Linking 100 restaurants through one insecure server connection is a bad idea.
The following post is a segment in the Auditing Archives series. Hopefully the security failures I’ve seen while auditing businesses will help inspire better practices to ensure your own business security.
I have a sad story to tell. An unfortunate franchisee with hundreds of restaurant locations hired a third party IT company with little security skills to configure their restaurant point-of-sale (POS) systems across multiple locations. By allowing every restaurant access to the same programs and files back at corporate headquarters, it promoted process consistency across each restaurant management system, making information exchange easy, but also opening security holes.
Want to read more Auditing Archives stories?
The sad part of the story is, the IT company configured every in-store POS system identically … with the same easily-guessable password. (Read more about vendor default passwords.) And each of those stores were connected to a common file server back at corporate. Now, if a bad guy can get into the corporate network and on to the file share server, every single restaurant owned by that franchisee is at risk for card compromise.
SEE ALSO: 7 Questions To Ask Your POS Installer
Check out the case study below.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of StarTrek quoting skills. Live long and prosper.