Website Security: Roundtable for Retailers
Achieving true success as an Internet retailer is difficult enough on its own. But when merchants take unnecessary risks involving the security of their ecommerce websites — whether they do so intentionally or not — the virtual road to Web success becomes fraught with peril.
Education is the best defense against the multiple website security threats faced by today’s online retailers, so we spoke with representatives from four of the leading solutions providers to get some answers. By understanding the specific dangers, the potential havoc they can create, and the strategies and methods that may help prevent them, merchants can rest easier and focus on the already challenging task of running a retail business.
WM: What are the most potentially damaging security threats that e-commerce merchants should be aware of?
Jeremiah Grossman, founder and chief technology officer of WhiteHat Security:
The most widely used website attack techniques over the last several years have been SQL injection, PHP file include, password reuse, denial of service and malware infection. The bad guys, whether classified as hacktivists, cyber-criminals or nation-state sponsored, all want data and they’ll take the path of least resistance to get it.
Johnnie Konstantas, security director at Juniper Networks:
Malicious insiders, which are privileged users who leverage their position to gain access to high-value information like stored user credentials in an effort to profit from this information or retaliate toward employers for layoffs or other perceived slights. Also botnets or automated hacking, which are scripts that leverage many distributed computing resources to overwhelm and subdue e-commerce servers.
Ken Beer, director of Web security business at Trend Micro:
Hackers gaining direct access to the back-end systems that store customer data, or gaining direct access to data through the website directly. Also, denial of service attacks in which the hacker floods your site with bogus traffic, making it impossible for real customers to use the site.
Kurt Baumgartner, senior researcher for Kaspersky Lab:
Complete breach of their Web infrastructure, resulting in complete server compromise and access to customer credentials and employee email archives. On a technical level, these compromises often are attributed to SQLi (SQL injection) vulnerabilities, Web application vulnerabilities, abuse of default and poorly configured services and credentials, and sometimes theft of Web admins’ passwords.
WM: How can merchants best defend themselves against these threats?
Jeremiah Grossman of WhiteHat Security:
Hack yourself first. It is way better to have someone that you know and trust constantly attempt to hack your website and point out the weaknesses so they can be fixed. Also implement a Secure Software Development Lifecycle (SDL). When mistakes are identified from the hack-yourself-first policy, tie them back to a missed process or control in the SDL. As a result, over time new code quality and security will improve dramatically.
Much of the value that a comprehensive security program provides is noticing when a breach occurs, being ready to respond quickly and preventing catastrophic damage — all of which requires ongoing monitoring of traffic and logs.
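The "ongoing monitoring of traffic and logs" Grossman mentions, shown as an added example (this is not code from the roundtable or from WhiteHat Security): a small scanner that parses combined-format web access log lines, URL-decodes the request path and flags the crude SQL injection indicators an analyst would start from. The log lines, the IP addresses and the three indicator patterns are all constructed for the demonstration; production rules would be tuned to the site and paired with the application's own error logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of Apache/nginx "combined"-style access log lines.
# These are made up for the example; they are not from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /product?id=42 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 81234
203.0.113.9 - - [10/Oct/2012:13:56:01 +0000] "GET /search?q=red+shoes HTTP/1.1" 200 2210
203.0.113.7 - - [10/Oct/2012:13:56:09 +0000] "GET /product?id=42%20UNION%20SELECT%20email,password_hash%20FROM%20customers-- HTTP/1.1" 500 311
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Crude SQL injection indicators, matched against the URL-decoded request
# path. Illustrative only; real rules need tuning per site.
SQLI_PATTERNS = [
    ("quoted-or", re.compile(r"'\s*or\s*'?\w*'?\s*=", re.I)),     # ' OR '1'='1
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),  # UNION SELECT ...
    ("sql-comment", re.compile(r"(--|/\*)\s*$")),                  # trailing comment
]


def parse_line(line):
    """Return a dict of log fields plus the URL-decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def sqli_indicators(decoded_path):
    """Names of every SQLI_PATTERNS entry that fires on the decoded path."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded_path)]


def flag_sqli(log_text):
    """Scan log text; return (ip, decoded_path, status, indicators) per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = sqli_indicators(rec["decoded_path"])
        if names:
            hits.append((rec["ip"], rec["decoded_path"], rec["status"], names))
    return hits


if __name__ == "__main__":
    for ip, path, status, names in flag_sqli(SAMPLE_LOG):
        print(f"{ip} {status} {names}: {path}")
```

Decoding before matching matters: the second sample line is percent-encoded and would slip past a pattern applied to the raw path. The 500 status on the last line is the kind of corroborating signal (a query that broke the application) that a reviewer would correlate with the flagged request.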
Johnnie Konstantas of Juniper Networks:
Web server-specific protections are a must-have for e-commerce firms. The more advanced solutions will detect attempts at misuse and hacking, even by insiders, well before the attacker is successful. Also, solutions that collect forensic data on attack attempts can help firms continually optimize their security configurations and policies.
Ken Beer of Trend Micro:
Merchants who manage their own website e-commerce infrastructure should have an audit done to understand where their current weaknesses are. After the initial audit, ongoing penetration testing and vulnerability scanning should be done so that the site can be tested against the latest threats and techniques. Merchants who outsource their website e-commerce infrastructure should make sure the service provider they use can present the results of such audits and regular scanning activities.
Kurt Baumgartner of Kaspersky Lab:
In addition to their Web applications and frameworks, many merchants don’t understand default configurations of remotely accessed tools and services on their servers and how to modify and update them, which they need to act on. SQL injection is a problem that should be well understood by merchants’ code reviewers and developers so that Web apps can be properly defended. Web admins and developers should be carefully guarded against viral malware and Web-based client-side exploits delivering spyware.
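The SQL injection defense Baumgartner says developers and code reviewers should understand, shown as an added example (not code from the roundtable or from Kaspersky Lab): a customer lookup that concatenates the request value into the SQL text, next to the same lookup with the value bound as a parameter. The customers table, its two rows and the tautology payload are constructed for the demonstration; SQLite is used only because it runs in-process with no setup.

```python
import sqlite3

# Constructed sample table for the demonstration (not data from the article).
SAMPLE_ROWS = [
    ("alice@example.com", "hash-of-alice-password"),
    ("bob@example.com", "hash-of-bob-password"),
]


def make_db():
    """In-memory SQLite database with a minimal customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def find_customer_vulnerable(conn, email):
    """VULNERABLE: the request value is pasted into the SQL text, so the
    database parser treats whatever the attacker typed as part of the query."""
    sql = "SELECT email, password_hash FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_parameterized(conn, email):
    """HARDENED: the value is bound as a parameter; the parser never sees it
    as SQL, so quotes and keywords in the input cannot change the query."""
    sql = "SELECT email, password_hash FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload, constructed for the example. Pasted into the
# vulnerable query it becomes: ... WHERE email = '' OR '1'='1'
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("legit email, vulnerable:   ", find_customer_vulnerable(db, "bob@example.com"))
    print("payload, vulnerable:       ", find_customer_vulnerable(db, INJECTION))
    print("payload, parameterized:    ", find_customer_parameterized(db, INJECTION))
```

The vulnerable function returns every row, credentials included, when given the payload; the parameterized one returns nothing because it looks for a customer whose email is literally the payload string. This is the check a code reviewer applies: any query built with string concatenation or formatting from request data is a finding, regardless of what input validation sits in front of it.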
WM: What security-related trends should online retailers expect to see in the next two years?
Jeremiah Grossman of WhiteHat Security:
More breaches and a shift to the cloud as online retailers continue leveraging service providers for security cover. While the average online retail website has become more secure over the last several years, the threat landscape has become far more hostile. Billions are lost annually due to cyber-crime with little sign of slowing.
Johnnie Konstantas of Juniper Networks:
Online retailers will start adopting newer, more innovative methods to protect their Web servers, including countermeasure-based types of solutions that are just now emerging as a category. These break with the traditional detection-based model and rather get ahead of the attack by predicting it at the onset. They then turn the tables on hackers by deceiving them with decoys, making the process of hacking attempts tedious and expensive in terms of time, and ultimately unsuccessful.
Merchants may also take a more active role in educating their customers on behaviors to protect their identity and privacy. In general, as online commerce goes mainstream, all participants will have a stake in ensuring secure transactions, which will spawn new and more informed buyer behaviors and better and more effective means of protection.
Ken Beer of Trend Micro:
The trend today is finding ways to enable more and more e-commerce from mobile devices. The reality is that security controls are weaker because merchants need to make the buying process easier for these mobile devices. You don’t want to force an iPhone user to type their credit card number on that tiny keyboard every time they want to buy something, so the credit card number is going to get stored somewhere for ease-of-use reasons. Every merchant that offers these mobile shopping services will have to store these numbers, so the risk of a breach goes up.
We will likely see more and more cases of second-tier merchants who lose much of their customers’ financial information to skilled hackers who know how to circumvent the “good enough” security measures these merchants have put in place. The robustness of preventive and reactive security measures will continue to be one of the characteristics that distinguish first-tier from second-tier e-commerce merchants.
Kurt Baumgartner of Kaspersky Lab:
Offensive tactics are becoming better known to hackers and widely distributed at no cost. Ready-to-use, scalable, automated, open-source attack packages and many freshly discussed vulnerabilities are quickly catalogued, managed and distributed. Both organized cybercrime and independent cybercriminals are using these tools to their advantage. In many ways, online retail is becoming less secure for the retailers.
WM: Which is all the more reason for merchants to take their Web security as seriously as possible.

