Point of Sale Systems: How to Stop Critical Entry Points for Malware
February 20, 2014
Point of Sale (POS) systems have long been the target of financially-motivated crime. And in 2013 the magnitude of cybercrime against POS systems skyrocketed, with 97% of breaches in the retail sector and 47% in the healthcare sector aimed against POS systems. With sensitive financial and personal records getting exposed by the millions, the FBI recently warned that POS systems are under sustained and continued attack.
During this webcast, we will take you into the three critical entry points to POS system attacks. We’ll discuss how the attacks look, the timelines for these breaches, and what proactive security measures you can take to help your organization minimize the risk to your POS systems.
Hello everyone and welcome to this webcast. Today, we're gonna be talking about Securing your Point of Sale or POS systems, How to Stop Malware and Data Theft. My name is Chris Merritt. I'm with the Solution Marketing Team here at Lumension, and for the next few minutes, we'll be talking about some really interesting stuff that's going on today and quite relevant to lots of security discussions going on. Before I start into the presentation, a little housekeeping. I wanna make this as interactive as possible, so if you have questions along the way, just click on the questions tab up there, I'll answer 'em as I can. And then, of course, at the end, I'll take questions that occur to folks until we run out of time. So, with that, let's get started.
So today, I'm gonna start a little bit of setting the stage, what we're gonna be talking about. We'll talk about a couple of the major attack vectors that we're seeing out there that are getting after POS systems and the like. Then we'll talk about what the implications are for organizations, and finally, a wrap-up with how to minimize the risk that people are facing today.
So, let's set the stage. The focus today, of course, is on POS, point of sale systems, but we need to also consider other fixed-function assets that, you know, every organization that takes credit card information, payment information, or even just provides information for say travelers, things like self-checkout, kiosks, ATMs, things like this. There's a growing number of mobile POS systems out there based on iPad and other tablets. So a lot of other types of systems that out there, and we'll touch on those a little bit.
In addition, we need to consider the entire, for lack of a better phrase, supply chain. So we need to think about the back office assets, like servers and workstations, things like desktops and laptops, etc. But also, and I think everyone understands why, the bigger supply chain involved, you know, the vendors that are involved in our day to day operations, both on the security side and on the, just the supplier side. For folks who might not get the allusion, it's now been determined that the Target hack at the end of last year was achieved by hacking a HVAC, a heating ventilation air conditioning company sub-contractor. They got hacked, which allowed the hackers to then get into the Target servers, which then allowed them to get into the POS controllers, and so on, so forth.
So, you know, real important that we think bigger than just the POS system itself, that's kind of my message there. We're gonna focus on the retail sector, but, you know, we also need to consider other sectors where POS systems and the like are used, particularly healthcare and the financial sectors. So why is this? Well, in the retail sector, according to the latest Verizon Threat Landscape Reports, in the retail sector, 97% of attacks involve some sort of tampering. Of those, 59% were on payment servers and 47% were against payment terminals and pay at the pump type machines. Okay, that makes sense. That's where POS systems are. Well, okay, what about healthcare?
This is really interesting to me. POS systems and desktops were the most commonly attacked assets in the healthcare industry in the last couple of years. Payment terminals at 70%, POS controllers at 41%, and desktops, which is what we normally think of as being the most important thing, at 17%. But that also, you know, kind of illustrates the supply chain issue that I'm talking about, not only within the organization, but beyond the organization, to include business associates. Okay, what about finance? Well, obviously, it's mostly ATMs, 66%, but it's also database and servers, so part of the extended chain, 20%, and end-users at 9%. So lots of different types of assets that can be exploited, and when they are, they can then be used, leveraged to get to the POS system. So, just a little bit to set the stage.
Okay, so what are the three main attack vectors we're gonna talk about here today? Let's start with a chart about a threat environment. This is from a report by the IHL group last August, focused primarily on the retail, but, you know, pertains to a lot of other organizations. So they've done this report for several years, and it demonstrates that over the years, compliance is always a big issue. And that makes sense, so I mean that's where, the most obvious thing that we can take care of, the thing that we can go to, budget committees and get money for, etc.
