Securing Your Network

Securing Your Network

One of the things that you should do in securing your network, is to limit internet access to only the sites that a particular station needs. For example, a Point-Of-Sale workstation usually only needs to be able to access the internet in order to validate credit and debit transactions. When that is the case, then your firewall should be configured to only let those stations through to the sites they need for authorization.

By limiting the access of those stations to only the card processor site, it prevents users from randomly browsing web sites during slow times. Thus, they cannot be checking their personal email or checking out the latest funny videos. This is not to punish them, but rather to eliminate those common vectors of attack. It prevents those viruses and malware-bearing emails from being read, and their payload potentially being unleashed on your workstations. It also prevents those drive-by downloads from malicious sites, from doing the same.

Obviously, there will be stations that need to access additional sites. However, if these sites can reasonably be limited to just those sites that need to be accessed, they should similarly be limited. It may be possible to limit those stations to only your company email, vendor sites, your store web site, etc. Additionally, those stations should be restricted to use by only those users that need to be accessing the sites that the stations are being allowed access to. Those users should also be trained on what to be aware of when accessing outside sites. In particular, the user or users that are accessing the company email should be trained on how to recognize potential phishing, or other malware, type emails.

Limiting the avenues that expose your network to outside contact, can go a long way towards preventing the network from being compromised. Such limits are often evaluated from the perspective of limiting outside access in. Access restrictions should be evaluated, and restrictions imposed from your network out, as well.

Dave.

New Twists Ransomware and Spear Phishing Attacks

New Twists on Ransomware Spear-phishing Attacks

In recent years we have seen an increase both the number of spear phishing campaigns, and increased ingenuity as to the ways that scammers try to assist you in getting your systems infected, or attempt to fleece you out of money.

In the past, this may have been something sent via emails that used official-looking emails complete with a financial institution’s corporate logo, or they could get phone calls from a fake bank account executive. The email or caller could tailor an email to the customer with personalized information they downloaded, making it seem like it was a legitimate email.

The fake bank account executive or emailer would then indicate there is an urgent problem with the customer’s account, and then ask for birthdates, Social Security numbers or passwords. The virtual trap could also be set by the official-looking email asking customers to click on a link embedded in the email to, say, update their account information. However, the link takes the unsuspecting victim to a fake but legitimate-looking website, where the customer is then tricked into listing passwords, bank account numbers, Social Security numbers, user ID’s, access codes, and PIN’s.

Some recent twists on the above are:

An email that spoofs your email account in the emails “sent from” field. The body of the scammer’s email claims that they have already hacked into your system via a porn or adult dating website that you “supposedly” recently visited. The email indicates a direct threat to email explicit photos or videos to all of the contacts in your email system, specifically to your employer, and/or the police, if you don’t send money to a specific destination as of a specific date and time.

One or both of the following may be included:

  • Instructions on where to go to pay the ransom.
  • Clickable links that direct you to site to pay a ransom, and/or a link that actually infects your system with encryption malware, which subsequently locks you out of your system, with another ransom demand in order to get a key to un-encrypt your drive(s).

Typically, the best thing to doing in these situations is to immediately delete the email, and clear it out of your mail deleted mail folder and the follow-up with staff on how to be diligent about recognizing and handling these sorts of threats.

– John

Beware of Fake Emails

Beware of Fake Emails

Recently, I have noticed a great increase of emails, both at home and at work, that appear to come from legitimate sources, but are bogus emails. Sent under recognizable names, either personal or professional, the sender wants you to open the attachment so your information can be stolen, a virus installed, and your computer shut down for a ransom.

The fake emails that come to me most often are supposedly from my daughter, who lives in another state and works for a university. The email address looks correct, yet the subject information is something that I know my daughter would never say to me. The first thing I did, before opening the first one like this, was to call her and ask if she sent me an email. When she said, “No,” I immediately set my computer to block further emails from this address. That worked for a while, but now they have returned with a small change from the original email address used. Hackers can be very sneaky.

Other malicious emails I have received say they are from UPS about a package that may have been lost, from the Internal Revenue Service about a tax I supposedly owe, and from DHL about a delivery.

The best way to deal with fake emails is to install a good anti-virus program, and also use extreme caution before opening any attachment that looks even remotely “fishy.” Carefully assess the email address, subject line, and even the language used. Ask yourself if this is an expected email, or something unexpected. Be careful and be safe!

