Nov 27, 2018
This podcast on Zero Trust security is an encore to our November 15 webinar, during which Dave and Merritt explored the architectural concept of Zero Trust and discussed how it can be leveraged by financial institutions to gain tighter control of ATM networks. Today, we want to take a deeper dive into a few of the questions we received during the live webinar and into actionable outcomes to consider when it comes to applying this concept to your operations.
The Forrester Tech Tide: Zero Trust Threat Prevention was recently published in the third quarter of 2018. Download a copy today.
Hello again, I'm Scott Harroff, chief information security architect for Diebold Nixdorf, and I'm your host for this episode of COMMERCE NOW.
Today I'm joined by Dave Phister, director of security solutions for Diebold Nixdorf, and guest speaker Merritt Maxim, principal analyst for Forrester. Today, we're going to discuss an interesting concept, zero trust security. This podcast is actually an encore to our November 15th webinar during which Dave and Merritt explored the architectural concept of zero trust, and discussed how it can be leveraged by financial institutions to gain tighter control of ATM networks.
Today, we want to take a deeper dive into a few of the questions we received during the live webinar, and an actionable outcome to consider when it comes to applying this concept to your operations. A link to the webinar replay can be found in the podcast show notes. If you'd like to learn more about this topic, we'll give you a little bit more about this in a few minutes.
With that, I'd like to welcome Dave and Merritt. We're happy to have you on the show today.
Yeah, thanks Scott, excited to be here today as well, appreciate that. And also thanks to Merritt for being with us here again today to talk about zero trust and ATM security.
Yeah, and thanks Scott and Dave for having me, I'm looking forward to our discussion here.
Right, so let's dive right in. As I mentioned, there was a lot of useful information provided during our zero trust security webinar, but one question was asked by several webinar attendees, which was: can you summarize, and give me bullet points, which would provide me a list of the key things I can do right now to help safekeep my ATMs?
So where we're going to focus our time today is in looking at that. And we're going to go through each of these individual bullet points. I know each of you have some areas you'd like to highlight. So let's get started with Merritt, and his thoughts on topic one, which is controlled access.
Yeah, sure, thanks. So I think as kind of a backdrop to this, it's important to realize that although we are increasingly moving to a cashless society, ATMs are still a relevant part of our kind of daily lives, and we still use them, and have to rely on them for a variety of purposes. But because they're still relevant, it also means they're still active in the public, and they store cash, which is still a useful target for hackers. For all the talk about cyber attacks, and malware, and viruses, the reality is there still are numerous instances of people physically just trying to get access to an ATM to actually steal the cash out of it. A much more kind of low tech way to ... instead of trying to, say, steal credit card numbers or Social Security information online.
And what this means is that organizations do need to think about securing the physical asset itself. And this is increasingly, I'd say, problematic because the traditional model where the ATMs are only located within the branch is not necessarily a model now, they're located everywhere, they're in airports, they're in hotel lobbies, they're in convenience stores, or at gas stations, and those are all in the name of providing convenience, but that also means that those assets are now potentially more accessible to a greater part of the population, which may be inclined to try to steal the currency out of the ATM itself.
And so what this means is that as you distribute and extend your ATM network, you can't overlook the need to just control and manage physical access to the machine itself. So that can include everything from verifying who actually has access to the system, whether they're going there to do maintenance, or whether they're part of the courier that actually is putting in new currency, or reloading the ATM at some interval. And also looking at what kind of locking mechanisms do we now need to have in place to actually secure the head compartment of the ATM itself.
So again, these are all measures that have been in place for some period of time, and which companies have already been using, but it never hurts to stress the importance of doing this because the ATM is still a target. And from an IT side, you can also begin to look at logging all of your activity of maintenance on those machines as well. There's still the possibility of potential insider abuse, maybe if they actually have access to ATMs that perhaps they may be sharing that credential with somebody else in exchange for sharing the proceeds of a theft, and again, having logging and various analytic mechanisms in place to track and monitor the usage and alert when there is unauthorized access. So if you see a maintenance call on a device beyond, outside of its normal operating windows, you can flag and eventually block that device, and then maybe using the video analytics that are embedded into the ATM itself, use that for forensic purposes to follow up with law enforcement.