Interestingly, number two on this list is the unidentified concern. The fear of the unknown, which, you know, quite frankly, especially these days, is not necessarily unreasonable. It's not paranoia. There's just so many different ways that organizations are being attacked, you're just not certain what you should be paying attention to. Number three on this list was operating vulnerabilities. This issue has been around for a long time. It's especially interesting when we think about the fact that the Windows XP operating system is coming to an end, [inaudible 00:06:41] is no longer gonna be supported by Microsoft in April, so what, about two months from now. And the implications that it has, especially in a POS systems, because, and ATMs also, a lot of ATMs, a lot of POS systems are based around Windows XP embedded, and so the question is, "How do I deal with OS vulnerabilities?"
Then we get to kind of the next set of things. The malware protection, unauthorized application, system changes, and centralized security management. And what's interesting about these, not only their relative position, but also the relative difference between management if you will and IT and operations. So the hands-on focus folks are much more concerned about these issues than management seems to be. So therein lies a big organizational challenge, how do we get the message across. So big differences there, but very important, obviously.
...So, what are people attacking? So here is a chart from the 2013 Verizon DBIR, the Data Breach Investigations Report, came out April last year. Should be seeing a new one shortly. This looks at the variety of compromised assets overall, across all the industries that they conduct their investigations across. If you've not read these reports, they're valuable, they have been increasing their scope by adding information from various law enforcement groups, the Secret Service has been contributing for a while now. Australia got involved last year, a few others, so some really good information in there.
But what I want to point out here is number one, is ATMs. And this is across all the industries, across all of the investigations they conducted, which again, worldwide. So, physical attack, or skimmers, very definitely impacting, having the biggest impact. What's really interesting to me at least here is you see a huge difference between what the large companies see the impact and how small companies see this impact. You know, large companies that have ATMs have a lot of them, and so they're more likely to get hit. We've seen, we know about the flash mob that hit banks, what was that, about a little over a year ago, where they'd compromised a bunch of credit card information, created a bunch of fakes and dupes, and then spread those around the world, and in a 24-hour period, took something like $40 million. It was an incredibly sophisticated heist. So, ATMs, big, big problem there.
But the next six-ish areas, so we see desktop, file servers, laptops, unknown, both servers and people, mail servers, directory servers. Beyond those ATMs, the next six asset varieties, a lot of standard targets for espionage campaigns which then can lead to hacks that go after money. So this is what we in the security business call the "kill chain," something in the Lock...good folks at Lockheed came up with based on their investigation on how hacking attacks occur. And basically, espionage, understanding the terrain that they're going to be hacking is part of the process of an advanced attack, or a targeted attack. So go find out what assets the target has, where are the vulnerabilities, and then start probing a little bit to see where the weaknesses are.
So, a lot of different assets here, and so why am I bringing that up with regard to POS systems? Well, again, this supply chain notion, if the hacker gets into the back office, and then leverages that to get to the POS systems where they can then siphon off the information, that's just as bad as if they get to the POS system itself. So, we can't guard just the POS systems, we need to think more holistically.
Now, after we look at those six, the next two we see, okay, here are the POS systems, so the controllers and terminals. So these are, of course, the favorite of financially motivated criminals. They, you know, lead directly to money. Lots of talk about this in the Verizon reports. Again, I'm not gonna belabor that point here too much, but I think it's well worth your while to pick up the Verizon reports and take a look at that stuff.
Okay, so we know what people perceive as being the weaknesses in their systems. We know what the attackers are going after. What's the timeline? How do these attacks occur? So here's something from again the Verizon report, DBIR, and it looks at the time span of events, this is again overall across all of the incidents they investigated, 2013 timeframe. Well, 2012 timeframe for the 2013 report. And what we see here is that [inaudible 00:13:19] just quite clearly it takes mostly minutes for an attack to occur, so that's that top line. It takes weeks or months for the attack or the hack to be discovered. And it takes weeks, generally, for it to be contained after it's been discovered.
