The Importance of Rock Solid Reliability,
Unmatched Security
Bill Phillips – [email protected]
Information Security Manager
Session Overview
Some say that “any news coverage is good news” – but not in retail. With security front and center in the minds of consumers, Toshiba remains focused on keeping you out of the headlines!
Agenda
Today’s Security Landscape
Retail Breach Case Study
Recommended Retailer Best Practices
Toshiba’s efforts to keep you out of the headlines
Retail Breach Case Study - Revisited
Today’s landscape includes threats from diverse, global sources – all extremely motivated
Criminal Enterprises
– Broad-based and targeted attacks
– Financially motivated
– Getting more sophisticated
Hacktivists
– Targeted and destructive attacks
– Unpredictable motivations
– Generally less sophisticated
Nation-States
– Targeted and multi-stage attacks
– Motivated by information and IP
– Highly sophisticated, endless resources
Sources of Data Security Threats
Point of Sale is the #2 attack target across all industries (#2 Target: Point of Sale – 24% of attacks).
Incident categories shown in the chart: Insider Misuse, Cyber-Espionage, Card Skimmers, Web App Attacks, Physical Theft, Crimeware, Errors, POS Intrusions
Source: 2016 Verizon Data Breach Investigations Report
90% of security attacks in retail fall into 3 patterns
– 89% of breaches had a financial or espionage motive
– 63% of confirmed breaches involved leveraging weak, default or stolen passwords
– 30% of phishing messages were opened and 12% clicked on attachment or link
Chart: Incidents by Pattern – All industries versus Retail
Source: 2016 Verizon Data Breach Investigations Report
The impact of PCI Compliance
– PCI Compliance does improve Security Posture
– The key is maintaining compliance to reduce the risk of a breach
– Over 10 years, not a single organization was compliant at the time of a breach
“Security is something you do, not something you have”
Source: 2015 Verizon PCI Compliance Report
Time to Discovery of an Incident
– In 93% of cases, systems were compromised in minutes or less
– In 83% of cases, the victim was not aware for weeks or more
– ~75% of the time, detection of the breach was by Law Enforcement or a 3rd party, not internal
Source: 2016 Verizon Data Breach Investigations Report
How do WE work together to prevent this …
It’s a partnership with shared responsibilities
Retail Breach Case Study
Network diagram components: Internet, FW, IPS, WS (several workstations), DC, Mail, Intranet, POS LAN, POS, Test
Annotations on the diagram:
– Malware-infected resume delivered via spear-phishing email
– Domain User and Domain Group added, as well as a backdoor
– System Admin user created, as well as a backdoor (annotation repeated on several systems)
– Also found: Help Desk Domain Admin
– EXE to capture CC numbers and FTP them off site
– Via port scanning, found POS test server
– IPv4 blocked inbound to POS … but IPv6 was enabled and not monitored
– Local Admin also present
Source: FOCUS15, Intel Security
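The decisive gap in the case study is a POS host that is filtered and watched on IPv4 but reachable and unwatched on IPv6. The script below is an added example (not part of the Intel Security material or Toshiba's tooling) of how a defender can audit host records for exactly that combination. All host records, the sysctl text and the field names are constructed sample data; the only real identifier is the Linux sysctl key net.ipv6.conf.all.disable_ipv6.

```python
"""Audit constructed POS host records for the gap in the case study:
inbound IPv4 is filtered, but IPv6 is enabled and neither filtered nor
monitored.  Added example; all host records are constructed sample data,
not output from any real retailer's network."""
from dataclasses import dataclass, field
from typing import Optional


def parse_ipv6_disabled(sysctl_text: str) -> bool:
    """Return True when the host has IPv6 disabled, judged from sysctl
    output of the form 'net.ipv6.conf.all.disable_ipv6 = 1'."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv6.conf.all.disable_ipv6":
            return value.strip() == "1"
    return False  # key absent: assume the kernel default (IPv6 on)


@dataclass
class HostPosture:
    name: str
    ipv6_enabled: bool
    ipv4_inbound_policy: str            # default INPUT policy of the IPv4 filter
    ipv6_inbound_policy: Optional[str]  # same for IPv6; None = no IPv6 filter loaded
    monitored_families: set = field(default_factory=set)  # families the IPS/flow sensor inspects


def audit_host(h: HostPosture) -> list:
    """Findings for one host; an empty list means the host is consistent."""
    findings = []
    if h.ipv4_inbound_policy != "DROP":
        findings.append("IPv4 inbound is not default-deny")
    if h.ipv6_enabled:
        if h.ipv6_inbound_policy is None:
            findings.append("IPv6 enabled but no IPv6 packet filter is loaded")
        elif h.ipv6_inbound_policy != "DROP":
            findings.append("IPv6 inbound is not default-deny")
        if "ipv6" not in h.monitored_families:
            findings.append("IPv6 traffic is not monitored by the IPS/flow sensor")
    return findings


def audit_hosts(hosts) -> dict:
    return {h.name: audit_host(h) for h in hosts}


# Constructed sample: the posture the case study describes, a host with IPv6
# simply off, and a host where IPv6 is on but filtered and monitored.
POS_TEST_SYSCTL = "net.ipv6.conf.all.disable_ipv6 = 0\nnet.ipv4.ip_forward = 0\n"
SAMPLE_HOSTS = [
    HostPosture("pos-test", not parse_ipv6_disabled(POS_TEST_SYSCTL), "DROP", None, {"ipv4"}),
    HostPosture("pos-lane-01", False, "DROP", None, {"ipv4"}),
    HostPosture("pos-lane-02", True, "DROP", "DROP", {"ipv4", "ipv6"}),
]

if __name__ == "__main__":
    for host, findings in audit_hosts(SAMPLE_HOSTS).items():
        print(host, "OK" if not findings else findings)
```

The point of treating IPv6 as its own row is that "inbound blocked" is only true per address family: a default-deny IPv4 policy says nothing about IPv6, and a sensor that only decodes IPv4 gives no visibility into the other path.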
Retailer Best Practices – Multi-Tiered Approach
Retailers’ security strategies should include:
• EMV-compliant payment terminals
– Protection against fraudulent use of lost or stolen cards, counterfeit cards and skimming
– EMV does not protect card data
– No protection for CNP or Mag stripe readers
• P2PE
– No sensitive (account) information in the clear in the POS System
– Removes POS system as an attack vector
• Tokenization
– Protects data at rest and transit during authorization process
• Network Segmentation – (Isolate POS systems)
• Secure communication protocols
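Of the three payment controls listed, tokenization is the one whose effect on the POS can be shown in a few lines: after authorization the POS keeps a random token and the last four digits, and the mapping back to the PAN lives only in a vault outside the POS. The code below is an added example, not Toshiba's TCxPay or any real token service provider; the vault class and the record layout are hypothetical, and the PAN is the well-known 4111… test number.

```python
"""Tokenization as the multi-tiered slide describes it: the POS keeps only a
token and the last four digits; the full PAN is held in a vault operated
outside the POS.  Added example with a hypothetical vault, not a real
token service."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject strings that cannot be a card number."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the token service provider's vault (hypothetical).
    The token -> PAN mapping is held here and never in the POS."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # Random token: nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def pos_sale_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS is allowed to persist after authorization."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Control check for stored data: does any field carry the full PAN?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = pos_sale_record(vault, "4111111111111111", 1999)
    print(rec, "exposes PAN:", record_exposes_pan(rec, "4111111111111111"))
```

This only illustrates tokenization; P2PE is the complementary control that encrypts the PAN inside the payment terminal so the POS never sees it in the clear, and it cannot be shown meaningfully without the terminal's key management.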
Retailer Best Practices
Retailers’ security strategies should include:
• Comprehensive internal set of security policies and practices
‒ Should include awareness training from Corporate to Store
‒ Do not leave default accounts enabled
‒ Set userid access rights and passwords
‒ Follow best practices for password management (Complexity, Length, etc.)
‒ Best practice network security and monitoring
‒ Software update process (OS security patches, Anti-Virus, etc.)
‒ Incident response plan
‒ …
• Physical security of assets (particularly controllers)
‒ Do not allow unauthorized personnel unlimited access to the POS system
‒ Set a BIOS Administrator Password
• Disable unused ports
• Limit boot sequence/boot devices
No system can offer protection if security controls are bypassed, or set incorrectly to allow access where it’s not required.
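The "network security and monitoring" and "incident response" items are where the case study's account activity (new domain users, new groups, extra System Admin and Local Admin users) should have surfaced. The code below is an added example, not Toshiba's or any vendor's detection content, of the minimal logic: flag every account creation, flag additions to privileged groups, and raise severity when an account is elevated shortly after it was created. The event IDs are the standard Windows Security ones (4720 account created; 4728, 4732, 4756 member added to a global, local or universal security group); the events themselves, host names and account names are constructed, and the flat dictionary fields are a simplification of the real event schema.

```python
"""Detection over constructed Windows Security events for the activity the
case study shows: new accounts and additions to privileged groups.  Added
example; event IDs are the standard Windows ones, the events are constructed."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group


def detect_account_abuse(events, window=timedelta(minutes=30)):
    """Return (severity, message) alerts.  Any account creation is reported as
    medium; a privileged-group addition is high, and critical when the same
    account was created within `window` before it (create-then-elevate)."""
    alerts = []
    created_at = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = f"{e['time']:%Y-%m-%d %H:%M}"
        if e["event_id"] == 4720:
            created_at[e["target"]] = e["time"]
            alerts.append(("medium", f"{when} {e['host']}: account {e['target']} created by {e['subject']}"))
        elif e["event_id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            severity = "high"
            born = created_at.get(e["target"])
            if born is not None and e["time"] - born <= window:
                severity = "critical"
            alerts.append((severity, f"{when} {e['host']}: {e['target']} added to {e['group']} by {e['subject']}"))
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per severity (what a daily review would look at first)."""
    counts = {}
    for sev, _ in alerts:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample events; names and hosts are invented.
T0 = datetime(2016, 5, 1, 2, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "DC01", "event_id": 4720, "subject": "helpdesk-bob", "target": "svc-backup2"},
    {"time": T0 + timedelta(minutes=3), "host": "DC01", "event_id": 4728, "subject": "helpdesk-bob",
     "target": "svc-backup2", "group": "Domain Admins"},
    {"time": T0 + timedelta(hours=1), "host": "POS-TEST", "event_id": 4732, "subject": "svc-backup2",
     "target": "svc-backup2", "group": "Administrators"},
    {"time": T0 + timedelta(hours=2), "host": "DC01", "event_id": 4728, "subject": "it-admin",
     "target": "alice", "group": "Sales"},
    {"time": T0 + timedelta(hours=9), "host": "DC01", "event_id": 4624, "subject": "alice", "target": "alice"},
]

if __name__ == "__main__":
    for severity, message in detect_account_abuse(SAMPLE_EVENTS):
        print(severity.upper(), message)
    print(summarize(detect_account_abuse(SAMPLE_EVENTS)))
```

The 02:00 timestamps and the help-desk subject are the kind of context a reviewer would weigh next; the detection deliberately stays simple so that every alert is explainable from one or two events.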
TGCS Operational Security Workgroup – Mission Statement
The TGCS Operational Security team is a cross-functional WW working group focused on the protection of TGCS information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. The team is primarily responsible for maintaining an enterprise-wide corporate information security program and ensuring the protection and privacy of information assets including data, software, and equipment.
Our mission is to have best of breed security for our customers’ protection.
– Team leads development, documentation and maintenance of information security policies, procedures, and standards.
– Team initiates and promotes activities to create information security awareness throughout the organization.
– Team monitors and routinely audits compliance to all information security policies and procedures.
TGCS Product Security Workgroup – Mission Statement
The TGCS Product Security team is a standing internal working group that is focused on reviewing and maintaining the security posture of our product portfolio. The team has an advisory role with product teams to address education, product design, testing, standards compliance and vulnerabilities. It will address total solution security and ensure consistent customer communications.
Our mission is to enable best of breed security for our customers.
Cross-functional team of Project Manager, Senior Technical Staff members from hardware and software, Senior Software Test Architect, Legal Advisors
– PA-DSS V3 Assessments (ACE, CHEC and TCxGravity)
– Vulnerability Reviews and Impact Investigations
– Development of Security Bulletins
– Increased Application Security Education (beyond payment code developers)
– Increased Application Testing (both static and dynamic)
Product Security Workgroup Activities
TGCS Security Bulletins
– Entitled Customer Only Web Portal as well as Subscription based
• Keyword search of Weekly CERT Reports
– Investigating FMI, NRF, and R-CISC
• Analysis by affected Product Teams
– Bulletin created if impacted
Restriction of Product Technical Items
– Entitled Customer Only Web Portal
• In Conjunction with the iSupport portal
• To include:
– HW/SW Technical Publications and Education
– Technotes (Knowledge Base)
– Downloads (BIOS/HW Drivers, RMA, Diags)
– Security Bulletins
TGCS Security Bulletins via Web Portal
Security Alert: 4690 OS – OpenSSL Vulnerabilities. Security Bulletin released for vulnerabilities in the OpenSSL library included in Toshiba 4690 Operating System. >Read more
Restricted to Entitled Customers and Business Partners
TGCS Security Bulletins via Email Notification – Requires Subscription
Restricted to Entitled Customers and Business Partners
4690 OS - a track record of success in retail
– Designed specifically for retail store environments
‒ Reliable, secure and flexible
‒ Thin Client
– Rock solid performance
‒ Approaching 1 million installations worldwide
– Smallest footprint of any proven retail operating system today
– Dial-tone reliability – trusted 24 x 7 x 365
– 16 of the top 25 retailers run 4690 OS
TGCS 4690 Embedded Linux based Operating System is the premier point-of-sale platform in the retail industry today, delivering broad functionality and remarkable reliability.
Toshiba 4690 OS Security and Hardware
Terminal Hardware
‒ 4690 terminals don’t require a hard disk or CD-ROM
‒ No auto-run for devices in USB ports or CD-ROM
Controller Hardware
‒ Physical access: controller should be in a locked room
‒ No auto-run for devices in USB ports or CD-ROM
‒ Controller only drives your POS front end
‒ Secure Remote access: SSH, SFTP, Netop
‒ Console ID / FTP ID Lockout
4690 OS
– Whitelisting & File Integrity Monitor with V6.5
– Follow 4690 OS recommendations for locking/closing/restricting ports, files, network protocols, etc.
– No root access to 4690 Linux
Toshiba Product offering
4690 OS, TCxGravity, ACE and CHEC
– Support for EMV, P2PE, Tokenization
– Enable your PCI validation
TCxPay
– P2PE and Tokenization are included out-of-the-box
– Comprehensive State Management enables retailers to monitor payment terminals 24/7, with immediate alerts should a payment terminal be unplugged or tampered with
– Meets latest security requirements and security accreditations, including PA-DSS and PCI DSS
Retail Breach Case Study - Revisited
(The breach diagram from the case study above is shown again here.)
Source: Intel Security FOCUS15
Summary
Implement enterprise-wide Security Strategy from Corporate to Store
Security awareness training
Implement EMV, P2PE, Tokenization
Latest software (install security patches, Anti-virus)
Avoid shared passwords
Define network zones (Isolate POS Systems)
Define, set & adhere to permissions/access
Utilize the security functions provided in OS
Find the right partners
BE VIGILANT!