If you ever think you may have been hacked, call us at once for help. Our techs can work with you to get you back on track! Our number Is 425-672-4806 or you can email us.

Marlene

Granting Administrator Privileges to users

Granting Administrator Privileges

Granting administrator privileges to users is one thing that I often see, that is done much more than it should be. The reason given is this simplifies those occasions when software needs to be installed or updated. However, in general, this is a bad practice.

The simplification of installing legitimate software will be exploited if you are ever the victim of malware or viruses. Since the user that the infection uses already has administrator privileges, the malware does not need to find anything to exploit for it to have access to your entire system. If the malware already has inherited the privilege from the user login and can wreak whatever havoc is in its payload.

On the other hand, if the user is given basic user privileges, and the malware is unable to find any way to exploit the system to increase its privileges, then the damage is contained to what the captured user can modify. While that is still upsetting, having to restore some documents, and change user settings is more desirable than having the entire computer system corrupted and compromised. Not to mention, the potential effect on other computers on your network, if administrator-level privileges can be leveraged against them.

With properly set permissions, users can do everything that they need, without elevated privileges. It can take some extra time to setup the appropriate permissions, but not nearly the time that it takes to recover from a malware attack that could have been limited in scope by a simple restriction of administrator level privileges.

Dave

Signs Your System Has Been Compromised

Signs Your System Has Been Compromised

Users need to be on the alert for signs that your system has been compromised. Let us look at some of the signs. One that often occurs is that icons on the desktop have been moved, or new icons have appeared. If new icons have appeared, and no software has been installed, as far as is known, it is a red flag that the system has been compromised.

Hackers will often install new software when they gain access to a system, to give them further control, or the ability to gather additional information from the system. Most times, there is no obvious trace of this additional software, but many times they are sloppy, and those surprising new icons are an indication.

Icons being moved is often also an indication. This is often due to the hacker going through and clearing those new icons. However, those icons moved some of your old icons when they were installed, and the hacker does not know exactly where the old icons were on the desktop. Or, the icons were subsequently auto-arranged, and are thus not in the location on the desktop that users had moved them to.

Another big indicator is that your system suddenly slows down. The screen may lag when you are typing, or processes that used to take a second or two, now take many seconds, to even minutes. This is due to the system having an increased load, due to the additional software that has been installed, and what it is doing to steal information or use the computing power for other nefarious activity, such as cryptocurrency mining. Cryptocurrency mining is using computing power to unlock cyber currency, such as Bitcoin. This takes a great deal of computing power, cybercriminals are farming this activity out to compromised systems, rather than using their own.

Basically, be alert to any change in the way that your system looks, or responds. While it may be due to legitimate changes, often it is a sign that unwanted people have gained access to your system.

CCS provides IDS products.  Contact our Sales Department to discuss the right solution for your operations.

Dave.

The threat of Attack on Point-Of-Sale (POS) systems

The threat of Attack on Point-Of-Sale (POS) systems

In the retail world, the threat of attack on Point-Of-Sale (POS) systems is always high, as they are a prime target for the bad actors trying to get credit card information. There is always new malware being created to try to get that information. There are, however, steps that can be taken to reduce the risk, even with regards to the latest attack software.

The best thing that you can do is to isolate your servers and workstations as much as possible. In an ideal world, these would be completely isolated, and not interact with any other systems. The reality is that this is very rarely the case. With that in mind, let’s look at some things that can be done.

The first step is to make sure that your firewall is as restrictive as possible. Your POS workstations and server if needed should only be restricted to accessing what is absolutely needed. In most cases, this is only your credit card processor. In no case, should your firewall allow either the workstations or the server, unrestricted access to the internet? The firewall will eliminate the chance for drive-by downloads, or users browsing to malicious sites.

Along those lines, any computers that are used for general internet browsing, and also email, should be on a separate network. If it is not possible to implement workstations on a separate physical network, at least use a different logical network as in a different network address range. Even just the different logical network, will stop the majority of malware infections.

If remote access is needed, and it should be restricted to those cases where it truly is needed such as your support company, then it should be restricted to only those addresses that have a legitimate reason to connect. Also, any such connections should be closely monitored. One such method is to disable the remote access software, and only enable it when your support personnel is actively connecting. Of course, it is again disabled as soon as they are finished.