So in fact, in the retail industry, their data come out this way. Sixty-five percent of attacks took minutes or less to perpetrate, okay. Ninety percent of them took weeks or more to discover. And 70% of them took weeks or more to contain. And we're certainly seeing that with regard to the Target attack and the Neiman Marcus attack and others. It's just very hard when you have such a distributed ecosystem to stay on top of everything that's going on. So it's not surprising that it takes a long time for people to discover what's going on. The fact that it takes minutes for the hack to be perpetrated is somewhat surprising, but we...if we look at other parts of the DBIR and other reports, we certainly see that a majority of attacks against both front line and back office asset are generally considered to be very low in complexity or difficulty, a low difficulty rating. You know, if this was an Olympic diver, they wouldn't get many points. And that's why it goes so quickly. That indicates, to me at least, that a lot of the basic blocking and tackling that folks need to do to prevent data breaches, that stuff isn't being done.
So, the other point I think that we get out of all of this is that we need to really understand that the attacks are gonna keep coming, that it's difficult to stop them, but we need to also work on our ability to discover when those attacks are occurring, what those attacks mean and start to contain them. And that's kind of the notion behind defense in depth, which, if you've been listening to any infosec discussions, a lot of folks talk about defense in depth, which is based on a military doctrine, and it basically states that we're trading space for time. So in this case, we're trading an asset for time. We recognize that some assets may get compromised, but we need to know about it, so that we have the time to react appropriately, and to contain it and to start to take care of the issue.
So the way that Verizon puts it is that the most important challenge in the security industry is the prevention is critical and we can't lose the sight of that goal, but we have to accept that no barrier is impenetrable. And the detection and response represents an extremely critical line of defense. So, one of the things among others that they recommend is that you stop treating detection and response as a backup plan in case things go wrong, and start making a core part of your plan.
So, what's the result of all of this? We're seeing a lot of alerts about POS systems being victimized. This is from the Verizon page where they have all of their data security alerts. And in the last 12 months or so, we've seen 6 major alerts coming out of VISA about different kinds of attacks against POS systems, against ATMs, etc. And it's gotten bad enough that we even have the U.S. government getting involved. Here's an alert from US-CERT. There was also a message put out by, a confidential message, put out by the FBI at the beginning of the year to many retailers, indicating that they expected the attacks against POS systems and retailers in general to continue. So it's really hit a level of urgency now that we really probably haven't seen before, or have been at least building into.
So, okay, let's kind of recap here. What are the three attack vectors that I've been talking about? Well, the first is this physical attack. The assets can get compromised by someone tampering with them, attaching beacons, or so on, so forth. Just last month, we saw a report about a very sophisticated Wi-Fi skimmer that was actually attached to pay at the pump systems in such a way that you, from the outside, you would never see it. Cyber criminals, or criminals in general, are using 3D printing technology now to create very sophisticated, very realistic looking skimmers. And in fact, another attack vector that we're seeing now, in Britain at the end of last year there was a gang that would install, or figured out how to put a USB stick into an ATM to compromise it with malware. So, the physical attack vector needs to be thought about.
The second area is the network attack. So examples here, hacking and malware, and all the stuff that we're commonly...that are just pretty common. The issue here that I really want to drive home is that it impacts not only these front line assets, the POS systems, the ATMs, etc. but also the back office assets, the controllers, the servers, and even desktops of individuals within the organization.
And then finally, that notion of the supply chain attack that I've been talking about. You know, the Target attack is a perfect example of that. In the defense industry they're kind of, they understand this kind of attack, and now we're seeing it in the retail industries and in other industries, where if I can't attack you, I'll attack one of your vendors, and once I compromise them, I'll use those credentials to get into your system and appear to be legitimate, and thus compromise you.
Now, I have a couple of images on the side here that I don't expect you to be able to read. They come from some really interesting articles that talk about a lot of these different kinds of attacks and all the various entry points. So we'll be sending you a copy of the slide deck tomorrow I believe, and the links will be included in there. The first one is from Merchant Warehouse, supplier of POS systems and so on, so forth. And the second one, the lower one there, is from an article in the Wall Street Journal back in 2011 that kind of investigated how an attack occurred against a store, and it kind of illustrates this supply chain notion, and also this notion of the front office versus, or the front line assets versus the back office. So, very interesting stuff and if you've got the inclination I would encourage you to try to find those articles and read them.
