
In Search of a Better User Experience, Retailers Create Cyber Vulnerabilities
By Garett Seivold, LPM Senior Writer
Garett Seivold is senior writer for LPM. A trained journalist, he has spent the majority of his career writing about security, risk management, supply chain, and loss prevention topics. He can be reached at GarettS@LPportal.com.
Successful web application attacks pose a serious threat, accounting for 43 percent of all data breaches in 2019 and up double from the year before, according to the 2020 Data Breach Investigations Report (DBIR) by Verizon. With online shopping surging 30 percent in 2020, it’s little surprise that cyber attacks are common, with nearly 400 million customer records exposed in attacks on retailers last year, according to calculations by Bloomberg. Such events can do lasting damage—78 percent of customers indicate they would be concerned about doing business with a retailer if the company experienced a breach, according to survey findings released in November by Generali Global Assistance.
Retailers are implementing advanced security to prevent online intrusions, but as retailers expand their online operations, the sheer expanse of their attack surface makes protection difficult. Many experts point to retailers’ desire to create better user experiences—faster shopping, more personalization—as a primary challenge for retailers moving forward. To create a fast and easy shopping experience for consumers, retailers must deploy a complex web of applications, and the more applications at work, the harder it is to spot and manage vulnerabilities.
Retail industry data tells a similar story, with web applications becoming the primary target of attacks on the retail industry. “Over the last few years (2014 to 2019), attacks have made the swing away from point-of-sale devices and controllers, and toward web applications,” according to the DBIR.
Many web applications contain a labyrinth of layers, according to Stephane Konarkowski, senior security consultant for Outpost24, a provider of vulnerability management technology. “If not designed with security in mind, they can be a breeding ground for vulnerabilities,” he wrote for the RSA Conference. In its research, Outpost24 found 3,357 publicly‑exposed web applications running over 401 domains among the top retailers, with 8 percent of them considered suspect (often test environments left online and potentially providing a backdoor for bad actors) and 22 percent running on old components.
Exploitation of vulnerable web app infrastructure is one variety of the attack pattern, according to the Verizon DBIR, and the use of stolen credentials is another. Data show the two “are close competitors for first place in the hacking varieties category, and there is not a great deal to distinguish between them from a percentage point of view,” said the report. “In a perfect world, someone else’s data breach would not raise the risk to your own. However, that is increasingly not the case, with the adversaries amassing datastores of credentials from other people’s misfortune and trying them out against new victims.”
Other studies and surveys point to three other strategies that may help retailers get a better handle on current and emerging cyber threats.
1. Cyber criminals shift from attacking people to business, requiring a focus on employee behavior. Nationally, data breaches were down 30 percent in 2020, with the number of individuals impacted down more than 60 percent, according to preliminary data from the Identity Theft Resource Center (ITRC). The ITRC sees a fundamental change in how identity crimes are being committed rather than crime going away. Cyber criminals are making more money defrauding businesses with ransomware attacks and phishing schemes that rely on poor human behaviors than traditional data breaches that rely on stealing people’s personal information, according to ITRC predictions for 2021, which it believes could be a long-term trend.
“There is a clear shift in tactics away from cyber attacks that require mass amounts of consumer information to fuel identity crimes, and that’s good news for consumers,” said Eva Casey Velasquez, ITRC president and CEO. “With that said, businesses of all sizes are now the targets of cyber criminals who know how to take advantage of human behaviors—not hope for a technology failure—to rake in billions of dollars.”
Cyber criminals are focusing on cyber attacks that require logins and passwords to get access to corporate networks for ransomware or business email compromise (BEC) scams, according to the ITRC. These attacks require less effort and are largely automated, the risk of getting caught is less, and the payouts are much higher than taking over an individual’s account, the group notes. Data indicate that the average ransomware payouts for all businesses have grown from less than $10,000 in the third quarter of 2018 to more than $178,000 per event by the end of second quarter 2020. “Large enterprises are making average ransomware payments of over $1 million,” said the ITRC 2021 predictions report. “BEC scams cost businesses more than $1.8 billion in 2019.”
2. Cyber alignment is worth reviewing. Surveys with information security professionals show that sophisticated, targeted attacks are often the greatest concern and threat to US businesses, but that company IT security teams spend most of their time fixing security vulnerabilities introduced by their own application development teams. Social engineering attacks are similarly shortchanged in time and budget, surveys suggest. In short, many organizations (and perhaps most) are not spending their time, budget, and staffing resources on the problems that their security-savvy professionals consider to be the greatest threats. While issues such as compliance and application security take a significant amount of their time, cyber-security teams may need to focus more on emerging threats such as targeted attacks and social engineering exploits. Advice: retailers should ensure that they’re correctly aiming cyber-security resources at their greatest risks.
3. “Executive protection” should have a broader meaning. Because it’s getting harder to get average workers to open unknown email attachments, hackers have been targeting bigger game with more sophisticated weapons. “Whaling” is when hackers send extremely specific emails to CEOs that contain attachments with malicious code to facilitate keystroke recording, including to their personal email accounts. The emails differ from mass attacks and are carefully and specifically crafted to encourage the big cheese to open them. Common targets are chief investment officers, company CEOs and presidents, directors of research and development, and chief information and technology officers. Protecting executives from this threat should include security for family members, as executives’ loved ones have also received targeted email attacks. Tricking a relative into installing malicious code could allow a hacker to obtain sensitive information if an executive uses a home computer for work purposes.
A study by Verizon Enterprise Solutions showed that many high-level individuals with access to privileged information (CFOs, directors of HR, board members, and so on) have increasingly become the targets as hackers focus their aim. In the past, attackers used “spray-and-pray” tactics where they would attack broadly and hope to hit something. Targeting is now more refined. More studies find that malware samples are unique to a specific organization. When an attack is highly targeted and customized to a particular organization, it becomes harder to identify and can be difficult to recognize as something suspicious, warned Ed Powers, partner and former managing principal for Cyber Risk Services at Deloitte & Touche. His advice is to assume that some of these attacks are going to be successful and plan accordingly. That is, be prepared to react quickly and effectively to minimize the impact of successful hacks.