Ecommerce Security Solution – WSA’s approach to eCommerce
Business practices are being transformed along their digital journey, with organizations of all sizes, from small to large enterprises, going digital. The B2C e-commerce segment has evolved into a multi-billion-dollar industry. The ease with which an e-commerce portal can be set up today, at an unexpectedly low cost, makes the transformation worthwhile for almost any business. Accordingly, digital channels are rapidly becoming the preferred choice of many organizations for interacting with businesses.
On one side, getting businesses online is highly attractive to organizations; on the other, web applications have turned out to be a "soft spot" for hacktivists and cyber criminals intent on stealing credit card information and other customer data. The proliferation of these channels is attracting unwanted attention from fraudsters looking to capitalize on new online and mobile vulnerabilities. Web application security is therefore one of the crucial elements of e-commerce security.
Cyber threats, meanwhile, are evolving in volume, sophistication and impact, making it tougher for internal security teams to detect and address advanced threats around the clock. Recently, multiple cyber-attacks on retailers, including Staples, Home Depot, Neiman Marcus, Kmart, Michael’s, Dairy Queen and Bebe, have cost millions to return to business-as-usual. Digital threats are constantly evolving, and cyber criminals are using progressively sophisticated techniques to target vulnerabilities without being detected. The systems and technologies that support e-commerce are susceptible to abuse and failure in multiple ways, of which the following are the most common:
- Fraud, which is one of the biggest sources of direct financial loss.
- Theft of confidential, proprietary, technological or marketing information belonging to the firm or to its customers. An intruder may disclose such information to a third party, resulting in damage to a key customer, a client, or the firm itself.
In some cases, retailers take years to recover their brands and online relationships with their customers. Such cyber attacks highlight the urgency for retail organizations to contend with ever-increasing risks to customer protection, continuity, responsibility and operations. These incidents have generally led to brand degradation and changes in consumer behavior.
In the past, retailers have taken a compliance approach to cyber risk, focusing on payment card industry (PCI) compliance. Recent events illustrate that compliance does not equal risk management. As retailers innovate to meet business demand and drive growth, for example through omni-channel retailing, they also increase their cyber risk profile. Businesses can no longer afford to be ‘sitting ducks’; they need to understand the risks and threats of operating online while being prepared to both prevent and respond to an attack. Cyber security must be part of marketing strategy and technology enablement, not delegated to IT as an add-on.
At WSA, we lay emphasis on:
- Building and maintaining a secure network for ecommerce portals
- Protecting personal and sensitive data across the environment
- Maintaining a periodic consistent vulnerability management program
- Executing robust access control measures as per the solution blueprint
- Regularly monitoring and testing networks (including measures such as network access control)
- Maintaining an information security policy that creates a “system” for the organization to follow across deployments
To mitigate the risks relevant to the e-commerce industry, we primarily emphasize the following WSA security services:
- Vulnerability Management and Penetration Testing (across platforms)
- Secure Software Development Lifecycle
- Security Compliance and Audit
- Managed Security Services (Security Operations Center)
Figure 1 Comprehensive WSA Framework for E Commerce
From a testing perspective, we emphasize the following key areas:
- External Vulnerability Assessment – The purpose of this assessment is to identify as many security vulnerabilities as possible that are accessible from the Internet. The focus is to identify the breadth of potential security issues on systems that have externally routable IP addresses or are reachable from the Internet, including the Demilitarized Zone (DMZ) and any IP ranges associated with the organization.
- External Penetration Test – The identification and validation of security vulnerabilities that are accessible from the Internet. The focus is to identify the depth and impact that a few critical, externally facing vulnerabilities may have.
- Web App Security Assessment – The focus of this assessment is to identify the use of insecure coding practices, security flaws in the application design, or misconfiguration of the application and its supporting services.
- Internal Vulnerability Assessment – The identification of as many security vulnerabilities as possible that are accessible from inside the organization. The focus is to identify the breadth of potential security issues on systems that are accessible from within the organization’s network, emulating a threat from an internal resource such as an employee, contractor, or business partner.
From a Software Development Lifecycle process perspective, we emphasize integrating security as a critical component at the appropriate phases of an organization’s software and system development, integration and maintenance processes:
- Secure Coding Guidelines
- Secure Architecture Standards and Review
- Secure Code Standards, Review and Testing
Increased application security focus makes business sense, not just by avoiding incident costs but also by enabling business value.