Okay, so those are the attack vectors that we want to look at. What are the impacts on the organizations? ...Here are some data from the Privacy Rights Clearinghouse. They look at breaches in the U.S. They've been doing so over the last, what, since 2005. The graphic here just gets you oriented. The x-axis is the year, going from 2005 to 2013, at least that's where the data are. That y-axis is the breach count, so how many breaches per year. And the size of the bubble indicates the numbers of records that were stolen as part of those breaches. And this covers the entirety of the PRC database, all types of breaches against all types of organizations across all years. So this is just an overview of all of the breaches.
So, one thing we can see from this chart is that the number of breaches per year is going up. I mean, you start down there in 2005 and you basically draw a 45-degree line up to the upper right. Now, part of that is probably the result of better reporting. And in fact, in a second we'll dive into that, but definitely part of this is better reporting. But I suspect that in addition to that, we're also seeing just really more attacks. It's an easier way to make money for cyber criminals. There's no risk, no physical risk. Oftentimes, if you live in a country with no extradition or weak laws, then it's easier to perpetrate and not worry about the consequences.
The other thing that I wanted to comment on here is the quantities. I mean, you look at 2013 there and you see it's 54, call it 55 million records stolen. That's a lot of records. They I think undercounted the Target breach there. They only had 40 million in there. I think it's closer to 110, so that number's gonna go up. Certainly, you know, on par with what we saw in 2007, you know, we're definitely seeing a lot of records being taken. It's certainly getting better, but we're still seeing a lot of records. And if you total this up in the 2005 to 2013 range, remember this is U.S. data only. If we total this up, it means that basically, over two records average for every man, woman, and child in the country have been stolen. So that's pretty scary.
So, let's break this down a little bit. Let's look at the data by organization type, and this is just kind of, you know, stacked bar charts, what can I say. Kind of qualitative look, if you will, at different numbers of breaches as we progress in years. The thing that we see here in the teal color, if I may, is that the number of reported breaches in healthcare going up. And that kind of gets back to what we were talking about before where the reporting is definitely a factor. Why is healthcare suddenly becoming, you know, hit on more often? It's probably more of the fact that under HIPAA and HITECH rules, healthcare organizations in the U.S. are required to report all breaches that impact over 500 records. And so you're just seeing a tremendous increase in the number of breaches reported. Mostly stuff that was probably going on earlier, just wasn't being reported. Now they're required by law to do so. We're getting a better picture of what's really going on out there in the world.
And remember, when I talk about healthcare, I kind of come back to some of that initial data that I was taking about from Verizon, where a lot of those attacks occur via POS terminals and servers...So we can also break down this data by looking at the number of records, and that's a very different story. And we see in 2007, 2011, and 2013, retail lost a tremendous number of records. And I think if I remember correctly, overall, they contributed something like two-thirds of the records in the PRC database.
You know, here we see contributions from, if you want to use that term, from Hannaford breach, the TJX breach, the Target breach, of course. We see in 2009 the impact of the Heartland breach which was a financial organization, and also the breach against the VA, a governmental organization, that lost some backup tapes with a lot of data on them. And we see that impact there in 2009. So, you know, the impact on organizations is tremendous. You know, lost a lot of records. What's that mean to the organization itself? Well, our friends over at the Ponemon Institute do a yearly research study into the cost of a data breach, and they look at it in a very pervasive way. I mean they look at all of the direct costs that you might be encountering. The costs of notification, the fines, the cost of replacing cards, the cost of fraud, the cost of fraud prevention, but also the indirect costs. Things like the cost to your reputation, the customer churn that occurs.
By customer churn, what I'm talking about is study after study shows that customers say that if a company has been breached, they're less likely to do business with that company going forward. And so you lose customers, and then you have to spend time and effort and money to try to regrow the organization. So we see a tremendous number of costs associated. We see that, you know, it kind of peaked in 2010 at $214 average per record across all industries. This varies. In the financial sector, it's much higher. In the healthcare sector, it's much higher. Retail tends to be a little lower. Out of in the 2012 timeframe, we see that it's a $188, out of which $60-ish is direct costs, and $128 indirect. And, you know, $60 per record, what'd we say for 2013, around 55 million records. So that's a big chunk of change.
How good are these data? Well, that's a good question and we certainly, you know, this is a study done on people who have been breached, and, you know, it's gonna be good to a certain level. However, if we look at a one very public breach that occurred couple years ago, 2012, against a financial clearinghouse called Global Payment Network, GPN, and you'll dig into their SEC filings, what you find out is when it's all said and done, it cost them exactly $60 per record in hard costs.
