All you need to know about ATM

Security (Part 2 of 5)
abdelhameedqotb (25) (/@abdelhameedqotb)in #technology
(/trending/technology) • 3 years ago

Part II
This was a research I made with a Russian colleague year ago and thought
it might help someone out there.

Kindly note that at the end of this part you would nd References section
for the whole paper ( the 5 parts) this part and the upcoming ones, as it
would be dif cult to separate the references of each part

Also be noted that this paper was written to address Non-technical folks to
give them an overview of Securing the ATM

Backup Security Measures

Backup security measures need to be in place for both information
security control and physical security. This is to ensure that integrity is
maintained for the information and physical security systems. Backup
security in the case of ATM's may involve a reserve of power set aside to
maintain physical security features such as alarms and CCTV cameras.
(APHIS,2014)

Risk Management, analysis and Computer Security Incident

Management
The objective of an information system security program is to protect an
organization's information by reducing the risk of loss
Login (/login.html) Signof
upcon dentiality,
integrity and availability of that (https://signup.steemit.com)
information to an acceptable level. A good
(/) (/search) (/submit.html)
information security program involves two major elements, risk analysis
and risk management. In the risk analysis phase, an inventory of all
information systems is taken. For each system, its value to the
organization is established and the degree to which the organization is
exposed to risk is determined. Risk management, on the other hand,
involves selecting the controls and security measures that reduce the
organization's exposure to risk to an acceptable level. To be effective,
ef cient and re ect common sense, risk management must be done
within a security framework where information security measures are
complemented by computer, administrative, personnel and physical
security measures.

Risk management becomes a senior management issue. A balance has to

be reached between the value of the information to the organization on
the one hand and the cost of the personnel, administrative and
technological security measures on the other hand. The security measures
put in place need to be less expensive than the potential damage caused by
the loss of con dentiality, integrity and availability of the information.
Many formal risk analysis methodologies on the market require technical
expertise in the area of information technology and relevant controls and
Login (/login.html)
availability of precise threat frequencies Sign
that may be up
beyond the reach of
(/) (https://signup.steemit.com) (/search) (/submit.html)
many audit of ces, at least initially. The objective is to build up over time
the necessary expertise and resources. (INTOSAI, EDP Audit Committee,
1995)

A risk assessment is carried out by a team of people who have knowledge

of speci c areas of the business. Membership of the team may vary over
time as different parts of the business are assessed. The assessment may
use a subjective qualitative analysis based on informed opinion, or where
reliable dollar gures and historical information is available, the analysis
may use quantitative analysis. The ISO/IEC 27002:2005 Code of practice for
information security management recommends the following be
examined during a risk assessment:
• security policy,
• organization of information security,
• asset management,
• human resources security,
• physical and environmental security,
• communications and operations management,
• access control,
• information systems acquisition, development and maintenance,
• information security incident management,
• business continuity management, and
• regulatory compliance.

(Sattarova, F. Y. and Prof.Tao-hoon, 2007)

Computer Security Incident Management.

The National Institute of Standards and Technology (NIST) describes a
computer security incident as ―resulting from a computer virus, other
malicious code, or a system intruder, either an insider or an outsiderǁ.
Similar to responding to natural disaster incidents, computer security
incident management requires a process and a team to follow the process.
The new player would be an individual well versed in information systems
technology and security. In the event of an incident caused by an attack,
the entity should have response procedures in place to recognize an event.
Login (/login.html) Sign up
Some attacks are detected by a sensor, a network analyst or a user
(/) (https://signup.steemit.com) (/search) (/submit.html)
reporting something unusual with the computer. Containment is critical
for stopping malicious network traf c or a computer virus, the spread of
which could be terminated by taking the computer(s) off-line, if the IT
department or service provider performs these functions. This would
include ensuring the destruction of any hard drives that still maintain
security information and that any breach is acted upon to mitigate losses.
(APHIS,2014)

Training
Employee and contractor behavior is the primary source of costly data
breaches. It's also the best way to prevent loss.
Security can't be guaranteed.
As Clint Eastwood once said, "If you want a guarantee, buy a toaster." The
only secure system is one that's unplugged, turned off, and in a locked
room. Since it's not practical to leave our systems turned off, we need to
understand the risks to our systems and prepare ourselves to defend them.
Preparation begins with understanding — and that's where awareness
comes in. With all the news stories about hackers and breaches involving
personal information and ATM Security, it's easy for the security message
to sound over-used and tired. It's easy for people to say, "It won't happen
here." Yet, studies and surveys repeatedly show that: the human factor
(what employees do or don't do) is the biggest threat to information
systems and assets.

