The last 3 years have been filled with credit card breaches at some of the largest retailers in the world. These breaches have exposed hundreds of millions of credit card numbers and put millions of people worldwide at risk. To add insult to injury, in the last month 6 point of sale providers have been breached, potentially impacting over 1 million Point of Sale (PoS) registers [1]. In the case of Oracle's Micros unit, Micros servers were breached and infected with malware that allegedly harvested retailer usernames and passwords as retailers logged on to the Micros service, and sent this information back to the cyber gang.
A plethora of cardholder information, PoS server logins, and more can be found across the social web. Following the recent Micros PoS server software breach, numerous customers of the PoS software were found on the social web. Dumps of IP addresses, logins and passwords for servers around the world were posted to places such as Pastebin. One can easily find individual credit cards including names, CVV and expiration dates as well.
The PCI Council has outlined requirements for protecting PoS systems, payment networks, cardholder data environments (CDE), and more. Social media is a newer threat vector that presents risks to these payment environments, and the PCI Council's monitoring requirements apply to it. PCI DSS v3.2 [2] outlines breach monitoring requirements in Section 10.6.1: "Review the following at least daily: All security events," and "Checking logs daily minimizes the amount of time and exposure of a potential breach." Monitoring social networks and the wider digital web can contribute significantly to the indicators of compromise (IOCs) related to a specific retailer. If the retailer uses Micros, social media monitoring provides early warning that is key to fortifying your network: changing server passwords, and ensuring your Cardholder Data Environment (CDE) is blocked from intruder access and limited to just the required entities, such as the Payment Processor or Acquiring Bank.
This is further supported by Section 12.10.5, which says to "Include alerts from security monitoring systems," which "are critical in taking quick action to prevent a breach." Identifying a post that includes the IP address of one of your servers gives you a critical heads-up on a potential breach and allows a retailer to act proactively.
We commonly see daily posts of new proof of concept (PoC) malware targeting vulnerabilities that are catalogued as CVEs (Common Vulnerabilities and Exposures) and scored under CVSS (Common Vulnerability Scoring System). These examples are from Twitter, Pastebin, and Google+.
CVSS is used by organizations and their vulnerability scanners to identify new vulnerabilities and operationally prioritize patching. This is a requirement of PCI DSS v3.2 Section 6.1: "Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high,' 'medium,' or 'low') to newly discovered security vulnerabilities." CVSS includes scoring that changes based on the availability of malicious code in the wild. Social media is a great way to identify when PoC malware is available in the wild: malware authors thrive on boasting that they've created new PoC code that exploits a vulnerability, and they do so by posting a link to it on social media.
As a former PCI QSA (Qualified Security Assessor) and current PCI participating member, I know that achieving PCI compliance is no easy task. But leveraging social media can help you maintain PCI compliance while also providing early warning signs that help you avoid a breach. Your strategy should include:
- Monitoring Social Media for emerging threats to payment systems, including malware exploiting system vulnerabilities (PCI Section 6.1)
- Monitoring Social Media daily for breach IOCs, including data dumps of credit card numbers and the source of those cards. Additionally, these posts can include co-branded retailer credit cards. (PCI Section 10.6.1)
- Reviewing Alerts to identify social media threats and allow for quick action to prevent a breach. This includes identifying risks to your cardholder data environment or stores on the social web, including external posts with server and network logins. (PCI Section 12.10.5)
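A minimal detector of the kind this daily review calls for, added here as an example and not code from this post or any vendor: it scans a constructed paste for addresses inside the retailer's own (hypothetical) server ranges and for Luhn-valid card numbers, and masks every PAN before reporting it so the alert itself never stores cardholder data.

```python
import ipaddress
import re

# Constructed sample of a paste like those described above; the server IPs,
# logins and card numbers are made up for this example.
SAMPLE_PASTE = """micros dump 08/2016
198.51.100.23 admin:Summer2016!
203.0.113.9 micros:micros
Cards: 4111111111111111 12/19 123 John Doe
4111111111111112 01/20 999 (bad)
"""

# Hypothetical address space of the retailer's own payment infrastructure.
MONITORED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Luhn check: doubles every second digit from the right, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_paste(text, networks=MONITORED_NETWORKS):
    """Return (kind, value) findings: our server IPs and masked Luhn-valid PANs."""
    findings = []
    for m in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group())
        except ValueError:  # e.g. an octet above 255
            continue
        if any(addr in net for net in networks):
            findings.append(("server_ip", str(addr)))
    for m in PAN_RE.finditer(text):
        if luhn_valid(m.group()):  # drops most random digit runs
            findings.append(("pan", mask_pan(m.group())))
    return findings
```

Feeding real paste text through `scan_paste` and alerting on any non-empty result gives the "heads-up" described above without the monitoring system itself becoming part of the CDE.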
If you're not monitoring social media today for threats to your payment environment, you have a huge blind spot. The good news is that it doesn't require another appliance or database in your CDE, but rather a solution that can monitor and report when these activities occur and whether they present a risk to your payment environment. It also enables you to become more proactive while maintaining your PCI compliance and minimizing the impact of a breach.
[1] Forbes article on the Oracle Micros breach
[2] PCI DSS v3.2 security standard