If the world's largest retailers are not impervious to data breaches, web security expert Igor Khromov warns that small and midsized retailers are just as at risk
Igor Khromov, head of sales and marketing at penetration testing and vulnerability scanning company High-Tech Bridge, commented: "The cost to Target will be enormous: hard costs of millions of dollars in clean up and reparation and inestimable soft costs in brand damage and loss of reputation." Since this is not the first major retail data breach, he noted that such breaches are common.
He added: "Small e-commerce operations do not believe that they will be similarly attacked. But this could not be further from the truth – and the first step in securing a website is to understand that all e-commerce websites of whatever size are regularly targeted."
Threats to smaller e-commerce sites
Khromov said the two primary threats to retailers trading online come from financially motivated hackers and from politically motivated 'hacktivists'.
"Hackers might be after the passwords of your customers (in case they are re-used with other, larger or financial firms); they might consider you as part of the supply chain providing access to larger targets; they can and do seek to hide child pornography in hidden, orphaned pages on smaller sites; or they might wish to compromise your servers to use your bandwidth in a denial of service attack against other companies," he explained.
"Hacktivists tend mostly to deface pages to spread a political message," he continued. "You do not need to be a part of the argument; your site is merely used as a billboard. But smaller sites are also targeted because of their suppliers, their customers, their products or even just their nationality.
"All of this can and does happen – and the first and most important step in securing a website is the realisation that if you do nothing, it will happen to you."
Best practice attack and defence
Understanding how and what the adversaries will attack is key to defending a retail website. "The first and most obvious step is to strengthen your access control," advised Khromov.
"Ensure that only strong passwords are used and that access to your software is limited to only those who really need that access. Make sure that everyone understands the methods and dangers in phishing and spear-phishing attacks, since this is the most common and successful method of breaching a website."
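The two access-control measures Khromov names, strong passwords and access limited to those who need it, are easy to state and easy to get wrong in a shop's own code. The following is an added illustration, not code from the article or from High-Tech Bridge: it assumes a small Python web application that keeps its own user store, enforces a password policy before accepting a credential, stores only a salted PBKDF2 hash, and checks every privileged action against a least-privilege role table. The common-password list is a constructed placeholder for a real breached-password corpus.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed placeholder: a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000

# Least privilege: each role gets only the actions it actually needs.
# Installing plug-ins and managing users is reserved for admins.
ROLE_PERMISSIONS = {
    "customer-service": {"view_orders"},
    "catalog-editor": {"view_orders", "edit_products"},
    "admin": {"view_orders", "edit_products", "install_plugin", "manage_users"},
}


def password_problems(candidate: str) -> List[str]:
    """Return every policy violation for a candidate password; empty means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, punctuation")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def hash_password(candidate: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; a fresh random salt is made if none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, computed = hash_password(candidate, salt)
    return hmac.compare_digest(computed, digest)


def is_allowed(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are refused."""
    return action in ROLE_PERMISSIONS.get(role, set())


def register_user(users: Dict[str, dict], username: str, password: str, role: str) -> None:
    """Reject weak passwords and unknown roles; store only salt and hash, never the password."""
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "role": role}


def authorise(users: Dict[str, dict], username: str, password: str, action: str) -> bool:
    """Authenticate, then authorise: both must pass before a privileged action runs."""
    record = users.get(username)
    if record is None or not verify_password(password, record["salt"], record["hash"]):
        return False
    return is_allowed(record["role"], action)


if __name__ == "__main__":
    store: Dict[str, dict] = {}
    register_user(store, "alice", "Correct-Horse-42", "catalog-editor")
    print(authorise(store, "alice", "Correct-Horse-42", "edit_products"))   # True
    print(authorise(store, "alice", "Correct-Horse-42", "install_plugin"))  # False
```

The role table is the part worth keeping in code review: when a new feature such as plug-in installation is added, the question "which role needs this?" has to be answered explicitly, which is exactly the "only those who really need that access" rule applied one action at a time.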
The next most common attack is directly against vulnerabilities in the software run by the website. "The defence is to find them and eliminate them before the attackers find them and use them," he said. "The first step is to ensure that you always use the latest version of all software, and implement all patches that are released by the software vendor, paying particular attention to any third party add-ons and plug-ins that you have installed.
"But this doesn’t solve the vulnerabilities that your supplier doesn’t know about, or simply doesn’t care about," he added. "These you need to find yourself. The best way to do this is to scan for vulnerabilities or probe with penetration testing; and the most cost-effective method is to use an on demand, cloud-based service."
What to do in the event of a breach
Khromov also made the point that incident response should never be an afterthought but is an essential part of any security plan.
"Clearly a clean backup is essential," he urged. "If you can switch this to a clean server, then the compromised server can be disconnected from the internet and analysed without too much loss of continuity." But he reminded retailers that the vulnerability used for the original hack will almost certainly also exist on the backup, so it still needs to be found and patched as rapidly as possible.
Information sharing is also important, helpful, and possibly legally required. "In Europe, if the proposed data protection regulation is adopted, you will have 24 hours to disclose the breach to your national authority," he said. "But contacting your local CERT [Computer Emergency Response Team] should be automatic; they can help with advice and assistance."
Finally, it might sound obvious, but Khromov said: "Do not forget to inform and apologise to any affected customers. The extent and speed with which you do so might vary depending on the breach itself; but it is worth noting that journalists, commentators and bloggers are not slow to criticise delayed notifications, nor praise well-handled ones."
In summary, Khromov said there are three parts to securing an e-commerce website: "Recognise the threat (so you can formulate an adequate security plan); locate and remedy flaws in your system (to reduce the likelihood of a breach); and prepare and rehearse an incident response scheme (to minimise the effect of a breach).
"They will not guarantee your security, but they will most certainly reduce the likelihood and the effect of one," he concluded.