The most common information security mistakes of e-commerces
Almost every month a new incident involving a big retailer, e-commerce or web platform makes the news headlines. Most retail fraud is now committed online, and in 2014 alone hackers managed to steal more than 61 million records from retailers. We will try to analyze the most common managerial and operational mistakes retail organizations make when defending against hackers.
Almost every month a new incident involving a big retailer, e-commerce or web platform makes the news headlines. Meanwhile, Gartner says that worldwide information security spending will reach $71.1 billion, almost 8% growth, as organizations become more threat-aware. At the same time, the global cost of cybercrime has exceeded 400 billion dollars, most retail fraud is now committed online, and in 2014 alone hackers managed to steal more than 61 million records from retailers.
Even though organizations are spending more, they are continuing to lose money. We will try to analyze the most common managerial and operational mistakes retail organizations and e-commerce businesses make when defending against hackers.
Underestimating the value of their data on the Black Market
Many online businesses, e-commerce sites and online retailers still seriously underestimate the Black Market value of the data they possess and handle every day. Customer databases from online stores are probably among the most expensive on the Black Market, because they usually contain correct, up-to-date and complete customer records, sometimes with credit card numbers or other financial data. Higher-quality records can only be found in e-banking databases, which are rarer and therefore less widely traded on the Black Market.
Completeness and accuracy are very important factors in database pricing on the Black Market. Even spammers prefer to purchase personal records stolen from an online shop rather than from a blog or a free forum, because they can better target their subsequent spam emails for a higher click-through rate, which consequently generates more income.
Obviously, cyber criminals who make money from stolen credit cards or identity theft need as much information about their victims as they can obtain in order to bypass fraud prevention systems. Therefore, customers of online stores are perfect targets for them as well.
Gaining a false sense of security from big budgets
Quite often, companies tend to purchase several very expensive solutions (such as SIEM or DLP) from well-known security brands without really analyzing whether the solution is actually what they need and is appropriate for their business environment. Unfortunately, there is no magic solution that resolves all their problems in its default configuration.
I have witnessed large e-commerce businesses that spent several tens of thousands of dollars on WAF or IPS solutions, and then failed to enable them (because the default configuration blocked a high number of legitimate users). I have even witnessed large companies where security teams were reading a penetration test report six months after delivery, while top management was convinced that they were doing very well at ensuring corporate cybersecurity according to industry best practices. Obviously, I am not surprised that hackers are still making headlines.
Failing to conduct proper and independent risk assessment
As we hear about attacks on the Targets and eBays of this world, many SME e-business owners gain a false sense of security, believing that they will not be attacked because their customer databases are not big or interesting enough for hackers. This assumption is incorrect, because in the majority of cases hackers are not looking for customers and data from a specific web shop; they are just looking for [commercially] exploitable data. All retailers are at risk and should have a cybersecurity strategy.
The very first step, before spending a single cent on cybersecurity, is to conduct a thorough risk analysis. A risk analysis is the vital base without which it is simply impossible to build and maintain a secure infrastructure. First of all, you need to properly identify sector-specific, regional and corporate cybersecurity risks, as all of them should be taken into consideration.
Then you need to understand how serious the consequences and associated losses of these risks are. Finally, you need to sort the risks by their priority for your business. When identifying the risks, don't rely only on your in-house team; the more external experts you can involve, the better. Turn to your colleagues from other companies to see which risks, problems and incidents they have had recently. Many, if not the vast majority of, security breaches occur because the security team hasn't taken a particular risk into consideration or didn't assign it the right priority when allocating human and financial resources.
Failing to select both efficient and effective products
When your cybersecurity risks are properly identified, analyzed, understood and prioritized, it is the right moment to select solutions that are both efficient and effective at mitigating those risks. In today's overheated security market many companies fail to identify solutions that are both efficient and effective for their infrastructure. Efficient means doing the job well in comparison to the others in the same niche; for example, an award-winning antivirus that technically outperforms other AV solutions can be considered efficient.
However, its efficiency does not guarantee in any way that it will be effective for your business environment and related risks. Effective means doing the right and appropriate thing for your particular circumstances. For example, an antivirus will hardly replace a professional DLP solution, and if your main concern is an insider threat, AV is not an effective solution to mitigate it, even if the AV sales manager tells you the contrary.
Sticking to one supplier or vendor
Sometimes companies tend to source cybersecurity solutions from one vendor or reseller in order to simplify the buying process and have a single point of contact for any cybersecurity issue. In fact, very few companies can offer you a complete portfolio of products and services without outsourcing or subcontracting. Obviously, vendors, especially large companies, will try to sell you everything they can; however, such a practice is far from technically efficient. Every single vendor should provide you with specific expertise in the area where its products or services outperform the others on the market. Otherwise your cybersecurity budget and efforts will be in vain.
Information security products and services definitely need diversification. For example, web application security involves regular vulnerability and malware scanning, web penetration testing services, an integrated and managed Web Application Firewall, a data integrity monitor, and an IDS that will alert you about any anomalies. Obviously, even for this relatively short list it is difficult to find a company that will provide you with top quality across all the items without calling on its partners or third-party suppliers.
Talk to your colleagues, read analysts' reports, check the media and independent reviews, and make a short-list of suppliers you are interested in working with. At the end you will be able to compare their offerings and see which company inspires you with confidence. And try to avoid working with resellers and third-party integrators: they very often try to sell you solutions that bring them more money, not more security for your network.
Getting information from wrong sources
Statistics are not always appropriate for cybersecurity. For example, a sudden jump in data breaches sometimes only reflects one big hack (e.g. Target) that inflated the total number of compromised records. At the same time, many security incidents are never publicly disclosed and therefore never get into any statistics. Many security consultants and analysts can provide you with nicely written reports about recent trends and statistics in cybersecurity. Quite often, however, these reports omit or fail to highlight the real risks, talking instead about marketing-hype trends such as Advanced Persistent Threat (APT) protection or Dark Web threats.
If you want to understand the latest trends in web application security, for example, read bugtraq and vendor-neutral white papers about new vectors of web attacks. Talk to your local law enforcement agencies; they can share interesting experience about the latest cybercrime cases in your domain of activity, about which infosec media will probably never write. Finally, visit websites like XSSposed and see how all modern WAFs are being bypassed on live websites of multinational companies.
Perceiving security as a follow-up, not as a continuous process
Many large e-commerce companies tend to give priority to the development of new functions, features or products, completely forgetting to secure them before deployment. In the aggressive and highly competitive business world it is a pretty understandable approach: if your competitor is the first company to launch a new mobile platform, its shares will go up while yours go down.
However, think about the consequences if tomorrow your company makes a sensational headline about the biggest data breach in your sector. Keep in mind that once stolen, your data will remain on the Black Market forever, and the losses you incur may last many years, as you cannot predict when hackers will decide to launch a targeted phishing campaign against your customers. Therefore, bear in mind that a data breach can have long-standing repercussions for your company.