Security in a Changing ATM Environment
By Tom Schmidt
The ATM (Automated Teller Machine) environment is changing, and that change has serious ramifications for the security of ATMs. This article looks at some of those ramifications, then outlines an approach that can help financial institutions better address their overall security exposure.

From closed to open

Many financial institutions today are in the process of moving their ATMs from proprietary dial-up networks to TCP/IP networks. This entails moving the ATM from what is generally considered a "closed," dedicated, and relatively secure network to one that is more open, unrestricted, and, in some cases, less secure.

At the same time, the operating system on which the ATM is based is changing. ATMs have begun migrating from the obsolete IBM OS/2 to Microsoft Windows to gain business value. But with the move to the Windows platform comes increased exposure to known and unknown security threats. The operating system has changed from a relatively secure, low-visibility, low-target profile to one with higher visibility, a higher vulnerability level, and a higher target profile.

This combination -- a change in communication pathways and a change in operating systems -- has increased the overall security exposure of the ATM. Eliminating this increased exposure is complex and costly.

Protection needed before patches are available

Another critical consideration is that, because of the complexity and sheer size of the Microsoft operating systems, security vulnerabilities are and will continue to be present in the software. The vulnerabilities used by the SQL Slammer, Blaster, Sasser, and Zotob network worms were "always there": they could have been used to compromise a machine at any time before a remediation patch was applied. In addition, some vulnerabilities today are discovered but not reported. This means they can exist in the code, be known to malicious individuals or organizations, and provide a malicious person with a vector for attack.

Even when holes are reported to a vendor, it can take weeks or even months to fix the vulnerability and make a patch available. On multiple occasions, these vulnerabilities have become public knowledge between the time they were reported to the vendor and the time a patch was available. This creates a window of opportunity in which a virus, worm, or other exploit could be created that takes advantage of the vulnerability. Moreover, it can take days to weeks for companies to download, test, and deploy the patch once it is made available. ATMs need to be protected before patches are available. They need to be secure before, during, and after the vulnerability is announced.

All security patches need to be thoroughly tested before being deployed at an enterprise level. While Microsoft tests patches with its own software and many other common commercial applications, it does not test them with the specialized software and device drivers that are present on ATMs. Applying a new security patch could, in theory, create problems on the ATM. That's why financial institutions should thoroughly test patches in a lab environment before deploying them to production ATMs.

Fortunately, by using the latest in security software and processes, there are ways for financial institutions to leverage the benefits of Windows and high-speed networks while mitigating the risks.

Best practices = a layered approach

A layered approach, which combines best practices in the application of technology controls and process controls with digital security awareness, is the right approach to securing ATMs.

Securing the ATM network begins with basic, level one hardening. The operating system should be hardened, and all service packs and recommended patches should be applied. All unnecessary services should be stopped and all unnecessary ports should be closed.

The next step is level two hardening. The security level at which the ATM operates should be changed from an administrative level to a locked-down user level. The ATM platform should be baselined and compared to high-security templates from leading security organizations like SANS and the Center for Internet Security. When possible, customers should leverage their dedicated network-level firewalls to isolate ATMs onto their own protected network segments and monitor for unauthorized security events.

ATMs should function in a closed and secure mode. They should only allow authenticated and trusted applications to communicate to and from the ATM. ATMs should be able to continuously defend themselves against new, network-based viruses and worms without needing to be updated. ATMs should ensure that applications communicating from the ATM are the correct version and have not been modified in an unauthorized manner. For example, Windows has a legitimate file called SVCHOST.EXE that a customer could be using. In fact, the Sasser network worm spreads by creating its own copy of SVCHOST.EXE. The ATM should be able to tell the two files apart, even though they have the same name and use the same network ports.

A layered approach also recognizes that perimeter firewalls, network intrusion detection, patch management solutions, and antivirus software cannot by themselves provide adequate protection. For example, perimeter firewalls can't block access to ports used for legitimate purposes, and patch management solutions are ineffective against unknown attacks.

To provide a secure and manageable IP-based ATM infrastructure, financial institutions require a real-time solution that includes antivirus, host intrusion prevention, device control, policy enforcement, remediation, and control over managed and unmanaged endpoints. Specifically, such a solution must:
- Protect the institution against known and unknown malware, viruses, worms, Trojans and spyware
- Eliminate misconfiguration and misuse by locking down the ATM ports, protocol, and applications, thereby reducing incident response reports and automating the remediation process
- Reduce complexity with a single agent and centrally managed solution that enforces security best practices through policy enforcement, integrity checking, and automated remediation
- Enable financial organizations to gain control over ATM network security and ensure compliance across their ATM infrastructure
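The SVCHOST.EXE point above (a trusted application must be identified by its contents, not its file name) is illustrated by the following added example, which is not code from the article or from any ATM vendor. It builds a baseline of trusted executables keyed by SHA-256 and then classifies files by comparing their hashes; all file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

# Constructed example: an allow-list of trusted executables keyed by content hash,
# not by file name. The file names and byte contents below are invented sample data.

def sha256_of(path):
    """Hash a file's bytes in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(trusted_paths):
    """Record the hash of each trusted executable at baseline time.
    Returns {basename: sha256} so a later check can find the expected hash by name."""
    return {os.path.basename(p).lower(): sha256_of(p) for p in trusted_paths}

def classify(path, baseline):
    """Return 'trusted' if the file matches its baseline hash, 'modified' if a file
    of that name is in the baseline but the bytes differ (e.g. a worm's own copy of
    svchost.exe), and 'unknown' if the name was never baselined."""
    name = os.path.basename(path).lower()
    if name not in baseline:
        return "unknown"
    return "trusted" if sha256_of(path) == baseline[name] else "modified"

def demo():
    """Baseline a 'real' svchost.exe, then check a same-named impostor and an
    unlisted binary. Returns the three verdicts as a tuple."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system32")
        drop_dir = os.path.join(root, "temp")
        os.makedirs(system_dir)
        os.makedirs(drop_dir)
        real = os.path.join(system_dir, "svchost.exe")
        fake = os.path.join(drop_dir, "svchost.exe")    # same name, different bytes
        other = os.path.join(drop_dir, "installer.exe")  # not in the baseline at all
        with open(real, "wb") as f:
            f.write(b"MZ constructed legitimate service host bytes")
        with open(fake, "wb") as f:
            f.write(b"MZ constructed impostor bytes using the same file name")
        with open(other, "wb") as f:
            f.write(b"MZ constructed unlisted binary")
        baseline = build_baseline([real])
        return classify(real, baseline), classify(fake, baseline), classify(other, baseline)

if __name__ == "__main__":
    print(demo())  # ('trusted', 'modified', 'unknown')
```

A production control would also pin the expected path and verify the vendor's code signature, but the hash comparison is what lets the same-named copies be told apart.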
Among the benefits of a layered approach:
- Security-related downtime is minimized
- ATMs are proactively protected without immediate patching
- Security costs are reduced
- Performance of the ATM is not impacted
- Central logging and reporting of security events
Conclusion

According to the latest Internet Security Threat Report, the financial services sector was the third most frequently targeted industry between January 1 and June 30, 2005. Targeted attacks against the financial services industry are expected to rise, as the focus of attackers becomes increasingly profit driven. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. Where traditional attack activity was motivated by curiosity and a desire to show off technical virtuosity, many of today's threats are motivated solely by profit. Criminal acts, such as identity theft, extortion, and fraud, are now common.

For financial institutions deploying ATMs on open networks, such developments require a more vigorous defense against malicious attacks. With better IP ATM security, financial institutions can implement a defense-in-depth strategy and can help preserve brand equity and consumer confidence in online transactions.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.