Website Security: Roundtable for Retailers

Achieving true success as an Internet retailer is difficult enough on its own.

But when merchants take unnecessary risks involving the security of their ecommerce websites — whether they do so intentionally or not — the virtual road to Web success becomes fraught with peril.

Education is the best defense against the multiple website security threats faced by today’s online retailers, so we spoke with representatives from four of the leading solutions providers to get some answers. By understanding the specific dangers, the potential havoc they can create, and the strategies and methods that may help prevent them, merchants can rest easier and focus on the already challenging task of running a retail business.

WM: What are the most potentially damaging security threats that e-commerce merchants should be aware of?

Jeremiah Grossman, founder and chief technology officer of WhiteHat Security: The most widely used website attack techniques over the last several years has been SQL injection, PHP file include, password reuse, denial of service, and malware infection. The bad guys, whether classified as hacktivists, cyber-criminals or nation- state sponsored, all want data and they’ll take the path of least resistance to get it.

Johnnie Konstantas, security director at Juniper Networks: Malicious insiders, which are privileged users who leverage their position to gain access to high-value information like stored user credentials in an effort to profit from this information or retaliate toward employers for layoffs or other perceived slights. Also botnets or automated hacking, which are scripts that leverage many distributed computing resources to overwhelm and subdue e-commerce servers.

Ken Beer, director of Web security business at Trend Micro: Hackers gaining direct access to the back-end systems that store customer data, or gaining direct access to data through the website directly. Also, denial of service attacks in which the hacker floods your site with bogus traffic, making it impossible for real customers to use the site.

Kurt Baumgartner, senior researcher for Kaspersky Lab: Complete breach of their Web infrastructure, resulting in complete server compromise and access to customer credentials and employee email archives. On a technical level, these compromises often are attributed to SQLi (SQL injection) vulnerabilities, Web application vulnerabilities, abuse of default and poorly configured services and credentials, and sometimes theft of Web admins’ passwords.

WM: How can merchants best defend themselves against these threats?

Jeremiah Grossman of WhiteHat Security: Hack yourself first. It is way better to have someone that you know and trust constantly attempt to hack your website and point out the weaknesses so they can be fixed. Also implement a Secure Software Development (SDL) Lifecycle. When mistakes are identified from the hack yourself first policy, tie them back to a missed process or control in the SDL. As a result over time, new code quality and security will improve dramatically.

Much of the value that a comprehensive security program provides is noticing when a breach occurs, being ready to respond quickly and preventing catastrophic damage — all of which requires ongoing monitoring of traffic and logs.

Johnnie Konstantas of Juniper Networks: Web server-specific protections are a must-have for e-commerce firms. The more advanced solutions will detect attempts at misuse and hacking, even by insiders, well before the attacker is successful. Also, solutions that collect forensic data on attack attempts can help firms continually optimize their security configurations and policies.

Ken Beer of Trend Micro: Merchants who manage their own website e-commerce infrastructure should have an audit done to understand where their current weaknesses are. After the initial audit, ongoing penetration testing and vulnerability scanning should be done so that the site can be tested against the latest threats and techniques. Merchants who outsource their website e-commerce in frastructure should make sure the service provider they use can present the results of such audits and regular scanning activities.

Kurt Baumgartner of Kaspersky Lab: In addition to their Web applications and frameworks, many merchants don’t understand default configurations of remotely accessed tools and services on their servers and how to modify and update them, which they need to act on. SQL injection is a problem that should be well understood by merchants’ code reviewers and developers so that Web apps can be properly defended. Web admins and developers should be carefully guarded against viral malware and Web-based client-side exploits delivering spyware.

WM: What security-related trends should online retailers expect to see in the next two years?

Jeremiah Grossman of WhiteHat Security: More breaches and a shift to the cloud as online retailers continue leveraging service providers for security cover. While the average online retail website has become more secure over the last several years, the threat landscape has become far more hostile. Billions are lost annually due to cyber-crime with little sign of slowing.

Johnnie Konstantas of Juniper Networks: Online retailers will start adopting newer more innovative methods to protect their Web servers, including countermeasurebased types of solutions that are just now emerging as a category. These break with the traditional detection-based model and rather get ahead of the attack by predicting it at the onset. They then turn the tables on hackers by deceiving them with decoys, making the process of hacking attempts tedious and expensive in terms of time, and ultimately unsuccessful.

Merchants may also take a more active role in educating their customers on behaviors to protect their identity and privacy. In general, as online commerce goes mainstream, all participants will have a stake in ensuring secure transactions that will spawn new and more informed buyer behaviors and better and more effective means of protection.

Ken Beer of Trend Micro: The trend today is finding ways to enable more and more e-commerce from mobile devices. The reality is that security controls are weaker because merchants need to make the buying process easier for these mobile devices. You don’t want to force an iPhone user to type their credit card number on that tiny keyboard every time they want to buy something, so the credit card number is going to get stored somewhere for ease-of-use reasons. Every merchant that offers these mobile shopping services will have to store these numbers, so the risk of a breach goes up.

We will likely see more and more cases of second-tier merchants who lose much of their customer’s financial information to skilled hackers who know how to circumvent the “good enough” security measures these merchants have put in place. The robustness of preventive and reactive security measures will continue to be one of the characteristics that distinguish first-tier from second-tier e-commerce merchants.

Kurt Baumgartner of Kaspersky Lab: Offensive tactics are becoming better known to hackers and widely distributed at no cost. Ready to use, scalable, automated, open-source attack packages and many freshly discussed vulnerabilities are quickly catalogued, managed and distributed. Both organized cybercrime and independent cybercriminals are using these tools to their advantage. In many ways, online retail is becoming less secure for the retailers.

WM: Which is all the more reason for merchants to take their Web security as seriously as possible.