Posted by: Sean Finnegan Director, Cybersecurity

 Last week, we published a paper on “Threat Modeling a Retail Environment.” The intent of this paper was to help provide the retail industry with risk and mitigation guidance that could be applied in their environment where there is a unique set of requirements and challenges.  As a follow on to that information, today we published a new paper focused on “Protecting Point of Sale Devices from Targeted Attacks.”  Given point of sale (POS) devices were the focus of many recent targeted attacks in the retail industry, we thought this guidance would be helpful. 

While the details of specific compromises will vary, we know from public reports that these attacks succeeded because an attacker was able to place custom malware across a large number of POS devices in order to harvest information from transactions. 

While we recognize that there is a wide variety of POS systems and architectures in use, we again leveraged the combined experience of our retail and cybersecurity teams to provide guidance that we believe to be practical and effective across most environments.  In this paper we provide specific guidance to help harden POS devices against attack including some recommendations specific to Microsoft Windows POS platforms.  We also address techniques to help protect customer and payment data from disclosure, using specialized hardware such as the use of encrypting card readers.

Finally, we leveraged our experience in responding to targeted attacks across industry to provide guidance specific in helping to mitigate the ability for an attacker to move laterally throughout a retail infrastructure.  We built this section on guidance already provided in the paper “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques” and discuss specifically the impact of Active Directory design, service accounts, and shared local accounts in preventing lateral movement by attackers in retail. 

You can find the paper here and feel free to share your constructive comments about the paper on our Twitter handle @MSFTSecurity.