Example
Late one night in Kiev, an ATM started dispensing cash seemingly of its
own accord. In its investigation of the matter, Kaspersky Labs discovered
that the bank’s internal computers were compromised. These computers
were used by staff responsible for processing book keeping and daily
transfers. Malware called Carbanak was installed in the computer by a
targeted phishing attack and allowed the attackers to view everything done
on an infected system. Once the system is infected, Carbanak logs
keystrokes and takes screenshots every 20 seconds so it disclosed to the
hackers routine banking operations and procedures. Training employees
to identify phishing attacks and social engineering is of paramount
Login (/login.html) Sign up
importance. It is dif cult to protect against an employee with malicious
(/) (https://signup.steemit.com) (/search) (/submit.html)
intent, but at the very least, awareness training can reduces the risk of
malisons attack. Kaspersky has disclosed that more than 100 banks across
30 nations have had their accounts compromised by Carbanak. (Perlroth,
2015)

The best way to achieve a signi cant and lasting improvement in

information security is not by throwing more technical solutions at the
problem — it's by raising awareness and training and educating everyone
who interacts with computer networks, systems, and information in the
basics of information security.(APHIS,2014)

CIA
For over twenty years, information security has held con dentiality,
integrity and availability (known as the CIA triad) as the core principles of
information security. Many information security professionals rmly
believe that Accountability should be added as a core principle of
information security.

Con dentiality
Con dentiality is the term used to prevent the disclosure of information to
unauthorized individuals or systems. For example, an ATM transaction
requires the card to be physically present at the ATM, from which the
customer enters his PIN to authenticate the transaction and the ATM
processes the transaction through a secured network. The system attempts
to enforce con dentiality by encrypting the card number and PIN during
transmission, by limiting the places where it might appear (in databases,
log les, backups, printed receipts, and so on), and by restricting access to
the places where it is stored. If an unauthorized party obtains the non-
physical details in any way, a breach of con dentiality has occurred.
Breaches of con dentiality take many forms. Permitting someone to look
over your shoulder at the ATM screen while you are entering your PIN on
it could be a breach of con dentiality. If a laptop computer containing
sensitive information about a company's employees is stolen or sold, it
could result in a breach of con dentiality. Giving out con dential
information over the telephone Login
is a breach of con Sign
(/login.html) dentiality
up if the caller is
(/) (https://signup.steemit.com) (/search) (/submit.html)
not authorized to have the information. Con dentiality is necessary (but
not suf cient) for maintaining the privacy of the people whose personal
information a system holds. (Sattarova, F. Y. and Prof.Tao-hoon, 2007)

Integrity
In information security, integrity means that data cannot be modi ed
without authorization. This is not the same thing as referential integrity in
databases. For example, integrity is violated when an employee
accidentally or with malicious intent deletes important data les, when a
computer virus infects a computer, when an unauthorized user vandalizes
a web site, when someone is able to cast a very large number of votes in an
online poll, and so on. If an automated process is not written and tested
correctly, bulk updates to a database could alter data in an incorrect way,
leaving the integrity of the data compromised. Information security
professionals are tasked with nding ways to implement controls that
prevent errors of integrity. (Sattarova, F. Y. and Prof.Tao-hoon, 2007)

Availability
For any information system to serve its purpose, the information must be
available when it is needed. This means that the computing systems used
to store and process the information, the security controls used to protect
it, and the communication channels used to access it must be functioning
correctly. ATM systems aim to remain available at all times. Which means
preventing service disruptions due to power outages, hardware failures,
and system upgrades. Ensuring availability also involves preventing
denial-of service attacks. In 2002, Donn Parker proposed an alternative
model for the classic CIA triad that he called the six atomic elements of
information. The elements are con dentiality, possession, integrity,
authenticity, availability, and utility. (Sattarova, F. Y. and Prof.Tao-hoon,
2007)

