"Remote access and desktop services, in combination with the exploitation of default and/or stolen credentials, is a huge problem in the retail and hospitality industries," the Verizon report states. "Opportunistic attacks are carried out across many victims who often share the same support and/or software vendor."
According to researchers, as soon as an intruder discovers a particular vendor's authentication method and schema (be it for TCP port 3389 for RDP; or TCP port 5631 and UDP port 5632 for pcAnywhere), he will be able to exploit it across a multitude of that vendor's partners and customers.
"Oftentimes, in lieu of conducting a full port scan for these remote service applications, attackers will customize their scripts to exclusively look for these ports and search a broad swath of the Internet," the report states. "This speeds up their capability of searching for and finding services unprotected by router/firewall ACLs and allows them to quickly check for default credentials as well. This of course relies on remote access authentication schema being uniform across all of that particular vendor's customers --but hey, who are we kidding? They always are."
Jim Walsh, CISO for point-of-sale products vendor MICROS Systems, knows all too well how attractive a chain restaurant or hotel is to a hacker. MICROS, the largest POS company for the hospitality industry, is used in almost all major restaurant and hotel chains around the world.
"If someone can get into one of our customer's systems, they've pretty much figured out how to get into the other 5,000 of them. That makes them an even greater target."
Prompted seven years ago by what Walsh said was a sudden upswing in high-profile breach events, MICROS went looking for secure ways to support customers remotely, and also launched an education initiative to start educating clients on how best to protect themselves. Here he shares with CSO how he mitigates the risk of hackers breaking into his customer's networks.
CSO: Briefly explain the scenario of MICROS customer support several years ago.
Jim Walsh: Not too many years ago POS applications like ours were storing full track card holder data that was not encrypted. In fact, historically the card holder industry required us to store that information, just until a few years ago. It was not uncommon for that information to be stored and to be there and to have a number of years-worth of data, so there was a lot of low-hanging fruit for attackers. With remote applications sitting there, always on and in listening mode, and in a lot of cases well-known, generic-user names and passwords were being used, it was pretty easy to get into these systems.
The last half dozen years there has been an explosion in data theft and compromises. Most notably for us, that's card-holder data thefts, because our products are all payment processing applications. A lot of our customers were being compromised.
One of the things we saw that was a common denominator in these compromises was poorly-managed remote access tools. A lot of our customers had remote desktop or a tool, like pcAnywhere, always on and always in listening mode. It gave the attackers a pretty easy method of ingress into their payment processing network.
So what did you do?
We saw a lot of our customers being hit and remote access was part of the reason why. So we decided to look at new tools to facilitate remote access. Although pcAnywhere has served us well, and is still an approved tool if it's deployed, configured and maintained in a manner that is in keeping with our remote access policy and manual, we were looking for new remote access tools that would allow us to access securely.
The reason we chose the tool we are using now, a tool from Bomgar, was mainly for security reasons. First and foremost, it is not an "always on" application. It's only on when you need it to be on. It does not provide, by any means, an easy method for an attacker to gain access to a customer's network.
How does your current remote support system work?
If you are a customer and call us for support, in order for us to connect to your system, we would connect to a Bomgar session. We would give you the link you and would join our session and type in a one-time session password.
After you join, you have to answer a few questions and only then can our people connect to your system.
Also, we have over 5,000 of our own people routinely connecting to these customers systems and this system also means none of our own people can connect to a client's system without the client's knowledge and consent. As a security officer, it makes me feel a lot better knowing our people can't get into a customer's system unless the customers knows about it and lets them in.
What does this system require of your clients?
It doesn't require loading anything on the customer's system, they just need internet access. There were similar tools that work similarly and are web-based, but those tools didn't give us control over things like the access log, which is important, especially with PCI DSS.
The tool we use gave us appliance and software that is resident on our networks so we have control over the tool, the application and the logs. We also interfaced it to our CRM (customer relationship management) system that we use worldwide. We've rigged the tool so you can't start a remote access session without first going into the CRM system and creating a case. We did that because wanted to make sure for every remote connection to a customer system, there is a support case that goes along with it. Our people shouldn't be connecting to a customer system without a support case, so you can't start a session without going into the CRM first.
Once you do that, there is the collaborative information exchange between the two systems which allows us to better manage the access logs and review the data. For example we auto-populate the Bomgar session details with the CRM details, the case number, who is the agent and that sort of detail.
Do you suggest your clients follow any particular security standards or use any particular products to best mitigate risk?
We don't manage our customer's networks. They take our POS system and they deploy it in their IT environment, and they are in control of it. Historically, they would load a tool and have it sit there and run all the time. We didn't have any control over that.
But in the last five years, we have actively worked to educate the customers that doing that is not the right thing to do anymore. You're setting yourself up to be compromised.
We put out lots of security documents. One was a recommended security policy in terms of remote access; what are the approved methods of remote access. Essentially we don't take the stance that it's our role to enforce things like PCI DSS, but we do take an education stance and try and guide our customers properly. If they don't follow our guidance, it's not uncommon to get them to sign some kind of disclosure document to attest to the fact that we did tell them to do certain things to protect themselves and they chose not to.
Has it helped?
It has. Some jump quickly and do what we recommend, others will just not do it until they are breached. But the majority have come a long way and are much better off than they were five years ago. But there are still some customers out there who just stick their heads in the sand.