VPN might not be enough to secure your POS systems
A recent alert issued by FS-ISAC warns retailers and financial institutions to review and improve their remote access security policies. The recommendation - put out by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Retail Cyber Intelligence Sharing Center (R-CISC) and the United States Secret Service - includes security controls and steps to be taken when providing access to vendors and other third parties. Because network security is a major concern of many Netop customers and partners, we wanted to share some of the recommendations included in the report.
Over the past year, cyberattackers have utilized four main exploitation tactics:
- Unauthorized access using remote access tools
- Exploiting vulnerabilities in commercial applications
- Email phishing
- Unsafe web browsing
The first of these - attacks through insufficiently secured remote access points - is the primary concern of the alert. Because many retailers rely on third-party managed service providers to maintain their POS systems, VPN and other remote access tools are used throughout the industry. These access tools are only as secure as the credentials that are used to log in to them. The alert recommends that retailers evaluate their current security policies and readiness for cyberattacks.
Among the recommendations in the alert:
- Internal remote access users should be required to periodically change their login credentials.
- Group accounts and passwords should never be used.
- Multi-factor authentication should be required to gain remote access, for both internal users and vendors.
- Access rights for vendors should be customized to specific network components or devices.
At Netop, we've worked with some of the world's largest retailers and financial institutions to ensure that their remote access solution complies with their security policies. Netop Remote Control is their choice for achieving secure access to POS systems because of our advanced security features, including multi-factor authentication, thorough logging and the ability to customize user roles and rights. We'd be glad to visit with you and help your organization make sure your remote access strategy aligns with your security standards.