The holiday season is here again and it is a prime time for cybercriminals to target websites to steal sensitive data. On Cyber Monday alone, online transactions are set to exceed last year’s record of $6.59 billion. Manatt is taking this opportunity to alert our clients about recent vulnerabilities impacting ecommerce entities and to provide best practices to mitigate risk.
Cybercriminals target ecommerce entities and siphon off personally identifiable information (PII), including payment card data, consumer names, billing addresses and other sensitive data. They are often able to compromise ecommerce sites, modify web parameters and inject malicious code to capture PII in real time. The unauthorized disclosure of PII can have negative consequences for both the victim entity and the impacted consumers.
The Attack Vectors
Attack vectors are the means by which a cybercriminal can gain access to a device or network in order to deliver a malicious outcome. Examples of attack vectors cybercriminals use to gain access to ecommerce sites include:
- Unpatched applications, systems and default configurations: Out-of-the-box applications and operating systems are delivered in a default mode that is not secure. The main reasons to use a default configuration are ease of deployment and administration. But default configurations, such as passwords, built-in user IDs, unnecessary services, unneeded software and insecure protocols can be exploited by cybercriminals, who generally use a scanning tool to identify default configurations and unpatched applications and systems.
- Excessive permissions: Systems, applications and users with excessive permissions or lack of access controls can lead to unauthorized access to PII.
- Cross-site scripting (XSS): This exploit inserts malicious programs (scripts) into web pages; the scripts then execute in a user’s web browser, where they can expose sensitive data or deliver malware onto the user’s system.
- SQL injection: When user-supplied input is not validated or sanitized by the web server application, it can result in disclosure of sensitive information, such as PII, passwords and database content, and may destroy the data or make it unavailable.
- Lack of logging and monitoring: A lack of logging and monitoring allows cybercriminals to hide their malicious activity on the business’s network. Organizations that do not have robust logging and monitoring processes in place are blind to the details of the attack and to subsequent actions taken by the attackers.
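The two injection vectors above come down to the same mistake: untrusted input is mixed into a query or a page as if it were code. The following Python example is added here for illustration and is not code from Manatt or from any ecommerce platform; it uses a constructed in-memory SQLite customer table and hypothetical function names to show a SQL-injectable lookup beside its parameterized form, and an unencoded HTML greeting beside its HTML-encoded form.

```python
import html
import sqlite3

# Constructed in-memory stand-in for an ecommerce customer table
# (sample data only, not drawn from any real system).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT, billing TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("alice@example.com", "4242", "1 Main St"),
            ("bob@example.com", "1111", "2 Oak Ave"),
            ("carol@example.com", "9876", "3 Pine Rd"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    # so a quote character in the input changes the query's structure instead
    # of being compared as data.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened pattern: a parameterized query. The driver passes the value to
    # the database separately from the statement, so it can only ever be data.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # Vulnerable pattern: untrusted input placed into HTML without encoding,
    # so any markup in the input is interpreted by the browser.
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened pattern: HTML-encode the value so the browser renders it as text.
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"  # textbook injection string, used only to demonstrate the difference
    print("vulnerable:", lookup_vulnerable(conn, probe))  # every row is returned
    print("safe:      ", lookup_safe(conn, probe))        # no row matches: []
    tag = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(tag))
    print(render_greeting_safe(tag))
```

In a code review, the string-formatted query and the unencoded template are the patterns to look for; the fix in both cases is to keep data and code separate (bound parameters for SQL, output encoding for HTML) rather than to try to filter the input.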
Preventive Measures
While no single measure can guarantee a hack-proof website or network, ecommerce entities should adopt best practices to help prevent and mitigate the consequences of an attack. These measures should be considered as part of an organization’s security assessment of its environment and vulnerabilities. Best practices for preventive measures include:
- Performing an inventory to identify where PII is being transmitted, processed and stored. It is important for organizations to know where sensitive data is being processed so they can apply additional layers of security on those systems.
- Running periodic vulnerability scans on your websites or external IP addresses to identify known vulnerabilities and remediate in a timely fashion.
- Performing a web application code review or assessment to identify web-based vulnerabilities, such as SQL injection, XSS and web parameter exploits. For more information on web application security, refer to the Open Web Application Security Project (OWASP).
- Applying organization-specific secure system and application configuration standards that address:
  - Access controls based on need-to-know (i.e., deny all unless explicitly allowed)
  - Password management
  - Patch management
  - Network segmentation
  - Strong encryption using industry-standard key management procedures
  - Two-factor authentication for applicable transactions (setting up or updating profiles, changing passwords, etc.)
- Developing a robust incident response plan that includes:
  - A log retention policy
  - Monitoring, detection and analysis
  - Containment, eradication and recovery
  - Testing the incident response plan and applying lessons learned
Why It Matters
Cybercriminals are continuously scanning the internet for vulnerabilities that can be remotely exploited. To make things worse, once a website has been compromised, cybercriminals will use the site as a launching point to gain deeper access to an organization’s network. A compromise of one system can easily propagate to other systems on the internal network. If you’re an ecommerce retailer, be mindful this holiday season of the ways your organization should be protecting customers’ personal data.