We’re going to look at the security vulnerabilities that face eCommerce at high-traffic times.
It’s just before a big sale or holiday shopping season kicks off. Are you ready to ride the waves of a Category 5 surge in sales or will hanging-10 dreams become an e-com nightmare?
Cybercriminals love a great sale.
There will be a notable spike in shopping as people rush to take advantage of the deals and bargains available on events like Black Friday and Cyber Monday. It is a fabulous time for sales and revenue — and lurking hackers.
Spikes in traffic, employee vacations, and weak security tools and policies transform peak sales days into ideal days for cyberattacks. Is your online business prepared?
Cybercriminals know how to exploit busy times, like holiday shopping seasons. If left unchecked, your surge in sales will increase their revenue.
Imagine: your staff is on holiday or flu-ridden, the number of customers is dizzying, and your attention is like a paper boat trying to navigate a tidal wave of urgent matters. In a brick-and-mortar store, shoplifting goes through the roof. In an online store, the risks are insanely higher. And, there is no emergency security team to guard the doors and survey monitors.
Holidays are a perfect storm for hackers. Even if a security and fraud detection system is in place, it will take DevOps and security engineers that much longer to analyze the alerts and decide if they present a real threat. Traffic and sales spike dramatically, making it easier to blend in undetected. The flu hits staff. Employees are off for holiday travel.
Security tools are rendered ineffective by eCommerce goals.
While there are plenty of automated tools to detect and block suspicious or malicious activity, they are often rendered ineffective. Prohibitive rules or potential problems mean these tools are misused or unused altogether.
There are good reasons automated security tools simply don’t work for online businesses. As an online business, you need to make sales.
Retailers cannot afford to block every IP address that might be flagged as a potential problem. Most detection systems are highly inaccurate and the transaction they block may actually be legitimate. In addition, shoppers on mobile devices may share an IP address with many other users in the same area, which means that blocking that specific IP address may also block access to dozens — if not hundreds — of other shoppers. A cyber attack is bad but blocking or rejecting a legitimate transaction is as bad or worse.
“Web applications and e-commerce sites are at risk of cyber attack year round. However, the risk increases significantly during the holiday shopping. Overwhelming network demand and the focus on maximizing sales make it more challenging for organizations to effectively detect, identify and stop attacks.”
Ivan Novikov, Wallarm CEO
[More about e-commerce security and compliance in the Wallarm PCI DSS whitepaper.]
4 ways online shops can always protect against hacks — surges welcome.
What can retailers do to effectively protect against these threats? Here are four things to prepare any online retailer for huge sales and holiday shopping seasons:
- Audit ahead of time.
Conduct a security audit of all your systems where customers will shop and transact and where eCommerce stores are implemented. You should do this regularly. You should definitely perform a pre-surge audit ahead of a major sale or holiday rush like Black Friday or Cyber Monday. Check everywhere that your traffic will spike. Also ensure that your platforms, such as WordPress, Joomla, and Drupal — as well as any and all containers under them — are fully patched.
- Verify the right configurations.
Verify the configuration of external services and APIs — especially for third-party payment services like Stripe and Braintree. It is very easy to misconfigure authentication and data protection settings.
Setting up the right configurations helps ensure that you win your customers and that your customers stay secure.
- Automate against hijacking legit accounts.
Most e-commerce attacks are driven by hijacking legitimate accounts — either through phishing attacks or by guessing passwords or substituting a password from one of the known caches of stolen passwords available on the dark web.
Legitimate accounts have established patterns of access and usage. There are automated tools, such as Wallarm, to detect anomalous activity and protect against behavioral attacks like that. Humans simply cannot identify that in time without automation.
- Filter by risk to target resources.
Suspicious or malicious activity is almost constantly present, but you can’t treat it all the same. It’s crucial to filter the attacks by risk to resolve issues most effectively. In situations where hackers become more active and DevOps resources are limited, it is important to focus the attention on the attacks that either have a higher potential impact or specifically target your sensitive or important assets. You can prepare to evaluate the risk of attacks.
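The last two points, together with the earlier caution about shared mobile IP addresses, can be combined in one check. The sketch below is an added example, not code from the original article or from Wallarm: it flags a source only when it fails logins across many distinct accounts, so a busy shared gateway is left alone, and it ranks findings so that sources with a successful login (a likely hijacked account) come first. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

def make_events():
    """Constructed sample login events: (source_ip, account, outcome)."""
    ev = [("203.0.113.7", f"user{i:02d}", "fail") for i in range(1, 10)]
    ev.append(("203.0.113.7", "user10", "ok"))          # one guess succeeded
    ev += [("198.51.100.20", f"shopper{i:02d}", "ok") for i in range(1, 12)]
    ev.append(("198.51.100.20", "shopper12", "fail"))   # shared gateway, one typo
    ev += [("192.0.2.44", f"user{i:02d}", "fail") for i in range(20, 26)]
    ev += [("192.0.2.99", "alice", "fail")] * 3          # one forgetful shopper
    return ev

def triage(events, min_accounts=5, min_fail_ratio=0.8):
    """Flag sources failing across many accounts; rank by risk, highest first.

    Thresholds are assumed values and must be tuned to real traffic.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "failed": set(), "ok": set()})
    for ip, account, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        if outcome == "fail":
            s["failures"] += 1
            s["failed"].add(account)
        else:
            s["ok"].add(account)

    findings = []
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        # Many distinct accounts AND mostly failures: password guessing,
        # not a crowd of real shoppers behind one address.
        if len(s["failed"]) >= min_accounts and ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                # A success from a flagged source suggests a hijacked account.
                "risk": "high" if s["ok"] else "medium",
                "accounts_to_reset": sorted(s["ok"]),
                "accounts_targeted": len(s["failed"]),
            })
    findings.sort(key=lambda f: (len(f["accounts_to_reset"]),
                                 f["accounts_targeted"]), reverse=True)
    return findings

if __name__ == "__main__":
    for finding in triage(make_events()):
        print(finding)
```

The output lists accounts to review rather than addresses to block, which keeps legitimate shoppers behind a shared address unaffected.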
Modified from first appearance in TechSpective on 11/22/2018