The last year has seen a significant rise in the quantity and impact of attacks on eCommerce (eCom) websites, which has cumulatively resulted in the exposure of millions of personal data records and, in some cases, cardholder data records.
In many cases, relatively simple attacks have been used to compromise eCom applications despite the best efforts of Information Security staff and standards bodies such as the PCI Security Standards Council (SSC). The potential impacts of data breaches include class action lawsuits, brand/reputational damage, fines from regulators such as the Information Commissioner’s Office (ICO) and card scheme fines from Mastercard and Visa.
Looking further into the recent breaches, there is no doubt that firms such as British Airways, Ticketmaster and Quora will have invested significantly in security and compliance. So where did it all go wrong? Are the standards not strong enough, or have the threats increased in sophistication? Why are breaches which affect millions of people so common?
After investigating security across many eCom sites, it is apparent that gaps really do exist in many cases. One problem is that there are so many different ways to attack an eCom site, for example:
Many organisations only defend against a sub-set of these attack points or, in some cases, mistakenly believe that one or more contracted third parties are covering certain areas when this may not actually be the case.
Should an attacker gain unauthorised access to an underlying server involved in the delivery of a web site, or to the CMS application, it can be straightforward to modify the pages and code associated with critical pages so that information entered by a customer is duplicated to another web site under the control of the attacker.
The issue associated with this particular attack is that the data (sensitive details such as personal data or credit card data) is not necessarily stored on the compromised server itself, but is nevertheless duplicated to a second malicious web site controlled by the attacker. The eCom site will appear to continue to process transactions ‘normally’ and so the attack can remain undetected for some time, harvesting many thousands of stolen records over a period of weeks or months.
This means that it is vitally important to ensure that access to the eCom servers and associated management systems is strongly protected, from both internal and external attackers. Additionally, monitoring for unexpected changes to core code and for anomalous calls made during client transactions are measures that can detect such an attack and prevent it from succeeding.
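The two detective controls just described, a baseline hash over the served checkout script and an allow-list of hosts the page is permitted to reference, as an added example that is not part of the original article. The host names, the sample page HTML and the baseline script are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline: the checkout page's JavaScript as released. In practice
# the hash is recorded from the known-good build at deployment time.
KNOWN_GOOD_JS = "document.getElementById('pay').addEventListener('submit', validate);"
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_JS.encode()).hexdigest()

# Hosts the checkout page is allowed to load scripts from or send data to
# (assumed names; a real list comes from the site's own architecture).
ALLOWED_HOSTS = {"shop.example", "payments.example"}

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

# Constructed sample pages: a clean page and one with an extra, unexpected
# script reference of the kind a server compromise could introduce.
CLEAN_PAGE = ('<form id="pay" action="https://payments.example/charge">'
              '<script src="https://shop.example/checkout.js"></script></form>')
TAMPERED_PAGE = CLEAN_PAGE + '<script src="https://cdn-stats.invalid/x.js"></script>'


def integrity_changed(served_js: str) -> bool:
    """True if the JavaScript actually served differs from the release baseline."""
    return hashlib.sha256(served_js.encode()).hexdigest() != BASELINE_SHA256


def unexpected_hosts(page_html: str) -> set:
    """Hosts referenced anywhere in the page that are not on the allow-list."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(page_html)}
    return {h for h in hosts if h and h not in ALLOWED_HOSTS}


def check_page(page_html: str, served_js: str) -> list:
    """Run both checks and return a list of human-readable findings (empty = clean)."""
    findings = []
    if integrity_changed(served_js):
        findings.append("checkout script hash differs from release baseline")
    for host in sorted(unexpected_hosts(page_html)):
        findings.append(f"page references non-allow-listed host: {host}")
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_page(page, KNOWN_GOOD_JS) or "no findings")
```

Run on a schedule against the live checkout page, a non-empty result is the alert that the article's "unexpected change" or "anomalous call" has appeared.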
An online web application associated with the delivery of sales transactions can minimise the risk of a successful attack using effective eCom security management, such as:
Regular testing and scanning of the eCom site is an essential basic: it should be conducted frequently, with anomalies remediated as a priority – after all, attackers are testing and scanning all eCom sites across the Internet continuously.
A challenge mentality should be present in the teams managing the site’s infrastructure, code (whether bespoke, off the shelf eCom software / cloud service or a hybrid of the two) and cyber security. This is preferable to considering penetration testing and vulnerability scanning as “tick box exercises” – even issues rated as low risk should be reviewed and managed as part of an effective risk management regime.
It is also recommended to conduct regular focused eCom risk assessments on new or existing sites, or when changing underlying application frameworks or adding new features such as voucher codes or customer product reviews.
An effective eCom risk assessment should cover:
Baseline security practices such as patching and network security are quite clearly not the only requirements for adequate protection of an eCom website; many different threats and attacks need to be considered.
An eCom risk assessment, combined with regular testing and scanning, will ensure that the many risks of an eCom breach are understood, properly managed and mitigated as far as possible.