New TNS IP Payments Security White Paper
Description
This new white paper considers the risks inherent in moving a payment transaction network away from a traditional dial, X.25 or frame relay network to an open IP network. The document considers a range of security measures, including understanding the risks of moving to IP, protecting from DDoS threats, holistic network security, equipment, personnel and process, as well as securing against hacking attacks.
Transcript
White Paper
Bridging the Security Gap for IP Payment Networks
Contents
Executive Summary
Are You Prepared for the Risks Of IP Network Migration?
Problems with IP-Based Transaction Networks
Distributed Denial of Service Attack
Understanding the Risks
Securing IP-Based Transaction Infrastructure
It Comes Down to a Focus on Security
Learn More, About TNS
Executive Summary
Moving your card payment transaction network from the
walled garden of X.25, frame relay and dial networks to
an open IP network and the public Internet reduces costs,
simplifies your business, and helps create new business
opportunities to generate revenue.
But does a cheaper communication path also
expose your business to more risk? Or, are the
risks involved in moving to an Internet-based
transaction infrastructure, such as the impacts
of breaches and lost customer goodwill, too
great to even consider?
But a cheaper Internet-based communication path can
also expose your business to more risk. How will your
business be impacted if this increased exposure results
in a serious data breach or a significant disruption in
service?
With the right infrastructure, people, and equipment,
payment service providers can take advantage of the
public Internet and enjoy significant savings over closed
or guarded X.25, frame relay, and dial solutions. By moving
to IP, you can consolidate networks, simplify topologies,
and save money.
But, to take advantage of IP for transaction networks,
several steps must be taken to ensure your network,
equipment, people, and processes are up to the challenge.
Secure Sockets Layer (SSL) encryption is only the first of
many requirements for payment service providers to build
a payment solution that exceeds the level of security of
legacy systems and delivers on the availability, cost
savings, and openness of Internet-based infrastructures.
In particular, special care must be given to the choice of
network provider, as solutions to many of the challenges
with Internet-based transactions rely on leveraging the
power and security of cloud-based approaches to keep
your business up and operational during a hacking attack.
Are You Prepared for the Risks of IP Network Migration?
IP makes sense. If you are not leveraging IP as the primary
mode of transport for your payment transactions today,
you will be in the future.
And the reasons are obvious: IP is simple, ubiquitous,
resilient and very easy to deploy. The same network that
you use to carry e-mail, voice, and to surf the Internet can
be used to carry your financial/transaction data as well.
This results in fewer networks to manage and lower
networking costs for your business.
However, as payment processors and service providers
move from early trials and pilots to carrying the majority
of their payment transaction traffic over IP, many are
not taking advantage of the latest technologies and
approaches to build a network that is as stable and
reliable as their proprietary networks of the past.
In fact, many commercially deployed IP-based networks
today are simply not up to the challenge of global
large-scale deployments over the Internet. And, as these
legacy solutions begin to handle more and more of your
transaction traffic, the exposure to your business in terms
of risk increases exponentially.
To add to the challenge, the risks these networks face
continue to evolve. An acknowledged standard approach
today may become the security risk of tomorrow.
This evolutionary state of threats necessitates constant
vigilance with your IP security infrastructure, and the need
to create a culture of security that can continually adapt
to meet the challenges of the ongoing threats. If you are
relying on dated security measures, you are placing your
network at risk.
In this paper, we review the best practices for Payment
Service Providers (PSPs) and payment processors to build
reliable, highly secure transaction networks on an IP-based
network infrastructure.
Was Your Legacy Network More Secure Than Your New One?
Doing business on the Internet exposes your network to
a whole host of new criminal threats. PSPs and payment
processors in particular are key targets of these criminals,
as they carry key cardholder data and provide access to
large sums of money via the payment transactions that
cross their networks every day.
When your network was based on X.25 or frame relay, you
didn’t have many network security problems. In fact, these
closed systems provided security from what one might be
exposed to by using the public Internet.
First, the proprietary nature of legacy transaction
networks provided a gate that kept people with few
resources and capabilities out of the network. These
closed networks required proprietary equipment to enter
them — creating, in essence, a firewall that kept potential
criminals out.
Second, a specialized network only carrying transaction
traffic with proprietary systems was fundamentally
more expensive to attack and therefore less attractive
to hackers. Hacking into a proprietary network took them
to only a few places; the barriers to entry were high, and
the payoffs were low.
Businesses for years relied on these closed networks to
make transactions fast for their customers, to consolidate
their transactions back to corporate offices, and to make
the deployment of large-scale interconnections cost
effective.
But many of these same businesses did not realize that
they were also relying on their closed systems to provide
security against the general threats that exist against
all types of networks. All of these proprietary, expensive
technologies and specialized systems provided powerful
security against criminals.
Problems with IP-Based Transaction Networks
A transaction network based on IP is the opposite of
a closed or proprietary system. IP-based transaction
networks use common, off-the-shelf equipment, common
transport, and standard protocols (SSL and IP). Moreover,
the network is connected to an ISP network, and all the
ISP networks are connected together. This design enables
access to the public Internet, with its ability to lower costs.
However, this type of infrastructure removes virtually all
of the “security by obscurity” payment processors enjoy
in proprietary transaction network systems.
Payment processors and PSPs building IP-based
transaction networks need to replace the security benefits
that were inherent in the legacy infrastructure with new
solutions designed for IP-based networks. And they must
try to do this without significantly increasing costs.
How does a payment processor know it is secure?
The Payment Card Industry Data Security Standard
(PCI DSS) gives end users and PSPs guidelines on how
to secure and maintain the security of their infrastructure.
But, the PCI DSS is now updated on a three-year cycle, so
the guideline may not be able to keep pace with constantly
evolving threats. PCI DSS sets a standard for compliance —
it does not define the best you can do to protect your
network.
For payment processors and PSPs, the PCI DSS does not
cover many of the issues they must address. PCI does not
cover issues such as DDoS attacks, and does not provide
any guidance to many of the specific issues that they face.
These organizations are exposed to significant threats
if they are relying on the standard capabilities of
off-the-shelf equipment to provide their overall transaction
security. Often, these products are secured simply
with SSL and are built on top of open source or other
commonly available operating systems, with little concern
to hardening their security or providing additional threat
countermeasures.
Many systems used in production environments by PSPs
and payment processors were built in-house and were
originally designed and deployed as trials or prototypes.
They were built quickly, inexpensively and without the
rigorous testing required to ensure they are as secure as
possible. Of particular concern are the components of
this type of equipment that can also be easily and
inexpensively acquired by criminals.
This gives criminals easy access to a test environment
they can use to design effective attacks against existing
production systems.
Relying on your equipment’s security and open standards
to protect your payment infrastructure is clearly not a
complete solution.
Hackers do not have to ‘succeed’ to be successful
Without adequate protections, a hacker leveraging
bandwidth alone can bring your network down.
If the criminal’s goal is to disrupt your business, this
can be accomplished without actually breaching your
network; they can simply flood your network with bad
data requests. Without adequate protections, you will
not be able to process transactions, and, as all payment
processors and PSPs know, any processor or service
provider that cannot process transactions will not be
in business for long.
Protecting against Denial of Service attacks is an area
where legacy networks shined. Legacy dial networks
are inherently Denial of Service safe. It was virtually
impossible to be denied a transaction over dial networks,
because if a port is down, the network simply dials to the
next one.
But with IP, a hacker focused on damage, not simply
financial reward does not actually have to be successful
to cause significant damage.
The move to IP-based networks reduces the
cost and level of effort required by criminals
to attempt to hack your network. For example,
a botnet that can be used to implement a
distributed denial of service (DDoS) attack
against a chosen target on the Internet can
be rented for a few hundred dollars a day.
Computing power and bandwidth can literally
be had for pennies, making it easier than in
the past to crunch the data necessary to break
encryption keys. And criminals from all over the
world can communicate, share information, and
help each other with techniques that make your
business more exposed than ever before.
Distributed Denial of Service (DDoS) Attack
As mentioned earlier, many off-the-shelf IP solutions
to this problem are inadequate. Your ISP may advertise
Distributed Denial of Service (DDoS) protection as a
selling feature to your business. But, once you look under
the covers, you typically find that the DDoS capabilities
of ISPs are designed solely to keep their core ISP network
up. The ISP’s focus is to prevent themselves from being
adversely impacted, not specifically keeping you and
your business up and running. So if you are depending
on your ISP’s DDoS system to ‘protect’ your network
(with techniques such as black hole filtering or
null-routing), all of the traffic destined to your IP address
may be discarded during an attack—both the bad traffic
and the good transaction traffic from your legitimate
paying customers.
The reality is that the Internet is a big front door and a
criminal does not have to actually come in; they just need
to knock a lot to disrupt your business dramatically.
One breach can literally mean the end of your business
The uncomfortable truth is the direct costs and the
reputational damage from an attack to a business can be
devastating. And while every business is different, consider
the implications to your business if you could not process
transactions from 10 a.m. to 3 p.m. tomorrow.
What would the financial impacts be?
Do you have service level agreements in
place with your merchants? And what about
your merchants? Would they move to other
providers? And most importantly, what
is the long term impact to your business’
reputation should you be breached or your
service becomes unavailable?
Payment security is big news, and when a corporation
has a breach or service disruption, it often gets spread
all over the news, not only exposing the flaw, but also
damaging the reputation of the business. For example,
Sony’s PlayStation Network was the victim of a DDoS
attack in August 2014, prompting much press coverage
and speculation about a repeat of the lawsuits filed as a
result of a 2011 security breach which cost Sony more than
$15 million. Ultimately, news on even the small breaches
and attacks get printed.
The costs of a breach can be devastating to your business
— not only the transactional costs, but also the loss of
goodwill and reputation. Given this fact, the overall
importance of ensuring the security of your IP-based
transaction network simply cannot be overemphasized.
Even if you have only IP-enabled a single payment
application with low volumes, the door from the public
Internet to your payment systems is now open, putting
your entire business at increased risk.
[Figure: an attacker compromises vulnerable systems to build a botnet; the botnet controller sends large volumes of traffic to overwhelm the victim network]
Understanding the Risks
So, given the risks, what are the problems that must be
managed in the IP context?
Distributed Denial of Service (DDoS)
A distributed Denial of Service attack is an attempt by
a hacker to prevent legitimate users of the service from
using the service. In practice, it’s a relatively simple thing
to accomplish. Criminals get a number of compromised
computers, known as bots, join them together to form a
botnet, and send traffic to one IP address all at the same
time. Botnets are available for rent online starting at a
few hundred dollars. A person with a small amount of
knowledge and money, could create a large amount
of damage with ease.
In 2014, a botnet took control of more than 162,000
WordPress sites which it then used to amplify DDoS
attacks against unsuspecting organizations.
The latest data from Verizon’s 2014 Data Breach
Investigations Report shows that DDoS attacks have
grown to an average of 10Gbps (bits per second) from
4.7Gbps in 2011. The number of packets on average is
now 7.8Mpps (packets per second), which is a massive
increase from 0.4Mpps in 2011.
PSPs, payment processors, and financial institutions can
experience multi-day outages from a sustained attack.
And as discussed, asking your ISP to solve the problem
may result in them simply shutting your entire service
off—not the best way to maintain high service quality
and availability for your customers.
Gateway spoofing
A type of man-in-the-middle attack, these attacks redirect
users through a third-party to steal or sniff transaction
information. These types of attacks can go undetected for
days, weeks or months, exposing potentially millions of
transactions and cardholders to the criminal.
In many situations, the only indication that a problem
has occurred with these sorts of attacks is a few
milliseconds of latency in the network. While less
common than DDoS attacks, man-in-the-middle and
gateway spoofing attacks pose one of the greatest
risks to payment processors and PSPs since they can
occur and exist without easy detection.
Denial of service is a concentrated attempt to impact
service by disrupting processing on the system. The goal
with denial of service attacks is to max out processors,
trigger unrecoverable errors, crash systems, or install
malware on systems, potentially disrupting network
services for a period of days or weeks.
Duration of Largest DDoS Attack
■ 48% 0–6 Hours
■ 11% 7–12 Hours
■ 5% 13–24 Hours
■ 15% 1–3 Days
■ 10% 4–7 Days
■ 6% 1–4 Weeks
■ 5% 1+ Month
Source: Arbor Networks, Inc. 2013
Denial of service attacks are especially troubling for
payment processors and PSPs who have built their own
proprietary gateways. Often these gateways are built on
top of common, open-source tools, and rely only on those
open-source components or commonly available
components for their security compliance.
If you think about how common problems are on the
PC, it is scary to think about a transaction network
being susceptible to the same problems. But, the fact is
most machines that are hacked are built on the same
core operating systems used on most desktops and
servers. This is particularly true for payment gateways
built in-house — these systems leverage commonly
available components without significant modification
and hardening that are necessary for higher security.
For processors, the risks of denial of service attacks are clear:
1. A compromised transaction network that cannot
process transactions due to equipment failures.
2. The network is null-routed out of availability by the
Internet service provider to keep the ISP network from
being affected.
3. A compromised transaction network that leaks
confidential information, increasing business liability.
In all cases, denial of service attacks and hacking
attacks must be addressed in any transaction
network deployment.
Securing IP-Based Transaction Infrastructure
As a payment processor, there are three main areas to
address when securing your IP-based infrastructure:
1. Your network — how does it function, what capabilities
does it provide, and how is it built?
2. Your people — what is their expertise, what procedures
do you have in place?
3. Your equipment — how is it maintained, how well is it
shielded from threats?
Your network equipment is important, but equipment
alone is not the magic bullet. Many things need to be
involved in the overall solution—from the client devices
to the transaction gateways to the network in between.
Everything needs to be managed as one cohesive unit
to ensure maximum security.
1. Your network
The network connection between terminals and
payment gateways is the most likely entry point for a
hacker. Therefore, your network infrastructure needs to
be up to the task of helping you manage, defend and
protect your network from criminals. While there are
several issues to consider, there are a number of best
practices payment processors and PSPs should leverage
when upgrading to an IP-based transaction infrastructure.
Operational Security Concerns in the Next 12 Months
■ 65% DDoS attacks toward infrastructure
■ 62% DDoS attacks toward customers
■ 57% DDoS attacks on services (DNS, email)
■ 48% Infrastructure outage (partial or complete) due to failures or misconfiguration
■ 44% Bandwidth saturation (streaming, over-the-top services)
■ 35% Botted/compromised hosts on service provider network
■ 3% Other
Source: Arbor Networks, Inc. 2013 (percentage of survey respondents)
Use a cloud-based DDoS mitigation solution that is transaction-ready and independent of your ISP
The goal of your DDoS, Intrusion Detection System (IDS)
and firewall solutions should be to protect your network,
while letting the good transactions through. This requires
specialized expertise and specialized configurations — not
the same, run-of-the-mill IDS and firewall solutions used
by corporations for securing baseline data networks.
A cloud-based DDoS mitigation solution should be
transaction aware and shut down distributed denial
of service attacks while keeping your transactions
processing and your merchants happy. A solution must
not only understand obvious threats, but also make
intelligent, policy-based determinations about whether
each and every packet is a good one or a bad one, with
the focus of keeping transactions up and operational.
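To make the contrast concrete, here is an added Python simulation (written for this page, not TNS code) of the two responses over constructed traffic: upstream black-hole filtering that discards everything bound for the gateway once volume spikes, versus a per-packet policy that drops malformed payloads and rate-limits each source. The terminal and bot addresses, packet sizes, rates and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float            # arrival time in seconds
    src: str            # source address (constructed)
    size: int           # bytes on the wire
    well_formed: bool   # payload parses as a transaction request
    legit: bool         # ground truth used only for scoring; the filters never read it


def build_sample_traffic():
    """Constructed traffic: 20 merchant terminals sending one 300-byte request per second
    for 10 s, plus 500 bots from t=3 s. Even-numbered bots send malformed junk, odd-numbered
    bots replay a well-formed request, all at 10 packets per second."""
    pkts = []
    for sec in range(10):
        for m in range(20):
            pkts.append(Packet(sec + m / 20, f"198.51.100.{m + 1}", 300, True, True))
    for sec in range(3, 10):
        for b in range(500):
            for k in range(10):
                src = f"10.0.{b // 250}.{b % 250}"
                pkts.append(Packet(sec + k / 10, src, 1000, b % 2 == 1, False))
    return sorted(pkts, key=lambda p: p.t)


def isp_null_route(packets, trigger_bytes_per_s):
    """Model of upstream black-hole filtering: once the inbound volume to the gateway in any
    one-second window exceeds the trigger, every later packet is discarded, good and bad alike."""
    volume = defaultdict(int)
    for p in packets:
        volume[int(p.t)] += p.size
    hot = [sec for sec, v in volume.items() if v > trigger_bytes_per_s]
    if not hot:
        return list(packets)
    return [p for p in packets if p.t < min(hot)]


def transaction_aware_filter(packets, per_source_pps):
    """Per-packet, policy-based decision: drop payloads that do not parse as a transaction and
    hold each source to a per-second packet budget so no single bot can consume the gateway."""
    budget = defaultdict(int)
    passed = []
    for p in packets:
        if not p.well_formed:
            continue
        key = (p.src, int(p.t))
        if budget[key] >= per_source_pps:
            continue
        budget[key] += 1
        passed.append(p)
    return passed


def score(all_packets, delivered):
    """Return (share of legitimate transactions delivered, share of attack packets delivered)."""
    legit_total = sum(p.legit for p in all_packets)
    attack_total = len(all_packets) - legit_total
    legit_ok = sum(p.legit for p in delivered)
    return legit_ok / legit_total, (len(delivered) - legit_ok) / attack_total


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for name, kept in (("ISP null-route", isp_null_route(traffic, 1_000_000)),
                       ("transaction-aware", transaction_aware_filter(traffic, 2))):
        legit, attack = score(traffic, kept)
        print(f"{name:18s} legit delivered {legit:.0%}  attack delivered {attack:.0%}")
```

The per-source budget still lets a slice of replayed requests through, which is why the paper pairs mitigation with transaction-aware inspection rather than treating rate limiting alone as the answer.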
Test your network regularly through the use of ethical hacking
Is your network regularly tested? Do you have dedicated
people on your staff tasked with finding new ways into
your network? Ethical hacking on your own internal
systems helps you find ways to make your network more
secure. Ethical hacking also helps keep your security team
on guard as the network is constantly under attack.
Use 24x7x365 trending and monitoring solutions that are security focused
Many times, the biggest problems are not obvious but
occur gradually over time. It’s a 24x7x365 world, and
hacking attempts occur literally every minute from all
points around the globe. Therefore, it is important to have
your network monitored 24x7x365 not only for uptime
and bandwidth, but also for security concerns and trends.
By integrating security monitoring into your overall
network monitoring, you are always on watch for trouble.
And, should anything start to occur, it can be caught early
before it becomes critical.
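As an added illustration (not from the paper) of the trending this section and the earlier gateway spoofing section call for, the Python below runs a robust baseline check over constructed RTT samples and flags a sustained shift of only a few milliseconds that a fixed uptime threshold never sees. The series, window sizes and tolerances are assumptions chosen for the example.

```python
from statistics import median


def baseline_stats(samples):
    """Median and median absolute deviation (MAD) of the learning window; both are robust
    to the occasional outlier that a mean/stddev baseline would be dragged by."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, max(mad, 0.5)  # floor the MAD so a perfectly flat baseline still has a tolerance


def static_threshold_alert(samples, limit_ms):
    """Classic uptime check: index of the first RTT above a fixed limit, or None."""
    for i, x in enumerate(samples):
        if x > limit_ms:
            return i
    return None


def drift_alert(samples, learn=100, window=20, k=3.0, persist=3):
    """Trend check: learn a baseline from the first `learn` samples, then compare each later
    window's median against it. Alert only when the window median exceeds the baseline by more
    than k*MAD for `persist` consecutive windows, so a few jittery samples do not fire it.
    Returns the index of the sample that completed the alerting streak, or None."""
    med, mad = baseline_stats(samples[:learn])
    streak = 0
    for end in range(learn + window, len(samples) + 1, window):
        w_med = median(samples[end - window:end])
        streak = streak + 1 if w_med - med > k * mad else 0
        if streak >= persist:
            return end - 1
    return None


def constructed_rtt_series():
    """Constructed terminal-to-gateway RTT samples in ms: about 40 ms with small jitter, then a
    sustained +4 ms shift from sample 200 on, the order of change an extra hop through a
    third party could add. Not measured data."""
    jitter = [0, 1, -1, 2, -2]
    return [40 + jitter[i % 5] + (4 if i >= 200 else 0) for i in range(300)]


if __name__ == "__main__":
    rtts = constructed_rtt_series()
    print("fixed 100 ms threshold fires at:", static_threshold_alert(rtts, 100))
    print("baseline drift check fires at:  ", drift_alert(rtts))
```

A latency shift on its own is not proof of redirection, so in practice the alert is the trigger for a path and certificate check on the affected gateway, not the verdict.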
Use partners that continually perform integration testing on all new software releases
Every software upgrade potentially exposes your network
to more risk. While one patch may solve one security
problem, it may expose another. More importantly, this
exposure might not be in the piece of equipment that had
its software updated.
Making sure that every piece of equipment, with every
software update on any piece of equipment does not
expose an exploitable hole in your security is an important
part of providing transaction networks. This continual
integration testing is essential to ensuring your network
is as secure as possible.
Targeted Customer Types
■ 48% End user/subscriber
■ 43% E-commerce/business
■ 43% Financial services
■ 34% Government
■ 29% Gaming
■ 13% Gambling
■ 13% Manufacturing
■ 11% Law enforcement agency
■ 11% Utilities
■ 23% Other
Source: Arbor Networks, Inc. 2013 (percentage of survey respondents)
2. Your people
Many times, hacking attempts start with people, not
machines. It is important your people are up to the task
of maintaining a highly secure, highly available and reliable
transaction network for your business.
There are three areas you should focus on in terms of your
personnel: expertise, training and procedures.
Expertise
Networking expertise is an obvious component of building
a transaction network. You need to have personnel that
understand how scalable and reliable networks are built.
Security expertise needs to be an important skill of your
people. Do you have personnel that focus exclusively on
making sure your network is secure?
Hacking expertise, often missing within payment teams,
is the opposite of security expertise. While a security
expert focuses on policies and procedures to help make
your network more secure, the hacking expert focuses on
understanding how exploits can be used to hack into your
systems. Hacking expertise is a required skill in any
large-scale transaction network deployment.
Training
Your staff needs to be trained against social engineering
attacks so they understand how to secure and maintain
things as simple as passwords in order to keep people out
of sensitive areas.
Procedures
Your personnel need to use defined, standard operating
procedures every time. Items such as how to manage
software rollouts, how to conduct rigorous testing, and
things as simple as password management should all be
part of the procedures your personnel use everyday to
manage your transaction network.
3. Your equipment
Networking equipment is the foundation of transaction
networks, and while many pieces are interchangeable, it
is important to consider the security requirements needed
to maximize the security of your network before making
equipment choices.
First, equipment should be proven by results, and not
simply insured against financial risk. If there is anything
to be learned from disasters like the US Gulf oil spill, it is
there is a difference between proven by results and
insured against financial risk. Just because you have some
amount of insurance against risk, does not mean that a
breach won’t occur.
The equipment you use should be proven to be reliable,
specifically within secured transaction-oriented networks.
Transaction networks are different from traditional IP traffic,
and have very special requirements. The best equipment
for streaming video on the Internet might not be the best
choice for your critical credit and debit card transactions.
Second, your equipment should have the appropriate
certifications for use in transaction networks. While
standards such as FIPS-140-2 play a major part in helping
choose the best equipment, it is up to networking
equipment suppliers and your organization to choose
equipment with the appropriate reliability and
performance certifications.
When building an IP-based transaction network that is
planned to carry the majority of your transactions, care
should be taken in terms of your network, equipment and
people to ensure that every part of your infrastructure
lives up to your expectations for performance, reliability,
and most importantly security.
It Comes Down To a Focus on Security
Are you prepared to risk your entire business on your
existing infrastructure or on your current plans for your
IP-based transaction network?
Ultimately, the answer to that question should drive your
decisions about which equipment and partners to use to
help you build an IP network you can rely on in the future.
An IP-based transaction network can save you money and
provide added benefits to your business. If designed and
operated correctly you can enjoy these benefits, without
taking on unnecessary risks. The key is to focus on making
sure that every piece of the solution can live up to the
challenges and high expectations of securely managing
transaction data.
Learn More
TNS has been partnering with leading Payment
Processors, Acquirers, and PSPs around the globe for over
20 years, providing solutions designed to ensure that their
payment infrastructures remain secure, resilient, and
scalable. To learn more about how TNS can help you
better secure your payment host or gateways, contact us
by calling 703 453 8300 or emailing [email protected].
About TNS
Transaction Network Services (TNS) is a leading global
provider of data communications and security solutions.
TNS offers a broad range of networks and innovative
value-added services which enable transactions and
the secure exchange of information in diverse
industries such as retail, banking, payment processing,
telecommunications and the financial markets.
Founded in 1990 in the United States, TNS has grown
steadily and now provides services in over 65 countries
across the Americas, Europe and the Asia Pacific region,
with our reach extending to many more. TNS has
designed and implemented multiple data networks which
support a variety of widely accepted communications
protocols and are designed to be scalable and accessible
by multiple methods.
Visit us at:
www.tnsi.com for more information
October 2014