There is an article in the Sunday, January 16, 2011, New York Times that says the American and Israeli governments were behind Stuxnet, confirming a rumor that has been running around ever since Stuxnet was identified. The consensus of the experts is that Stuxnet is to cyber warfare what the airplane was to conventional warfare, a radical game changer.
So why does Stuxnet matter to merchants, processors, acquiring banks and the card brands? A whole lot if you think about it.
First, Stuxnet proves beyond a shadow of a doubt that governments are investing in cyber war and that in cyber war anything on the Internet is fair game. While Stuxnet was built to target the Siemens controllers running Iran’s uranium enrichment centrifuges, there was plenty of “collateral damage.” The worm spread to any Windows host it could reach, by USB stick and over the network, and examined every infected machine running Siemens Step 7 software for its target. The centrifuge payload only fired on a matching controller configuration, so other plants ended up with an infected control network rather than sabotaged equipment, but that is still a real problem. Now imagine an attack written for a common device or protocol in order to reach one particular victim. Do you think your organization could become “collateral damage” in such an attack? I would say it is highly likely.
Second, imagine the damage if a terrorist group or a government went after another country’s financial systems with a Stuxnet-style attack. Does that sound unrealistic? It should not: the quickest way to bring any country to its knees is through its financial systems. What makes things doubly worse is that, thanks to outsourcing, most banks run a very small number of application solutions, which makes such an attack that much easier to build. Given how dependent every country is on its economy, such an attack would most likely come from a rogue nation such as North Korea that has nothing to lose, or from any other country if it is provoked long and hard enough.
But what if the attack were directed against credit card terminals? A lot of people would call that farfetched, but it is not as wild as it might seem. All you need is someone on the inside at Ingenico, Verifone and the like to doctor the card terminals’ software to do whatever you want it to do. Even large merchants do not necessarily monitor their card terminals, so such an attack could go on for quite a while before it was noticed, if it ever was. Criminal gangs have been producing limited numbers of doctored terminals for the last four to five years. Imagine this done on a large scale and you start to understand how nasty a threat this could be. If the doctored software entered the distribution chain at the manufacturer, the terminal would look and work exactly like a clean one; the only way you would find out you had been compromised is by monitoring your network properly, which most organizations do not do.
Finally, there is the doctoring of integrated point of sale (POS) solutions or similar applications. Again, not as farfetched as you might think. There have been a number of instances over the years where software was written to provide backdoors or other openings in systems that allowed information to be leaked. This is why certain governments have gone into the software business. This is also why there are now valid concerns about how you confirm that your software is only doing what it is supposed to be doing.
The bottom line in all of this is that these concerns are no longer the ramblings of the paranoid among us. These once seemingly imaginary scenarios have actually come to pass, and we need to address what to do to mitigate them. So from a PCI perspective, what should an organization be doing? While all of the PCI DSS provides methods to protect an organization, the following are what I consider the most important regarding inside attacks.
- Monitor your internal network – This is the single most important way to protect your network from doctored devices and applications. A doctored device or application must transfer the information it has collected, either in real time or in a batch process, and that transfer may be pushed outbound or pulled in through an inbound connection. Outbound monitoring should be the easiest, because most organizations know which external addresses their cardholder systems need to reach and can alert on everything else. Inbound monitoring is where most organizations push back. But remind people how GoToMyPC and tools of its ilk operate (the agent inside the network opens and keeps an outbound connection so the outside party can come back in through it, with no inbound firewall rule required) and they begin to understand how easily their networks could be reached from the outside.
- Analyze your logs – This is probably the next area where a lot of organizations are not doing a good enough job. Most organizations do a good job collecting log data, but then do a mediocre or poor job analyzing that data to find exceptions. The root cause is usually that nobody has defined what an attack looks like in the logs. The initial implementation typically does a good job writing the first set of definitions, but as time goes on the log analyses are never enhanced or updated to reflect changes in attacks and new attacks.
- Tighten internal controls – Once inside most organizations’ security perimeters, security gets pretty loose and free, if it even exists at all beyond a logon. Unfortunately, attackers understand this fact, which is why they focus on getting inside. Once an attacker is inside, it is pretty much a cakewalk to get whatever they want. This is why locking down ports, reviewing firewall and ACL rules, disabling or removing unused services, and disabling or removing unused user accounts become so important. The fewer attack points you provide on your internal network, the more resilient it will be should an attacker get inside.
Remember, while the City of Troy was protected by insurmountable walls, Troy fell because it was attacked from the inside, an attack vector that Troy felt was not realistic or possible. Troy’s short-sightedness was the result of arrogance and a failure to understand that an enemy determined to defeat you will find a way to overcome the insurmountable. Learn from Troy’s mistake.
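The first two items above, egress allowlisting for the cardholder segment and defining what an attack looks like in the logs, can be turned into concrete detection logic. The following is an added example, not code from the original post: it assumes a constructed POS VLAN (10.20.0.0/16), a constructed allowlist of the two external hosts that segment legitimately needs (a processor gateway and a patch server on 203.0.113.0/24), and a handful of constructed flow records in the shape a firewall or NetFlow exporter would log. It flags three things the text describes: a batch upload from a POS host to an address that is not on the allowlist, an inbound connection from the Internet into the cardholder segment, and a POS host that reconnects to an outside host at a fixed interval, which is the footprint a GoToMyPC-style agent or a backdoor polling its controller leaves behind.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed topology for this example (assumed, not from the post).
CARDHOLDER_SEGMENT = ip_network("10.20.0.0/16")  # POS / terminal VLAN
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]
# The only external destinations the POS segment should ever reach:
# processor gateway and patch server (constructed addresses).
EGRESS_ALLOW = {("203.0.113.10", 443), ("203.0.113.20", 443)}

# Constructed flow records: (src, dst, dport, start_time, bytes_out).
FLOWS = [
    ("10.20.5.17", "203.0.113.10", 443, "2011-01-17T09:00:03", 2_400),      # authorisation, allowed
    ("10.20.5.17", "10.10.1.5", 445, "2011-01-17T09:00:10", 120_000),       # internal file share
    ("10.20.5.17", "198.51.100.77", 443, "2011-01-17T23:55:00", 9_800_000), # night batch to unknown host
    ("192.0.2.99", "10.20.5.17", 3389, "2011-01-17T02:14:31", 900),         # RDP from the Internet
] + [
    # POS host checking in with an outside rendezvous server every five minutes
    ("10.20.5.42", "198.51.100.77", 8443, f"2011-01-17T10:{m:02d}:01", 400)
    for m in (0, 5, 10, 15, 20, 25)
]


def is_internal(ip):
    """True if the address belongs to one of the organisation's private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def unexpected_egress(flows):
    """Flows from the cardholder segment to an external destination not on the
    allowlist. Internal traffic is ignored; everything else outbound must be
    explicitly permitted, which is the point of egress filtering."""
    hits = []
    for src, dst, dport, start, nbytes in flows:
        if (ip_address(src) in CARDHOLDER_SEGMENT
                and not is_internal(dst)
                and (dst, dport) not in EGRESS_ALLOW):
            hits.append((src, dst, dport, start, nbytes))
    return hits


def inbound_from_outside(flows):
    """Connections initiated from outside the organisation straight into the
    cardholder segment. These should be denied at the perimeter, so any hit is
    an alert, not an exception to tune out."""
    return [f for f in flows
            if not is_internal(f[0]) and ip_address(f[1]) in CARDHOLDER_SEGMENT]


def beacons(flows, min_flows=4, max_jitter=0.2):
    """(src, dst, dport) peers the cardholder segment reconnects to at a regular
    interval. Returns {peer: mean_interval_seconds}. A remote-access agent or a
    backdoor polling its controller produces exactly this low-jitter pattern,
    even when each individual flow is small enough to look harmless."""
    by_peer = defaultdict(list)
    for src, dst, dport, start, _ in flows:
        if ip_address(src) in CARDHOLDER_SEGMENT and not is_internal(dst):
            by_peer[(src, dst, dport)].append(datetime.fromisoformat(start))
    found = {}
    for peer, times in by_peer.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: near zero means a fixed schedule.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[peer] = avg
    return found


if __name__ == "__main__":
    for f in unexpected_egress(FLOWS):
        print("EGRESS not on allowlist:", f)
    for f in inbound_from_outside(FLOWS):
        print("INBOUND from outside:", f)
    for peer, interval in beacons(FLOWS).items():
        print(f"BEACON every {interval:.0f}s:", peer)
```

Run against the constructed records this reports the 9.8 MB night-time upload and every check-in to 198.51.100.77 as unlisted egress, the RDP session from 192.0.2.99 as inbound from outside, and 10.20.5.42 as beaconing to 198.51.100.77:8443 every 300 seconds. The allowlist is the part that needs maintaining: it is the written-down version of "we know which external addresses to allow" from the first item, and the beacon rule is one of the attack definitions the second item says organizations stop updating.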