How Next Gen Firewalls are Increasing Your Business Profitability

Shrinking or flat IT security budgets and headcount: this is what many organizations of every size face daily, while security threats and compliance requirements continue to grow and become more complex.

In response, many companies have implemented single-purpose security solutions on a reactive basis. For example, they might have started with a traditional firewall to protect their network, then implemented a web content filtering gateway, and then added a dedicated intrusion prevention system (IPS/IDS). Each of these solutions can come at a high cost and requires its own specialist to administer and manage it; the overall total cost of ownership (TCO) goes through the roof! And these point solutions can leave gaping holes between them, exposing the business to potential security breaches and compliance violations instead of helping mitigate the risks: this can’t be!

The advent of faster hardware and multi-core processors has allowed the consolidation of once stand-alone security solutions into a single appliance – the Next Generation Firewall (NGFW). NGFWs provide dramatic improvements in protection versus traditional firewalls, particularly in dealing with today’s more sophisticated and rapidly changing threat landscape. They allow organizations of all sizes to do more with less and therefore save money!

In the UK, BSkyB’s mobile Wi-Fi service, The Cloud, needed to upgrade the content filtering it provided, as it was becoming increasingly difficult to scale the service and performance was at risk. The Cloud selected the SonicWall NGFW (SuperMassive 9000 series) with its content filtering service, which reduced upgrade work by 75 percent and ensured cost-effective Wi-Fi service performance, delivering twice the capability at a quarter of the cost. Going forward, The Cloud can also use the additional NGFW security capabilities at no additional cost, and benefit from more straightforward CapEx forecasting.

In Spain, Benetton looked to enhance store operation and productivity across the country by gaining better control of network connections between its stores and its head office. Efficiency is at the forefront of the company’s goals to deliver enhanced customer services at a lower cost.

The company chose the SonicWall NGFW to connect and protect its stores and achieve its business goals. By replacing a traditional firewall with NGFW technology, Benetton Spain ensures complete protection of its network while spending 39 percent less than with its legacy solution; this is critical to them, as they are able to fund new IT projects from the savings. Another key benefit of implementing an NGFW is in-store personnel productivity, thanks to the content filtering service and application firewall functionality: shop assistants can now access the Benetton Spain website and other sites that help them deliver a better service to customers. At the same time, users in the marketing department have access to a full range of sites, including social media, which they need for their job, while the network stays protected from potential cyber attacks. Also, as a retailer, Benetton Spain has to comply with numerous safeguards such as PCI DSS to protect consumer data and credit card details. Because the SonicWall NGFW provides IPsec VPN and a gateway AV service, Benetton Spain can tick the PCI DSS compliance box.

As these two examples demonstrate, the financial benefits of NGFW technology are real and tangible: improved employee productivity, better customer service, operational cost savings, budget freed up for other IT projects, and compliance requirements met.

The threat landscape is changing rapidly with new types of malware, and cybercriminals have become increasingly sophisticated and coordinated in their attacks. They are out to exploit every vulnerability, and if your organization is not taking advantage of the advanced protection offered by NGFWs, then you are at increased risk of a successful attack. Deploying an NGFW will provide the network protection you need, but it will also help you improve efficiency and save money you can re-invest in your business!

Ten Tips for Protecting POS Systems from Memory Scraping Malware

In the recently published 2015 SonicWall Security Threat Report, one of the observations on the evolution of attacks on POS systems is the rise in popularity of malware that uses memory scraping to steal sensitive data. No matter how many layers of encryption are applied to sensitive payment data and how carefully this encryption is deployed, at some point the primary account number and other sensitive information must exist in an unencrypted form in order to be useful. The moment that payment data is decrypted for processing, it ends up in the memory of the POS machine, creating a perfect window of opportunity for an attacker to snag this data. Advanced malware can use multiple techniques to access and scan contents of this temporary storage and look for patterns that resemble raw payment data. This data can then be used, for example, to clone cards for fraudulent purchases. This is exactly what happened in some of the high profile retail breaches of 2013 and 2014.

The ultimate goal of RAM scraping malware is exfiltration of the unencrypted data stolen from the memory of the infected machine. Such malware is therefore well hidden and tries to remain undetected for as long as possible in order to harvest as much data as it can. Mitigating the risk of being hit with such malware falls into two categories: pre-infection best practices to avoid infection, and post-infection best practices to detect and control the attack.

Pre-infection best practices

Protecting yourself from new advanced attacks must always be done on top of executing on the basics, which reduce the risk of critical systems such as POS terminals being infected by any malware.

  1. Keep the OS and applications on POS systems fully patched. Most patches are security related, so ignoring them only opens up a larger window of opportunity for attackers.
  2. Firewall off the POS network from the rest of the network with strong (i.e. bare-minimum access) access policies, backed by Intrusion Prevention and Anti-Malware.
  3. Use strong, non-default passwords that are not shared between systems or people.
  4. Deploy and enforce endpoint anti-virus as a last line of defense.
  5. Encrypt traffic between sites and systems using VPN tunnels.
  6. Enable protection against MAC spoofing within the POS network and for critical systems with which the POS terminals communicate.
  7. Lock down remote access to a pinpoint level of access. Do not allow full L3 tunnels into sensitive networks, and use remote access tools that verify the integrity of the remote host before granting access.

Post-infection best practices

A good approach to evaluating your network security stance is to assume that you will be infected at some point in the future and to design processes that allow you to detect and control the infection. In the context of memory scraping malware, the ultimate observable behavior will be communication with non-trusted hosts on the internet. It may not be immediate and it may not be in bulk, as the attacker may want to put time between the act of infection and the act of data theft. However, sooner or later, the attacker will need to get the stolen data from the POS systems into his or her possession. This may happen naively via direct communication, or via more sophisticated methods such as using another compromised system outside the POS network, but with a connection to it, as a gateway. That system may reside in a network that is observed less strictly than the POS network, and on which communication with random servers on the internet may not raise alarms.

There are several key technologies that can help you detect or neutralize this data exfiltration:

  • Don’t allow direct communication with the internet from the POS network. This locks down allowable communications and will block and detect naïve attempts at data exfiltration. For processing purposes, payment data can be sent via an encrypted tunnel to another trusted server (or servers) on the network, outside the POS network, and from there via another encrypted tunnel to the processing server. Communication between these systems should be whitelisted by the firewall via ACLs, with all other traffic (besides perhaps management and updates) blacklisted.
  • Deploy Geo-IP and Botnet filtering on all networks. Lock down communication from sensitive systems to only the locales they need to communicate with (if your processor is in the US, why would your POS data need access to and from Europe, Asia, LATAM, etc.?).
  • Configure DLP and SSL Decryption to detect credit card type data leaving the network in plaintext or inside SSL tunnels to unknown internet hosts. In other words, only allow such data to flow to the card processing servers known to you. Communication of such data to any other system on the internet should be intercepted, logged and investigated. Deny any SSL communication from sensitive networks that cannot be inspected because the endpoint does not accept your NGFW’s SSL inspection certificate.
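As an added illustration of the egress whitelisting and DLP checks above (example code written for this article, not a SonicWall feature or configuration), the following Python sketch applies a whitelist-only policy to a POS subnet and flags Luhn-valid card numbers or track-2 data headed for any host that is not a known processor. The POS subnet, processor addresses and flow records are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed policy: the POS segment and the only processor hosts that
# card data may be sent to (hypothetical addresses from documentation ranges).
POS_NET = ip_network("10.50.0.0/24")
ALLOWED_PROCESSORS = {"203.0.113.10", "203.0.113.11"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track 2 layout: PAN '=' expiry (YYMM) ...
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list:
    """Return the Luhn-valid card numbers found in a plaintext payload."""
    found = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify_flow(src: str, dst: str, payload: str) -> tuple:
    """Decide (action, reason) for one outbound flow seen after SSL decryption."""
    if dst in ALLOWED_PROCESSORS:
        return ("allow", "whitelisted processor")
    if find_pans(payload) or TRACK2_RE.search(payload):
        return ("block", "card data to unknown host: log and investigate")
    if ip_address(src) in POS_NET:
        return ("block", "POS egress not whitelisted")
    return ("allow", "no card data, non-POS source")


# Constructed sample flows: (source, destination, decrypted payload).
SAMPLE_FLOWS = [
    ("10.50.0.21", "203.0.113.10", "PAN=4111111111111111 exp=1217"),
    ("10.50.0.21", "198.51.100.77", "POST /u data=4111 1111 1111 1111"),
    ("10.50.0.22", "198.51.100.77", "GET /update.bin"),
    ("10.20.0.5", "198.51.100.77", "id=4111111111111112 ok"),
]


def audit(flows=SAMPLE_FLOWS) -> list:
    """Run the policy over a batch of flows and return the actions taken."""
    return [classify_flow(s, d, p)[0] for s, d, p in flows]
```

The fourth sample fails the Luhn check, so a non-POS host sending it is allowed through; the same digits from a POS terminal would still be blocked by the egress rule.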

Firewalls occupy an extremely valuable piece of real estate on any network, since all Internet-bound traffic must pass through them. When properly deployed, next-generation firewalls play an important role in reducing the risk of advanced malware infection and data theft in POS networks. To find out more about the capabilities of state-of-the-art NGFWs from SonicWall, read the eBook “Types of Cyber-Attacks and How to Prevent Them.” Follow me on Twitter: @threadstate.