Holiday Prep for E-commerce and Retail: Cyber Threats and Strategies [WEBINAR]


Approximately 14% of Americans have already started their holiday shopping – and 2% are already done. Is your e-commerce site ready for Black Friday and Cyber Monday? Paul Fletcher, Cyber Security Evangelist for AlertLogic recently joined HOSTING Product Manager Tricia Pattee for our latest webinar, Holiday Prep for Ecommerce and Retail: Latest Cyber Threats and Strategies. Paul and Tricia reviewed the steps retailers can take right now to ensure they have a PCI compliant hosting environment. Missed it? You can listen to the on-demand webinar here. Read on for some highlights.

Analysis of 2014 data breaches

In order to prepare for a PCI compliant hosting environment, it’s important to have some background information on data breaches. Following are the latest cyber security stats from cyber security firm Mandiant.

  • How compromises are detected

    • 33% of victims discovered the breach internally (down from 37% in 2012)
    • 67% of victims were notified of the security breach by an external entity such as a customer, vendor, or even the hackers themselves
  • Time from earliest evidence of a security compromise to discovery of the compromise

    • 229 days – the median number of days that threat groups were present on a victim’s network before detection (14 days less than 2012)
    • 2,287 days – the longest presence of threat groups prior to being detected
  • Phishing email trends

    • 44% of observed phishing emails were IT related, often attempting to impersonate the targeted company’s IT department
    • 93% of phishing emails were sent on weekdays, with Wednesdays being the most frequent day
  • Threats by customer environment

    • The most frequent types of threats for both cloud and on-prem environments include:
      • Application attacks (40%)
      • Brute force attacks (22 – 28%)

Threats to retail environments

According to Paul, retail environments face a host of security threats, including those targeting web applications and e-commerce infrastructure. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are also common. Newer threats include Advanced Persistent Threats (APTs). An APT is a set of stealthy, continuous computer hacking processes, often conducted by hacking groups, and it usually targets organizations and/or nations for business or political motives. The term breaks down as follows:

  • Advanced – the process often uses sophisticated techniques using malware to exploit vulnerabilities in systems
  • Persistent – the process may consist of an external command and control system that is continuously monitoring and extracting data from a specific target
  • Threat – this indicates human involvement in orchestrating an attack

In addition to APTs, Paul warns that hacking groups are also recruiting current employees at companies and encouraging fellow hackers to become employees at certain companies. By recruiting company “insiders,” hackers can gain insights and data into business processes, including supply chains and manufacturing activities.

Steps for maintaining a PCI compliant hosting environment

A lot of organizations think that, since security threats are technology-based, they need the latest technology to fight them. Paul echoes Tricia’s sentiment that people and processes are equally important. Organizations need to have the following processes scheduled:

Technology

  • Assess
    • External penetration tests
    • Internal vulnerability scans
    • Application security reviews
    • Configuration management
    • Data integrity – is the data still as intended, and has it been manipulated in any way?
  • Analyze and optimize
    • Gather system utilization data
    • Understand resource requirements and limitations
    • Establish threshold capacities
  • Scale smartly
    • Paul recommends that you plan for the “best”, i.e. the best-selling quarter and add 20%
    • Don’t scale technology, then try to add security to it. Plan for security tools as you plan to scale
  • Leverage technology tactics
    • Paul recommends network segmentation, in which you isolate functions from the operational environment, e.g. placing databases in their own zone separated from the rest of your network.
    • Enforce two-factor authentication
    • Manage your patching
  • Implement a mobile security plan
    • Require complex passwords
    • Enforce timeouts during inactivity
    • Provide software updates and patches
    • Avoid using “jail broken” devices with your apps
    • Encrypt data both ways (in transit and at rest)
  • Train your employees
    • Update your employees on the latest email, spam and phishing scams

People and Processes

Paul recommends creating and updating communications lists, in both online and offline versions. The communications plan should include multiple channels for communication to flow, e.g. email, instant messaging, etc. Paul also emphasizes that employees should be aware of the escalation process, the expected response, and who has access to what information and when.

Now is also a good time to review access privileges for all employees and practice a “least privilege” concept, which gives employees access only to the data they need. Finally, organizations need to establish a “normal” activity baseline for system accounts and review access logs regularly. Data correlation is essential in knowing what is normal baseline activity and what could be the start of a breach.
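The baseline-and-review idea above, as an added example that is not part of the webinar: a small script learns each system account's usual source hosts and hours from a known-good log window, then flags deviations in a later window and correlates a failure followed by a success from the same host. The log format and all log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed access-log lines: "<date> <time> <account> <source host> <result>".
BASELINE_LOG = """
2014-11-03 02:00:11 svc_backup db01 success
2014-11-04 02:00:09 svc_backup db01 success
2014-11-05 02:00:12 svc_backup db01 success
2014-11-03 13:10:44 svc_report app01 success
2014-11-04 13:11:02 svc_report app01 success
"""

REVIEW_LOG = """
2014-11-20 02:00:10 svc_backup db01 success
2014-11-20 15:42:51 svc_backup ws-17 failure
2014-11-20 15:43:05 svc_backup ws-17 success
2014-11-21 13:10:58 svc_report app01 success
"""

Event = Tuple[datetime, str, str, str]

def parse(log: str) -> List[Event]:
    events = []
    for line in log.strip().splitlines():
        date, time, account, host, result = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, account, host, result))
    return events

def build_baseline(events: List[Event]):
    """Per account: the set of source hosts and the set of hours of day seen."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    hours: Dict[str, Set[int]] = defaultdict(set)
    for ts, account, host, _ in events:
        hosts[account].add(host)
        hours[account].add(ts.hour)
    return hosts, hours

def review(events: List[Event], baseline) -> List[str]:
    """Flag deviations from the baseline; a success following a failure from the
    same account/host is correlated as one finding worth a closer look."""
    hosts, hours = baseline
    findings, recent_failure = [], set()
    for ts, account, host, result in events:
        if host not in hosts[account]:
            findings.append(f"{ts} {account}: new source host {host}")
        if ts.hour not in hours[account]:
            findings.append(f"{ts} {account}: activity at unusual hour {ts.hour:02d}")
        if result == "failure":
            recent_failure.add((account, host))
        elif (account, host) in recent_failure:
            findings.append(f"{ts} {account}: success from {host} after earlier failure")
    return findings
```

Running `review(parse(REVIEW_LOG), build_baseline(parse(BASELINE_LOG)))` reports only the svc_backup activity from ws-17; the scheduled 02:00 backup and the 13:00 report run match their baselines and stay quiet.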

New developments in PCI compliant hosting

New compliance regulations suggest limiting the sending of unprotected primary account numbers (PANs) “in the clear,” i.e. unencrypted. Paul notes that obfuscation is an easy solution: the organization sends only a few digits of the account number instead of the entire string.
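As an added example (not from the webinar) of the obfuscation Paul describes, the following Python keeps only the first six and last four digits of a PAN and scrubs any Luhn-valid card number found in free text, so a PAN leaking into a log or message is masked before it travels in the clear. The sample log line is constructed, and uses a well-known test card number.

```python
import re
from typing import Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display
    limit); everything in between becomes '*'. Separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    hidden = "*" * (len(digits) - keep_first - keep_last)
    return digits[:keep_first] + hidden + digits[-keep_last:]

def scrub(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in text with its masked form.
    Returns (scrubbed text, number of PANs masked)."""
    found = 0
    def repl(m: "re.Match") -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # not a card number; leave it alone
        found += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, text), found

# Constructed sample: a 16-digit order reference (fails Luhn) next to the
# test PAN 4111 1111 1111 1111 (passes Luhn).
SAMPLE_LOG = (
    "2014-11-20 09:14:02 checkout order=1234567890123456 "
    "card=4111 1111 1111 1111 status=OK"
)

if __name__ == "__main__":
    cleaned, count = scrub(SAMPLE_LOG)
    print(count, cleaned)
```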

With the holiday shopping season starting earlier than ever before, it’s never too early to assess and enhance your PCI compliant hosting environments. Listen to Paul and Tricia’s webinar for more tips on how to prep for the holidays. You can also contact the HOSTING team of information security and compliance experts any time to discuss your specific needs.
