Blog: PCI Advice

2×4 Security

Martin Smith 07 Feb 2020

I had someone at the house recently, talking about physical security. We have all the usual stuff like alarms and CCTV, locks on the windows and doors but the aim of the exercise was to have someone who is familiar with attacks vectors (physical security in this case, but the principal applies to all types of security practices) to take a walk around and review it.

The patio door is a favourite of attackers, and a sliding type has a relatively weak locking mechanism. There are a few options out there for better locks, different secondary locking mechanisms and vibration / motion alarms on the glass (he didn’t feel our laid-back Terrier cut the mustard!)

His recommendation was simple. You can put all the controls in the world on that door, but slapping a strip of 2×4 wood in the gap where the door slides open defeats most attacks short of breaking the glass.

A simple control with a lot of impact.

It doesn’t have to be difficult…

We see a lot of high jinx heist movies with elaborate attacks through the air vents, or Tom Cruise coming down from the ceiling on a rope (Toast!) but the reality is often very different. Find a relatively simple exploit and sneak in (usually) undetected.

Stories have hit the press regarding ‘Mage Cart’ overlay attacks, and how hard they are to detect. They will often be in the environment for months, as the actual payment processes as normal. The customer received their goods and is none the wiser.

It takes the card issuers to ‘spot’ fraudulent activity for multiple card holders, and then track that back to a common point of interaction. At this point you get the phone call that you may have been hacked.

The fundamental point here is that all these elegant attacks, started from source code modification. Someone got in and changed a file and it went unnoticed.

Particularly in the PCI space for Credit Card processing, go beyond the basic controls that are required for compliance such as SAQ-A for E-Commerce:

  • Patch it (operating systems / CMS and ANY OTHER SOFTWARE)
  • Anti-virus (yes even Linux!)
  • File-integrity monitoring
  • Strong passwords / Multi-Factor Authentication
  • Hide your admin page if it faces the internet from defaults

Shut the door, before the security has bolted….

For many attacks including trojans and ransomware, the very first thing they will do is dial home to their command and control (C+C) servers. If they are not able to make contact, they will often go dormant or delete themselves. There is no point in encrypting a server if you can’t exfiltrate the key to sell back to the victim for bitcoin once the files are encrypted!

Rather than investing in complex Intrusion detection or many-layered anti-malware products, have you looked at your servers and checked if they can browse the internet? With central updates such as Microsoft Update or Linux repositories, and specific locations for anti-malware updates there is no reason not to whitelist all outbound access.

The 2×4 solution here, is to block outbound internet access by default. It will stop most attacks before they start. Don’t forget to check things like outbound DNS rules are to specific servers. The Dreaded Destination=ANY for DNS on the firewall could allow an attacker to masquerade outbound communications as an innocuous DNS request.