The Green Sheet Online Edition
December 12, 2011 • Issue 11:12:01
'Tis the season of happy (hacker) days
Did you know the Information Systems Audit and Control Association predicts the average American will spend 32 hours shopping online this season? The outlook for cyber shopping is indeed optimistic, especially since the first ever billion-dollar spending day occurred last December.
In total, 2010 holiday e-commerce spending reached a whopping $32.6 billion, according to comScore Inc. And eMarketer expects at least 12 percent in online sales growth during November and December 2011.
Hackers love the holidays
Unfortunately, when online shopping increases, so do opportunities for hackers. An influx of online customers ushers in a hacker invasion seeking to exploit unsuspecting, careless, rushed shoppers. Successful online holiday sales can put a merchant's e-commerce business in more jeopardy than ever.
Business networks are the most vulnerable during the three weeks following Thanksgiving, according to the ISACA. Website security should be top of mind for retailers. Your merchant customers may think, "I was fine last year, so I'll be fine this year." These are the famous last words of nearly every hacked business.
The truth is security problems are getting worse; hacking is becoming easier. In years past, hackers required exceptional computer skills to gain entry into someone's system. Those days are gone. Hacking templates are increasingly popular, with experienced hackers creating scripts that help amateur hackers easily gain access to websites. Hacking has become child's play.
Protecting your merchants
The Privacy Rights Clearinghouse found that 80 percent of small businesses that experience a data breach either go bankrupt or have severe financial difficulties within two years of the breach. Even if an online business avoids the forensic fines, auditing costs and card brand penalties, customers don't forget a lack of security. Hackers use customer information to apply for credit, take over existing accounts and order from online stores. Customers avoid websites that have been hacked.
While it may be difficult to put visions of revenue on the back burner and focus on security, it's well worth the time. It is crucial for your merchant customers to know the potential security risks of e-commerce and learn how to protect their brand and customer information. Fortunately, you can help merchants avoid security liability during the holidays in several ways.
Don't store it
An effective way to protect merchants is to prevent customer card information from being stored on their business networks. A card data discovery tool can help retailers find customer card data on their systems and greatly reduce any chance of card data theft. After all, merchants can't lose what they don't have.
Bob Russo, General Manager of the PCI Security Standards Council, spoke in 2010 regarding data discovery. "Before you bring in a QSA [Qualified Security Assessor], you really need to use some kind of methodology to find where cardholder data is on the network," he said.
A good card data discovery tool takes less than five minutes to download and begin using. It checks a network for anything that may resemble card information so merchants can securely delete the data and potentially identify its source.
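As an added illustration of what such a discovery tool does (example code written for this edition, not SecurityMetrics' product or any tool named in the article): it walks a directory, flags digit runs that look like a card number and pass the Luhn check, and reports them masked so the report itself does not become stored card data. The sample log line is constructed.

```python
import os
import re
import tempfile

# Candidate: 13-19 digits, optionally separated by a space or dash,
# not embedded in a longer digit run (order ids, timestamps).
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Report only the first six and last four digits, the usual masking rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked PAN-like numbers in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask(digits))
    return found

def scan_directory(root: str) -> dict:
    """Map each file under root to the masked PANs found inside it."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue
            if pans:
                hits[path] = pans
    return hits

if __name__ == "__main__":
    # Constructed sample log: one test card number plus an order id that is not a card.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "orders.log"), "w") as fh:
            fh.write("order 20111212000101 card 4111-1111-1111-1111 total 49.99\n")
        print(scan_directory(tmp))
```

Point it at a merchant's web root, log and backup directories; every hit is data that should be deleted or moved out of scope, and its source (a log line, an export, a form handler) is where the leak is.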
Also, as human beings, we have a tendency to overlook flaws in our own creations. That is why authors have editors, builders have inspectors and merchants have Approved Scanning Vendors (ASVs). An ASV will regularly scan a merchant's site for exploitable vulnerabilities and alert the merchant so he or she can address issues before they become problems.
It is important for merchants to take care when selecting an ASV. They must ensure that the ASV is reasonably priced, PCI council-approved and provides a person who can field their questions.
Configure and update
It's not enough to install a firewall; it must also be configured correctly. If a firewall is not correctly configured, hackers may enter a network and install malware. This malware probes a merchant's network and can be programmed to aggregate sensitive payment information and send it to criminals.
Proper firewall configuration entails adding rules that restrict inbound and outbound traffic on a merchant's network by controlling which ports can be reached, and from where. By default, a firewall may be entirely open, closed or somewhere in between. Controlling outbound traffic is just as important as controlling inbound traffic, because if someone does happen to sneak in, he or she shouldn't be able to take any information out.
Applications regularly release updates to patch security holes. Security is the number one reason to keep updating to the latest version of the software you're using. Once hackers know a security hole can be exploited, that knowledge spreads quickly to other hackers. You must install updates on Internet browsers, firewalls, application software, POS terminals and operating systems to close holes that hackers could squeeze through.
Remind merchants never to send or receive sensitive account details, such as unencrypted passwords, user names or card numbers, by email, including in messages to their customers. You never know who is on the other end of the email you are sending or who may be watching it on its way there.
Customers are becoming more security-savvy and now check for certain security cues when browsing and shopping. According to research done by Synovate/GMI, 83 percent of online consumers want more assurance that their information is secure.
Tell merchants to check their websites from the outside-in by examining their landing and transaction pages specifically for security. Make sure each page is served over an encrypted SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection with a valid certificate, indicated by https in the URL.
Check for evidence of malware such as pop-up ads and suspicious activity.
An e-Christmas wish list
Following is a checklist of the important points in this article. It's not all-encompassing, but it is a tool you can give merchants to help ensure their businesses are naughty, not nice to hackers this year.
- Use a data discovery tool and delete or securely encrypt the data it finds.
- Sign up with a reputable ASV to regularly scan your site.
- Control inbound and outbound traffic by configuring your firewall correctly.
- Install the latest available security patches.
- Do not email sensitive data.
- Routinely check your site from an outsider's perspective to spot suspicious activity.
Rich Running is the Vice President of Marketing for SecurityMetrics and has 20 years of leadership in marketing, product management, strategy, planning, and general management in high-technology companies. He can be reached by phone at 801-705-5641 or by email at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.