The Importance of Rock Solid Reliability, Unmatched Security

Bill Phillips – [email protected]
Information Security Manager

Source: tgcs04.toshibacommerce.com/cs/groups/internet/documents/... · 2020-03-12

Session Overview

Some say that “any news coverage is good news” – but not in retail. With security front and center in the minds of consumers, Toshiba remains focused on keeping you out of the headlines!

Agenda

Today’s Security Landscape
Retail Breach Case Study
Recommended Retailer Best Practices
Toshiba’s efforts to keep you out of the headlines
Retail Breach Case Study - Revisited


Sources of Data Security Threats

Today’s landscape includes threats from diverse, global sources – all extremely motivated:

Criminal Enterprises
– Broad-based and targeted attacks
– Financially motivated
– Getting more sophisticated

Hacktivists
– Targeted and destructive attacks
– Unpredictable motivations
– Generally less sophisticated

Nation-States
– Targeted and multi-stage attacks
– Motivated by information and IP
– Highly sophisticated, endless resources

#2 Target: Point of Sale

Point of Sale is the #2 attack target across all industries (POS intrusions: 24% of attacks).

Source: 2016 Verizon Data Breach Investigations Report

[Chart: incidents by pattern across all industries – Insider Misuse, Cyber-Espionage, Card Skimmers, Web App Attacks, Physical Theft, Crimeware, Errors, POS Intrusions]

Incidents by Pattern: All industries versus Retail

90% of security attacks in retail fall into 3 patterns
89% of breaches had a financial or espionage motive
63% of confirmed breaches involved leveraging weak, default or stolen passwords
30% of phishing messages were opened and 12% clicked on the attachment or link

Source: 2016 Verizon Data Breach Investigations Report

[Chart: incidents by pattern, all industries versus retail]

The impact of PCI Compliance

PCI Compliance does improve security posture.
The key is maintaining compliance to reduce the risk of a breach.
Over 10 years, not a single organization was compliant at the time of a breach.

“Security is something you do, not something you have”

Source: 2015 Verizon PCI Compliance Report

Time to Discovery of an Incident

In 93% of cases, systems were compromised in minutes or less.
In 83% of cases, the victim was not aware for weeks or more.
~75% of the time, the breach was detected by law enforcement or a third party, not internally.

Source: 2016 Verizon Data Breach Investigations Report


How do WE work together to prevent this …

It’s a partnership with shared responsibilities


Retail Breach Case Study

Source: Intel Security, FOCUS15

[Diagram: Internet → FW → IPS; DC, Mail server and workstations (WS) on the corporate intranet; a POS test server; the POS LAN.]

Diagram annotations, following the attack chain:
– Malware-infected resume delivered via spear-phishing email
– Domain user and domain group added, as well as a backdoor
– Help Desk account also found holding Domain Admin
– Via port scanning, found the POS test server
– System Admin user created as well as a backdoor (this annotation appears on several hosts in the diagram); local admin also present
– IPv4 blocked inbound to POS … but IPv6 was enabled and not monitored
– EXE to capture CC numbers and FTP them off site
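The chain above leaves a footprint in standard Windows Security logging: an account is created (event 4720) and shortly afterwards placed in a privileged group (4728 for a domain group such as Domain Admins, 4732 for a local group such as Administrators), and the grant is performed by an account that should never hold that right (the Help Desk account). Below is an added detection example over a constructed log, written for this page and not taken from the Toshiba deck or the Intel Security talk; the flat record layout, the host names (DC01, POSTEST01), the account names and the approved-granter list are assumptions.

```python
"""Detect the 'create account, then grant admin' pattern from the case study.

Added example for this page; not code from the Toshiba deck or the Intel Security
FOCUS15 talk. Event IDs are the standard Windows Security log ones:
  4720 = user account created
  4728 = member added to a security-enabled global group (e.g. Domain Admins)
  4732 = member added to a security-enabled local group (e.g. Administrators)
The flat record layout, host names and account names below are assumptions.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Accounts that are allowed to grant privileged group membership (assumption).
APPROVED_GRANTERS = {"domadm", "hr.admin"}
WINDOW = timedelta(hours=24)

# Constructed sample log: one legitimate new hire, then the attacker's backdoor accounts.
EVENTS = [
    {"time": "2015-03-02T09:10:00", "id": 4720, "host": "DC01", "subject": "hr.admin",
     "target": "j.smith"},
    {"time": "2015-03-02T09:11:00", "id": 4728, "host": "DC01", "subject": "hr.admin",
     "target": "j.smith", "group": "Domain Users"},
    # Help Desk account (which should not hold Domain Admin) creates a backdoor domain account.
    {"time": "2015-03-02T23:40:00", "id": 4720, "host": "DC01", "subject": "helpdesk1",
     "target": "svc_backup"},
    {"time": "2015-03-02T23:41:00", "id": 4728, "host": "DC01", "subject": "helpdesk1",
     "target": "svc_backup", "group": "Domain Admins"},
    # The backdoor account then creates a local admin on the POS test server.
    {"time": "2015-03-03T01:05:00", "id": 4720, "host": "POSTEST01", "subject": "svc_backup",
     "target": "sysadm"},
    {"time": "2015-03-03T01:05:30", "id": 4732, "host": "POSTEST01", "subject": "svc_backup",
     "target": "sysadm", "group": "Administrators"},
    # An existing account is elevated without a recent creation event.
    {"time": "2015-03-03T02:00:00", "id": 4728, "host": "DC01", "subject": "helpdesk1",
     "target": "old.svc", "group": "Domain Admins"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_backdoor_accounts(events, window=WINDOW):
    """Accounts created and then added to a privileged group within `window`.

    Returns a list of dicts, in time order, one per suspicious grant.
    """
    created = {}   # (host, account) -> creation event
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev["target"])
        if ev["id"] == 4720:
            created[key] = ev
        elif ev["id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            creation = created.get(key)
            if creation and _ts(ev) - _ts(creation) <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": creation["subject"],
                    "granted_by": ev["subject"],
                    "minutes_after_creation": (_ts(ev) - _ts(creation)).total_seconds() / 60,
                })
    return alerts


def find_unapproved_grants(events, approved=APPROVED_GRANTERS):
    """Privileged group additions performed by anyone outside the approved admin set.

    Catches the Help Desk account acting as Domain Admin even when no creation
    event precedes the grant.
    """
    return [
        (ev["host"], ev["subject"], ev["target"], ev["group"])
        for ev in sorted(events, key=_ts)
        if ev["id"] in (4728, 4732)
        and ev.get("group") in PRIVILEGED_GROUPS
        and ev["subject"] not in approved
    ]


if __name__ == "__main__":
    for a in find_backdoor_accounts(EVENTS):
        print("BACKDOOR?", a)
    for g in find_unapproved_grants(EVENTS):
        print("UNAPPROVED GRANT:", g)
```

Both checks need the POS test server's local Security log to reach the same collector as the domain controller's; in the case study the local admin creation on the test server is exactly the event a DC-only collection would never see.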


Retailer Best Practices – Multi-Tiered Approach

Retailers’ security strategies should include:

• EMV-compliant payment terminals
– Protection against fraudulent use of lost or stolen cards, counterfeit cards and skimming
– EMV does not protect card data
– No protection for CNP (card-not-present) transactions or mag-stripe readers

• P2PE (point-to-point encryption)
– No sensitive (account) information in the clear in the POS system
– Takes the POS system out of the clear-text card-data path, so it is no longer the attack vector for card data

• Tokenization
– Replaces the PAN with a token returned during authorization, so data at rest and later transactions (returns, settlement) carry no card data

• Network Segmentation – isolate POS systems (on both IPv4 and IPv6; see the case study)

• Secure communication protocols
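The segmentation bullet is where the case study's IPv6 finding bites: the POS inbound filter existed for IPv4 only, and the IPv6 stack was up and unmonitored. The script below is an added example (not from the Toshiba deck or the Intel Security talk) that parses the `-S` output of iptables and ip6tables on a Linux POS host, reports chains whose default policy or allow rules are weaker on IPv6 than on IPv4, and derives an ip6tables baseline from the IPv4 rule set. The rule text is constructed sample output, and 10.20.0.0/16 is an assumed store subnet.

```python
"""Audit a Linux POS host for the dual-stack gap from the case study:
inbound traffic filtered for IPv4 but not for IPv6.

Added example for this page, not code from the Toshiba deck or the Intel
Security talk. Input is the text of `iptables -S` / `ip6tables -S`; the sample
rule sets below are constructed, and 10.20.0.0/16 is an assumed store subnet.
"""

# Constructed `iptables -S` output: default-deny inbound, SSH from the store network.
IPTABLES_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed `ip6tables -S` output: nobody ever configured it, so everything is open.
IP6TABLES_WEAK = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

FILTERED_CHAINS = ("INPUT", "FORWARD")


def parse_rules(text):
    """Split `-S` output into {chain: policy} and a list of appended rules (token lists)."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            rules.append(parts[1:])
    return policies, rules


def audit_dual_stack(v4_text, v6_text):
    """Return a list of findings where IPv6 filtering is weaker than IPv4."""
    p4, r4 = parse_rules(v4_text)
    p6, r6 = parse_rules(v6_text)
    findings = []
    for chain in FILTERED_CHAINS:
        v4pol = p4.get(chain, "ACCEPT")
        v6pol = p6.get(chain, "ACCEPT")
        if v4pol == "DROP" and v6pol != "DROP":
            findings.append(f"{chain}: IPv4 policy DROP but IPv6 policy {v6pol} (IPv6 unfiltered)")
    v4_accepts = [r for r in r4 if r[0] == "INPUT" and "ACCEPT" in r]
    v6_accepts = [r for r in r6 if r[0] == "INPUT" and "ACCEPT" in r]
    if v4_accepts and not v6_accepts:
        findings.append("INPUT: IPv4 has explicit allow rules, IPv6 has none "
                        "(either disable IPv6 on this host or mirror the rule set)")
    return findings


def hardened_v6_rules(v4_text):
    """Derive an ip6tables baseline from the IPv4 rule set.

    Policies, loopback and conntrack rules carry over unchanged. ICMPv6 is added
    because IPv6 neighbour discovery breaks under a DROP policy without it.
    Rules that name an IPv4 address or prefix cannot be translated mechanically
    and are emitted as comments for review.
    """
    p4, r4 = parse_rules(v4_text)
    out = [f"-P {chain} {policy}" for chain, policy in p4.items()]
    out.append("-A INPUT -p ipv6-icmp -j ACCEPT")
    for rule in r4:
        text = "-A " + " ".join(rule)
        if "-s" in rule or "-d" in rule:
            out.append(f"# REVIEW (IPv4 address, needs an IPv6 prefix): {text}")
        else:
            out.append(text)
    return out


if __name__ == "__main__":
    for f in audit_dual_stack(IPTABLES_V4, IP6TABLES_WEAK):
        print("FINDING:", f)
    print("\n".join(hardened_v6_rules(IPTABLES_V4)))
```

On a POS host that does not use IPv6 at all, the simpler fix is to disable the stack (sysctl net.ipv6.conf.all.disable_ipv6=1) and confirm with `ip -6 addr` that no global address remains. Either way, the IPv6 rule set belongs under the same change control and monitoring as the IPv4 one: the case study's gap was not a missing rule but an entire stack nobody was watching.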

Retailer Best Practices

Retailers’ security strategies should include:

Comprehensive internal set of security policies and practices
‒ Should include awareness training from Corporate to Store
‒ Do not leave default accounts enabled
‒ Set user ID access rights and passwords
‒ Follow best practices for password management (complexity, length, etc.)
‒ Best-practice network security and monitoring
‒ Software update process (OS security patches, anti-virus, etc.)
‒ Incident response plan
‒ …

Physical security of assets (particularly controllers)
– Do not allow unauthorized personnel unlimited access to the POS system
‒ Set a BIOS Administrator Password
• Disable unused ports
• Limit boot sequence/boot devices

No system can offer protection if security controls are bypassed, or set incorrectly to allow access where it’s not required.


TGCS Operational Security Workgroup – Mission Statement

The TGCS Operational Security team is a cross-functional WW working group focused on the protection of TGCS information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. The team is primarily responsible for maintaining an enterprise-wide corporate information security program and ensuring the protection and privacy of information assets including data, software, and equipment.

Our mission is to have best of breed security for our customers’ protection.

– Team leads development, documentation and maintenance of information security policies, procedures, and standards.
– Team initiates and promotes activities to create information security awareness throughout the organization.
– Team monitors and routinely audits compliance to all information security policies and procedures.

TGCS Product Security Workgroup – Mission Statement

The TGCS Product Security team is a standing internal working group that is focused on reviewing and maintaining the security posture of our product portfolio. The team has an advisory role with product teams to address education, product design, testing, standards compliance and vulnerabilities. It will address total solution security and ensure consistent customer communications.

Our mission is to enable best of breed security for our customers.

– Cross-functional team of Project Manager, Senior Technical Staff members from hardware and software, Senior Software Test Architect, Legal Advisors
– PA-DSS V3 Assessments: ACE, CHEC and TCxGravity
– Vulnerability Reviews and Impact Investigations
– Development of Security Bulletins
– Increased Application Security Education, beyond payment-code developers
– Increased Application Testing, both static and dynamic

Product Security Workgroup Activities

TGCS Security Bulletins
– Entitled-customer-only web portal as well as subscription based
• Keyword search of weekly CERT reports
– Investigating FMI, NRF, and R-CISC
• Analysis by affected product teams
– Bulletin created if impacted

Restriction of Product Technical Items
– Entitled-customer-only web portal
• In conjunction with the iSupport portal
• To include:
– HW/SW Technical Publications and Education
– Technotes (Knowledge Base)
– Downloads (BIOS/HW Drivers, RMA, Diags)
– Security Bulletins

TGCS Security Bulletins via Web Portal

Example entry: Security Alert: 4690 OS – OpenSSL Vulnerabilities. Security Bulletin released for vulnerabilities in the OpenSSL library included in Toshiba 4690 Operating System.

Restricted to Entitled Customers and Business Partners.

TGCS Security Bulletins via Email Notification – Requires Subscription

Restricted to Entitled Customers and Business Partners.

4690 OS – a track record of success in retail

Designed specifically for retail store environments
‒ Reliable, secure and flexible
‒ Thin client
Rock solid performance ‒ approaching 1 million installations worldwide
Smallest footprint of any proven retail operating system today
Dial-tone reliability – trusted 24 x 7 x 365
16 of the top 25 retailers run 4690 OS

TGCS 4690 Embedded Linux based Operating System is the premier point-of-sale platform in the retail industry today, delivering broad functionality and remarkable reliability.

Toshiba 4690 OS Security and Hardware

Terminal Hardware
‒ 4690 terminals don’t require a hard disk or CD-ROM
‒ No auto-run for devices in USB ports or CD-ROM

Controller Hardware
‒ Physical access: controller should be in a locked room
‒ No auto-run for devices in USB ports or CD-ROM
‒ Controller only drives your POS front end
‒ Secure remote access: SSH, SFTP, Netop
‒ Console ID / FTP ID lockout

4690 OS
– Whitelisting & File Integrity Monitor with V6.5
– Follow 4690 OS recommendations for locking/closing/restricting ports, files, network protocols, etc.
– No root access to 4690 Linux
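Whitelisting and file-integrity monitoring are the two controls on this slide whose mechanism a retailer can reason about concretely: a baseline of hashes, a periodic compare, and a rule that only known executables may run. The Python below is an added illustration of that mechanism written for this page; it is not 4690 OS's implementation and makes no claim about how V6.5 does it. It builds a small constructed directory tree, so the file names, contents and the "dropper" are assumptions for the demo.

```python
"""Baseline-and-compare file integrity monitoring plus a hash whitelist.

Added illustration for this page; not the 4690 OS implementation. The directory
layout, file names and contents are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".bin", ".so", ".dll"}


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def whitelist_violations(current, allowed_digests):
    """Executables whose hash is not in the approved set (what a whitelist would block)."""
    return sorted(p for p, digest in current.items()
                  if Path(p).suffix in EXECUTABLE_SUFFIXES and digest not in allowed_digests)


def demo():
    """Run the monitor over a constructed POS directory before and after a 'compromise'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "app.bin").write_bytes(b"\x7fELF-pretend-pos-application")
        (root / "pos" / "config.ini").write_text("host=10.20.1.5\n")

        baseline = snapshot(root)
        # Approved executables are whatever was hashed at baseline time.
        allowed = {d for p, d in baseline.items() if Path(p).suffix in EXECUTABLE_SUFFIXES}

        # Simulated attacker activity: config edited, card-scraping EXE dropped.
        (root / "pos" / "config.ini").write_text("host=10.20.1.5\nexport=ftp://203.0.113.9\n")
        (root / "pos" / "dropper.exe").write_bytes(b"MZ-pretend-scraper")

        current = snapshot(root)
        result = compare(baseline, current)
        result["whitelist_violations"] = whitelist_violations(current, allowed)
        return result


if __name__ == "__main__":
    print(demo())
```

The slide's "No root access" line is what makes such a monitor worth anything: the baseline and the allowed-hash set must live somewhere the POS application's user cannot write, otherwise an attacker who has reached the scraper's privilege level simply re-baselines after dropping the EXE.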

Toshiba Product offering

4690 OS, TCxGravity, ACE and CHEC
– Support for EMV, P2PE, Tokenization
– Enable your PCI validation

TCxPay
– P2PE and Tokenization are included out-of-the-box
– Comprehensive state management enables retailers to monitor payment terminals 24/7, with immediate alerts should a payment terminal be unplugged or tampered with
– Meets latest security requirements and security accreditations, including PA-DSS and PCI DSS


Retail Breach Case Study - Revisited

The case-study diagram is shown again with the same annotations as above (spear-phished resume, domain user/group and backdoor added, Help Desk Domain Admin, port scan to the POS test server, System Admin users and backdoors, local admin present, IPv4 blocked inbound to POS but IPv6 enabled and unmonitored, EXE capturing CC numbers and FTP off site), for review against the best practices above.

Source: Intel Security FOCUS15

Summary

– Implement enterprise wide security strategy from Corporate to Store
– Security awareness training
– Implement EMV, P2PE, Tokenization
– Latest software (install security patches, anti-virus)
– Avoid shared passwords
– Define network zones (isolate POS systems)
– Define, set & adhere to permissions/access
– Utilize the security functions provided in the OS
– Find the right partners

BE VIGILANT!