Can you defend your POS systems against advanced persistent threats?

Advanced persistent threats are putting your POS environments – and the extremely valuable information within those systems – at risk. Just look at these data breach statistics. And as if that wasn’t concerning enough, identifying and defending against these malicious actors is very difficult.

But let’s slow down before we get into the specifics of POS security in this regard.

What are advanced persistent threats (APTs)?
In short, APTs are sophisticated cyberattacks with defined targets. “Advanced” refers to that sophistication and to the organized cybercriminal groups that often launch these attacks. “Persistent” refers to the lengths that hackers will go to in order to compromise networks and extract sensitive data. Sometimes it takes months to break into systems, and cybercriminals will usually stay on those compromised networks for many more months, until exfiltration or detection, whichever comes first.

For an APT in practice, look no further than a recent report from FireEye. This document detailed how one financially focused APT, known as FIN6, manages to steal incredibly large volumes of payment data from the retail and hospitality sectors. This group and similar ones use frameworks called Attack Lifecycles, and they slowly but surely make off with millions of card numbers after going step by step through that lifecycle.

A common APT attack lifecycle
An APT attack lifecycle looks something like this, but there are many sophisticated permutations:

Step 1: Hackers send out fake emails and phish for credentials.
Step 2: With credentials, cybercriminals move around within networks that belong either to retailers or to their third-party partners until they find POS systems.
Step 3: Cybercriminals infect retailers’ POS environment with malware.
Step 4: Data is exfiltrated.
Step 5: Hopefully days later – but often it’s months – retailers realize they’ve been breached.

While that might seem like a simple explanation, the methods used to steal credentials, move laterally within networks, identify POS environments and so on are incredibly complex and cutting-edge.

So, you’re probably asking how you can protect against APTs. Simply put, it takes a lot of work. As InfoSecurity pointed out, there are many steps that you can take, from educating employees about phishing techniques to implementing better detection tools. But, holistically speaking, there is a better answer: Take a layered approach to payment card data and POS security.

“Layer POS security with P2PE and tokenization.”

Defend the network and layer the rest
Obviously, you need to defend your network, as CIO recommended, but that won’t be enough. You also need to protect your POS environment with point-to-point encryption. Then, once that data is no longer in motion and resides in other software and databases, you should rely on tokenization to protect it.

This layered approach reinforces the need for highly integrated payment processing solutions. You want to be able to rely on a POS environment that doesn’t compromise security, and that means removing the gaps that can appear between disparate, disconnected software and services.

As a final point, it’s necessary to implement an integrated payment processing solution that covers your cross-platform requirements. After all, your retail business has its own set of specific needs. If you don’t consider those requirements and instead opt for a one-size-fits-all solution, you might find yourself turning business away regardless of the security of the platform.