Better POS Security With Network Segmentation and a Zero Trust Approach

Following the much-discussed credit card breach at Target during the 2013 holiday season, CERT issued an alert on January 2, 2014 warning against malware specifically targeting Point of Sale (POS) systems.

Because they transact valuable credit card information, POS systems have always been an obvious target for cybercriminals. Some of the most notorious POS malware in recent years included Dexter, and its variant Stardust, which extracted track data from the system memory and from internal network traffic. In most cases, malware infiltrates POS systems through phishing emails.

To help strengthen POS security, the US-CERT has made the following 6 recommendations:

  1. Use strong passwords
  2. Update POS software Applications
  3. Install a firewall
  4. Use antivirus protection
  5. Restrict access to the internet
  6. Disallow remote access

Here is how Palo Alto Networks technology addresses CERT’s recommendations, along with some additional advice on how to best leverage our network security platform in a POS environment:

  • Apply segmentation combined with a strong zero-trust model as the first line of protection. In every industry, sensitive or restricted data that is subject to tight regulations or is of significant value (examples: credit card information, SSN…) should be systematically isolated from more generally accessible information. Our next-generation firewall’s ability to classify all network traffic based on application, user, and content is ideally suited to define and control access to network zones that should only be accessed by a limited, and identifiable set of users, and whose traffic should be constricted to a well-defined set of applications. Our approach allows you to easily enforce a zero-trust model where no traffic is allowed except the few applications and users authorized in the specific zone, no traffic is trusted regardless of location, and all traffic is inspected and logged.
  • Apply additional granular control where appropriate. One good practice is to block authentication to administrative functions from untrusted zones and from unauthorized users. Our ability to control application traffic at a functional level can enable you to implement such control with very simple policies.
  •  Stop all known malware and detect unknown ones. We have signatures for Dexter and its variants to automatically block DNS and Command & Control traffic. Our ability to strictly control traffic based on applications and users limits the scope of you security risks on POS systems, but also enables you to inspect all suspicious files without any performance degradation.

In summary, deploying our next-generation security platform enables you to more easily control inbound and outbound traffic, screen out malicious traffic, and mitigate risks related to vulnerabilities of software and systems that are behind on patches.

Read more about network segmentation and a zero trust approach with Palo Alto Networks security platform. Let us know what you think.