By Omri Dotan
According to the 2016 Verizon Breach Report, attackers are getting faster in their hacks and, unfortunately, victims are still slow to detect they’ve been hit. What does this mean for retailers, especially with Cyber Monday? With uptime and website performance crucial to a successful e-commerce event (remember the outcry after Amazon had Prime Day website issues?), it’s important retailers and e-commerce sites alike have their security strategy set for any day-of attacks.
With annual online events like Cyber Monday specifically, website functionality and performance is a top concern for most retailers. A one-second page delay could potentially cost an average e-commerce site $2.5 million in lost sales every year. And with Adobe reporting $3.07 billion was spent online on Cyber Monday alone in 2015 (a 16 percent increase over the previous year), this e-holiday is one you can’t leave vulnerable to attackers.
We’ve seen more recently the impact of a cyber attack around online business in the form of the major DDoS attack that affected several U.S. websites last month. Imagine the devastation surrounding an attack of this magnitude on Cyber Monday. Moreover, such DDoS attacks are sometimes simply a diversionary smokescreen for more cunning harvesting attacks. A recent survey found that for more than two-thirds of DDoS attacks, victims reported another type of security incident coinciding with the attack. The Carphone Warehouse hack is a case in point, with the theft of personal and banking details of an estimated 2.4 million people carried out while IT was busy dealing with an onslaught of online traffic.
When you add in credit card fraud with man-in-the-middle attacks, as well as malicious, fraudulent sites that lure unsuspecting customers, you get a dangerously unpredictable transactional environment for both vendors and customers.
So, what’s the solution here? There is no silver bullet. And the cure may not be immediate. But, the answer is for retailers to turn the tables and make targets and defenses unpredictable to attackers.
What might this kind of cyber security approach look like? Certainly the basics still count:
- Get your internal systems and procedures in order. Make sure you can recognize the signs of a DDoS attack and have an incident response plan.
- Try limiting the effects of DDoS with defenses at the network-level. Firewalls, reverse proxies and forward proxies can help reduce DDoS effects.
Serious impact can be achieved at the endpoint level. Here, you have the most potential to outsmart attackers and throw unpredictability back at them. Build a security stack that includes emerging technology, such as Moving Target Defense (MTD), to eliminate holes in your endpoints and servers for hackers to slip in data-stealing attacks. MTD centers around morphing the attackers’ targets, increasing the cost of attack efforts and breaking the asymmetry between the attacker and the defender.
A recommended endpoint security stack should include:
- A reliable anti-virus: Anti-Virus continues to be a necessary product to include in your security strategy. Selecting an anti-virus that reliably protects against basic attacks is a good foundation for your product stack.
- An advanced attack prevention layer: Protecting against advanced threats gets trickier, unfortunately. Attackers constantly modify their evasive techniques to avoid detection by security products. Some newer technologies preempt such attacks by employing evasive techniques themselves (such as MTD).
- Good patch management: Poor patching practices was a top underlying theme across all retailers in last year’s SecurityScorecard retail security report.
Stay cyber aware this holiday season -- the biggest, revenue-pumping sales event of the year could easily turn into the ugliest nightmare (with lost business and damage to your brand’s reputation). It’s not worth taking that risk.
About Omri: As Chief Business Officer, Omri Dotan oversees Morphisec’s go-to-market strategy and business development. A pragmatic visionary, Omri brings over 25 years of leadership in global hi-tech operations to Morphisec.