Figure 2 Sample compliance deliverables
From an audit and compliance perspective, organizations face an increasing number of security and privacy requirements stemming from government regulations and industry programs.
These regulatory requirements have driven a significant amount of compliance effort across various industries. To help consolidate overlapping security requirements, reduce redundant compliance effort, and implement consistent control decisions, we focus on providing an integrated compliance approach that supports organizations’ ongoing compliance needs.
24x7x365 availability of business services requires 24x7x365 monitoring of the environment with company-specific security use cases. We at WSA believe that a co-sourcing model provides higher value than traditional managed security services provider (MSSP) offerings for e-commerce. The value is derived from:
- Monitoring deep within the perimeter using rich internal data sources for better detection of targeted attacks and insider threats.
- Evolving monitoring capabilities from compliance to advanced loss prevention and anomaly detection.
- Getting tailored, specialized support where you need it, from routine systems management and maintenance to advanced incident analysis and threat research support.
- Leveraging a diverse skill set that would likely be cost-prohibitive to hire as in-house staff.
Extended Reading on E-Commerce Risks
In an e-commerce ecosystem, personal and sensitive data such as customer information, financial data and intellectual property moves horizontally across organizational boundaries, as well as vertically through business processes (e.g., the order fulfillment process). Enterprises often do not have a good understanding of the movement, proliferation and evolution of their data.
Over time, the approaches used by e-commerce portals to process and store such data, including credit card information, have become much more sophisticated than in the early days of online shopping. This development has helped e-shopping overcome one of the greatest impediments in the industry: consumer trust. As shown by the amount of money spent online annually, consumers feel much more comfortable spending online than they ever have. Unfortunately for e-commerce businesses, the means used by cyber criminals to steal their customers’ details have also made it easier than ever to compromise a web application.
The shift has to do with the fact that today’s cyber security efforts entail protecting against a wider range of challenges. Emerging technologies, trends in mobile usage, social media, well-funded and organized adversaries, round-the-clock attacks and more have pushed these industry-specific issues to the forefront. Cyber attacks are exploiting weaknesses in traditional controls, some very destructively. Traditional controls around Point of Sale (PoS) and other IT systems are necessary, but may no longer be as crucial from an end-to-end standpoint.
Cyber risks are becoming more complex in nature and can have a direct impact on a whole range of aspects, from share prices and revenue streams to regulatory compliance and brand reputation. Traditional information security principles and practices can address a large number of risks, but true cyber security demands that capabilities (people, processes and technology) be built on intelligent security rather than information security alone. Threat sources and exposure points relevant to e-commerce include:
- Organized criminals and gangs, who are financially motivated, targeting consumer payment or personal information
- Insider threats, such as third party supplier systems connected to your network
- Hacktivists who are morally motivated, targeting perceived labor relations issues or environmental impacts
- E-commerce website vulnerabilities that create exposure points for site defacement or denial of service and distributed denial of service attacks (DoS / DDoS)
- Lack of network segmentation or point-of-sale systems exposed to the internet create additional entry points for attack
- Lack of email controls and limited security awareness among staff allows phishing attacks to be successful
- An inter-connected third party (e.g. a social marketer or CRM provider) is compromised and the attacker gains access to the retailer's network
- Attack vector shifting from technology to people
- Attack patterns are increasingly starting to look like normal behavior. Threats are increasingly hiding in plain sight. Some of the threats are adaptive and have the ability to go into dormant mode, making them difficult to detect.
- Criminals, state actors and even hacktivists are building better intelligence and capability, and have a wider network of resources than organizations (i.e., a widening capability gap)
- Supply chain and business partner poisoning or lateral entry are on the rise
In the aftermath of an attack, direct financial losses are just the tip of the iceberg; wider repercussions often follow, including reputational damage, loss of consumer trust and unwanted regulatory attention.
Thus, defining an e-commerce security framework and a short-term, light-touch security assessment would provide visibility into the behavior of online and mobile service users, identify potential fraudulent or disruptive activity, report on the organization’s risk profile, and assess the effectiveness of the organization’s existing operating models, controls and processes for detecting vulnerabilities.