The Unthought of Repercussions of the Riots and Looting in Cyber Security

August 3, 2020

Chris Ruggieri

Even on the best of days, Information and Cyber Security is the elephant in the room that no one wants to talk about. Some companies still have Security “at the kid’s table” and only worry about Cyber Security budget after an incident occurs.

Now, we are faced with an entirely new threat that either no one has thought about or one that, again, no one wants to talk about. CIVIL UNREST. First of all, let me start by saying that I have absolutely no problem, issue, or complaint about people marching and demonstrating in protest for whatever reason. Literally, I don’t care what reason someone gives to protest. The Sky is Blue and Should be Purple. Protest. Don’t care. However, and with that being said, the moment houses, businesses, and other buildings start being torched, citizens being beaten (whether by protestors or law enforcement), and things start being stolen, you have left the realm of protest and entered into riot-dom. Now, why is a riot a topic for discussion on a Cyber/Information Security blog? I’m so glad you asked.

When most people think about Cyber/Information Security, they think of data. They think of networks. They think of servers. They think of datacenters. They think of the individual endpoints. Let that last one sink in and stew for a moment… That’s right. There’s the lightbulb moment. That restaurant you dined at last night or that store you made a purchase with yesterday could still have your personal information, including credit card transactions, on either the point of sale or the back of house server waiting for the end of day close out. Those rioters and looters just stole those point of sale systems and servers. Your data could now be in the hands of a criminal. And before anyone starts with the whole “but they’re protestors not criminals” argument, a thief is a thief and a thief is a criminal. Accept it and deal with it.

 

Now, we’ve found ourselves nose to trunk with the elephant in the room. I can tell you from personal experience that many Point-of-Sale (look, I’m going to shorten that to PoS because I’m tired and too lazy to keep writing that out) providers WILL NOT SUPPORT THEIR PRODUCT IF FULL DISK ENCRYPTION IS UTILIZED. Think about that one for a moment. The best method of protecting the data on those endpoints can’t be used or the PoS vendor will no longer support it. First off, that’s an unacceptable approach in my mind. Those vendors need a customer smackdown for their failures, but that is neither here nor there. Next, we have the fact that some PoS providers “spool” the transactions for the day until closeout with that credit card data stored. Why? I’ll get to all that. Last, but most certainly not least, those PoS systems and servers most likely have some form of Administrator credential cached on that machine. The situation seems dire, doesn’t it? All from the theft of a single machine or even two machines.

This is one of those situations where the Information Security community HAS to be proactive. Let’s run a quick recap of the situation:

  1. The theft of the actual device
  2. The customer data stored on the device
  3. The cached credentials on the device
  4. The lack of ability to utilize full disk encryption

 

We have 4 major risks, and probably more, but these are the 4 I want to focus on. Not much we can do with the actual theft of the device. Now some people may say, cable it to the PoS station, but trust me, these guys showed up with bolt cutters. Cabling it down wouldn’t even slow them down. The customer data… This one still baffles me. For the love of all things holy, ENCRYPT AT SWIPE!!! Encrypting at swipe keeps the credit cards from EVER being stored on the system. It also makes PCI DSS Compliance SOOOO much easier because guess what? No Credit Card environment! Next risk is the cached credentials. Some form of Privileged Account Management (PAM) offering that rotates those Administrator credentials at regular intervals should be in effect anyway, but if you don’t have one, GET ONE. PAM would allow you to change that credential across your environment the moment you discovered the devices had been stolen. At that point, the cached credential they have is useless. Bringing us to the last of the 4. The lack of ability to utilize full disk encryption because of the vendor’s refusal to support it. I’m going to be blunt (if you’ve read anything else I’ve written then you know bluntness is just my SOP). To all the vendors that have said they would not support their product if full disk encryption is utilized: Get up to date or get left behind! Your excuses have reached the end of their usefulness, much like your product. BitLocker was released January 30, 2007. Read that again. 2007!!!! 13 years. 13 years you’ve had to fix your CRAP of a product. You want to fix 3 of those major 4 and make the theft part irrelevant? Get a PoS offering that allows for full disk encryption and leave the dinosaurs to be fossilized in time. We as customers have the ability to MAKE them support encryption. It’s high time we use that power.

You see now that the elephant in the room is just a small one, friendly and easy going. It just takes a little bit of prep work to make this particular pachyderm happy.
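To make the spool point concrete, here is an added example (my own, not code from the post or from any PoS vendor) that builds a legacy end-of-day spool beside an encrypt-at-swipe spool and runs the same PAN scan over both, the check a DLP tool would run against a recovered disk. The `reader_encrypt` routine is a labelled toy stand-in for encryption inside the card reader, and the card numbers are the standard published test numbers.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample swipes (PAN, expiry, amount in cents) using well-known test card numbers.
SWIPES = [("4111111111111111", "1225", 4250), ("5555555555554444", "0726", 1899)]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(spool: bytes) -> list:
    """DLP-style scan: every 13-19 digit run that passes Luhn is an exposed PAN."""
    return [m.decode() for m in re.findall(rb"\d{13,19}", spool) if luhn_ok(m.decode())]


def spool_plaintext(swipes) -> bytes:
    """Legacy PoS: card data sits in the end-of-day spool in the clear."""
    return b"\n".join(f"{pan}|{exp}|{amt}".encode() for pan, exp, amt in swipes)


def reader_encrypt(pan: str, exp: str, reader_key: bytes) -> bytes:
    """Stand-in for encryption inside the card reader: the key lives in the reader
    (or at the processor), never on the PoS disk. Toy HMAC-keystream XOR, not a real cipher."""
    msg = f"{pan}|{exp}".encode()
    nonce = os.urandom(16)
    stream = hmac.new(reader_key, nonce, hashlib.sha256).digest()
    assert len(msg) <= len(stream)
    return nonce + bytes(a ^ b for a, b in zip(msg, stream))


def reader_decrypt(blob: bytes, reader_key: bytes) -> str:
    """Processor side: only the key holder can recover the PAN."""
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(reader_key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def spool_encrypt_at_swipe(swipes, reader_key: bytes) -> bytes:
    """Encrypt-at-swipe PoS: the spool holds ciphertext, last four digits and the amount only."""
    rows = []
    for pan, exp, amt in swipes:
        ct = base64.b64encode(reader_encrypt(pan, exp, reader_key)).decode()
        rows.append(f"{ct}|{pan[-4:]}|{amt}".encode())
    return b"\n".join(rows)
```

Run `find_pans` over both spools: the legacy spool hands back every card number, the encrypt-at-swipe spool hands back nothing, which is exactly why a stolen PoS box stops being a card data breach.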