How to protect your network just like a bank ATM

A report out from Talos on the state of ATM malware contains lots of tips on protecting these machines from malware, and they're just as applicable to other industries.

Jackpotting could leave thousands of ATMs at risk of cyberattack Jackpotting, a cyberattack common in Europe that can empty an ATM machine in seconds, is now targeting Diebold machines in the U.S., says TechRepublic's Brandon Vigliarolo.

It's the 10-year anniversary of the first detection of ATM malware, and Cisco's Talos threat intelligence arm released a blog post about the state of malware that targets ATMs on Thursday.

ATM malware has been a niche, but growing, trend in the past decade since the initial discovery of the Skimer family of malware, which was the first to target ATMs and force them to dispense cash without a bank card.

Since that time, Talos reported, 30 different families of ATM malware have emerged. Many of them bring unique attributes to the table: Some are designed to be DIY kits for entrepreneurial cybercriminals, while others bear the hallmarks of having been coded by nation state actors.

Some ATM malware requires attackers to gain physical access to the target machine, but other forms don't even require a physical presence: As long as an attacker can break into a bank's network and find the right machine, they can install malware and withdraw cash to their heart's content.

Why ATM malware matters to businesses

Those not working in the banking industry may wonder why ATM malware matters to them, especially with most attacks happening outside the US in places like Latin America and Eastern Europe, where ATMs are often older and less secure.

ATM malware may not be a direct threat to those outside the banking industry, or those in places with good ATM security, but the tips that Talos gives on how to protect ATMs from malware are universally applicable, especially for organizations with computers accessible to the public.

There's a long list of recommendations, and all of them are worth considering:

  • Ensure machines and all their related systems (servers, other machines on the network) are kept up-to-date.

  • Disable Windows AutoPlay

  • Configure the BIOS to prevent booting from USB or physical media

  • Set a strong BIOS password to prevent BIOS changes

  • Disable direct access to a computer's desktop at a public-facing computer

  • Force RDP sessions to use multiple authentication factors

  • Reduce a system's attack surface by removing all unnecessary apps and services

  • Monitor network traffic and physical integrity of machines

  • Encrypt the connection between machines and their hosts

  • Restrict access to, and electronically log, any opening of a machine's cabinet/case

  • Ensure physical locations, network connections, and surrounding materials are physically safe and secure from tampering

  • Properly configure anti-malware apps and firewalls that machines connect to

  • Configure a software whitelist that prevents any unauthorized applications from being installed or run on a machine

  • Make sure the whitelist can't be easily disabled, and log any attempts to do so

  • Enable device control so that any connected USB devices or other external hardware won't function

  • Train employees on how to avoid accidentally installing malware

  • Segment your networks, both physically and logically, so that vulnerable machines are cut off from potential attacker entry points

  • Make sure network visibility is high: This can be a key part of sniffing out abnormal traffic

  • Monitor threat intelligence news to be sure you're up on the latest threats

These tips apply to ATMs and public-facing machines, but also to employee workstations as well: Simple steps like whitelisting software, eliminating unnecessary apps, and preventing the use of hardware peripherals and external storage can go a long way to protecting a network and its sensitive contents.

Also see