But these are all, I think, useful things and it never hurts to stress the importance of looking at what kind of measures you should be putting in place to actually control access to the asset itself, because that's ultimately going to help minimize the risk of fraud or attacks against the infrastructure.
Excellent. So Merritt, I spent Wednesday and Thursday of last week in Pittsburgh with the Secret Service, FBI, and a lot of really high profile banks and credit unions, talking about the strategic and tactical points around ATM security, and skimming around ATMs, and gas stations, and a lot of different areas. So let's focus a little bit on talking about the end point security aspect. So Merritt, can you share a little bit with me around how end point security should be addressed?
Yeah, absolutely. And it's a good point to raise. When we talk about threats to the ATM, we've certainly seen instances of card skimming, or card readers that are inserted into the terminals and used to capture credit card data. But also we're seeing scenarios, there was a large ring that was arrested or discovered last year, mostly in Europe, that were actually attacking the banks' back office systems, and using that to actually issue, literally just to spew out cash at designated ATMs at certain periods of time for criminals to collect. So the point is that the ATM is connected to your network, it is a valued part of your network, but because it's connected to the network, it also means it's potentially vulnerable to exploitation, either through skimming type things at the end point itself, or through lateral movement from hackers who have gained access to your network elsewhere, and are trying to move either towards a specific ATM or class of ATMs, and use that to allow it to behave abnormally, which may allow them to actually extract cash from that ATM.
And so this means you need to follow many of the same kind of best practices that you follow for traditional, say, desktop end points, whether it relates to keeping your operating systems up to date and patched, and making sure that you're not running legacy or outdated code for which a zero day exploit may actually be available, and may be able to be utilized. You could also include at the ATM end point actually hardening the operating system. So there may be certain functionality in that operating system that is not necessary for the safe operation of that ATM, and therefore you may be able to reduce or remove some of that functionality, which further reduces the potential vulnerabilities you may face at those systems.
And then also applying appropriate network controls, this can include firewalls, micro perimeters, network access control, things like that, to ensure that there's a trusted connection between the ATM and it's only authorized to interact with other trusted parts of the network, so that if it gets a phantom request from some other unknown device, it won't communicate with that, and therefore would minimize the risk of those devices being able to go in and extract information.
And lastly, there's ... we've been talking a lot about the technology aspect, but you need to accompany this with the process framework, right? In terms of how you do patches, how you test them, how you upgrade them, how you install them. And also, from a risk and vulnerability standpoint, having a vulnerability risk model in place so you can assess, based on a given vulnerability as it's identified, A, is this relevant to our organization? B, is it significant? And then C, what's our appropriate countermeasure? Is this something that we don't deem to be a significant threat and we can put it as a lower priority, or is this something that requires immediate attention, and we're going to therefore deploy a team to go out and deal with that?
So you need to have those processes in place to accompany kind of your overall approach, because that's ultimately how you're going to better defend yourself against this kind of expanding attack surface.
You know Merritt, I think you hit it right on the head with all the different points you touched on. And to your point, keeping the firmware up to date on your dispensers, keeping the XFS software up to date, keeping your operating system up to date, keeping your terminal software up to date, and having all this end point security controls in place is really, really important. And I can't agree with you more on all those different points.
But what I'd like to do is I'd like to touch just for a second on encryption. And for me, when I look at encryption, I look at two different things relative to anything that has card holder data, whether it's an ATM, whether it's a gas station, whether it's a point of sale terminal. For me, I look at how do we protect data at rest? Whether that's on a hard drive. How do we protect data in motion, whether that's between an ATM, or a gas pump, or a point of sale station, and whatever's actually approved in that transaction.
So Merritt, could you give me just a little bit of context around how you think about encryption around these devices?
