Right before the holidays last year, my credit card was rejected at a local store. The incident was slightly embarrassing and could have been really inconvenient—I had spent an hour in the store carefully selecting items. Fortunately, I had a lot of cash on me and stores still accept the paper stuff. When I got home, I called my credit card company and was told my card was being investigated for fraud because of two purchases totaling $9,000 the day before, neither of which was typical of my purchases. I’m glad credit card companies have algorithms that catch fraud like that.


As a writer following the retail industry, I was of course curious how someone had gotten my credit card number. It could have been any number of ways, including:

·        A dishonest gas station attendant or waiter using a hardware-based skimmer

·        Keylogging software on a point-of-sale (POS) device (see an earlier post on that) or even my computer

·        A data breach at a retailer’s back end

·        A cyberthief using malware to crack into a retailer’s POS systems and forward credit card information to the thief


With more and more retail devices handling customer information being connected through the Internet of Things (IoT), protecting such devices from malware has never been more important - or so potentially difficult, time-consuming, and expensive. The alternative, though, is much worse. A breach can cost a company hundreds of thousands of dollars and as much or more in brand reputation.


Enhanced Security through Smart POS Devices

Fortunately, one excellent solution is easy to implement and relatively inexpensive: employing smart POS devices providing enhanced security at the edge. Edge security protects customer payment information where it is at high risk and helps maintain PCI-DSS compliance.


No one security solution protects against all security threats—retailers need a comprehensive security plan. In an earlier post on enhancing retail device security and manageability, I explain how basing solutions on the 4th generation Intel® Core™ processor product family provides a full range of solutions for protecting personal and transactional retail data. This includes a range of hardware-based solutions for doing everything from protecting firmware from compromise to speeding up and enhancing the effectiveness of cryptographic technologies (encryption and decryption).


Whitelisting at the Edge

In this post I want to look into whitelisting, a solution permitting only authorized code to run on a device. In particular, I want to look at how the security technology company McAfee provides whitelisting solutions for embedded retail devices to eliminate the need for anti-virus software and constant patching. I also want to look at how the embedded solutions company BSquare makes them easy to implement through pre-validated images. 


Traditional anti-virus software, which looks for certain signatures and behaviors based on known, potentially malicious code, is a blessing and a curse. It provides valuable protection, but it needs constant updating to do so and slows down performance by having to examine every incoming file, as well as performing regular scans. Facing today’s rapidly reproducing malware variants and fast-adapting malicious behaviors, traditional anti-virus software and all the constant updating it requires is no longer enough.


How Whitelisting Works

Whitelisting keeps track of which users or devices have been granted access to a particular privilege, service or device. For instance, a software whitelist limits what software employees can install and run on company devices. Whitelisting can also be used to combat viruses and malware by blocking all software from running on a system except for the whitelisted applications considered safe for each particular device.


For endpoints like POS devices, whitelisting provides a less burdensome and more foolproof means of protection. Correctly implemented, whitelisting is a key component for a robust security plan for fixed-purpose endpoint devices. In fact, it can eliminate the need for anti-virus software, minimizing the memory and processing power required to keep a device safe. Furthermore, whitelisting satisfies a number of PCI DSS requirements related to configuration management, maintaining anti-virus software, patch management, user behavior controls, and others. It is particularly useful for enforcing secure builds on POS systems in retail environments where financial data and currency are handled.
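To make the contrast between the two models concrete, here is a small added example (not McAfee Application Control’s code or algorithm, and not from the original post) that enforces an allow-list of file fingerprints recorded from a validated POS image and compares it with a signature block-list. The file contents, names and the "repacked" variant are constructed stand-ins; the point it shows is that a block-list passes anything it has not seen before, while the allow-list denies both the unknown variant and a tampered copy of an approved program.

```python
"""Hash-based application allow-listing versus signature block-listing.

Added illustration of the principle described above; not vendor code.
All "files" below are constructed byte strings standing in for binaries.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for files a fixed-function POS image might contain.
POS_APP = b"pos-terminal-app v1.0"
PRINTER_DRIVER = b"receipt-printer-driver v2.3"
KNOWN_SCRAPER = b"memory-scraper build 1"                 # a sample the AV vendor has seen
REPACKED_SCRAPER = b"memory-scraper build 2 (repacked)"   # a variant it has not seen yet


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents; any byte change yields a different fingerprint."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class BlocklistScanner:
    """Traditional signature model: deny only what is already known to be bad."""
    bad_hashes: set = field(default_factory=set)

    def allows(self, data: bytes) -> bool:
        return fingerprint(data) not in self.bad_hashes


@dataclass
class AllowlistEnforcer:
    """Whitelisting model: permit only code whose fingerprint was recorded at build time."""
    approved_hashes: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)   # denied attempts, for the SOC to review

    def allows(self, name: str, data: bytes) -> bool:
        ok = fingerprint(data) in self.approved_hashes
        if not ok:
            self.audit_log.append(f"DENIED {name} sha256={fingerprint(data)[:16]}...")
        return ok


def build_golden_image_allowlist(files: dict) -> AllowlistEnforcer:
    """Record the fingerprints of a validated image once, before deployment."""
    return AllowlistEnforcer({fingerprint(content) for content in files.values()})


def compare_models() -> dict:
    """Run both models over the same candidates; returns name -> (blocklist_ok, allowlist_ok)."""
    scanner = BlocklistScanner({fingerprint(KNOWN_SCRAPER)})
    enforcer = build_golden_image_allowlist({"pos.exe": POS_APP, "printer.sys": PRINTER_DRIVER})
    candidates = {
        "pos.exe": POS_APP,
        "printer.sys": PRINTER_DRIVER,
        "scraper_v1.exe": KNOWN_SCRAPER,
        "scraper_v2.exe": REPACKED_SCRAPER,
        "pos.exe(tampered)": POS_APP + b"\x00",   # one byte appended to an approved program
    }
    return {name: (scanner.allows(data), enforcer.allows(name, data))
            for name, data in candidates.items()}


if __name__ == "__main__":
    for name, (blocklist_ok, allowlist_ok) in compare_models().items():
        print(f"{name:20s} blocklist={'allow' if blocklist_ok else 'deny':5s} "
              f"allowlist={'allow' if allowlist_ok else 'deny'}")
```

The allow-list never needs a signature update to stop the repacked variant, which is the property the post relies on when it says whitelisting can replace anti-virus on a fixed-purpose endpoint. The audit log of denied executions is the part a retailer would forward to central management, since a denial on a POS terminal is itself a useful detection signal.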


Implementing Whitelisting with McAfee Application Control

An excellent way to implement whitelisting in retail POS systems is McAfee Application Control. This software is designed to block unauthorized applications and code on endpoint devices, servers and other devices, and it can be centrally managed through McAfee ePolicy Orchestrator (McAfee ePO) (Figure 1). This means a retailer can manage whitelisting on hundreds of POS systems from a single screen.



[Figure 1 image: McAfee Whitelisting Diagram]

Figure 1. Centrally managed whitelisting solution using McAfee ePolicy Orchestrator (McAfee ePO) and McAfee Application Control.


McAfee Application Control uses a dynamic trust model and innovative security features to block unauthorized applications and foil advanced persistent threats without labor-intensive lists to manage. It imbues retail systems with zero tolerance for zero-day threats, extending coverage to executable files, libraries, drivers, Java apps, ActiveX controls, scripts, and specialty code for greater control over application components. Its small footprint and low performance overhead makes it ideal for protecting fixed-function devices, such as POS terminals.


Adding McAfee ePO single-console management streamlines and automates workflow, policy deployment, updates, maintenance, and reporting across all McAfee technologies used to protect endpoints. For convenience, McAfee ePO software connects management of both McAfee and third-party security solutions to LDAP, IT operations, and configuration management tools.


A Development Shortcut: Embedded Software Images from Bsquare

A great shortcut for developers looking to implement McAfee Application Control is to work with Bsquare, an embedded professional services company that partners with McAfee to deliver security solutions for fixed-function products. Bsquare’s in-depth knowledge of operating systems and silicon technology, expertise in all stages of device development, time-saving solutions and licensing knowledge can enable developers to rapidly and efficiently take smart connected devices from concept to market (Figure 2).

[Figure 2 image: Revised Recipe]

Figure 2. Bsquare’s recipe for easy implementation of McAfee Application Control.

Developers can employ Bsquare to supply an embedded software image and provide custom integration and applications as needed to help developers deliver complete retail solutions to their customers. For developers using Microsoft Windows* Embedded as their operating system, Bsquare, as a Microsoft Authorized Embedded Distributor, can take care of all the Windows Embedded licensing, software integration and other key considerations for bringing a solution to market.


Help Retailers Protect Their Customers

Any security breach that affects thousands or millions of people affects the entire computing industry. To combat such breaches, a common goal for all IoT devices should be to provide effective security solutions for the latest threats. Through the comprehensive solutions from Intel and its Intel® Internet of Things Alliance (Intel® IoT Alliance) partners like McAfee, Microsoft and Bsquare, the technology to do that is readily available. In many cases, it’s simply a matter of implementation. We should all ask ourselves, how will I protect my customers today?



Learn More

Solutions in this blog:

·        Microsoft Windows* Embedded

·        McAfee Application Control

·        McAfee ePolicy Orchestrator (McAfee ePO)

·        McAfee Embedded Security Solutions available through Bsquare


Related topics:

·        Security - Top Picks (blogs, white papers, and more)

·        Retail - Top Picks (blogs, white papers, and more)


McAfee and Microsoft are Associate members of the Intel® IoT Solutions Alliance. Bsquare is an Affiliate member of the Alliance.


Mark Scantlebury

Roving Reporter (Intel Contractor), Intel® IoT Solutions Alliance

Associate Editor, Embedded Innovator magazine