It is very likely that most XP-based ATM networks will remain Windows XP-based for a long period of time after the end of life announced by Microsoft for April 2014. In this context, the fundamental thing to do is to understand whether this situation brings new security risks, and the extent of those risks. Migration may come later (maybe much later). But what happens next May? The easy answer is: you need a risk analysis before making decisions.
Performing a full risk analysis for your ATM network in this new situation might not seem to be an easy task, but surely there are some basic considerations that can be discussed.
For instance, let us consider what is happening today. Current ATM cyberattacks follow well-understood patterns. Essentially, attackers gain physical access to ATMs and try to deploy sophisticated malware in ways that in general do not exploit Windows vulnerabilities. Given the huge number of unprotected (or poorly protected) ATMs to date, attacks from the network have been rare (although not unheard of). Prevention of these attacks today is achieved by installing a suitable Cyberprotection solution in your ATM. At this moment we are all well engaged in this malware-antimalware race, especially in some regions of the world.
After Windows XP end of life, the main foreseeable change in this scenario is the sum of two circumstances. On the one hand, Cyberprotection solutions are being deployed as mitigation actions. This is increasing the level of protection against classical attack patterns, so you can bet criminals are looking for alternatives as we speak. On the other hand, vulnerabilities affecting Windows services might become known, and exploitable, without patches to prevent them.
This could potentially result in a new attack pattern scenario. Remote exploits could enable criminals to upload malware over the network in a way very different from what they are doing now. This scenario is plausible because in many cases the protection solutions being deployed are based essentially on whitelisting, and this technology alone is not enough to stop this new threat.
This possible new scenario requires some deep analysis both in terms of feasibility and impact. For instance, network-based attacks might require more skilled insiders, but on the other hand might affect entire networks instead of a few ATMs at a time. The good news is that this change in attack paradigm is not easy for criminals, so it is sensible to assume that there is some time left for us to analyze and react.
Probably the easy part of this reaction would be to ensure a state-of-the-art Cyberprotection solution is deployed in your ATMs. But at the same time we need to understand what Windows services we are using today in our ATMs that are exposed to the network.
Now, some relevant questions. See if you know the answer to them:
- Are your ATMs using Windows services over the network?
- If affirmative, which ATM resources are these services allowed to access?
- Can these services be replaced by programs that provide the same functionality but are still supported from a security point of view?
- If you have already purchased a Cyberprotection solution, have you tested it against attacks based on remote exploits over the network?
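One way to start answering the first question, as an added example that is not part of the original article: the script below reads `netstat -ano` output captured on an ATM and lists every listener reachable from the network, labelling the well-known Windows service ports. The sample output, addresses, PIDs and function names are constructed for illustration; the port names are the standard assignments.

```python
# Standard port assignments for Windows services commonly found on XP hosts.
WINDOWS_SERVICE_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB file and printer sharing",
    3389: "Remote Desktop",
}

# Constructed sample of `netstat -ano` output (not taken from a real ATM).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8501           0.0.0.0:0              LISTENING       2210
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1780
  TCP    10.20.30.41:139        0.0.0.0:0              LISTENING       4
  TCP    10.20.30.41:1045       10.20.30.5:2000        ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
  UDP    10.20.30.41:137        *:*                                    4
  UDP    127.0.0.1:123          *:*                                    1024
"""

def exposed_listeners(netstat_text):
    """Return sorted (proto, port, pid, service) for non-loopback listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows are always bound sockets.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if host.startswith("127."):
            continue  # loopback only, not reachable from the network
        service = WINDOWS_SERVICE_PORTS.get(int(port), "unidentified")
        findings.add((proto, int(port), int(fields[-1]), service))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, pid, service in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto:4}{port:6}  pid {pid:<6}{service}")
```

Each listed PID can then be matched to its process on the ATM to decide whether the service is needed, what it may access, and whether a supported replacement exists.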
Author: Juan Jesús León Cobos
Director of Product, GMV
The author’s views are entirely his own and may not reflect the views of GMV