Intelligent CISO Issue 04 | Page 46

industry unlocked
Laurance Dine, Managing Principal, Investigative Response at Verizon
web app attacks that target e-commerce sites. Customers have a right to expect that the retailers they shop with are doing everything in their power to protect them from these threats, and those that fall short risk damaging consumer trust and brand loyalty. This doesn’t require a huge shift in mindset for retailers, as the industry has long understood the need for loss prevention, so it’s a matter of expanding these measures beyond cameras and security guards to employing better cybersecurity practices.
Given the potential rewards that can be gained from hacking e-commerce applications and websites, these should be one of the core assets that retailers are protecting. To ensure a reliable 24/7 service for shoppers, retailers should have mitigation systems in place that can protect their websites from DDoS attacks. It’s also crucial to take all available precautions to secure customer data. These can include using mobile device management to restrict employee access to sensitive information; encrypting data so it’s useless in the event of a successful breach; and basic hygiene such as ensuring software patches are fully up-to-date to protect against viruses.
Lastly, retailers need to put in place processes to stop POS terminals from being tampered with, to minimise the chance of card details being stolen at the point of purchase. Just simple physical steps, such as checking card readers daily for visual changes such as new peripherals or cables, can go a long way to reducing incidents.
Ultimately, consumer trust will always be damaged by a cyberbreach of any kind. Added to this, there’s a risk of regulatory fines and lost business from customers turning their backs on retailers they no longer trust. As such, retailers should be doing all they can to defend against cyberattacks to minimise the risk to their business.
Kevin Bocek, Chief Cyber Security Officer, Venafi
Retailers need to do much more to bring their defences in line with customer expectation. Yet in theory, this should be reasonably straightforward. After all, customers’ security expectations aren’t particularly complicated; we as consumers simply expect that our personal details are secure.
This means deploying encryption to protect all data in transit – in particular sensitive information such as our address or card details. This is a core expectation under PCI DSS, and it’s so important that for the last three years the PCI SSC has spent significant energy on making sure old TLS and SSL encryption protocols are not in use.
But hackers are increasingly hijacking encryption in order to hide their attacks. In 2016 more than 40% of attacks against retailers came through encrypted traffic. Gartner expects 70% of attacks in 2020 to come over encrypted traffic. Retailers cannot simply assume that because traffic has been encrypted, it is therefore secure. Using the same encrypted tunnels that customers, mobile apps and APIs use, attackers can travel around largely undetected while appearing trusted. A retailer might have spent a fortune on expensive intrusion detection, anti-virus and firewalls, but without any ability to look at the encrypted traffic flying across the retailer’s network, these defences are rendered useless.
Put simply, retailers cannot rest on their laurels: just using a valid encryption protocol and having the required security controls mandated by PCI is not enough. They all need to work together correctly.
Encryption is most likely the hardest and most poorly understood part of cybersecurity. If it’s not used properly, or if the WAF, NGFW, IPS and DDoS security controls are not enabled with the machine identities – specifically TLS keys and certificates – to decrypt and inspect all traffic, then retailers have wasted large amounts of their investment and it’s no wonder attacks can still be successful.
Today, getting keys and certificates to all of these security controls is confusing, complicated and time consuming. Huge breaches like the one at Equifax can still exploit simple vulnerabilities if they hide in encrypted traffic where security controls like WAFs and NGFWs can’t do their job.
The answer for retailers is to automate the process of managing the machine identities – like TLS keys and certificates – that create and enable encryption. This goes beyond simply keeping a record of each machine identity; it calls for establishing controls over all keys and certificates and being able to feed them to all security controls to look for cybercriminals hiding in encrypted traffic.
Without this, DDoS attacks, web application exploits and other network attacks will still be successful. Only once retailers have this capability can they truly protect their customers’ payment information – and until then, they will not be meeting customer expectations.