alphaspirit - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Can application whitelisting help retailers improve POS security?

POS security continues to be a pain point for retailers. Whitelisting can help, but it can't fix the problem alone.

How practical is point-of-sale whitelisting as a security control against POS malware? Retailers are obviously failing to prevent attackers from accessing their environments, but is POS whitelisting technology mature enough and effective enough to use? And if so, why don't more retailers use it?

Application whitelisting is an administrative process that allows only pre-approved applications to execute in a system. It hardens the operating system (OS) and applications to ensure only a trusted source can delete, add or modify executables. All other sources are blocked and prevented from entering the environment.

Application whitelisting categorizes everything as untrusted unless otherwise permitted each with its own set of privileges within an environment. Once trusted services, programs and applications have been vetted, POS whitelisting is an effective and proven method to control this environment.

Enterprises need to maintain a list of valid software within the network. They also need to perform regular software and application inventories for license agreements and services running on POS supporting servers, routers, firewalls, and actual POS workstations and devices. Although it's sometimes thought that application whitelisting and continuous monitoring precludes the need for antivirus or antimalware software in the POS environment, it is not actually the case. They need to be on each POS workstation and server for any insertion of malware.

Typically, whitelisted environments are more secure and more accurate. They minimize false positives and are relatively easy to maintain and customize. While blacklisting -- which involves blocking a list of resources from access -- is easier to maintain and install, it also introduces potential for a large number of false positives, requires continual updates and makes it difficult to switch to whitelisting once installed.

On the other hand, listing authorized applications, programs, IP addresses and services while blocking all others requires more than allow or block. The access permissions must be more explicit. Whitelisting requires a methodology for defining and refining access rules. These rules need to be reviewed and validated on a regular basis. Take IP addresses, for example, where a set of IP's are permitted into the POS environment. If the IP addresses use a large number of masking characters, it is possible for hackers to whitelist their way into the environment. Although easier to maintain, masking increases the possibility of spoofing attacks. Specific IPs should correlate to specific allowed applications, programs and services. Dynamic Host Configuration Protocol (DHCP) for POS devices should also be discouraged for similar reasons.

So what can be whitelisted in a POS environment? Whitelists should include the following: known individual or groups of static IP addresses; services allowed to run on POS supporting servers and workstations; ports allowed entry; network equipment that will discriminate trusted against untrusted access and known applications permitted to run on each device.

Whether whitelisting alone is a sufficient POS security measure is questionable; no one control is absolute. Whitelisting is one of five controls recommended by the Council on Cyber Security (CSC), and should be used in conjunction with the other controls, which include:

  1. Application whitelisting;
  2. Use of standard, secure system configurations;
  3. Patch application software within 48 hours;
  4. Patch system software within 48 hours; and
  5. Reduce number of users with administrative privileges.

Whitelisting is one of the preferred and best practices for securing the POS environment, so why don't more retailers use it? It could be a combination of reasons, one of which is they are already committed to blacklisting. Additionally, converting to a whitelisting approach is costly and requires significant effort they may not currently be in a position to spend. Another reason is apathy. They do not consider themselves a big target for hackers, so their perceived risk is low until they become hacker fodder. Security assessments and audits continually find vulnerabilities in design, deployment, configuration and protection schemes. These typically reflect an environment that lacks sufficient controls to achieve proper protection. Conversely, one can over control such that it inhibits growth, affects performance and reduces productivity. Consider whitelisting along with the CSC controls for your environment and make the right choice.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

See what endpoint management lessons your organization can learn from POS security breaches and how whitelisting can be used in endpoint protection

This was last published in July 2015

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments