POS terminals, just another kind of computer
Recently, Tod Beardsley, a Security Engineering Manager at Rapid7, and Wim Remes, a Manager of Strategic Security Services for Rapid7, spoke about the latest malware to infect point-of-sale systems: MalumPOS.
Tod Beardsley had this to say about the emerging malware threat:
“The latest report on MalumPOS is another proof point that criminals are understanding that point-of-sale systems are simply another kind of computer, and general-purpose computers all have the opportunity to run malware. Unfortunately, this is a realisation that many companies still have not realised in a practical way. If a device has a USB slot, has an Ethernet port, or is on a wireless network, then it is possible to attack it and alter it. Understanding that point-of-sale devices are attackable computers is just the first step in addressing the problem. Unfortunately, POSes have several strikes against them. They are often running on out-of-date, unpatched platforms (such as Windows XP), they are rarely audited and maintained by dedicated IT security staff, and configurations are often in the default state, including default administrator passwords. Hopefully, retailers will come to appreciate the risk posed by unconfigured, out-of-date POSes. The criminals already have. End users of these systems need to start demanding reasonable security from their vendors that includes easy-to-use “first boot” procedures to custom configure their enterprise, a reasonable patch management schedule, and regular updates against known threats and vulnerabilities.”
Wim Remes continued, providing the following comment on the NTT vulnerability report:
“The NTT vulnerability report does not stand out because it contains revolutionary new findings, but because it applies a solid methodology to a significant dataset, with findings that give organisations a good baseline to compare their own data against. The report also provides good insight into control areas that can work for a variety of businesses to limit their attack surface and improve their incident response capabilities. It is important to note that more than 70% of the organisations evaluated did not have an incident response plan. Aside from controlling the attack surface, having the skills and tools necessary to limit the impact of an eventual breach is key to any information security practice.”