Potential Impact on Organizations and Individuals

FIPS Publication 199 de nes three levels of potential impact on
organizations or individuals should there be a breach of security (i.e., a

Login (/login.html) Sign up

(/) (https://signup.steemit.com) (/search) (/submit.html)
loss of con dentiality, integrity, or availability). The application of these
de nitions must take place within the context of each organization and the
overall State interest.

The potential impact is LOW if The loss of con dentiality, integrity, or

availability could be expected to have a limited adverse effect on
organizational operations, organizational assets, or individuals.
Clari cation: A limited adverse effect means that, for example, the loss of
con dentiality, integrity, or availability might:

● Cause a degradation in mission capability to an extent and duration that

the organization is able to perform its primary functions, but the
effectiveness of the functions is noticeably reduced;
● Result in minor damage to organizational assets;
● Result in minor nancial loss;
● Result in minor harm to individuals.
(DoIt, State of Maryland, Department of information technology,2008)

The The potential impact is MODERATE if The loss of con dentiality,

integrity, or availability could be expected to have a serious adverse effect
on organizational operations, organizational assets, or individuals.
Clari cation: A serious adverse effect means that, for example, the loss of
con dentiality, integrity, or availability might:
● Cause a signi cant degradation in mission capability to an extent and
duration that the agency is able to perform its primary functions, but the
effectiveness of the functions is signi cantly reduced;
● Result in signi cant damage to agency assets;
● Result in signi cant nancial loss;
● Result in signi cant harm to individuals that does not involve loss of life
or serious life threatening injuries.
(DoIt, State of Maryland, Department of information technology,2008)

The potential impact is HIGH if The loss of con dentiality, integrity, or

availability could be expected to have a severe or catastrophic adverse
effect on agency operations, organizational assets, or individuals.
Login (/login.html)
Clari cation: A severe or catastrophic adverse effectSign up that, for
means
example, the (https://signup.steemit.com)
(/) loss of con dentiality, integrity, or availability might:
(/search) (/submit.html)
● Cause a severe degradation in or loss of mission capability to an extent
and duration that the agency is not able to perform one or more of its
primary functions;
● Result in major damage to agency assets;
● Result in major nancial loss;
● Result in severe or catastrophic harm to individuals involving loss of life
or serious life threatening injuries
(DoIt, State of Maryland, Department of information technology,2008)

Controls
When Management chooses to mitigate a risk, they will do so by
implementing one or more of three different types of controls.

Administrative controls – Policies, Procedures, Standards & Guidelines

Administrative controls (also called procedural controls) consist of
approved written policies, procedures, standards and guidelines.
Administrative controls form the framework for running the business and
managing people. They inform people on how the business is to be run
and how day to day operations are to be conducted. Laws and regulations
created by government bodies are also a type of administrative control
because they inform the business. Banking sectors have policies,
procedures, standards and guidelines that must be followed, the
administrative controls applied to ATM's involve securing card data and
customer PIN's. Other examples of administrative controls include the
corporate security policy, password policy, hiring policies, and disciplinary
policies. Administrative controls form the basis for the selection and
implementation of logical and physical controls. Logical and physical
controls are manifestations of administrative controls. Administrative
controls are of paramount importance. (Sattarova, F. Y. and Prof.Tao-hoon,
2007)

Logical controls
Logical controls (also called technical controls) use so ware and data to
monitor and control access to information and computing systems. For
Loginand
example: PIN's, passwords, network (/login.html)
host basedSignrewalls,
up network
(/) (https://signup.steemit.com) (/search) (/submit.html)
intrusion detection systems, access control lists, and data encryption are
logical controls. An important logical control that is frequently overlooked
is the principle of least privilege. The principle of least privilege requires
that an individual, program or system process is not granted any more
access privileges than are necessary to perform the task. A blatant
example of the failure to adhere to this principle of least privilege is
logging into Windows as user Administrator to read Email and surf the
Web. Violations of this principle can also occur when an individual collects
additional access privileges over time. This happens when employees' job
duties change, or they are promoted to a new position, or they transfer to
another department. The access privileges required by their new duties
are frequently added onto their already existing access privileges which
may no longer be necessary or appropriate. (Sattarova, F. Y. and Prof.Tao-
hoon, 2007)