So, I take these numbers pretty seriously. I think they're a pretty good representation of what the costs of a data breach against an organization really are. Now, this is likely to change as we move forward. You know, there's a lot to talk about moving to the EMV, the Eurocard, MasterCard, and VISA card standard, what we call chip and PIN, the U.S. being the only country in the world that doesn't actually have that propagated, which is estimated to cost about $8 billion overall to various segments. Retail stores are gonna have to upgrade their POS terminals. You know, the payment cards are gonna have to change, your online, your mobile, all of that stuff's gonna have to change.
There's also a lot of talk about how we're gonna split up these costs. Now, traditionally the banks have ended up eating these costs, but they're getting to be less amenable to that, shall we say. And, in fact, recently a couple of organizations, the financial services roundtable, and the retail industry leaders association got together and are beginning to put together the framework of how to deal with the cost of data breaches moving forward, which is likely to change the environment that we're currently seeing, and retailers can expect that, you know, this is going to impact their bottom line. There's also a lot of talk about the impact of the interchange cap, which limits fees on credit cards and debit cards and so on so forth, the so-called Durbin Amendment to the Dodd-Frank Act, that's going to also impact the environment that we are looking at going forward.
And, you know, of course, every year, we hear talk about federal legislation in the U.S. to deal with data breaches. You know, what is it, 47 states and territories in the U.S. have some sort of data breach notification rules and data privacy rules. You know, California started that trend. Massachusetts took it to another level when they passed their regulation that said that basically if you hold data of someone, of a Commonwealth citizen, and that data is breached, then you're liable no matter where you're headquartered.
Other states have taken that tack too, such as Texas. But it's a patchwork of legislation, and there's been a push every year for some sort of federal legislation, so that we have some hominization and some common guidelines against which to work. I've quite frankly been a doubter, that that's gonna happen given the realities in Washington, but I gotta say, with what's going on with Target and everything else, you know, who knows, maybe we're actually going to see that. And then the final thing I think that we need to think about when we look at costs are, you know, the implications on PCI. I haven't talked much about PCI. Obviously, PCI is very directly involved when we're talking about payment cards. We just saw the release or implementation of version 3. It's on a three-year cycle, so in theory the next one shouldn't be implemented until 2017. I have to wonder whether we're not gonna see changes made in PCI coming more quickly than the current schedule.
Okay. So we've spent some time talking about the attack vectors. We've talked about the costs and the impacts on an organization. You know, let's not give in to despair here, let's talk a little bit about what we can do about it. What security measures can we take? Now, PCI has a good set of recommendations, or actually regulations, requirements in their document, and like I say, version three just came out, or just got implemented. They talk about things like requiring strong passwords. Pretty much a no-brainer. But if you go back to that article that I mentioned in the Wall Street Journal, one of the things you hear, or you read in there is that the system that allowed the hackers into the network had a default password associated with it.
So, you know, it seems like a really simple thing, but, you know, apparently it's not being done. And that's why it's in the regulations. It really needs to be done. And there are a lot of other things in there like segmentation of your assets, firewalls, and other basics. You know, reducing the amount of data you store. You know, there's the whole movement of card on file. I mean every time I place an order online or by telephone, they, "Do you want to put your card information on file?" Well, that means they're gonna store it. Well, if they're storing it, they're increasing the number of assets that need to be protected, and on a personal level, I don't like it. And if I was the organization, I would be taking a very close look at that balance between customer convenience and security, and the level of risk that you're taking on by providing that convenience.
There are also a lot of advanced tools that are being talked about, and we'll look at those later, but I think what I really want to start off with is let's talk about defense in depth. I mentioned this earlier. This is, you know, basically the notion of applying multiple layers of defense to protect, and to trade space versus time. So think about sentry outposts that are designed to alert central command if there's an attack underway. That is part of a defense in depth kind of notion.
