Data protection: Securing your e-business
Data protection: Securing your e-business

Companies need to do all they can to keep customer data safe. Jessica Twentyman reports on what to look out for and how to protect yourself.

Miscreants intent on online fraud have never had it so good. A sophisticated supply chain of specialists has sprung up in recent years, offering them all the tools and information they could possibly need to wreak havoc on internet businesses, according to Forrester Research analyst Geoffrey Turner.

“Hackers identify new vulnerabilities, develop new exploit code and put the malware up for sale,” he says. “Programmers develop toolkits to manage this malware and offer them as a subscription service for fraudsters. Identity thieves specialise in acquiring consumer identity information and bundling it into packages for sale in online black markets. Market operators create and maintain online portals where these specialists can offer their wares to online fraudsters.”

It seems enough to give any information security professional in charge of a thriving e-commerce site sleepless nights. They should be concerned, says Ken Munro, managing director of penetration testing company SecureTest. “I'd say that somewhere between a third and half of e-commerce sites we test have some kind of vulnerability,” he reports. “But at least it's us finding them and not someone with malicious motives.”

For UK clothing retailer Cotton Traders the warning comes too late. In June, the firm was forced to admit that hackers had gained access to the details of thousands of credit cards used by customers to buy products from its website.

That kind of high-profile theft is every organisation's worst nightmare, and coding at the earliest stages of their website design is usually to blame for vulnerabilities, says Munro. “No matter how strong your firewall or how dilligent your patching process may be, if your web application developers haven't followed secure coding practices, attackers will walk right into your systems,” he warns.

The two main vulnerabilities Munro's company finds regularly are exposures to SQL injection and cross-site scripting attacks. It is the first kind of attack, it is widely speculated, that brought Cotton Traders such unwanted publicity.

Yet they are far from unusual. “By our estimation, this kind of attack hits a website every five seconds – up from once every 15 seconds last year,” says Carole Theriault, a senior security consultant at Sophos. “We regularly contact big-brand e-commerce site operators to let them know they're at risk of being compromised in this way, but many don't even respond.”

Cross-site scripting (XSS) attacks, meanwhile, have been exploited to craft powerful phishing attacks and browser exploits. Symantec identified 11,253 site-specific XSS scripting vulnerabilities in the last six months of 2007, compared to 6,961 between February and June, according to Symantec's Internet Security Threat Report.

In both kinds of attack, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a fairly reliable safeguard against data theft, according to security experts. That's because the standard requires an annual web application penetration test and a complete review of web application codes and firewalls, significantly reducing the risk of hacking vulnerabilities at the web application layer.

But attacks don't need to be invasive in order for a hacker to steal customer data, points out Donal Casey, principal security consultant at systems integrator Morse. “With phishing, for example, a hacker doesn't even need to touch your website for your company's good name to be compromised,” he warns. “All they've got to do is send out 10,000 emails and hope that a few land in the inboxes of people prepared to believe that they've been sent by a trusted supplier.”

The problem is compounded by the fact that phishing attacks have matured and are now more difficult to identify than their misspelt, poorly formatted predecessors, says Jonathan Etheridge, lead IT security analyst at banking group HSBC. “Phishing emails can be very convincing these days, so we need to ensure that our customers can be confident that they're dealing with us when they think they are,” he says.

His company is taking no chances. Visitors to the website of First Direct, the HSBC-owned online and telephone bank, are informed whether they are on the legitimate site using VeriSign's Extended Validation (EV) secure socket layer (SSL).

“The certificate sits on the web server that handles online banking and, when a user is on the genuine site, a green bar appears to reassure them of that fact. If the website's not legitimate, a red bar appears,” says Etheridge. HSBC has recently decided to extend its use of EV SSL beyond the First Direct customer base to online banking customers in other parts of its business, he adds.

Just as phishing is primarily seen as a threat to the banking industry, distributed denial-of-service (DDoS) attacks are most commonly associated with sites that take high volumes of payments online, such as gambling and adult content providers.

Many of these now employ dedicated DDoS mitigation services from vendors such as Prolexic, which monitor and filter traffic flows on their behalf, removing threats before they reach the customer's network infrastructure.

But that's not to say that other online companies are immune from DDoS attacks – in fact, they are arguably more vulnerable to being held to ransom while their site is bombarded with phoney traffic because they are less likely to employ this kind of mitigation service.

For Chris Cooper, IT security manager at low-cost airline Flybe, that means working hard with the firm's internet service provider to monitor traffic flows to its website. “In this way, we ensure that, with the ISP's help, we're mitigating against this risk as far away in the network as possible. And we do so without the considerable cost of a dedicated, third-party mitigation service.”

Working in an industry that is routinely taken to task on its environmental impact, Flybe always has its eye out for activists looking to deface the site. It uses enVision monitoring tools from RSA to collect, process and report on the event logs generated by more than 2,000 devices connected to its core databases. The company is currently working to use these logs for network intrusion detection.

But with data breaches regularly hitting both the headlines and corporate reputations, every organisation should be concerned about having effective response plans in place to protect themselves from legal prosecution and public image disasters, should the worst happen, says Forrester Research analyst Jennifer Albornoz Mulligan.

“We recently surveyed security professionals in Europe and North America, and only 45 per cent of organisations felt fully prepared to handle the loss of customer data, while just a quarter felt equipped to deal with a theft of their intellectual property,” she says.

