auditing archives: the case of the file sharing franchisee

Post on 29-Jun-2015


DESCRIPTION

An unfortunate franchisee with hundreds of restaurant locations hired an IT company with little security expertise to configure their restaurant POS systems across multiple locations. By allowing every restaurant access to the same programs and files back at corporate HQ, it promoted process consistency across each restaurant management system, making information exchange easy, but also opening security holes.

TRANSCRIPT

Auditing Archives Series: The Case of the File-Sharing Franchisee

Business background

Successful franchisee owns over 100 well-known restaurants in the Midwest.

Shared files with restaurant management across states via a server at the corporate location.

Used a third party IT company to configure system hardware and software for all restaurant locations.

How hackers could get in

The corporate back office server that shared files across restaurant servers used an always-on, insecure, virtual private network (VPN) connection.

IT staff configured the corporate office remote access insecurely, which provided access to the 'flat' (unsegmented) internal network, where every system could reach every other.

What is remote access?

Remote access is the ability to access a computer or server from a remote location. It is often used in mid-to-large organizations among employees who need access to shared files and company networks.

Unfortunately, it’s very common for remote access to be set up insecurely.

How hackers could get in

A hacker could break into the insecure remote access at corporate headquarters by cracking an easily guessable password, and find the file server connected to 100+ other restaurants via the always-on VPN connection.

Once in the file server, he could guess the in-store POS system password.

One by one, he could download malware into each restaurant’s POS system and gain sensitive payment card data.

What the business did wrong

Third party IT group configured all restaurant systems identically and with an easily guessable password.

What makes a good password?

A password should not be found in a dictionary in any language. It should be at least 8 characters long and contain upper and lower case letters, numbers, and special characters.

Passwords should be changed every 90 days.

What they should have done

This problem could have been prevented through more secure remote access at the corporate location.

Specifically, requiring two-factor authentication for each login (e.g., a password and a one-time code) and individual complex system passwords for each restaurant location.
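The password rules above and the recommendation of individual passwords per restaurant location translate directly into a fleet audit a defender can run against a credential inventory. The script below is an added example, not SecurityMetrics' code or anything from the case study: it checks every stored POS password against the stated policy (not a dictionary word, at least 8 characters, mixed character classes, changed within 90 days) and additionally flags any password that is reused at more than one location, which is exactly the "configured identically" weakness described. The inventory, the small dictionary word list and the audit date are constructed sample data; a real audit would load the inventory from the password vault or configuration management system and a full multilingual wordlist from disk.

```python
"""Audit a fleet of restaurant POS credentials for the weaknesses in the
case study: shared passwords across locations, dictionary words, weak
complexity, and passwords older than 90 days.

Added example (not SecurityMetrics' code). All data below is constructed.
"""
from collections import defaultdict
from datetime import date
import string

# Constructed stand-in for a real wordlist; load a full multilingual
# dictionary from disk in practice.
DICTIONARY_WORDS = {"password", "restaurant", "welcome", "admin", "summer"}

MAX_PASSWORD_AGE_DAYS = 90   # rotation rule from the case study
MIN_LENGTH = 8               # minimum length from the case study


def password_problems(password: str, last_changed: date, today: date) -> list:
    """Return the policy rules this password fails (empty list means it passes)."""
    problems = []
    lowered = password.lower()
    # Strip digits and symbols before the dictionary check so that a
    # dictionary word dressed up with a trailing digit still trips it.
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    if lowered in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if (today - last_changed).days > MAX_PASSWORD_AGE_DAYS:
        problems.append(f"older than {MAX_PASSWORD_AGE_DAYS} days")
    return problems


def audit_fleet(inventory, today: date) -> dict:
    """inventory: list of (location, password, last_changed) tuples.

    Returns {location: [problems]} for every location with at least one
    finding. Beyond the per-password rules, any password that appears at
    more than one location is flagged, since one guessed password would
    then open every store that shares it.
    """
    locations_by_password = defaultdict(list)
    for location, password, _ in inventory:
        locations_by_password[password].append(location)

    findings = {}
    for location, password, last_changed in inventory:
        problems = password_problems(password, last_changed, today)
        others = [loc for loc in locations_by_password[password] if loc != location]
        if others:
            problems.append(f"shared with {len(others)} other location(s)")
        if problems:
            findings[location] = problems
    return findings


# Constructed sample inventory: three stores set up identically by a
# third-party integrator, plus one store with a unique, compliant password.
SAMPLE_INVENTORY = [
    ("store-001", "Restaurant1", date(2014, 11, 1)),
    ("store-002", "Restaurant1", date(2014, 11, 1)),
    ("store-003", "Restaurant1", date(2014, 11, 1)),
    ("store-004", "kQ7!vz#Lm2Rw", date(2015, 5, 15)),
]
AUDIT_DATE = date(2015, 6, 29)  # constructed audit date

if __name__ == "__main__":
    for location, problems in sorted(audit_fleet(SAMPLE_INVENTORY, AUDIT_DATE).items()):
        print(f"{location}: " + "; ".join(problems))
```

Run as-is it reports the three identically configured stores (dictionary word, no special character, older than 90 days, shared with two other locations) and nothing for the fourth. The reuse check is the one most worth automating: a single complex password is still a single point of failure when every location shares it.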

SecurityMetrics: We Protect Business

Services: PCI, HIPAA, & data security solutions for businesses of all sizes

Qualifications: Global provider of ASV, QSA, PFI, PA QSA, P2PE services

Experience: Assisted over 1 million organizations with compliance needs
