Lessons in Due Diligence
Posted in Business and Security, PCI on December 2nd, 2009 by Paul

An article by Kim Zetter on Wired.com caught my attention: “Restaurants Sue Vendor for Unsecured Card Processor”.
The gist is that several restaurants purchased Point-of-Sale (POS) systems from a particular vendor. The POS systems they were sold were apparently not Payment Card Industry Data Security Standard (PCI-DSS) compliant, and that resulted in a breach costing the restaurants a hefty sum.
One issue was unpatched, poorly configured remote access; the other alleged problem was the default administrator user ID and password being left in place. From the article:
Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.
So the vendor sold them a product that was known to have these flaws, but on the flip side, the restaurants bought systems that were known to have these flaws. I can certainly see the case here, but from a security perspective there are some lessons to be learned about due diligence and basic security practices.
1. If you blindly believe marketing slicks about the “state-of-the-art” product you’re purchasing that can do everything including cooking your dinner and washing dishes…well… you get the point. Visa had produced a bulletin regarding the flaws with the product a year before one of the restaurants bought the product. A little due diligence in the selection process would have gone a long way.
2. So, you buy a product and install it. It has remote access capabilities. You leave the default administrator ID and password in place, credentials well known to anybody who can grab an online manual. You’re breached. If you install a new software product, for Pete’s sake, change the default account passwords. If your bank gave everybody the password “password” for their online banking, would you change yours or just leave it? (BTW, they don’t do that… just an illustration.)
3. Implementing a system with known flaws and not updating it is pretty bad. It’s like installing a Microsoft server and not applying security patches for a year. You get breached because of a vulnerability that should have been fixed a year ago. Good luck blaming Microsoft for that one. Patch management is essential.
By no means am I blaming the victim in this case. They are chefs and restaurant managers, not IT or InfoSec people. They relied on the vendor to provide a product that was up to snuff with PCI requirements and trusted them to sell a product that protected their customers’ information. When we examine this and extend it to our own business and technology implementations, their experience provides some lessons for all of us. Hopefully we can learn from this and apply due diligence to all of our vendor interactions and purchases.