Now, in information security, what it means also is having multiple technologies that overlap, if you will, that provide different kinds of protection. So one of the misunderstandings that I see out there a lot is that, "Well, defense in depth, I gotta have multiple defenses. Okay, I'll buy, you know, two different AVs, because if one AV misses it, another one'll pick it up." Not really defense in depth. Need to have multiple integrated technologies that take care of attacks at different levels in different ways, and need to be done in such a way that if one is evaded, eluded, whatever, that the others can have a chance of at least detecting that the attack is occurring, and reporting that, and allowing the organization the time required to investigate and contain that attack.
The other thing about this is, you know, it's not just technology. It's about your people and your processes also. Your processes need to be set up in such a way that you're likely to find attacks when they're occurring, so that you can respond and contain. It doesn't really do any good, I think that it's obvious, it doesn't do any good to collect a lot of log information if you only look at it once a month. Because then you kind of fall in that timeline issue that we were talking about earlier.
And then on the people side of things, you know, the people at your frontline. They're the ones who are gonna be, you know, phished. They're the ones who are gonna be getting the email, with the poisoned attachments, and stuff like that. So, we need to think about them, too.
So, successful risk mitigation really starts with a very solid vulnerability management, remember the issue of OS vulnerability we talked about at the beginning. And then adds other layers that go beyond the traditional blacklisting approach. And, of course, you need to consider both network and physical vectors.
So, you need to protect against physical attacks, using some sort of device control system technology. This can prevent things like if somebody tries to add a Wi-Fi beacon to a motherboard that those drivers will not be allowed to run, and so the beacon won't work. You need to, in addition, there's obviously things like making sure that the assets have some sort of tampering evidence, you know, stickers or something like that, so that if they are tampered with, it's noticeable. You need to make sure that if, you know, back to that attack in Britain against the ATMs where people were using USB sticks, you need to make sure that USB sticks, you might need them for repair and service perspective, but you wanna make sure that you're only allowing the certain types of sticks by certain people.
So, on the physical front, you can protect both front line and back office assets, and then this feeds into that whole supply chain notion. So for an example that comes outside of the retail industry, the Stuxnet that everybody knows about, the way that that virus got into a completely isolated nuclear processing station was by a USB stick that attacked a computer that sat at somebody's home, got onto a USB stick that the person took to work and plugged into their highly secure isolated system. So this another example of that supply chain, both, you know, front line asset to back office, and the bigger supply chain of your vendors and yourself.
The next area would be against network attacks. A lot of these attacks, I mean, you know, no matter what kind of hack it is or what kind of malware's being used, ultimately, the cyber criminals are gonna have to install some sort of malware on the box that has to do the job of collecting the information, compressing it into some sort of file so that it can be exfiltrated. And in this regard, you want to have some sort of way of making sure that files that are not allowed to operate or not expected to operate are not allowed to operate. This technology's called whitelisting. And this is especially important in areas where vulnerability management no longer is really an option. Again, I go back to the Windows XP, and the support, EOS, that's coming up very quickly.
So whitelisting becomes a very important part of your defense in depth, because it also works in a very different way from your AV or your blacklisting approach. Your backlist approach says, "Hey, if you're on the list, I'm not gonna let you run." So kind of, you know, the blacklist at the bar, you know, you caused a fight last week, we're not gonna let you in the bar.
The whitelist is a very different, more proactive approach, which says, "Hey, if you're on the list I'm gonna let you in the bar." It's that VIP list, right? Much easier to manage. In 2013, the last three months of 2013, of roughly 8 million new pieces of malware created every month, so roughly 160 per minute, versus a whitelist, a typical endpoint, and I'm talking about desktops here, 26,000 applications, or files, within your applications. So you can create a list of 26,000. Here are the things I'm gonna allow to run, or you can create a list that's growing by 8 million a month.
You can see why the AV list is a little less useful these days. Not useless. Not saying that. And before I get a bunch of questions on that, you know, certainly not useless, but certainly needs to be augmented or complemented by a whitelisting approach. And again, this is, you know, something you want to have contemplated for your front line assets, the ones that are supposed to be locked down anyhow, and then also for your back office stuff, especially things like servers, again, stuff that doesn't change very often.
And then finally, you wanna protect against your network attacks on the back office stuff, you know, no matter how, if it's a direct attack or if it's via the supply chain like the Target attack, with a suite of controls that supply all of this stuff. Now, I know I'm gonna get an immediate question...might take another minute. What about RAM scrapers? So a lot of these malware that we're seeing today that are all in the news are RAM scrapers. So they're scraping the memory of the POS systems. So while the card data is, you know, "in the clear," they're taking that data and putting it into a file that they then later ship off. And that's a very important thing to consider, because a typical AV will not work against that. You know, most of your defenses won't work against that.
