Michael Kalinichenko, SafenSoft CEO
Source: www.bankir.ru, December 2011
Several reasons led me to write this article, chief among them the information vacuum around electronic crime involving unauthorised access to the information resources of ATMs and banking networks through ATMs. For many people cybercrime and the fight against it remain something remote, almost Hollywood. Nevertheless the threat of cyberattacks is quite real, and it is noticeable not only internationally but also in Russia. The traditional frauds with plastic cards have become routine, yet they keep acquiring new forms that go far beyond the familiar skimmers and micro-cameras used to film the client entering a PIN. At the same time, new methods of illegally obtaining clients' personal information (together with the money in their accounts, of course) are actively being developed. These are systematically prepared and well organised attacks aimed at the numerous gaps in the security of ATM software. Such "silent" crimes are far safer for the criminals: they are hard to detect, hard to prove and hard to trace back to the perpetrator. ATMIA sounded the alarm in 2009, when reports of ATM information security breaches became widespread. Very recently, in the fall of 2011, the second edition of ATMIA's special guide on protecting ATM software and forming new security policies against new threats was released. I want to share the main theses of this guide with you.
So cybercrime has moved from science fiction into real life. The practice of targeted attacks, for which the term APT (Advanced Persistent Threat) was coined, is actively developing. What distinguishes such criminal operations is the systematic study of the weak links in an information system, probing them for resistance and then mounting a massive attack on the weakest point of the defences. The relevance and danger of this threat have already been appreciated not only by information security experts but also by banks, many of them from their own bitter experience. In PricewaterhouseCoopers' "2012 Global State of Information Security Survey", in which nearly 10,000 heads of financial institutions, senior information security officers, technical directors and other top managers took part, half of the respondents named targeted attacks on information resources as the most sensitive information security issue of their enterprises. Over the last few years this type of attack has already been experienced by representatives of government agencies, the nuclear industry, security organisations and international financial organisations. It is alarming that at present only 16 percent of the participants have a developed information security policy in which the APT threat is addressed.
In the case of banks, the ATM is the most frequent victim of hacker attacks. The imperfections of the Windows operating system, vulnerabilities in applications and the comparative ease of disguising malicious code as a harmless update or patch make the ATM a tempting target for the electronic criminal. Bank security services that are capable of effectively preventing physical break-ins are sometimes completely powerless against cybercrime, because they neither properly assess the probability and potential of this threat nor arm themselves with effective counter-measures.
ATMIA specialists have developed a list of recommendations on ensuring the information security of ATMs (the full text of the recommendations can be studied here), and I suggest getting acquainted with its basic provisions below.
The new ATMIA guide on protecting ATM software is intended to help ATM manufacturers and banks protect the ATM from information security threats. Its authors include experts from the ATM manufacturers Diebold, NCR, Vantiv, Triton and Wincor Nixdorf, specialists from Microsoft and a Russian information security developer.
The main recommendation in the context of protection against sophisticated threats, especially for banks, is multilevel information security using solutions from various vendors.
The central philosophy of the ATMIA guide is an integrated approach to information security that guarantees protection both against external threats and against the malicious actions of insiders. Several lines of software defence are recommended, leaving the fraudster not the slightest chance of success. The information security of the ATM has to be tied to the life cycle of the software installed on it, taking into account the need for updates and maintenance of both the software and the device.
A complete ATM information protection system combines such means as firewalls, protection against malicious software and cyberattacks, control of devices and system integrity, and tools for software updates and change management.
A local firewall is necessary for ATMs that communicate over a shared or external network. Properly controlled rules in a stand-alone/terminal firewall will prevent malicious programs from reaching the ATM. Firewalls can be implemented as software within the ATM's operating environment, or on a hardware device built into the ATM or located near it. Software solutions are the safest, since physical access alone is not sufficient to defeat them.
ATMs function as ordinary computers and have interface ports. When access to the ATM is required (for example, when a contractor services the hardware), the person also gets access to the ports and can therefore install malicious software or gain unauthorised access to the system. Port-control tools can prevent such access or restrict it to a defined circle of users by means of authentication. Port protection, or restriction of external device connections (for example, USB), can be a function of terminal protection tools (firewalls) and of anti-malware tools.
Strict and methodical change control is the secret of competent installation of fixes and updates in environments where data integrity, service availability and confidentiality matter so much. The more software is installed on the device, the more fixes are required.
Of special value is the decision-making process for choosing the necessary fixes and determining how important it is to apply them. The organisation has to have a clear set of criteria for decisions about fixes, especially for defining "security-critical fixes" according to the PCI DSS standard.
It is recommended to define a standard cycle for installing fixes. Monthly installation is considered optimal, although some ATM operators use even stricter schedules. A cycle longer than a quarter is considered too long against constantly changing threats.
A firewall can be supplemented by anti-malware protection, including intrusion prevention systems, blacklisting/whitelisting solutions, and tools for integrity control of the software and the operating system.
Typical solutions used to protect against virus infection, targeted attacks and the introduction of malicious code can work on the basis of either the "black list" paradigm (the prohibitive principle) or the "white list".
The essence of the black-list principle is the statement "everything that is not forbidden is allowed". Typical black-list solutions are antiviruses, which forbid execution of code present in a database of virus signatures. Quite often antiviruses are chosen as the most familiar means, without weighing their possible shortcomings and risks. The reasons usually given for such a choice are their low cost, the mention of a concrete product in the PCI DSS standard, and satisfaction with the way versions of that product work on personal computers or corporate networks.
The counter-arguments are obvious: it makes sense to consider not only the cost of licences but also the operating expenses and resources required to update signatures, as well as the vulnerability of the ATM to so-called "zero-day" threats (those absent from the vendor's signature database). Besides, PCI DSS also mentions other possible options, for example those based on white lists. If the choice falls on a traditional antivirus, it is essential to test it carefully for compatibility with the software installed on the ATM and to make sure it has minimal impact on the performance of the ATM's operating system.
Solutions based on the white-list principle allow execution of only those applications that are explicitly entered in the list of permitted ones. Such solutions are optimal for systems that are not subject to frequent change, and the ATM's information environment is a typical case. In ATMs the configuration of both hardware and software is standard, the set of software is known in advance, and updates and changes are made rarely, in strict accordance with approved policies.
If a harmless application is not entered in the white list, it will be blocked along with dangerous ones. Compared with antiviruses, white-list solutions are much more compact and do not need frequent updates, so they consume fewer system resources and affect system performance less. Their main advantage is protection against new threats, including targeted ones.
White-list solutions will help:
A host-level intrusion prevention system (HIPS, Host Intrusion Prevention System) is a good alternative to antiviruses, since it allows only trusted applications and processes to start and excludes the possibility of false positives.
Attention should also be paid to tools that control the integrity of the operating system, executable files, libraries and drivers. They strengthen the security system by blocking execution of untrusted software and allowing only those applications that carry the certificate of a trusted software publisher. Thus malicious software will not be able to start.
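As an added illustration of the white-list and integrity-control approach described above (example code written for this page, not ATMIA's or any vendor's), the following Python compares a signature black list with a deny-by-default white list of file hashes and publishers over constructed sample binaries. All paths, file contents, the known-bad hash and the publisher name are assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample images standing in for the ATM's approved software set.
# Paths and contents are illustrative only, not real ATM binaries.
APPROVED = {
    r"C:\ATM\xfs_host.exe": b"XFS host application, build 4.2 (constructed)",
    r"C:\ATM\dispenser.dll": b"cash dispenser driver, build 1.7 (constructed)",
}
PUBLISHER = "Trusted ATM Vendor (hypothetical)"

# White list: each approved executable, the hash of its approved build, its publisher.
WHITELIST = {p: {"sha256": sha256(b), "publisher": PUBLISHER} for p, b in APPROVED.items()}

# Black list: hashes of malware already known to a signature vendor (constructed).
KNOWN_BAD = {sha256(b"old known ATM malware (constructed)")}

def blacklist_decision(image: bytes) -> str:
    """Antivirus-style rule: block only what is already known to be bad."""
    return "block" if sha256(image) in KNOWN_BAD else "allow"

def whitelist_decision(path: str, image: bytes, publisher: str) -> dict:
    """Deny-by-default rule: allow only listed, unmodified, trusted-publisher code."""
    entry = WHITELIST.get(path)
    if entry is None:
        return {"action": "block", "reason": "not-whitelisted"}
    if sha256(image) != entry["sha256"]:      # integrity control: file was modified
        return {"action": "block", "reason": "integrity-mismatch"}
    if publisher != entry["publisher"]:       # publisher certificate check
        return {"action": "block", "reason": "untrusted-publisher"}
    return {"action": "allow", "reason": "whitelisted"}

def compare(path: str, image: bytes, publisher: str) -> tuple:
    """(black-list verdict, white-list verdict) for one execution attempt."""
    return blacklist_decision(image), whitelist_decision(path, image, publisher)["action"]

if __name__ == "__main__":
    cases = [  # label, path, image bytes, claimed publisher (all constructed)
        ("approved host app", r"C:\ATM\xfs_host.exe", APPROVED[r"C:\ATM\xfs_host.exe"], PUBLISHER),
        ("modified host app", r"C:\ATM\xfs_host.exe", b"modified host app (constructed)", PUBLISHER),
        ("never-seen malware", r"C:\ATM\update.exe", b"never-seen malware (constructed)", "Unknown"),
        ("benign but unlisted", r"C:\Tools\notepad.exe", b"text editor (constructed)", "Some Vendor"),
    ]
    for label, path, image, pub in cases:
        bl, wl = compare(path, image, pub)
        print(f"{label:20} blacklist={bl:5} whitelist={wl}")
```

The never-seen sample passes the signature black list (the "zero-day" gap) but is blocked by the white list, while the unlisted benign tool is blocked too, exactly the trade-off the text describes.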
So, we have considered the typical components of a complete ATM information security system.
The additional value of such a system is that it will not only detect and stop attacks from outside, but will also help trace careless or malicious actions by administrators, which is especially important given the possible lack of coordination among staff in remote territorial branches of the bank and the impossibility of supervising the staff of third-party service organisations.
Today there are a number of solutions combining the functionality described above. The ATMIA authors note that, to reduce the risk of ATM information breaches, using solutions from several vendors is the most correct approach.
Finally, one more piece of advice. When choosing solutions for ATM information protection, do not forget the main principle of building any security system: complexity is the enemy of security.
Increasing the number of protective measures or complicating their settings does not by itself guarantee real protection. When choosing between a simple and a complex technology or system, remember that in the long run the simple option may be more reliable.