✓ Signature-less detection: Your chosen solution should use a wide variety of data sources and detection approaches when evaluating suspicious files. Avoid purely signature-based approaches: a signature can only match malware that has already been seen, so it is blind to zero-day attacks. Ideally the product has a rules engine or API that lets you and your staff create new detection mechanisms. A vendor may also enable the sharing of security knowledge within its customer base and make that information available in the form of rules and policies.
✓ Efficient, high-value reporting and administration: The solution should provide you with standard templates and practices for getting information and actionable items and allow you to build out your own approaches as well.
✓ Professional services with proven expertise in deploying protection: Most deployments of POS security software take place with a professional services engagement. Make sure you choose a product backed by a team of professionals with experience deploying security software in organizations similar to yours.
By spending the time and effort up front to think about what you really need, you can maximize the value of your POS security software deployment for years to come.
Understanding the Security Maturity Model
As you prepare to select and deploy proactive POS security protection, it’s a good opportunity to assess the current state of your organization’s information security. The following four areas help you determine the “maturity” level of your program:
✓ Oversight
✓ Technology
✓ Process
✓ People
For each area, you answer a series of questions that are compiled into functional area ratings and then overall ratings for each category. The maturity of your organization on each dimension is then assigned one of the following ratings:
✓ Nonexistent (0)
✓ Ad hoc (1)
✓ Repeatable (2)
✓ Defined (3)
✓ Measured (4)
✓ Optimized (5)
Performing this self-assessment provides you with an idea of the current state of your security controls and can assist you in defining the requirements for your POS threat detection, response, and prevention program. The products and vendors you choose should be able to work within your technical environment and culture, bringing you value regardless of where your organization lies on this spectrum.
Managing Smart Policies
Signature-based detection is simply not effective against advanced threats to POS systems. Some people say that the alternative, whitelisting or application control, is too hard to operate, but they're not correct. These people think of whitelisting as a long list of approved files, but it's bigger, and better, than that.
Smart policies aren’t plain old “lists.” They’re mechanisms that catalog metadata, patterns, and system information to help detect nefarious behavior, and then impart a level of trust to each item they observe. Simply put, a smart policy is a short set of observations and actions that describes a system state as positive, negative, or neutral.
Smart policies distill application control and attack detec-tion into an understandable and manageable task. That’s why they’re so valuable!
Do you trust all of the applications contained within your main software repository? If so, you can express that trust using a single smart policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust in a smart policy as well. If you receive threat intelligence reports that rate a given binary file as “middling” and requiring further investigation, a smart policy can handle that situation as well.
Smart policies can overlap, which means that multiple smart policies can apply to a single file. POS security systems allow this to occur and reach a conclusion about a suspect file by taking all of the trust ratings into account. Next-generation security products let you express policies as imparting trust on a spectrum rather than as a binary allow-or-deny decision.
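To make the trust spectrum and the overlap concrete, here is an added example (not code from the original book or from any vendor's product): a small policy engine in Python in which each smart policy either abstains or returns a trust value between -1.0 (known bad) and +1.0 (fully trusted), and overlapping policies are resolved by letting the most restrictive value win. The repository path, the browser-download rule, the feed scores and the file records are all constructed assumptions for illustration.

```python
"""Added example: a small "smart policy" engine for POS application control.

Each policy inspects one file observation and either abstains (None) or returns
a trust value on a spectrum from -1.0 (known bad) to +1.0 (fully trusted).
Overlapping policies are resolved by taking the most restrictive value, so a
permissive rule can never outvote negative evidence. All paths, hashes, origins
and feed scores below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileObservation:
    path: str
    sha256: str
    origin: str                          # "repo", "browser", "usb" or "unknown"
    intel_score: Optional[float] = None  # feed rating: 0.0 benign .. 1.0 malicious


# A policy maps an observation to a trust value, or None when it does not apply.
Policy = Callable[[FileObservation], Optional[float]]

REPO_PREFIX = "/opt/pos/repo/"  # assumed mount point of the trusted software repository


def trusted_repository(obs: FileObservation) -> Optional[float]:
    """Everything deployed from the main repository is fully trusted."""
    return 1.0 if obs.path.startswith(REPO_PREFIX) else None


def browser_download(obs: FileObservation) -> Optional[float]:
    """Anything that arrived through a web browser is distrusted outright."""
    return -0.6 if obs.origin == "browser" else None


def threat_intel(obs: FileObservation) -> Optional[float]:
    """Map a feed rating onto the trust spectrum: 0.0 -> +1.0, 0.5 -> 0.0, 1.0 -> -1.0.
    A "middling" rating therefore lands near zero and triggers investigation."""
    if obs.intel_score is None:
        return None
    return 1.0 - 2.0 * obs.intel_score


POLICIES: List[Tuple[str, Policy]] = [
    ("trusted_repository", trusted_repository),
    ("browser_download", browser_download),
    ("threat_intel", threat_intel),
]


def evaluate(obs: FileObservation, policies=POLICIES) -> Dict:
    """Apply every applicable policy and combine their verdicts.

    The minimum trust value wins. An observation no policy has an opinion on is
    neutral (0.0) and is sent for investigation rather than silently allowed.
    """
    fired = {}
    for name, policy in policies:
        score = policy(obs)
        if score is not None:
            fired[name] = score
    trust = min(fired.values()) if fired else 0.0
    if trust >= 0.5:
        verdict = "allow"
    elif trust <= -0.5:
        verdict = "block"
    else:
        verdict = "investigate"
    return {"path": obs.path, "trust": trust, "verdict": verdict, "policies": fired}


# Constructed observations covering the cases discussed in the text.
SAMPLES = [
    FileObservation("/opt/pos/repo/register.bin", "aa11", "repo"),
    FileObservation("/opt/pos/repo/update.exe", "bb22", "browser"),       # two policies overlap
    FileObservation("/tmp/helper.exe", "cc33", "usb", intel_score=0.5),   # "middling" feed rating
    FileObservation("/opt/pos/repo/plugin.so", "dd44", "repo", intel_score=0.9),
    FileObservation("/tmp/unknown.bin", "ee55", "unknown"),               # no policy applies
]


def run_samples(samples=SAMPLES) -> Dict[str, str]:
    """Return {path: verdict} for the sample set."""
    return {r["path"]: r["verdict"] for r in map(evaluate, samples)}


if __name__ == "__main__":
    for obs in SAMPLES:
        print(evaluate(obs))
```

The second sample is the interesting one: it lives in the trusted repository path (trust +1.0) but arrived through a browser (trust -0.6), and the combiner blocks it because the most restrictive policy wins. The returned `policies` dictionary records which rules fired and with what value, which is what an analyst needs to explain or tune a verdict.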
Don’t take deployment flexibility lightly
When it comes to enterprise security, one size does not fit all. Your operations may be more staff-centric or more automation-centric, or somewhere in the middle. Your software deployment strategy may depend upon trusted repositories and configuration agents, or be nonexistent altogether.
At the same time, your company culture may be open and permissive or more traditional and controlled. On top of that, you may want to focus more on detection (finding the bad guys) or more on prevention and a default-deny strategy. Only you know how these things work in your environment.
One thing's for sure: you don't want a vendor or specific product that tells you what to do and how to do it. Instead, you want one that looks at your requirements and environment and then works with you to develop the right approach.
You need to be able to fit multiple solutions into the various parts of your ecosystem, and you need product knobs and dials to custom-configure each one. And depending on how daunting this sounds, you may need a services partner that can guide you efficiently and effectively.
This stuff really does matter!
Integrating with other Security Products
Many organizations use Security Information and Event Management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. When choosing components of your security infrastructure, you should select products that fully integrate with your SIEM and allow the use of correlation rules.
Of course, every organization is unique, so the correlation rules that you use must be specific to your data sources and should include POS security information. A correlation rule written for events from a Snort intrusion detection system may or may not be effective with information gathered from a comparable NetWitness product, because the two emit different fields and event types. When designing correlation rules, organizations should ask these questions:
✓ What types of threats do we want to monitor?
✓ What are the typical attack patterns for such threats?
✓ What are the sources and types of events currently being tracked within the SIEM?
✓ Which of these events are used most often in monitoring for potential threats?
✓ How often do investigations resulting from those events result in false positives?
✓ When investigating an event, what types of additional information does the analyst need?
✓ Are we collecting the right data to make incident response quick and conclusive?
Using these questions to guide event correlation across a variety of security products enhances your security capabilities in many ways. It can reduce the time it takes to prioritize alerts and investigate incidents from days to minutes. Investigations are further expedited by locating every instance of a suspicious file across your POS systems. You can then analyze files, both automatically and on demand, that arrive on your POS systems to quickly determine their risk. Finally, you can ensure remediation by enforcing security policies that help stop an attack and prevent it from happening again.
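As an added example of what such a correlation rule looks like in practice (this is not code from the original book or from any SIEM product), the Python below normalises two constructed event sources with different field layouts, an endpoint execution log and a network flow log, and then applies one rule: an unapproved binary executing on a POS host, followed within fifteen minutes by an outbound connection from that host to a destination outside an assumed allowlist. It also answers the "every instance of a suspicious file" question by listing the hosts on which a flagged hash has run. Hostnames, addresses, hashes and the allowlisted network are all constructed.

```python
"""Added example: a SIEM-style correlation rule over two POS event sources.

Both logs are constructed samples in deliberately different layouts; they are
normalised into one event shape before the rule runs, which is the step that
lets a rule written against one product's events work with another's.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

ENDPOINT_LOG = r"""2024-03-02T13:01:05Z host=pos-017 event=process_start path=C:\Windows\Temp\svchst.exe sha256=aa11 approved=false
2024-03-02T13:03:40Z host=pos-017 event=process_start path=C:\POS\register.exe sha256=bb22 approved=true
2024-03-02T13:10:12Z host=pos-022 event=process_start path=C:\Windows\Temp\svchst.exe sha256=aa11 approved=false
"""

NETFLOW_LOG = """2024-03-02T13:02:10Z src=pos-017 dst=198.51.100.45 dport=443 bytes_out=524288
2024-03-02T13:04:00Z src=pos-017 dst=10.10.5.2 dport=8443 bytes_out=2048
2024-03-02T13:40:00Z src=pos-022 dst=198.51.100.45 dport=443 bytes_out=1048576
"""

# Assumed: the only destinations POS hosts legitimately reach (payment switch and
# internal networks live in 10.0.0.0/8 here); anything else is unexpected egress.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=15)  # how long after an execution an egress still counts


def _parse_kv_line(line: str) -> Dict:
    """'<iso timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def normalise_endpoint(text: str) -> List[Dict]:
    """Endpoint agent records -> {ts, host, kind="exec", path, sha256, approved}."""
    out = []
    for line in text.splitlines():
        if line.strip():
            f = _parse_kv_line(line)
            out.append({"ts": f["ts"], "host": f["host"], "kind": "exec", "path": f["path"],
                        "sha256": f["sha256"], "approved": f["approved"] == "true"})
    return out


def normalise_netflow(text: str) -> List[Dict]:
    """Flow records -> {ts, host, kind="net", dst, dport, bytes_out}."""
    out = []
    for line in text.splitlines():
        if line.strip():
            f = _parse_kv_line(line)
            out.append({"ts": f["ts"], "host": f["src"], "kind": "net", "dst": f["dst"],
                        "dport": int(f["dport"]), "bytes_out": int(f["bytes_out"])})
    return out


def is_allowed_destination(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_NETS)


def correlate(events: List[Dict]) -> List[Dict]:
    """Rule: unapproved execution on a host, then within WINDOW an outbound
    connection from the same host to a destination outside ALLOWED_NETS."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["kind"] != "exec" or e["approved"]:
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > WINDOW:
                break  # events are sorted, so nothing further is inside the window
            if (later["kind"] == "net" and later["host"] == e["host"]
                    and not is_allowed_destination(later["dst"])):
                alerts.append({"host": e["host"], "sha256": e["sha256"], "path": e["path"],
                               "dst": later["dst"], "bytes_out": later["bytes_out"],
                               "lag_seconds": int((later["ts"] - e["ts"]).total_seconds())})
                break  # one alert per execution; the analyst sees the rest on triage
    return alerts


def hosts_running(events: List[Dict], sha256: str) -> List[str]:
    """Every POS host on which the given file hash has executed."""
    return sorted({e["host"] for e in events if e["kind"] == "exec" and e["sha256"] == sha256})


def run() -> Dict:
    events = normalise_endpoint(ENDPOINT_LOG) + normalise_netflow(NETFLOW_LOG)
    alerts = correlate(events)
    spread = {a["sha256"]: hosts_running(events, a["sha256"]) for a in alerts}
    return {"alerts": alerts, "spread": spread}


if __name__ == "__main__":
    print(run())
```

Note what the two steps catch between them: pos-017 fires the rule (unapproved binary, then 512 KB to an external address 65 seconds later), while pos-022 ran the same hash but its egress came almost thirty minutes later and falls outside the window. The follow-up lookup by hash is what surfaces pos-022, which is the "locate every instance of a suspicious file" capability the text describes; tuning the window is the trade-off between the false-positive question and the missed-host question in the list above.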
Chapter 7
Ten Tips for Successful Point-of-Sale Security
In This Chapter
▶ Ensuring optimal defenses by using proven security controls
▶ Making sure your point-of-sale risks are minimized
Cybercriminals are getting increasingly sophisticated, and there’s no end in sight. The threats, risks, and compliance requirements associated with point-of-sale (POS) systems have become so challenging that IT administrators, security managers, and compliance officers are scrambling to find reasonable ways to get their arms around it all. In this chapter, we give you ten ways you can more easily reach your POS security and compliance goals:
✓ Minimize the customer data you collect and store.
Acquire and keep only the data required for legitimate business purposes and only for as long as necessary.
When data is no longer of business value or relevant to security compliance, properly dispose of it. Shred paper documents, and securely wipe or destroy hard drives removed from your POS systems and related computers. You can take your security efforts a step further by encrypting the sensitive data you collect on laptops, mobile devices, flash drives, and backup tapes. Encryption makes that data far harder for unauthorized parties to read in the event of loss or theft.
✓ Manage the costs and administrative burden of the PCI compliance validation process. Try segmenting your infrastructure so that as few systems as possible handle cardholder data, which minimizes the complexity and scope of compliance. Having full visibility into all enterprise assets beyond your POS systems (for example, network hosts, applications, and databases), along with the necessary templates to identify PCI-relevant data, gives you a snapshot of the corporate assets that are affected and helps minimize the compliance pains.
✓ Maintain PCI compliance throughout the checkout process to guard data against all the possible points of compromise. If you’re able to detect transactional data infractions in real time and stop anything introduced into your infrastructure that’s outside of known software (such as advanced threats), you can ensure that transactional data (such as credit card numbers) is protected at every step along the way.
✓ Develop a strategy to protect your infrastructure on multiple levels. Eliminate every opportunity for cybercriminals to exploit your POS terminals, kiosks, workstations, and servers. The ability to collect endpoint information in real time provides you with the information to properly assess the risks. Monitor traffic and create a central log of security-related information to alert you to suspicious activity on your network.
✓ Maintain real-time inventory and actionable intelligence on all network systems, and control the overall security of your infrastructure to maintain PCI compliance.
Employ multiple layers of security technology to stymie sophisticated hackers. Establish a baseline for the software that should reside on your POS and related systems.
Schedule security patches on your own timetable and eliminate the need for constant profile scanning that can negatively impact the performance of your POS environment.
✓ Extend the life of your systems to keep them compliant. Often you can’t upgrade, and vendor support is unavailable after an operating system’s end of life. By implementing a positive security model, you can stay compliant in any end-of-life situation and get protection from zero-day and other attacks against your POS systems. This approach keeps you informed, at all times, of what’s running on every in-scope system across your organization.
Rather than guessing what’s compliant and what’s not, you can determine on a real-time basis whether you have any vulnerabilities and whether any in-scope systems have fallen out of compliance.