Those cover the basics of securing your POS system. It is a good place to start, but it is only a start. Keeping software updated, training personnel, and keeping vigilant are always key components, also.

Dave

Security and Encryption Malware

Security and Encryption Malware

Despite one’s best intent, systems can be infected by viruses, hacked, or crashed due to various reasons and through various sources. Having good security programs, and redundant data/program backup functions in place should be considered a must-have. However, even with these policies and procedures in place, sometimes things can go very wrong.

As a recent example:

A company’s application server was infected with a file encryption ransomware program during the middle of the day. Most of the operating system, and various programs where encrypted.

Doing a repair installation attempt was unsuccessful in correcting the issues, and ultimately, a recovery required pulling selected programs and data from multiple backups. Because the back-ups were incomplete, this created a number of residual issues related to some operating system files/features and selected programs.

This infection was later determined to be the result of all of the following:

  • Failure to restart the server after an anti-virus software update.
  • open RDP Internet ports on the server’s firewall.
  • An un-patched known security flaw on the application server that was known to be vulnerable to remote brute force connection attempts.

In this particular case, the saving grace was…

Their core application software programs and data on at least some of the redundant back-ups were undamaged by the encryption Malware infection.

The end result here was… a recovery project that could have taken weeks or months of work to complete or that could have resulted in massive irreversible data loss, ended up causing only several days of disruption and only a couple of days’ worth of data loss

While all of this might seem like a no-brainer to some, a focused plan that has built-in redundancy should be considered a must for any business.

If you would like a review of your current system for either security or and/or backup integrity, please contact CCS Retail Systems Support Department to schedule your System Security and Recovery evaluation.

– John

New TLS Patch Coming for 8.5.2.1

 

ViewPoint Newsletter | NCR
New TLS Patch Coming for V8.5.2.1 March 6th

Payment Card Industry Data Security Standards (PCI DSS) require all PA-DSS validated payment applications to discontinue the use of “early TLS” (i.e., all versions of SSL and TLS 1.0) by June 30th, 2018. For more information on this, please refer to the TLS 1.2 transition document. 

To comply with this requirement, NCR Secure Pay will no longer accept early TLS connections after 2:30 A.M. on June 5th, 2018. In addition to the previously mentioned updates to NCR Counterpoint V8.5.4 and V8.4.6, we will also be releasing a patch for V8.5.2.1 . Releases will are scheduled as follows: 

  • V8.5.4 Patch 002: Scheduled for 2/20/2018
  • V8.4.6.19 Service Pack: Scheduled for 3/6/2018
  • V8.5.2.1 Patch: Scheduled for 3/6/2018

We do not plan to release patches or Service Packs to support TLS 1.2 in other versions of NCR Counterpoint.

To prepare for the transition to TLS 1.2, you must first ensure that TLS 1.2 is supported and enabled on your workstations by following the appropriate steps for your operating system, as outlined in our TLS 1.2 transition document. 

Marilyn.

Getting Ready For Transport Security Layer (TLS) 1.2

GETTING READY FOR TLS 1.2

Payment Card Industry Data Security Standards (PCI DSS) require all PA-DSS validated payment applications to discontinue the use of “early TLS” (i.e., all versions of SSL and TLS 1.0) by June 30th, 2018.

To comply with this requirement, NCR Secure Pay will no longer accept early TLS connections after 2:30 A.M. on June 5th, 2018. In addition, updates to NCR Counterpoint V8.5.4 and V8.4.6 that will require the use of TLS 1.2 for payment transactions processed through NCR Secure Pay will be released as follows:

  • V8.5.4 Patch 002: Scheduled for 2/20/2018
  • V8.4.6.19 Service Pack: Scheduled for 3/6/2018

We do not plan to release patches or Service Packs to support TLS 1.2 in other versions of NCR Counterpoint. To prepare for the transition to TLS 1.2, you must first ensure that TLS 1.2 is supported and enabled on your

workstations by following the appropriate steps for your operating system, as outlined below.

 Do NOT disable early TLS on your workstations, as NCR Counterpoint Services (CPServices) requires TLS 1.0 for internal communications. Because PCI DSS prohibits the use of early TLS for the external communication of payment transactions only, using TLS 1.0 with CPService does not violate PCI-DSS compliance.

CPServices will be updated to use TLS 1.2 in a future NCR Counterpoint release.

