I love sushi. I love big fat burritos. I love tikka masala. So now that my taste buds are salivating, what do my epicurean preferences have to do with cloud security? They all come from restaurants I frequent, and 9 time out of ten I pay for these delights with my credit card. I never thought twice about it, until I read Tracy Kitten’s article for BankInfoSecurity here: It details how many restaurants are falling victim to attacks that put their customer’s credit card information at risk.
After your meal, the bill comes, and most restaurants use some sort of POS (point of sale system) that tallies your fare. You hand over the credit card and the waitperson disappears for a bit to process your tab. Now I’m not going to go into the danger of insider threats and card spoofing by nefarious servers, but when your card is swiped at the POS machine, it is supposed to be a secure way of payment. But not always.
The attacks are not happening at the processing centers (as was the case with Global Payments breach last year), but are infiltrating the POS (point of sale) systems each restaurant uses to facilitate payments: “a POS network attack that exploited a security flaw in cloud saas software.”
This has happened on several occasions to major franchises like Subway and Zaxby’s. The article noted above talks about an unnamed, regional reseller who fell victim to this vulnerability gap. So the issue is not just big national chains. But regardless of size, each one is responsible to some level of compliance. If their POS system is faulty, they are obviously falling short in the eyes of PCI, CIP, GLBA and a handful of other oversight agencies.
The problem is serious:
“The breach is the largest attack on credit and debit cards (Marjorie) Meadors has seen during her 30-year career (as a fraud investigator for a bank). “It’s really going to affect more of our customers than any other breach we’ve had locally,” she says. “We’re looking at several hundred of our customers now, and some of the banks I’ve talked to have hundreds of customers affected as well.”
So what’s a restaurant to do? Especially one with multiple locations. Is every location responsible for their own security? Of course it is, but not in the way that you think. Security must cover the lifecycle of the payment, not just where it’s processed. So the answer lies by examining the issue from an enterprise perspective. Whether the restaurants are independently run as franchises or under the corporate banner, they all look to HQ to provide some level of malware protection, firewall, intrusion detection and access control.
In a way, you can approach the issue with the same consideration as one would BYOD. These are typically remote access software units. There are even some restaurants in which each member of the wait staff use a handheld POS. It’s partially about encryption, but it is more about policy and recognizing who is accessing the data. What data is transmitted? How is it transmitted? What data, if any does it retain?
So going back to the cloud computing solutions, every franchise or owned-and-operated location must agree to some oversight by the parent entity, which in turn provides the umbrella security infrastructure coverage. This includes the monitoring of their customers sensitive data. And the only way to do that is in real time. And for many budget conscious companies, the best way to do that is using cost-effective cloud security solutions. Bottom line, someone must take the reins to satisfy compliance. And that typically falls to the parent company. The larger problem (and this is indicative of many mid-sized companies beholden to various compliance regulations) is the lack of IT resources to carry out the monitoring, alerting, archiving, and reporting. Combine that with the drive to expand marketshare, and the problem can easily overwhelm any IT department. That’s where security-as-a-service makes more sense. IT departments can concentrate on other growth priorities while experts using cloud-based tools to close the vulnerability gaps.
Additionally, compromises to remote access represent a very high percentage of the ways of how attackers get in. Some studies show that the 47% of the merchant attacks in 2012 were linked to remote-access vulnerability. Merchants and restaurant operators are not security specialists and software providers can’t be 100% depended on to detect fraud, so it is incumbent upon the merchant to take the necessary steps to shore up their IT landscapes.
Restaurants processing credit card transactions need to collect data and monitor, report and alert on all systems and applications that contain sensitive cardholder data. To effectively do this, they need to manage a great many details from failed system-level and application-level login attempts to asset or service changes to the notification of any suspicious firewall activity in real-time.
But the question remains: would an active SIEM and Log management initiative prevent fraud stemming from unpatched software (as the article contends was the root cause of this latest breach)? A vulnerability scan that correlates data and integrates with SIEM certainly would. From the cloud the scan continuously analyzes (24/7/365) the entire extended network and can find that one POS unit or IP address that is out of synch with compliance. It then can create an immediate alert to the responsible person to remediate the issue. Further integrated with Log management, it archives the issue for automated reporting that would satisfy any auditor.
In the end your customers put a trust in you, not your software. This is all the more reason real time monitoring needs to become a greater priority. It can be easily achieved with great agility and scalability when applied through the cloud without the heavy capital expenditures. It is understood that investment in this type of infrastructure is not as sexy as an advertisement or hiring the balloon guy to go from table to table. However, consider the immediate liability, loss of business and damage to your reputation if your customers feel your restaurant or retail shop is an open invitation to every hacker, thief and low life–not to mention all the fines to be suffered by lack of compliance.
So who’s up for a great sirloin? I know a great place downtown if you want to meet me, and I’ll even show you how to protect yourself using the cloud.
– CloudAccess Staff