So in this regard, I would suggest you think about the fact that when the file, or when the data has been grabbed in the RAM, in the memory, it has to be put in a file and then that file has to be shipped off, what we call exfiltration. And that requires some sort of executable. So if you have whitelisting, you prevent them from finishing the job, so you've neutered the attack. In addition, there are technologies out there today that will prevent reflective memory injection, which is a way of injecting an attack straight into memory, particularly useful on your servers and other things that are always on. By having that technology in place, you now provide another layer of protection against these sorts of RAM scraper type attacks, so something to investigate and put into your arsenal.
...So, here's a chart, going back to what I showed earlier, this is the retail report from the IHL group. Looking at the types of technologies organizations use today. Tier one is 1 billion and above organizations, and they've actually split out the 5 billion and above here. Tier two is 500 million to 1 billion, and tier three, 250 to 500, and tier four is 250 and below. So what's interesting here to me is that you see that a lot of folks, of course, are using AV, which is what we see in the general data, but it's not nearly what we see in other surveys when we do general surveys.
In the retail industry, we see on average around 57%, versus, generally, I see numbers in the 90s. We contrast that with the second column here, which is looking at whitelisting. So manage and allow only preauthorized programs to load and run. That's whitelisting. Whitelisting's being used more in the retail sector than anywhere else. It's very interesting. Generally, numbers I see are down in the high teens, twenties, something like that. Whitelisting technology is both very old and somewhat new. It's been around when I was doing computing back when we still used stone tablets, but it kind of went out of favor with the PC revolution and everything else, and now it's starting to come back. And we're seeing that here that folks have definitely embraced it as they go forward. And certainly they're using it for both, you know, fixed function assets and for back office stuff.
So, what's the result of all of this? Well, I'm gonna go back to that timeline, kind of this is the "is" condition, right? We see that the compromise takes minutes. It takes months to find it, the compromise, and then takes, well, I drew to days, but it's generally weeks before the attack is actually contained. So I drew, you know, what that's kind of what we were talking about earlier. That's today's situation. What we want to work towards is this, where the difficulty of the attack is high, and the time that it takes for us to find it and contain it is low.
Now, I know I'm gonna get a question immediately, why is this ideal. That's, you know, we dare to hope, right? Dare to dream. Yeah, as I said earlier, the ideal would be a no breaches, but that's unrealistic. We need to expect that we're going to have breaches, and we need to set up our processes in such a way that we're able to handle those breaches when and if they do occur. This then allows us to reinvest the savings that we, you know, the costs that we avoid, and reinvest that into more business-oriented strategic initiatives that help build the organization, build the business, and build the bottom line.
So, with that, I'm done with the majority of the presentation. I've saved a few minutes here for questions. Let's see here. Before I get into questions, let me just point out that what you're seeing on the screen right now is, Lumension has several free security scanning tools that you can download. The first tool there is the Application Scanner. It will scan your network for all the applications that are currently running, and give you an idea of, you know, for instance how many XP systems do you have out there? Do you know about all of them? Can you lay your hands on them all? What versions of Java are running? Java is, you know, commonly exploited at the moment, and is a big problem. There's multiple versions, sometimes organizations have to use an old version. Do you know what all versions you have?
As you dig into the data you can find out what systems have the most unknown files on them. These systems might warrant some additional investigation. In addition, we have a device scanner that lets you look at all of the physical devices and ports that are being used in the organization and determine if those are all legit. You know, do you have additional Wi-Fi signals running around? That might not be what you want. We got a couple of reports on offer. There's a report on targeted threat protection for POS systems. You see the URL there. We also have a couple of reports done by a third party, the Tolly, who looked at application control at a system level, and looked at the system impact and the cost impact of running AC, application control, or whitelisting, versus antivirus, or blacklisting.
Very interesting reports, they did two studies, one on clients, so desktops, workstations, and so on so forth, and one on servers. If you are thinking about whitelisting or curious what the impact is, I suggest you go over to Tolly and download those reports. And of course, if you want to download a version, a trial version of our software, you see the URL there. You can download either a virtual or an actual physical download of our software and get a better understanding of how we can help you protect your assets.
