European banks are losing millions to ATM criminals, which highlights the importance of ATM-focused security audit engagements. What are the main ATM risks, and which industry frameworks are useful when considering an ATM security audit?
There are many security frameworks and best practice standards that are being used to help in conducting various audit engagements. Arguably, the most relevant for this topic is the Payment Card Industry Data Security Standard, or the PCI-DSS, that covers environments where sensitive account data is stored, processed or transmitted, including those environments that can impact the security of the cardholder data environment. Let’s have a look at two of the PCI DSS main requirements in the context of an ATM security audit.
Support Information Security with Organizational Policies and Programs
An information security policy determines the responsibilities of partners, management and employees, identifies risks and defines the controls that cover them. Potential risks for an ATM include cash-in-transit robbery, attacks on customers and cyberattacks on IT systems, and the related policy should help prevent, identify, respond to and recover from such events. For detailed information about ATM risk, I recommend the MITRE ATT&CK framework, as it helps to view and compare techniques that have already been used by different adversary groups.
Overall, information security policy should help facilitate effective management and operational decisions. From an audit team’s perspective, sound documentation always helps to understand the risk tolerance and its material impacts on an audit client.
Install and Maintain Network Security Controls
As always, all networking devices should be identified, documented, regularly patched and hardened. In the ATM context, I recommend starting with a review of the network diagrams and related data flows. From these, you can identify administrative access points, firewall placements and network segmentation. Potential areas of investigation include identity and access management (e.g., multifactor authentication, jump server usage, and the granting and revocation process), the traffic flows allowed by existing firewall rules, the effectiveness of firewall placement, and a review of selected device settings and installed patches. It is also worth physically inspecting ATMs to make sure no network cables or network devices are easily accessible from the outside.
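As an added illustration (not code from the original article), the following Python script applies three of the firewall-rule checks described above to a constructed ruleset for an ATM segment: administrative access to ATMs only from the jump servers, ATM-initiated traffic limited to the documented data flow, and an explicit default deny at the end. The address ranges, ports and rule format are assumptions made for the example.

```python
import ipaddress

# Assumed address plan for this constructed example (not a real bank's network).
ATM_NET = "10.20.0.0/24"     # ATM devices
JUMP_HOSTS = "10.30.1.0/28"  # jump servers used for administrative access
ATM_SWITCH = "10.40.5.10"    # transaction host the ATMs are documented to reach
CORP_NET = "10.50.0.0/16"    # general corporate network
MGMT_PORTS = {22, 3389, 5900}
ALLOWED_ATM_EGRESS = {(ATM_SWITCH, 443)}  # the only documented ATM-initiated flow

def within(addr, net):
    """True if a host or CIDR lies inside net; 'any' never qualifies."""
    if "any" in (addr, net):
        return False
    return ipaddress.ip_network(addr).subnet_of(ipaddress.ip_network(net))

def audit_rules(rules):
    """Return (rule_id, finding) pairs for an ordered list of firewall rules."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if "any" in (r["src"], r["dst"], r["port"]):
            findings.append((r["id"], "overly permissive any-rule"))
            continue
        # Administrative access to ATMs should originate from the jump servers only.
        if (within(r["dst"], ATM_NET) and r["port"] in MGMT_PORTS
                and not within(r["src"], JUMP_HOSTS)):
            findings.append((r["id"], "management access to ATMs not limited to jump hosts"))
        # ATMs should only initiate the flows shown on the data-flow diagram.
        if within(r["src"], ATM_NET) and not any(
                within(r["dst"], d) and r["port"] == p for d, p in ALLOWED_ATM_EGRESS):
            findings.append((r["id"], "ATM egress outside the documented data flow"))
    last = rules[-1] if rules else None
    if not last or last["action"] != "deny" or (last["src"], last["dst"]) != ("any", "any"):
        findings.append((None, "ruleset does not end with an explicit default deny"))
    return findings

# Constructed ruleset with three weaknesses an auditor would flag (rules 30, 40, 50).
WEAK_RULES = [
    {"id": 10, "src": ATM_NET, "dst": ATM_SWITCH, "port": 443, "action": "allow"},
    {"id": 20, "src": JUMP_HOSTS, "dst": ATM_NET, "port": 3389, "action": "allow"},
    {"id": 30, "src": CORP_NET, "dst": ATM_NET, "port": 22, "action": "allow"},
    {"id": 40, "src": ATM_NET, "dst": CORP_NET, "port": 445, "action": "allow"},
    {"id": 50, "src": "any", "dst": "any", "port": "any", "action": "allow"},
]
# Hardened version: only the documented flows, closed by an explicit default deny.
HARDENED_RULES = WEAK_RULES[:2] + [
    {"id": 90, "src": "any", "dst": "any", "port": "any", "action": "deny"}]
```

Running `audit_rules(WEAK_RULES)` reports rules 30, 40 and 50 plus the missing default deny, while `audit_rules(HARDENED_RULES)` returns no findings.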
When planning the ATM security audit and building its scope, auditors should dedicate significant time to understanding the governance and business processes surrounding ATM management. Using industry frameworks such as PCI DSS is beneficial; however, audit tests need to be selected and calibrated to the ATM-related risk inherent to the audit client. In addition, including penetration tests would enhance the quality and reliability of the delivered audit engagement.
Editor’s note: For further insights on this topic, read Aleksei Panov’s recent Journal article, “Key Considerations To Effectively Plan And Determine The Scope Of An ATM Security Audit Based On PCI DSS,” ISACA Journal, volume 2, 2024.