Security
and POS Best PracticesPeter Harris
–
Peter.Harris@Toshibgcs.com
Product Line Manager
Session Overview
Are you leveraging best practices to ensure the inherent security of 4690? Attend this informative session to learn what they are and how they can be applied.
Agenda 4690 OS Security Functions including Hardware, and ACE
Best Practices 4690 OS Security Case Study
Who is next…
4690 OS - a track record of success in retail
Designed specifically for retail store environments‒ Reliable, secure and flexible Thin Client
Rock solid performance ‒ Approaching 1 million
installations worldwide Smallest footprint of any proven retail operatingsystem today
Dial-tone reliability – trusted 24 xx 365
16 of the top 25 retailers run 4690 OSTGCS 4690 Embedded Linux based Operating System is the premier point-of-sale platform in the retail industry today, delivering broad functionality and remarkable reliability.
4690 OS
–
Data Integrity and Security•
Data Integrity– Guaranteed data writing Mirrored file capability Totals retention Terminal storage retention
•
Security– Multilevel access authorization Enhanced user security with V & V OpenSSH, Secure Telnet, Secure FTP Directory Services with V Whitelisting and File Integrity Monitoring with V6.5
TGCS Security Bulletins
TGCS Security Workgroup Communications – Controlled Distribution to
4690 OS Entitled Customers Currently by Marketing Flash to TGCS Sales Team and Business Partners for Customer Delivery Future Plan via Entitled Customer Only Web Portal
Toshiba 4690 OS Security and Hardware
Terminal Hardware‒ 4690 terminals don’t require a hard disk or CD-ROM
‒ No auto-run for
devices in USB ports or CD-ROM‒ Keylocks
• Keyboard Cash Drawer Printer - Journal Station Operator Authorization (Application
Controller Hardware‒ No auto-run for devices in USB ports or CD-ROM
‒ Controller only drives your POS front end Remote access use Secure Shell (SSH) or Netop
‒ Console ID Security & FTP Lockout SSDs
Toshiba 4690
OS Security 4690 OS Architecture– Controls on File Management Media-less terminals Special Image Build Tools Software Distribution Methods Embedded Linux Layer is locked down
Windows Programs will not execute on 4690 OS– Modern Win net protocols typically do notwork with 4690 OS
Limited pool of deep 4690 OS skills available in the marketplace WW – Hackers will have to acquire 4690 skills Product Documentation removed from external website
Security Functions in the 4690 Operating System Enhanced Security
Directory Services /
Open LDAPSSH / SFTP
Console ID Lockout / FTP ID Lockout
Netop
Data Security for Payment Cards
Command Line Logging
SSL Certifications
Secure Delete
Encrypt Tool
MBrowser
Enhanced Menu
SSD Support
FIM
White Listing / Audit / Block
4690 OS
– Security
4690 OS– No user access to 4690 Linux core It’s not a general purpose OS Multilevel access authorization Whitelisting
with Vb Enhanced Security– Supports various password rules
Directory Services / Open LDAP– Enterprise management of IDs and passwords
4690 OS
– Whitelisting
File Integrity Monitor (FIM)– Customer creates baseline of golden system Customer periodically runs scans of store controllers, pulling results and comparing with previous scans
for unexpected file changes Whitelisting – Customer creates authorized program list using offline scan tool
– Each file included on the Whitelist has a signature Each open request verifies signature if the file is on the Whitelist and if signature matches Report Exception Mode Provides trace logging and system events for file status, but allows all opens to proceed Protect Mode Prevents execution of all files that do not match the signature. Files can be defined to always be blocked.
BEST PRACTICES
4690 OS Security with ACE