Case study: Using remote access securely
Point-of-sale products vendor MICROS Systems services some of the most popular restaurant and hotel chains in the world. Their CISO explains how they support clients remotely without opening them up for a headline-making breach
By Joan Goodchild , Senior Editor
September 12, 2011 — CSO —
"Remote access and desktop services, in combination with the exploitation of default and/or stolen credentials, is a huge problem in the retail and hospitality industries," the Verizon report states. "Opportunistic attacks are carried out across many victims who often share the same support and/or software vendor."
According to researchers, as soon as an intruder discovers a particular vendor's authentication method and schema (be it for TCP port 3389 for RDP; or TCP port 5631 and UDP port 5632 for pcAnywhere), he will be able to exploit it across a multitude of that vendor's partners and customers.
"Oftentimes, in lieu of conducting a full port scan for these remote service applications, attackers will customize their scripts to exclusively look for these ports and search a broad swath of the Internet," the report states. "This speeds up their capability of searching for and finding services unprotected by router/firewall ACLs and allows them to quickly check for default credentials as well. This of course relies on remote access authentication schema being uniform across all of that particular vendor's customers —but hey, who are we kidding? They always are."
Jim Walsh, CISO for point-of-sale products vendor MICROS Systems, knows all too well how attractive a chain restaurant or hotel is to a hacker. MICROS, the largest POS company for the hospitality industry, is used in almost all major restaurant and hotel chains around the world.
[See also: Security at the point of sale and Retail security:Critical strategies]
"If someone can get into one of our customer's systems, they've pretty much figured out how to get into the other 5,000 of them. That makes them an even greater target."
Prompted seven years ago by what Walsh said was a sudden upswing in high-profile breach events, MICROS went looking for secure ways to support customers remotely, and also launched an education initiative to start educating clients on how best to protect themselves. Here he shares with CSO how he mitigates the risk of hackers breaking into his customer's networks.
CSO: Briefly explain the scenario of MICROS customer support several years ago.
Jim Walsh: Not too many years ago POS applications like ours were storing full track card holder data that was not encrypted. In fact, historically the card holder industry required us to store that information, just until a few years ago. It was not uncommon for that information to be stored and to be there and to have a number of years-worth of data, so there was a lot of low-hanging fruit for attackers. With remote applications sitting there, always on and in listening mode, and in a lot of cases well-known, generic-user names and passwords were being used, it was pretty easy to get into these systems.