It’s been a busy week for information security in the retail and hospitality sector. Earlier last week, InterContinental Hotels Group (IHG) acknowledged a credit card data breach that impacted more than a dozen properties across their hotel brands spanning the United States and the Caribbean. Similarly, fast food chain Arby’s disclosed on Friday that it had recently remediated a breach of data on up to 1,000 of their corporate-owned locations.
In both cases, the culprits were compromised point-of-sale (POS) systems used to process credit and debit cards. While both IHG and Arby’s discovered these problems and addressed them internally, the damage was already done.
The fact is that POS systems continue to be an increasingly popular target for malicious attackers. Unlike years ago when most POS systems were integrated, proprietary hardware, OS and software stacks with built-in card processing, today’s POS systems capitalize on commodity PC hardware, plug-in card processing units, and standard operating systems like Microsoft Windows and Linux. While that gives tremendous flexibility to companies that need POS terminals, it creates a nightmare scenario for exploitation of these devices that control money.
While there are many ways that attackers can try to exploit POS systems, one of the most common is through the introduction of malware that flies under the radar, capturing keystrokes, cardholder data and other information along the way. To counter this, it’s critical for organizations to ensure that their POS systems based on commodity hardware and operating systems are protected through comprehensive vulnerability management.
An effective vulnerability management program addresses the complete lifecycle of vulnerability prevention, detection and remediation:
- It has to be continuous. Rather than conducting manual point-in-time scanning, true vulnerability management must be constantly assessing the problems in your environment that can lead to data breach or other threats.
- It has to assess vulnerabilities by asset and business value. The same vulnerability on two different systems isn’t necessarily the same risk. A system that contains payroll data (or in the case of POS systems, inventory and cardholder data) is decidedly more critical than a system containing only public information such as an informational website.
- It has to be actionable. A vulnerability management solution has to tell you not only where the problems lie, but how to fix them. Specific configuration changes, links to current, vendor-approved patches and consensus-driven recommendations are critical to ensuring that discovered vulnerabilities are fixed properly, the first time.
For organizations such as retail, hospitality and others whose core business relies on face-to-face interaction with customers, the need for a comprehensive vulnerability management platform is critical.