Physical controls
Physical controls monitor and control the environment of the work place
and computing facilities. They also monitor and control access to and
from such facilities. For example: doors, locks, heating and air
conditioning, smoke and re alarms, re suppression systems, cameras,
barricades, fencing, security guards, cable locks, etc. Separating the areas
that are freely accessible from those that should only be accessed with
suf cient authorization (Eg. wall mounting the ATM to deny back panel
access) is a very important measure for ATM security. An important
physical control that is frequently overlooked is the separation of duties.
Separation of duties ensures that an individual can not complete a critical
task by himself. For example: an employee should not also be able to
authorize himself to inspect/reload the ATM. Collusion between
employees is still possible, but the risk is smaller than giving all controls to
a single person. An applications programmer should not also be the server
administrator or the database administrator - these roles and
responsibilities must be separated from one another. (Sattarova, F. Y. and
Prof.Tao-hoon, 2007)

References Login (/login.html) Sign up

(/) (https://signup.steemit.com) (/search) (/submit.html)
Animal and Plant Health Inspection Service (APHIS). Information Systems
Security Control Guidance Document (2014 February 12). Federal Select
Agent Program. Clarke, J. (2009). SQL injection attacks and defense.
Burlington, MA: Syngress Pub.
http://www.selectagents.gov/resources/Information_Systems_Security_Con
trol_Guidance_version_3_English.pdf

Atmsecurity.com,. (2015). Acketts Anti-The Device protects ATM attacked

at Total Garage in Binchester, County Durham | ATMSecurity.com ATM
Security new. Retrieved 24 March 2015, from
http://www.atmsecurity.com/articles/atm-fraud/acketts-anti-the -device-
protects-atm-attacked-at-total-garage-in-binchester-county-durham.html

(5/20/12). BBC. HSBC cash machines hit by IT failure. Retrieved from:

http://www.bbc.com/news/business-18140620

Bankinfosecurity.com,. (2014). Malware Attacks Drain Russian ATMs.

Retrieved 24 March 2015, from: http://www.bankinfosecurity.com/russian-
malware-attacks-drain-atms-a-7412/op-1

Berson, T. Kemmerer, R. and Lampson, B. (1999).Realizing the Potential of

C4I: Fundamental Challenges. Retrieved from Microso research website
http://research.microso .com/en-us/um/people/blampson/63-
C4ISecurity/Acrobat.pdf

Brad, G. (2005,January 12) .The Role of the Security Analyst in the Systems
Development Life Cycle. SANS Institute Retrieved from
http://www.sans.org/reading-room/whitepapers/awareness/role-security-
analyst-systems-development-life-cycle-1601

Clarke, J. (2009). SQL injection attacks and defense. Burlington, MA:

Syngress Pub. https://books.google.co.in/books?
id=KKqiht2IsrcC&printsec=frontcover&dq=Clarke,+J.+%282009%29.+SQL+i
njection+attacks+and+defense.+Burlington,+MA:+Syngress+Pub.&hl=en&s
a=X&ei=zQ8PVdPNEdLauQTYrICoAg&redir_esc=y#v=onepage&q&f=false
Shirley, R.(2009, April) THE SYSTEM
Login DEVELOPMENT
(/login.html) SignLIFE
up CYCLE (SDLC).
Computer Security
(/) Division, Information Technology Laboratory
(https://signup.steemit.com) (ITL),
(/search) (/submit.html)
National Institute of Standards and Technology.
http://csrc.nist.gov/publications/nistbul/april2009_system-development-
life-cycle.pdf

Daniel, K.(2011-2015). Various topics about Security systems. Retrieved

from http://theinfopro.blogs.451research.com/index.php/tag/secureworks/

DoIt, State of Maryland, Department of information technology.(2008,

September). Standards for Security Categorization of Information Systems.
http://doit.maryland.gov/support/Documents/security_guidelines/Security
_Categorization.pdf