Yeah, sure. Encryption is ... it's not the kind of dark magic that it may have been viewed as back 15 or 20 years ago, this is a standard capability that can be used in lots of places. And traditionally there would often be a response, “Well, we can't use encryption here because the network's too slow, or the hardware can't handle it.” That's not a really valid argument anywhere. You really need to be encrypting everywhere, if at all possible, not just for data at rest, but also in transit. Again, the performance impact is pretty minimal, but the benefits of it should be pretty obvious, in terms of it protecting you against various breaches and ensuring that your data's being encrypted appropriately. This does require, just like in the previous section, this does require, still, some process in place around how you do, for instance, key lifecycle management. So, how the keys are created, how they're stored, how they're rolled over. Just saying, “We're going to encrypt everything and we're done with it,” that's a good first step, but you need to have this process in place. That includes, possibly, deploying hardware storage modules, or HSMs, to actually store the key material and having a dedicated team in place that actually manages that key, because encryption is really only as strong as the underlying key management processes. If you've got poor key management processes, and the keys are just stored on a USB drive in someone's desk, the value of the encryption is considerably reduced. That really puts a premium on making sure that you've got these various types of hardware mechanisms in place, and that you need to have that host-to-ATM encryption, using things like TLS with a message authentication code to protect against man-in-the-middle attacks.
These are all, I think, pretty standard processes, but always worth reiterating, because encryption is a very powerful tool that provides us a lot of value in preventing against these types of attacks.
Yeah, Merritt, you've completely nailed it, and I think that anyone listening to Commerce Now should think about contacting whoever does the transaction process for their ATMs. They should really ask their transaction processor, “How do we encrypt the data between our ATMs and the transaction processor?” And, likewise, I think everybody should ask the OEMs, “How do you encrypt data at rest on the ATMs?” That's incredibly important. It shouldn't be overlooked and everybody should understand how that works.
What I want to do, right now, is I want to switch a little bit over to Dave. Dave, what I'd like to do is just spend a little bit of time and ask you about, now that we've encrypted data on the hard drive, now that we've encrypted data between ATMs, or all these other point-of-sale, or gas pumps, or everything else, to the hosts that actually drive them. Give me a little bit of your thoughts on runtime integrity. How do we make sure that the software that's running on these devices actually is doing what it's supposed to do?
Yeah, absolutely, Scott. It's a great point and Merritt talked earlier about endpoint security. This runtime integrity really becomes a sophisticated version of endpoint security. It's another layer of security that is really an expansion area, in our opinion, in the ATM space. The rest of the world is moving to heuristics and behavioral endpoint monitoring, and this will, eventually, occur in the ATM space, as well. It's already beginning to. Merritt talked about zero-day malware. We talked about that during the webinar, as well. This is ATM specific malware. This is some pretty nasty stuff. We need to move away from solely relying on antivirus. We have to move away from relying on antivirus and signatures, and focus on intended behavior.
Scott, if we can predefine and authorize ATM behavior, now, that requires us to understand what the expected behavior should be. We can deploy that to the endpoint and then monitor that behavior in real time. We can, actually, detect this ATM zero-day malware without a signature, by detecting this unauthorized behavior. If we take that one step further, tie those post-event operations into the security policy, how they output into an alarm, then, now, we begin to have some real time alarming, notification and response capability to defend against the threat.
This clearly requires adjusting the framework and processes to avoid attacks that would take control of the lower level software, that might allow privileges to be escalated and to remove these security policies. But, again, this type of sophisticated application layer security that monitors the actual behavior on the ATM could go a long way to defending the endpoint from some of this zero-day malware that we're seeing continue to evolve in the marketplace, Scott.
Dave, I think what you just touched on is really, really important. Because, to me, when I look at an application, again, whether it's on an ATM, whether it's a gas pump, whether it's a point-of-sale terminal, to me, what the whole monitoring concept is all about is in looking at this application saying, “I expect you to do A, B, C, D, E, F, G, and that's all.” At the end of the day, if, suddenly, as opposed to doing A, B, C, D, E, F, G, you do H, I, J, K, L, M, N, O, P, there's a real issue going on.