“Incident response planning is an essential element of the IT security and risk management practice. The worst time to try to figure out how to respond to an incident is in the wake of one actually occurring, so your team should develop formal plans for critical and common incidents and vet these through tabletop exercises,” she advises.

In fact, a common criticism aimed at companies whose websites fall victim to attack is that they simply don't act promptly and with transparency in reporting the event. Certainly that was the case at US clothing retailer TJX, which announced in early 2007 that more than 45 million credit card details had been stolen from its systems. The company had to repeatedly release information correcting previous statements, such as the total number of accounts involved, leading to accusations that it had poor understanding of and control over its security systems.

Similar charges are now being levelled at Cotton Traders, whose recent confession related to thefts that took place almost six months earlier, in January 2008.

It's easy to forget in the blizzard of headlines that these companies have been victims of crime, too. But as Casey puts it: “However devious and greedy the attack, it's your website and your responsibility. The public will see it that way, and so should you.”

CASE STUDY: FLYBE

As IT security manager at regional airline Flybe, the bulk of Chris Cooper's time and attention is devoted to just three vital systems: the company's operations system AIMS, which is used to manage aircraft schedules and crew rostering; its engineering database, where the maintenance and service records of aircraft are kept; and its website, www.flybe.com.

A whopping 85 per cent of Flybe's annual sales are made through that website, representing around £2 million in revenue a day. “Protecting customer data is our first and foremost priority,” says Cooper. “If that information fell into the wrong hands, the impact on our corporate reputation and future growth potential would be a complete disaster.”

But securing Flybe's e-business channel is no easy task in an industry where regulatory changes come thick and fast, and IT systems need regular updating in order to comply with them, he points out. “Every change has a security impact that needs to be reviewed in depth.” Plus, a wide range of disparate systems underpin the website, creating multiple points of potential failure.

For these reasons, Cooper is a firm believer in using the services of a third-party penetration testing company “at least once a year and twice if possible”.

Testing is backed up by an ongoing programme of careful monitoring. Cooper and his team use RSA's enVision to keep track of a large range of security events and alert them to any unusual activity. “These alerts can range from a simple notification that a new domain administrator has been created on the Windows network to a complex correlated alert showing that particular activity was seen on the firewall, followed by unusual traffic detected by our intrusion detection systems and then an unexpected logon to a server,” he explains.

EnVision also enables the airline to match the standards for secure storage of credit card details expected by PCI DSS. This strict regime of testing and monitoring gives Cooper the confidence to assert that he and his team could handle most threats. And they are guided by a simple mantra: “Review and improve, review and improve, review and improve.”

CHECKLIST FOR BEST PRACTICE, SECURE E-BUSINESS

1. Work towards PCI compliance …quickly
As of June 2008, any business that accepts payment card details online has to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). But many aren't. A survey of 65 UK companies with at least 500 employees, conducted in April 2008 by LogLogic, revealed that only 14 per cent had achieved compliance.

2. Or use a payment card scheme
For Donal Casey, principal security consultant at Morse, websites don't need to take credit card information at all, and those that don't might even be considered more trustworthy. “I'm more inclined as an online consumer to buy from sites that use payment card schemes such as PayPal or Google Checkout, because I don't necessarily want to give my card details out to the vendor,” he says.

3. Don't skip on penetration testing
Even if your budget doesn't stretch to the services of a third-party specialist, no online business can afford to neglect any vulnerability in their core web applications. You should be actively looking for exposures to URL manipulation, SQL injection, XSS, session hijacking and password-in-memory attacks. In terms of day-to-day business risk analysis, focus on unauthorised logins, personal information modification and price-list modifications.

4. Consider managed security service providers for 24/7 monitoring
Providers such as IBM and VeriSign have employees around the globe who can manage event systems and triage incoming incidents more cost-effectively to decide which ones require immediate attention. Choose a partner on the basis of relevant skills such as event cross-correlation, comprehensiveness of supported devices and geographic expertise.

5. Or deploy the best technology to do it in-house
Security information management tools, such as those from netForensics, ArcSight or Intellitactics, or log management technologies from LogLogic and other vendors produce important information on computer security issues. You should include critical incidents in your incident reporting tracking system, as well as those reported manually, to provide a comprehensive view of all security incidents.

6. Arm your team with forensics skills
Many organisations hire forensic experts for crucial investigations, but you still need someone on staff who can perform basic tasks such as hard-drive imaging and can tell you when to call in the experts.

7. Stay vigilant to the threat of phishing
It's not just the major retail banks that need to worry. In Symantec's Internet Security Threat Report, 87,963 phishing hosts were detected in the second half of 2007, a 167 per cent increase from the first half of that year. The company warned that small businesses are increasingly becoming targets as they often lack the resources to protect themselves. Smart online businesses exercise proper vigilance and stay updated of the latest phishing hazards – whatever their industry.

8. Provide a point of contact
Do you have a formal process for reporting security threats and incidents? You should have. The best option is a single incident reporting method, such as a website portal or telephone hotline, combined with a back-end incident tracking system that provides a repository of information on all active incidents.

9. Learn from your peers
“Information security is a tightly knit community in many areas and industries,” says Jennifer Albornoz Mulligan of Forrester Research. “These are collaborative environments: be prepared to contribute in order to benefit from them.”

10. Regularly revisit your incident response plans
Not only will new attack methodologies arise, but business risks will change as well, says Mulligan. “The moment you settle is the moment you will fall behind and put the organisation in jeopardy with an inadequate or incomplete incident response plan.”