This is a guest post from Paul Bishop. Paul is a systems engineer for NCR Corporation with 16 years of service in various roles and capacities. He currently consults with NCR’s retail channel partners and helps them implement NCR hardware and software solutions in a variety of retail outlets. Paul is presently working on a project to roll out Watchguard firewalls and NCR Security Services to channel partners and their client bases. When he’s not working he can be found at home with his wife and 3 cats.
Security and PCI compliance are a concern for everyone doing business today unless your users are still using a cigar box and calculator and only accepting cash payments.
How can you secure your end user and make it harder for crackers* to gain access to financial information and perpetrate identity theft?
*Hackers are good guys, crackers are the bad guys. Hackers figure out how to root Androids, jailbreak iPhones and find security holes in software which they then report to developers. They never use their knowledge to perpetrate crimes only to learn, teach others and make money legally. Crackers are the criminals. They employ the same methods that hackers do, but use their knowledge to commit crimes. While you typically hear the work hacker used to describe the bad guys, it is a misnomer used by the media incorrectly well over 99% of the time. Crackers wear black hats and hackers wear white ones.
The most important way a user’s network can be secured is using a layered security approach. Do not install a firewall and expect it will catch everything. It will not. Firewalls are simply a first line of defense at the perimeter of your network. They do a great job at catching many threats, but no one firewall will catch 100% of spam, viruses, malware, ransomware (think Cryptlocker) or any other junkware that is out there.
After a firewall there should be antivirus installed and updated on every machine that touches the firewall and the internet. It should go without saying, but outdated AV software is as much a threat as not having any.
After installing a firewall and anti-virus, make sure to whitelist both web sites and applications. Malware cannot infect machines if the code cannot be run. Had Neiman Marcus whitelisted applications, they likely would not have had their customer data stolen. The malware running on their servers was nearly identical to the name of their credit processing software, so whitelisting would more than likely have shut down the threat, even if it was not detected. Whitelisting is much easier than blacklisting in a general way because you identify only the web sites and applications that are allowed to run, excluding everything else.
Complex passwords is yet another line of defense. We all hate typing H8cMpLxPwd5 to log on to our machines. But we should. PCI standards dictate a 7 character password with 3 of the following 4 characteristics; capital letters, lower case letters, numbers and special characters. It’s fairly simple to make a complex password that’s still easy to remember. Like the one you just read. That one is really easy to remember since it’s short for Hate Complex Passwords! Recognizable as a pattern but very difficult to crack.
Finally, network segmenting. Many retailers like to provide their customers with Wi-Fi access. When doing so, it is of the utmost importance to keep the Wi-Fi separated from the POS segment of the network. Never in any instance is it okay for customer Wi-Fi and POS to be on the same network segment.
Setting up layers of security will help you and your end users filter out the threats that exist today. When implementing all of the above suggestions for network security, the risk of intrusion and theft goes down significantly and peace of mind goes up inversely.