Conducting an ATM Security Audit

Aleksei Panov
Author: Aleksei Panov
Published: 26 April 2024

European banks are losing millions to ATM criminals, which highlights the importance of ATM-focused security audit engagements. What are the main ATM risks, and which industry frameworks are useful when planning an ATM security audit?

There are many security frameworks and best-practice standards that are used to support various audit engagements. Arguably, the most relevant for this topic is the Payment Card Industry Data Security Standard, or PCI DSS, which covers environments where sensitive account data is stored, processed or transmitted, including environments that can impact the security of the cardholder data environment. Let’s have a look at two of the main PCI DSS requirements in the context of an ATM security audit.

Support Information Security with Organizational Policies and Programs

An information security policy determines the responsibilities of partners, management and employees, identifies risk and defines the controls that address that risk. The potential risks for an ATM include cash-in-transit robbery, attacks on customers and cyberattacks against IT systems, and the related policies should help to prevent, identify, respond to and recover from such events. For detailed information about ATM risk, I recommend the MITRE ATT&CK framework, as it helps to view and compare techniques that have already been used by different adversary groups.

Overall, an information security policy should help facilitate effective management and operational decisions. From the audit team’s perspective, sound documentation always helps to understand the risk tolerance and its material impact on an audit client.

Install and Maintain Network Security Controls

As always, all networking devices should be identified, documented, regularly patched and hardened. In the ATM context, I recommend starting with a review of the network diagrams and related data flows. From there, you can identify administrative access points, firewall placements and network segmentation. Potential areas of investigation include identity and access management (e.g., multi-factor authentication, jump server usage, access granting and revocation procedures), the traffic flows allowed by existing firewall rules, the effectiveness of firewall placement, and a review of selected device settings and installed patches. It is also worth physically inspecting ATMs to make sure there are no network cables or network devices easily accessible from the outside.
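As an added illustration of two of those tests (not code from the article or its author), the following Python check walks a constructed firewall rule set for an ATM segment and flags rules that let ATMs reach anything beyond the transaction host, or that allow administrative protocols into the ATM segment from anywhere other than the jump server. The segment addresses, transaction host, jump server and rules are all assumed sample values.

```python
import ipaddress

# Constructed sample environment (assumed values, not from the article)
ATM_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # ATM fleet network
ATM_HOST = ipaddress.ip_network("10.10.1.5/32")      # ATM switch / transaction host
JUMP_HOST = ipaddress.ip_network("10.20.9.10/32")    # administrative jump server
ADMIN_PORTS = {22, 3389}                             # SSH and RDP

# Constructed firewall rules: (name, action, source, destination, port)
RULES = [
    ("atm-to-host",     "allow", "10.50.0.0/24", "10.10.1.5/32", 443),
    ("atm-to-internet", "allow", "10.50.0.0/24", "0.0.0.0/0",    443),
    ("admin-from-jump", "allow", "10.20.9.10/32", "10.50.0.0/24", 3389),
    ("admin-from-lan",  "allow", "10.20.0.0/16", "10.50.0.0/24", 22),
    ("default-deny",    "deny",  "0.0.0.0/0",    "0.0.0.0/0",    None),
]


def audit_rules(rules):
    """Return (rule name, finding) pairs for allow rules that weaken ATM segmentation."""
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue  # deny rules do not open a path and are not assessed here
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)

        # Outbound test: traffic from the ATM segment should only reach the transaction host
        if src_net.overlaps(ATM_SEGMENT) and not dst_net.subnet_of(ATM_HOST):
            findings.append((name, "ATM segment may reach destinations beyond the transaction host"))

        # Inbound test: admin protocols to ATMs should only originate from the jump server
        if dst_net.overlaps(ATM_SEGMENT) and port in ADMIN_PORTS and not src_net.subnet_of(JUMP_HOST):
            findings.append((name, "administrative access to ATMs not restricted to the jump server"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rules(RULES):
        print(f"{rule_name}: {finding}")
```

Run against the sample rules it reports the overly broad outbound rule and the LAN-wide SSH rule, while the host-only and jump-server rules pass.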

When planning an ATM security audit and building its scope, auditors should dedicate significant time to understanding the governance and business processes surrounding ATM management. Using industry frameworks such as PCI DSS is beneficial. However, audit tests need to be selected and calibrated to the ATM-related risk inherent to the audit client. In addition, involving penetration tests would enhance the quality and reliability of the delivered audit engagement.

Editor’s note: For further insights on this topic, read Aleksei Panov’s recent Journal article, “Key Considerations To Effectively Plan And Determine The Scope Of An ATM Security Audit Based On PCI DSS,” ISACA Journal, vol. 2, 2024.