With that, let me go to questions. Let's see, number one and two and four, it looks like, yes, a copy of the presentation will be made available. We'll be shipping a copy of the on-demand version of this webinar and the slide deck itself, so you can get a closer look at some of those graphics that I put in there.
So, let's see here. Somebody asked about do I know of any good resources for...Okay, so some good informational resources that they can leverage to talk about what sorts of problems, what sorts of threats are out there and so on, so forth. Yes, absolutely. Definitely, I showed you some of the CERT information from the Computer Emergency Response Team. Certainly, that's a very good source of information, along with the DHS. So they provide some really high-level macro view, these are big issues, things that you really need to be thinking about. So from a threat perspective, those two good sources of information. I also showed you the alerts coming out from VISA. I'm sure the other card issuers are doing that. I've seen alerts coming from specific banks about problems with cards being hacked and so on and so forth. So, you know, definitely explore with your vendors, your issuers, and so on, so forth what sorts of information they have. Get on their RSS feed or in their email feed or whatever it is.
I've also seen alerts coming out from POS vendors, so your hardware vendors and your software vendors. Certainly a good source of information if they know something's going on that you need to be aware of that would be useful, good information to have. And then, of course, your security vendors. Good source of information. If you want to see what sorts of threats are out there, who else is being attacked in your industry, etc., etc. If you want to go to the Lumension's information source, it's www., oh actually, I don't think you need the www. It's just leic.lumension.com. That should take you to our endpoint intelligence center to give you information about attacks and vulnerabilities and the types of malware that are out there. So I hope that helps with that information.
Let's see. "What about restricting internet?" Yes, very good question, absolutely. One of the recommendations that you see over and over again when dealing with POS systems is that your POS system should be isolated, should be separate, and you don't necessarily want internet access from there. You don't want to mix the sorts of things that you're doing with that box to minimize the likelihood of that box being compromised. The reason is that right now the bad guys, well, anybody can scan the entire internet in basically a couple hours. And they can scan the internet for, you know, running programs. And if your box is internet-facing, and they find that it's got a particular program on it, now they can start to explore that and see if you've got any common vulnerabilities. So this is part of that kill chain thing I was talkxing about earlier. Very definitely an important step, and I'm pretty sure that everybody you talk to will tell you to, if it all possible, you really need to try to do that.
Let's see here. Let's see, another, oh, it's kind of related note, "What about remote POS attacks?" Yeah, very definitely, you know, another big issue. A lot of the POS systems are set up in such a way that the vendors can remote in, so that they can get data, they can do, effect repairs, etc. remotely. Great customer service, but a vulnerability, and so if we go back to that article that I was talking about from the Wall Street Journal, you know, where the remote access was a default password, "POS" was the password. That led to the system being compromised. So there are a lot of vulnerabilities, you want to, you know, make sure that you are verifying that all the Wi-Fi signals, there's connections in your network are secure. You want to avoid, you know, making the Wi-Fi signal that you're using obvious.
The TJX hack was basically started via a Wi-Fi signal that was open, a port that was left open, that allowed the bad guys to get in and that port was, or that signal, the connection was named in such a way that it was obvious whose signal it was. You want to institute a lockout system or a, you know, a way of making sure that if there's certain number of failed password attempts that the system's locked down. You know, I come back to passwords, of course. And along with making sure you don't use default passwords, make sure you use some, what's called a strong password. You know, you see advice from folks like Microsoft that should have upper case, lower case, numbers, and characters. My singular advice on that is make it long. Longer is better, no matter what kinds of characters are in it. Shorter is worse. So whatever you can do to create long passwords is better.
And, of course, you wanna update your systems. Some of this basic blocking and tackling we talked about earlier, patching the systems, and making sure that your configurations are set up, because that's the way that most of these hacks occur. And again, coming back to that data about the low difficulty of the attack.
So with that, I'm right at the top of the hour, so I'm going to let everyone go. Thank you for your questions. For folks whose questions I didn't get to, I will pick them up later. If you have any questions, you can send me an email at [email protected] Thanks for your attention. Have a great day.