For me, what I want to understand is, when we have an application that's supposed to behave in a certain way, and we define criteria for that behavior, and something happens outside of that criteria, for me, what I want to have happen is, I want you, the ATM transaction processor, or I want to have the backend credit union, the backend financial institution, I want them to understand that something has happened outside of what we consider to be normal, and I want them to do something different.
Give me a little bit of context, Dave. Help me understand, from your thought, how we do analytics? How do we determine that something unusual is happening? How do we determine that something unusual is going on and how do we respond to that? And then do something different. Help me frame analytics.
Yeah. It's a great point, Scott. Again, another area beyond encryption and runtime integrity where, I believe, the market is expanding. This is all really focused on gathering the data. First of all, we need to have access to the data. So there has to be some centralization. We have to have the components, the clients, the infrastructure, in place to be able to centralize the data. Then we need to focus on correlating that behavior, that expected behavior, A, B, and C, that you talked about earlier, and turning that into a flow, a sequence, if you will, a pattern that we can match.
If we see patterns that don't match, then, certainly, the sensors are going to trigger. And if we've established the security appropriately within the security policy, we can, perhaps, stop the next critical operation at the endpoint, whether it's ATM, whether it's in the retail space, as well. We can launch an alert, a notification, if you will. If we are in an infrastructure where we have an alarming capability, and that alarming capability can be tied to a centralized infrastructure, then we begin to piece together a real time monitoring capability that can take a look at transaction flows, use cases. Gather all this data, correlate it, and recognize when an endpoint is doing something that it wasn't originally intended to do.
As we move forward, the modules, themselves, the software that you talked about, the transaction area, the hosts, they will begin to include these data components, and the analytics, so that we can do a better job of not just monitoring the operation of the endpoints, from an availability, or an asset, perspective, but certainly being able to better understand what's happening from a threat perspective and be able to respond as quickly as possible. Every operational environment is different, Merritt touched on that. So it's not a one size fits all, by any stretch of the imagination, but, I think, if we put physical and digital monitoring in place, and we have access to that data, we certainly can do a great deal more to protect the endpoint.
I think you really hit it there. When I look at our ecosystem of financial institutions, and retailers, and government bodies, and commercial level entities, I look at a large variation. I look at folks from your large, large, large financial institution that has 10,000 ATMs across North America. I think about how that extends all the way down into the small credit union, if you will, that has one or two branches, and one or two ATMs. I think there's a huge variation in how people manage their infrastructure. How they manage their devices. How they handle the monitoring, and how they manage the endpoint security, and encryption, and everything else. And to me, I look at it from the standpoint of I might be this huge, huge financial institution that has 50 people that does nothing more than, from eight to five, work on my point of sale terminals, my ATMs, or my different kinds of devices, all the way down to this small institution that just wants to have their name on an ATM, sitting in the corner of a parking lot somewhere. So help me understand a little bit.
When I move from someone that has a financial infrastructure down to somebody that just wants to have their brand on something, help me understand how I can look at ATM as a Service, as something where I just want to have somebody do everything for me, versus somebody that wants this huge environment of controls, and infrastructure, and people wrapped around this thing called an ATM.
Yeah, it certainly can be a daunting task, depending on certainly your position in the market and your capabilities. It can be overwhelming from an asset and availability management standpoint, configuration management, typical information security standpoints, not to mention overwhelming from a security policy management, incident management, having to pay attention to what's happening at the endpoint from an anti-skimming standpoint, and what's happening perhaps in the channel with regard to malware prevention, attacks against the host, it can be extremely overwhelming for those entities that really only have a couple of endpoints in operation.
And the reality, Scott, and I'm sure Merritt you would agree, technology is moving too quickly. And if we don't maintain pace with technology, then certainly there will be vulnerabilities. And the fact of the matter is, there are experts out there and advantages to subscribing to a managed-service or an ATM as a Service, not only from an availability standpoint, but also from a security standpoint. Merritt, you touched earlier on, when we were talking to Scott about encryption, the key management aspect of it, this is something that is a specialized skillset.