Dunlap, S. (12/1/14). Silver City Sun-News. ATM machine stolen, dragged

through streets of Silver City. Retrieved from: http://www.scsun-
news.com/silver_city-news/ci_27046565

(3/19/09). InfoSecurity. Russians hack Diebold ATM so ware. Retrieved

from: http://www.infosecurity-magazine.com/news/russians-hack-diebold-
atm-so ware/

INTOSAI, EDP Audit Committee. (1995, October). Information System

Security Review Methodology. International Organization of Supreme
Audit Institutions. http://www.issai.org/media/13024/issai_5310_e.pdf

John, R. (nd). Firewall Planning and Design. York Technical College

Retrieved from
http://yorktech.com/department/itdept/rouda/PDF/IST292/Chapter%201.pd
f

Kaufmann, L. (8/10/12). IT Security Community Blog. Exploiting ATMs: a

quick overview of recent hacks. Retrieved from:
http://security.blogover ow.com/2012/08/exploiting-atms-a-quick-
overview-of-recent-hacks/

Login (/login.html) Sign up

(/) (https://signup.steemit.com) (/search) (/submit.html)
Kukiewicz, J. (8/30/11) Choose.net. Anger grows over HSBC's online
banking 'Secure Key'. Retrieved from:
http://www.choose.net/money/guide/news/hsbc-secure-key-online-
banking-problems.html

Joe McMahon. (2015).Secure Your ATMs. Retrieved from McAfee website

http://www.mcafee.com/fr/resources/technology-blueprints/tb-securing-
atms.pdf

Marianne, S. and Joan, H. and Pauline, B. (2006, February). Guide for

Developing Security Plans for Federal Information Systems. Computer
Security Division, ITL, National Institute of Standards and Technology.
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-
nal.pdf

(nd) Paragon Applications Systems. Diebold (US) Enhances ATM QA

Testing with Paragon Tools. Retrieved from:
http://www.paragonedge.com/news/case-studies/diebold-enhances-atm-
qa-testing-with-paragon-tools.html

PCI, (2010, October), PCI DSS Quick Reference Guide, Retrieved from
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%2
0Reference%20Guide.pdf

PCI Security Standards Council. (2013, Jan). PCI PIN Transaction Security
Point of Interaction Security Requirements (PCI PTS POI). Retrieved from
PCI website
https://www.pcisecuritystandards.org/pdfs/PCI_ATM_Security_Guidelines_
Info_Supplement.pdf

Perlroth, D. (2015). Bank Hackers Steal Millions via Malware.

Nytimes.com. Retrieved 24 March 2015, from
http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-
via-malware.html?_r=0

Login (/login.html) Sign up

(/) (https://signup.steemit.com) (/search) (/submit.html)
 Sattarova, F. Y. and Prof.Tao-hoon, K. Vol. 2, No. 2. Security Review:
Privacy, Protection, Access Control, Assurance and System Security.
Retrieved from International Journal of Multimedia and Ubiquitous
Engineering http://www.sersc.org/journals/IJMUE/vol2_no2_2007/2.pdf
The Government of the Hong Kong Special Administrative Region. (2008,
February).AN OVERVIEW OF INFORMATION SECURITY STANDARDS.
Retrieved from:
http://www.infosec.gov.hk/english/technical/ les/overview.pdf

Weight, A. (Sept 2009). ATM Security Working Group. Best Practice for
Physical ATM Security. Retrieved from:
http://www.link.co.uk/SiteCollectionDocuments/Best_practice_for_physica
l_ATM_security.pdf

#cybersecurity (/trending/cybersecurity) #money (/trending/money) #blog (/trending/blog)

#cryptocurrency (/trending/cryptocurrency)

3 years ago in #technology (/trending/technology) by Reply 0

abdelhameedqotb (25) (/@abdelhameedqotb) $0.00 (/technology/@abdelhameedqotb/all-

you-need-to-know-about-atm-

security-part-2-of-5)