Channel: McAfee Labs | McAfee Blogs

Defence-in-depth, more than a buzzword


Beyond the relentless headlines of data breaches, credit card theft, and many other cybersecurity-related stories lies a very simple explanation. Sometimes it’s as simple as an employee clicking on a link within an email, or a user of a popular cloud service using 123456 as the password.

So with recent headlines reporting the widespread theft of “millions” from ATMs infected with Tyupkin malware, we undertook an analysis in an effort to understand the simple explanation behind the attack. A clue to this simple explanation lies in the title of this post. Simply put, the attackers were able to gain physical access to the ATMs and reboot using a Live CD. They then followed up with direct manipulation of security controls and installation of the malware executable onto the machine. Not only could the attackers infect a system and ultimately steal the millions, as we all saw across the 140 characters that inevitably follow such stories, but the malware was also able to delete itself and clear all logs in an effort to cover the tracks of the criminals.

Herein lies the nub of the issue. There are solutions that can greatly reduce the risk of malware attacks. However, no single solution will accomplish this. ATM security must be implemented in a layered approach. The layers create barriers of protection to make the work of criminals more difficult. Changing the boot order sequence would go far in preventing the attacks. Eliminating the capability to boot from external media would also be effective as another layer of protection.

To add more protection, we need to consider how ATMs are deployed. Some models are designed to be used in certain settings. Additional physical protection for the ATM CPU needs to be implemented. In such circumstances there are approaches that should be considered that not only include physical security controls (such as alarms and closed-circuit TV) but also tamper-proof security controls. Best practice recommends a layered approach to security so that criminals must jump lots of hurdles and not just one. A weakness in one layer is mitigated by security provisions elsewhere.

A combination of physical, process, and logical controls provides a robust environment. Determining the level of security for such environments means that, in future, risk assessments should not assume that all devices will be in controlled physical environments, and should recognize that criminals today are becoming more brazen in mixing physical and cyber elements in modern-day crimes.

We would like to thank the team at Kaspersky for providing their analysis of the criminal campaign to our research team.

The post Defence-in-depth, more than a buzzword appeared first on McAfee.

