Securing corporate networks against insider attacks is a difficult challenge, to be sure. But how do you prevent such attacks on 1.5 million ATMs worldwide? That's the job of Jim Kirkhope, global manager for ATM network security at NCR, who sees it as an inside-out proposition and one that doesn't necessarily include traditional security software.
There are established ways of locking down desktops and servers. How do you secure a network of ATMs?
With ATMs, the real threats are the insider threats. We have a number of things we do. The majority of the ATMs are Windows-based now. We lock the machines down to the NSA guidelines and use the XP firewall. But, really, you're never going to keep an eye on them all. There are a lot of people out there maintaining ATMs; a lot of people are touching these machines.
What led to your decision not to integrate antivirus on your ATMs any longer?
My feeling: AV was AV was AV. They all did the same thing. When we shipped our machines, we would integrate what the customer wanted. But in the security industry everyone is answering a point problem, and my feeling was that no one was tackling the root cause. We found a product that was philosophically aligned with us. I prefer securing from the inside out as opposed to building a wall. They're addressing the root cause, which is the ability to run code that wasn't authorized.
How did your customers react when you told them you weren't going to integrate AV into the machines any longer?
The customer reaction in some respects was polarizing; but it was even before we did this. People had their preferences and you could get into religious debates about the finer points of each AV product. But an ATM, though it's a PC in the box, doesn't have the same threat surface. We don't have file sharing. We don't have Word documents, a lot of the things that viruses travel with. Some customers buy into it and some don't. But the truth is you still have to clean up the system before you lock it down anyway.
Do you think that we're going to see enterprises going without AV?
Well, we still run it internally, but it's the bane of my life. We've had discussions about it here. I've always been an advocate of saying, if you have a firewall and your network is protected, you can take worms and that sort of thing off the table. Pure AV, it's so resource-intensive. By the time you take out all the things that make it run slowly, it's not worth much.
Download the complete interview with Jim Kirkhope at searchsecurity.com.