POS machines, and if you do not have a subscription to a Threat Intelligence Feed that gets updated every few minutes with IOCs, then you are at risk, and you should subscribe as soon as possible.
Best practice: Implement Application Whitelisting and have your Endpoint and Perimeter Protection Devices receiving some sort of Threat Intelligence Feed that gets updated every few minutes. This way, as soon as one Retailer has seen a bad executable, you will receive intelligence on the file immediately and it gets blocked from entering and running in your environment.
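The second and third recommendations above amount to one check: inventory every executable on a POS host, then treat anything not on the approved list as suspect, whether or not an IOC feed has seen it yet. The script below is an added illustration of that default-deny logic, not code from the post, from Oracle or from EthicalHat; the file names, contents and hashes are constructed for the demo and are not real IOCs.

```python
import hashlib
import os
import tempfile

# File types a default-deny policy on a POS host should account for (assumed list).
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory_executables(root):
    """Walk a POS file system and return {relative path: sha256}."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = sha256_of(full)
    return found

def classify(inv, allowlist, iocs):
    """Split an inventory into allowed / known_bad / unknown.
    IOC matches win even for allowlisted hashes; everything else that is
    not on the allowlist is 'unknown' and must not run (default deny)."""
    report = {"allowed": [], "known_bad": [], "unknown": []}
    for path, digest in sorted(inv.items()):
        if digest in iocs:
            report["known_bad"].append(path)
        elif digest in allowlist:
            report["allowed"].append(path)
        else:
            report["unknown"].append(path)
    return report

def demo():
    """Build a constructed POS directory with three executables and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real binaries
        "xstore/pos.exe": b"constructed approved POS binary",
        "tools/agent.exe": b"constructed management agent never added to the allowlist",
        "temp/svchost.exe": b"constructed sample standing in for a known-bad file",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    allowlist = {hashlib.sha256(samples["xstore/pos.exe"]).hexdigest()}
    iocs = {hashlib.sha256(samples["temp/svchost.exe"]).hexdigest()}
    return classify(inventory_executables(root), allowlist, iocs)
```

The point of the `unknown` bucket is that the unapproved agent is flagged even though no IOC feed knows about it, which is exactly what a whitelisting tool buys you over IOC scanning alone.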
For now, if you are not following the above stated Best Practices, then please make sure to check against the VISA-published IOCs. Brian Krebs also graciously published a list of IOCs from his source. You may want to check those IOCs too. Here is the link to Brian’s list:
If you are really seeking to make sure you have not made any mistakes in your Xstore deployment end-to-end, EthicalHat is one of the few companies that offer a Targeted Assessment for the Xstore environment. EthicalHat will run end-to-end Security Testing, including Business Logic Testing, to make sure that not only Xstore/Xcenter has been configured securely, but also that the underlying technology, third-party tools and integrations are deployed with Security Best Practices, to positively make sure you are protected against breaches. If you are a CIO and believe that this assessment could slow down your implementation, it is not true. The EthicalHat Team will work with you to prioritize high risk items and “bake” Security into your project. Even if you have already “Gone live”, we highly recommend running our Xstore assessment to make sure you have deployed Xstore safely in your environment.
For more information, please visit us at https://www.ethicalhat.com/xstore-it-security-assessment/ – or call our Xstore Specialist at 1-8448ETHICAL.
*Image Source: Oracle.com