:: By Xuyen Bowles, Sentek Cyber ::
Is your business busy prepping to grab a piece of the expected $3 billion in online sales that will generate from this year's Cyber Monday? Does part of your prep include attention to cybersecurity? It’s not only shoppers and business owners who look forward to Cyber Monday — cybercriminals do, too.
Cyber Monday is a security threat for online retailers because the massive increase in web traffic can make it easier for malicious traffic and anomalies to go unnoticed. Hackers are able to hide their efforts within the high volume of that traffic — just like a pickpocket in a crowded street.
Whether it’s by setting up phishing sites, which lure shoppers to give away usernames, passwords, or even credit card details, or by planting malicious code to siphon customer identities and credit card information, cybercriminals use Cyber Monday to their advantage.
While your business is finalizing special promotions and stocking up on inventory, it should be polishing its cybersecurity measures, too.
Review Security Policies From End to End
When we say end to end, we mean it. Now is the time to:
- Review your business’ policies, procedures, and architecture.
- Run audits on event logs to ensure there are no issues.
- Audit firewalls for rules and policies ensuring the removal of any rule or policy not in use.
- Inspect all software packages your business uses for up-to-date security patches by their respective vendors.
- Ensure e-commerce applications have requirements to follow PCI-DSS/NIST certifications.
- Make sure you have full encryption all the way from the front end of an application right through to the backend database. Transport layer protocols need full encryption, too. Review encryption certificates.
- Implement two-factor authentication.
As you look at the technical side, don’t forget the people. Make sure your staff understands the policies and how important they are — there’s no point in having policies on paper if they aren’t followed. Conduct cyber awareness and social engineering training for all employees. Run exercises for incident response and contingency plans to make sure your staff can handle any situation that may come up.
Know the Popular Types of Attack
Understand what attacks your organization could be vulnerable to. If you don’t know the threat, you can’t protect yourself against it.
Social engineering attacks have become the choice of malicious actors and hackers. This type of attack exploits a company’s employees to get information allowing access to the systems. It’s often as simple as a hacker cold-calling an employee at a company, pretending to be a member of the company’s internal security team to get sensitive information, such as user IDs and passwords.
This is why it’s so important to train employees on cybersecurity practices. Otherwise, your company is considered vulnerable, as the annual DEF CON conference shows. Every year, hackers and IT professionals at the conference cold call corporate employees and get them to disclose sensitive information. Every year, major U.S. companies such as Home Depot and Walmart fall for these social engineering tactics.
Advance persistent threat (APT) attacks occur over a long period of time. The attacker’s goal is to avoid detection and plant malware that aids in extracting data. Normally, these types of attacks are used by nation state-sponsored actors. Any company connected to the internet could be a target of this type of attack, at any time.
Netflix, Amazon Web Services, and Twilio were among those recently affected by Distributed Denial of Service (DDOS) attacks. These attacks targeted Dyn’s managed Domain Name System (DNS) infrastructure. The multi-vectored attack interrupted consumer traffic to get to e-commerce sites. Although this attack was aimed at a DNS service provider, this type of attack can happen to any website at any time.
As the case of Target shows, social engineering attacks combined with malware can easily be used to steal sensitive information — hackers stole an incredible 40 million credit card numbers from Target in the span of two weeks. This happened not because Target’s security systems failed, but because their human ones did. The security team Target had hired flagged Target’s security team, which didn’t act.
Make sure your security team is prepared for all these types of attacks, and that all staff understand how social engineering attacks work so they can be vigilant, too.
Conduct Vulnerability Assessments
When you have ensured your e-commerce application is up-to-date and your staff knows all the security protocols, it’s time to conduct vulnerability assessments.
Hire a third-party cyber assessment team to assess if there are vulnerabilities you have not found. It’s important for a third-party to conduct this assessment, as they will bring fresh eyes to your systems and find things your team has overlooked.
You need to conduct:
- Web application testing, which starts from the internal side of the application network, beginning with the operating systems and moving to the backend of the application or databases. Then the team will assess the web application from the internet just as an attacker would see it.
- Penetration (PEN) testing normally follows a full vulnerability assessment. PEN testing has a cybersecurity specialist attempt to hack or penetrate through the web application to the internal network and databases. Depending on the scope, PEN testing can test the security of the system, the readiness of IT staff, and even the effectiveness of the cyberawareness training for all staff. PEN testing is important for cyber readiness not only for Cyber Monday, but for every day.
With the endless cyber threats out there, the world of e-commerce can seem intimidating. However, if you follow our advice to review and update your security protocols, make sure your staff practice cybersafety, and conduct vulnerability assessments, you will have gone a long way toward preventing attacks aimed at your business.
This Cyber Monday, don’t let criminals get in the way of sales. Take steps to make sure your business is secure so you can focus on profits rather than security threats.
About the Author:
With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego, CA. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security protection from penetration testing, consultancy, training to advance threat detection. "It's not a matter of if, it's a matter of when." Ms. Bowles finds great gratification in helping companies ensure they are safe from data breach.