It's critical to encryption and if you don't do it right, then you might as well not have deployed encryption to devalue the data. Another area where ATM as a Service, a managed-service provider can fill that skillset, that capability, can manage the keys, manage the infrastructure that's in place to deliver the service with trust. So certainly, larger institutions have the assets, they have the wherewithal, they have the partnerships in place to be able to do this, but many do not. And if they don't, it can be daunting, overwhelming, that's when vulnerabilities start to come into play and attacks occur.
And ATM as a Service, it exists out there, and we certainly encourage those entities to subscribe or consider that. What I like to say, Scott, is know what you do and know what you do best. And do that, and if you don't do something well, then you should seek out those who are experts, who do do it well and see if they can't help you.
Dave, you've just completely finished my sentence for me, if you will. One of the things that I'd really like the folks that are listening to COMMERCE NOW to understand is, we're talking about all these security controls. We're talking about all these different ways to protect your assets.
And what I'd really like to do, is to frame this up from the perspective of, "What am I going to do if something bad happens, when there is an incident, whether I get skimmed, or whether there's some kind of a compromise, of data at rest or data in motion, what's my incident response? What am I going to do? Who am I going to call? What are my next steps?"
Because at the end of the day, we can all put all these different controls in place, and these defenses that we're talking about are what I'll call legacy, or they're aging, defenses. But what we really need to do, is we really need to start becoming proactive. We really need to start focusing on what our vulnerabilities are and what our responses are. So anything else, Dave, that you or Merritt would like to touch on that could help our audience understand, that if something happens, what am I going to do next? Who am I going to call? What am I going to do next? Can you guys help me out with that?
Yeah, I would add, and make this common to all of our clients, is, as perhaps morbid as it may seem, you actually need to practice and plan an incident response. Just like you have a fire drill every year in your building to verify your evacuation plans, the same thing needs to be held, whether it relates to any data breach of your system. So that means you actually have a documented procedure in place, you have a team identified to actually handle that. So if and when you actually have a breach in some part of the ATM network, you actually know what to do. A lot of companies think, "Well, either we're not going to be hacked and we don't have to worry about it." Or, the worst case, they also create a policy, and they just put it in a three-ring binder, and everyone kind of forgets about it. So I really encourage you to emphasize a kind of practice, and the human element is to really understand and make sure you've figured out, just like for disaster preparedness. This is something that has impact to your business and your brand, and if you have a plan in place, if and when something happens, you're much better able to respond to it.
And more importantly, your customers will be much more forgiving of you if you show that you've got, you're ahead of the issue, and you've got a good handle in place. If it takes you three weeks to get back to responding to this specific incident, that doesn't endear customer loyalty or trust. So I think the need to do drills and plan your teams, at maybe once or twice a year, I think, is definitely good advice to take in your organizations, particularly as you look ahead into your 2019 planning.
Yeah, I couldn't agree with you more, Merritt, that the incident management component is often overlooked, certainly by many. We're so focused on the threat and preparing for the threat. Merritt, you and I talked during the webinar about this issue of threats becoming increasingly a question of, "When, not if, a breach or a compromise will occur." We don't focus enough on when it occurs, what will we do about it, and I think establishing an appropriate risk management framework is key here, putting the processes in place, as you talked about, Merritt.
Testing these processes, recognizing what's at risk when an incident or a breach does occur, so that you know what the risk mitigation steps are and what the appropriate sequence is for those steps to minimize any damages. Ultimately, that is the key to protecting the endpoint, first and foremost, the users and the customers, and then certainly the brand, as well. So incident management is a critical component to any risk management approach to information security. And again, Scott, another component, just to bring this full circle. That is possible from an ATM as a Service perspective on the managed side of things.
Again, I'd really like to thank Dave and Merritt for joining us today, and helping us talk about this really important topic. And I'd really also like to thank our listeners for tuning in to this episode of COMMERCE NOW. To learn more about this topic, please download a copy of the research report, The Forrester Tech Tide: Zero Trust Threat Prevention, recently published in the third quarter of 2018. Please visit DieboldNixdorf.com/zerotrust to download a copy today.
Until next time, keep checking back on iTunes or your PodCal system channel for new topics on COMMERCE NOW. Thank you again and have a great day.