Once TLS 1.2 is enabled, you can install V8.5.4 Patch 002 or the V8.4.6.19 Service Pack—depending on which version of NCR Counterpoint you are using—to begin using TLS 1.2 for all communications with NCR Secure Pay.

  V8.5.4 Patch 002 and the V8.4.6.19 Service Pack will only work with TLS 1.2. If you install these updates on a workstation for which TLS 1.2 is not supported and enabled, NCR Counterpoint will be unable to connect to NCR Secure Pay and you will be unable to process payments.

W I N D O WS 8. 1/ W I N D O W S 1 0 / W I N D O W S  S E R V E R 2 01 2 R 2

By default, TLS 1.2 is supported and enabled in Windows 8.1, Windows 10, and Windows Server 2012 R2. Thus,

no additional configuration is required to use TLS 1.2 with these operating systems.

W I N D O S 7/ W I N D O W S  E M B E D D E D  P O S  R EA D Y  7 / W I N D O W S  S E R V E R  2 0 0 8 R 2

If your NCR Counterpoint workstations are running Windows 7, Windows Embedded POSReady 7, or Windows

Server 2008 R2, first ensure that you have installed all current Service Packs, updates, and security patches.

To enable TLS 1.2, create the registry setting entries (in the Client subkey) that are specified in the TLS 1.2

section of the Transport Security Layer (TLS) registry settings page in the Microsoft documentation library

(https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12).

Every effort has been made to ensure the accuracy of this document. NCR makes no representations or warranties with respect to any of the information contained in this document and specifically disclaims any express or implied warranties of merchantability or fitness for a particular purpose with respect to such information. NCR shall not be liable for any errors or for incidental, indirect or consequential damages in connecting with the furnishing, performance or use of this document.

V E R I FY I N G  T H A T  T L S 1 .2  I S  E N A B L E D

If you are using Windows 7, Windows Embedded POSReady 7, or Windows Server 2008 R2, you can verify whether TLS 1.2 is supported and enabled on each of your NCR Counterpoint workstations by using Microsoft Internet Explorer to access the How’s My SSL? Website (https://howsmyssl.com).

Only use Internet Explorer to verify that your workstation is using TLS 1.2; other browsers do not use the Windows TLS system and may display incorrect results.

The Version section of the page should indicate that your client is using TLS 1.2, as illustrated below.

W I N D O W S  E M B E D D E D  P O S  R E A D Y  2 0 0 9

NCR does not currently plan to test or support TLS 1.2 with Windows Embedded POSReady 2009. Although Microsoft has indicated that an update will be made available to support TLS 1.2 with Windows POSReady 2009 (https://cloudblogs.microsoft.com/microsoftsecure/2017/10/05/announcing-support-for-tls-1-1-and-tls-1-2-in- xp-posready-2009/), merchants who wish to continue using POSReady 2009 must do so at their own risk.

We strongly recommend upgrading any workstation that is running Windows POSReady 2009 to a newer, supported operating system.

Marilyn.

GDPR – The General Data Protection Regulation Compliance Requirements

GDPR – The General Data Protection Regulation

The GDPR imposes rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where those businesses are located. Among the key elements of the GDPR are the following:

Enhanced personal privacy rights – strengthened data protection for residents of the EU by ensuring that they have the right to access their personal data, to correct inaccuracies in that data, to erase that data, to object to processing of their personal data, and to move it

Increased duty for protecting personal data – reinforced accountability of organizations that process personal data, providing increased clarity of responsibility in ensuring compliance

Mandatory personal data breach reporting – organizations that control personal data are subject to stringent reporting and notification requirements in the event of a personal data breach

Significant penalties for non-compliance – steep sanctions, including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply November Accelerate Your GDPR Journey 2017 13

As you might anticipate, the GDPR may have a significant impact on your business, potentially requiring you to update privacy policies, implement and strengthen data protection controls and breach notification procedures, deploy highly transparent policies, and further invest in IT and training.

If your company has business transactions that involve European Union (EU**) Companies or customers, you can contact CCS Retail Systems to help you plan how to avoid GDPR penalties before this regulation is enacted on May 25th, 2018.

**EU Austria, Belgium, Croatia, Bulgaria, Cyprus, CzechRepublic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxemburg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
 
 

Marilyn McCormick