If you’re lucky enough to work at a retail company, the next several weeks of holiday shopping may be the difference between a financially successful or unsuccessful year. As buyers, we’re all too familiar with the holiday shopping season, regardless of whether we choose to buy our gifts from Amazon and other online retailers, or brave the traffic and crowds for a more hands-on experience. That said, you may be less familiar with what goes on behind the scenes at retailers who are looking to capitalize on the extraordinary human phenomenon of ‘the holidays’.
If you’re lucky enough to be a security leader working at a retail company, the odds are that you approach the next several weeks with more than a bit of fear and apprehension. In all likelihood, the technology department has already initiated its annual “holiday freeze” – the lockdown of systems and new application functionality that provides a stable environment to capitalize on the surge of business.
While Black Friday, Cyber Monday, and the holiday shopping season in general may bump your heart rate up a notch or two, the success of the two-month selling sprint rests increasingly on the shoulders of Information Technology to deliver and Information Security to protect. While everyone else is gorging themselves on turkey, football, and shopping, retail security professionals are the busiest they will be the entire year.
Given that Black Friday is just over a week from now, I’ve put together a list of 11th-hour tasks that can be knocked out in a short period of time. This list reflects observations of some of the best practices of Denim Group’s retail clients over the years and has a distinct web and application focus (which reflects the large body of work that Denim Group has accumulated in these areas). Some of these tasks will probably be “no-brainers” for many; however, I suspect you will find at least a few that you are not focusing on but should. Tasks such as measuring the security risk of suppliers are simply too big to take on this late in the game.
With that in mind, we’ve come up with the following “Top 9” list. Why 9 you might ask? As a tip of the hat to geeks that are Python fans, I’ll invoke and misquote the cleric character played by Monty Python’s Michael Palin in Monty Python and the Holy Grail,
“Then shalt thou count to nine, no more, no less. Nine shall be the number thou shalt count, and the number of the counting shall be nine. Ten shalt thou not count, neither count thou eight, excepting that thou then proceed to nine. Eleven is right out. Once the number nine, being the ninth number, be reached, then lobbest thou thy Holy Hand Grenade of Antioch towards thy foe, who being naughty in My sight, shall snuff it.”
Here are our Top 9! Enjoy…
- Manually Test Authorization Rules to Prevent Account Takeover (ATO) Attacks. Now that most brick-and-mortar retail vendors have moved to EMV chip technologies to prevent certain types of credit card fraud, attackers are shifting their strategies to exploit user accounts for online access. This was the case when the majority of Europeans switched to EMV technologies nearly ten years ago, and it is now playing out on this side of the Atlantic. We recommend that security work closely with their colleagues in the fraud department to understand the business logic behind authentication and authorization for their online accounts. Automated application vulnerability scanners are virtually powerless to identify ATO risks, so a manual review of authorization workflows is something that should be done in preparation for Black Friday. Review ATO alerting rules so that they are fresh in your mind should you encounter a spike in ATO-related activity.
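The kind of flaw that review is looking for is one a scanner cannot judge: a logged-in user asking for another customer’s order gets a perfectly valid 200 response whether or not the application checks ownership. The following is an added example (not Denim Group’s code or any client’s); the order store, user names and handler functions are constructed for illustration. It places the unchecked lookup beside the corrected one and walks every (user, order) pair, which is essentially what a manual authorization review does by hand.

```python
"""Added example: object-level authorization check that a scanner cannot
evaluate, because both handlers return a normal page to a signed-in user.
All data and names here are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float
    ship_to: str


# Constructed sample data: two customers, three orders.
ORDERS = {
    1001: Order(1001, "alice", 149.99, "1 Main St"),
    1002: Order(1002, "alice", 20.00, "1 Main St"),
    2001: Order(2001, "bob", 899.00, "9 Elm Ave"),
}


class Forbidden(Exception):
    pass


def get_order_unchecked(session_user: str, order_id: int) -> Order:
    """Vulnerable pattern: authenticates (a session exists) but never
    authorizes, so any signed-in user can read any order by id."""
    if not session_user:
        raise Forbidden("login required")
    return ORDERS[order_id]


def get_order(session_user: str, order_id: int) -> Order:
    """Fixed pattern: the lookup is scoped to the caller's own account, and a
    foreign id is indistinguishable from a missing one, so the endpoint does
    not act as an enumeration oracle either."""
    if not session_user:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden("no such order")
    return order


def audit(handler, user: str, order_id: int) -> str:
    """Return 'allowed' or 'denied' so a reviewer can tabulate access."""
    try:
        handler(user, order_id)
        return "allowed"
    except (Forbidden, KeyError):
        return "denied"


def cross_account_matrix(handler):
    """Try every (user, order) pair; an 'allowed' where the order's owner is a
    different user is a finding. Returns the list of (user, order_id) findings."""
    findings = []
    users = sorted({o.owner for o in ORDERS.values()})
    for user in users:
        for oid, order in ORDERS.items():
            if audit(handler, user, oid) == "allowed" and order.owner != user:
                findings.append((user, oid))
    return findings


if __name__ == "__main__":
    print("unchecked handler, cross-account reads:",
          cross_account_matrix(get_order_unchecked))
    print("checked handler, cross-account reads:",
          cross_account_matrix(get_order))
```

The matrix walk is the useful part for a review: against a real application it becomes two test sessions (one per customer) and a list of resource identifiers, and any cell where session A can read session B’s data is a finding that no scanner signature would have flagged.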
- Revalidate Your DDoS Mitigation Strategies. Given that Black Friday and Cyber Monday represent two finite time periods of intense commerce, review and revalidate your approach to mitigating Distributed Denial of Service (DDoS) attacks. Unfortunately, DDoS attacks have become increasingly simple to set up and even more difficult to defend against. The October DDoS attack against Dyn, a managed DNS provider, sent 10x to 20x the normal amount of traffic to Dyn servers, denying them the ability to provide DNS service to some of the top companies on the Internet. We suggest you revalidate your DDoS mitigation infrastructure, review your response plans should you encounter a DDoS attack, and update those plans based upon the more sophisticated recent DDoS attacks that have occurred. Given the example I just gave about Dyn, it wouldn’t hurt to review your DNS resiliency too!
- Confirm Your Phishing Resiliency. The holiday season will likely see new and as-yet-unimagined phishing attacks against both your co-workers and your customers. Phishing remains a preferred attack vector for fraudsters and will remain so for the 2016 holiday season. Although there will always be some subset of people who will click on links in phishing emails, reaffirming your internal and external resiliency with some last-minute training and awareness might prevent some of the damage from sophisticated spear phishing attacks.
- Scan Against Your Web Attack Surface. In a perfect world, you would be able to run an automated vulnerability scan before the latest round of functionality hit the web, prior to the holiday freeze. Given the nature of our imperfect world, we suggest you run an automated application vulnerability scanner against your Internet-facing applications one more time to see if any last-second functionality might have introduced a nasty SQL injection or XSS flaw; these are straightforward for attackers to identify and exploit. Although you will likely be in a holiday freeze, scary application vulnerabilities are worth addressing, as they provide an increasingly preferred path of approach for fraudsters.
- Manually Review 11th-Hour Promotion Logic. Many 11th-hour capabilities involve sales promotions, features, or other user experience components that are essentially custom business logic. Just as automated application vulnerability scanners cannot identify ATO vulnerabilities, scanners are virtually powerless to identify the most serious logic flaws that might have made it into the applications before the holiday freeze was put into effect. These new features might introduce an entirely new attack surface that your logging and web application firewalls (WAFs) are not looking to detect or block. We recommend that a person with a strong knowledge of application security sit down with someone from the business unit to understand the functionality and to develop quick “abuse” cases that attackers might invoke to manipulate what has recently been put into place.
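What such an “abuse case” session produces is a short list of ways the promotion can be bent, each paired with the check that rejects it. Below is an added example (not code from the original post or from any Denim Group client) of a small checkout with a promo-code engine; the SKUs, prices, codes and rules are all constructed for illustration. Each guard in the `total` method is labelled with the abuse case it closes, and `run_abuse_cases` drives the engine through the cases a reviewer would walk through with the business owner.

```python
"""Added example: a constructed promotion engine with the guards a reviewer
would check during a business-logic review. Catalogue, promo codes and rules
are invented for illustration, not taken from any real retailer."""
from dataclasses import dataclass, field


@dataclass
class Promo:
    code: str
    kind: str                 # "percent" or "fixed"
    value: float
    min_subtotal: float = 0.0
    single_use: bool = False


# Constructed catalogue and promo table.
PRICES = {"SKU-TV": 899.00, "SKU-CABLE": 12.00}
PROMOS = {
    "TAKE20": Promo("TAKE20", "percent", 20.0, min_subtotal=100.0),
    "GIFT50": Promo("GIFT50", "fixed", 50.0, single_use=True),
}


class CheckoutError(ValueError):
    pass


@dataclass
class Checkout:
    # (customer, code) pairs already redeemed; a real store keeps this server-side.
    redeemed_single_use: set = field(default_factory=set)

    def total(self, cart: dict, codes: list, customer: str) -> float:
        # Abuse case 1: zero or negative quantities drive the subtotal negative,
        # so a discount then "pays" the customer.
        for sku, qty in cart.items():
            if sku not in PRICES or not isinstance(qty, int) or qty <= 0:
                raise CheckoutError(f"bad quantity for {sku}")
        subtotal = sum(PRICES[s] * q for s, q in cart.items())

        # Abuse case 2: the same code submitted twice to stack its discount.
        if len(codes) != len(set(codes)):
            raise CheckoutError("duplicate promo code")

        discount = 0.0
        for code in codes:
            promo = PROMOS.get(code)
            if promo is None:
                raise CheckoutError(f"unknown code {code}")
            # Abuse case 3: a minimum-spend code applied to a cart below the threshold.
            if subtotal < promo.min_subtotal:
                raise CheckoutError(f"{code} requires subtotal >= {promo.min_subtotal}")
            # Abuse case 4: a single-use code replayed by the same customer.
            if promo.single_use and (customer, code) in self.redeemed_single_use:
                raise CheckoutError(f"{code} already redeemed")
            if promo.kind == "percent":
                discount += subtotal * promo.value / 100.0
            else:
                discount += promo.value

        # Abuse case 5: combined discounts larger than the subtotal must floor at
        # zero rather than turn into a refund or store credit.
        total = max(subtotal - discount, 0.0)

        # Only record redemptions once the whole order has passed every check.
        for code in codes:
            if PROMOS[code].single_use:
                self.redeemed_single_use.add((customer, code))
        return round(total, 2)


def run_abuse_cases():
    """Return {case_name: outcome}, where outcome is the computed total or the
    rejection reason. Cases are constructed to hit each guard above."""
    cases = {
        "happy path":          ({"SKU-TV": 1}, ["TAKE20"], "alice"),
        "negative quantity":   ({"SKU-TV": 1, "SKU-CABLE": -70}, [], "alice"),
        "stacked same code":   ({"SKU-TV": 1}, ["TAKE20", "TAKE20"], "alice"),
        "below minimum":       ({"SKU-CABLE": 2}, ["TAKE20"], "alice"),
        "first single use":    ({"SKU-CABLE": 5}, ["GIFT50"], "bob"),
        "replayed single use": ({"SKU-CABLE": 5}, ["GIFT50"], "bob"),
    }
    checkout = Checkout()
    results = {}
    for name, (cart, codes, customer) in cases.items():
        try:
            results[name] = checkout.total(cart, codes, customer)
        except CheckoutError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_abuse_cases().items():
        print(f"{name:22s} -> {outcome}")
```

The value of writing the cases down this way is that each one is also a log signature: a rejected “duplicate promo code” or “already redeemed” event is exactly the kind of thing neither a WAF nor a generic scanner knows to look for, but it is trivial to alert on once the check exists.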
- Change Passwords or Add Two-Factor Authentication. Within the bounds of a holiday freeze, you may want to change the passwords of certain internal accounts with the most sensitive functions as you go into the next two months. Off-premises accounts such as the company’s Twitter or Facebook account are candidates for new passwords too. Consider implementing two-factor authentication for these accounts and monitor logins to social media sites more closely, to make it harder for attackers to successfully take over accounts with simple username/password combinations.
- Join the Retail Cyber Intelligence Sharing Center (R-CISC). Why go through all this alone, when you can tap into the threat intelligence and collective smarts of the best and brightest security minds in the retail industry? The R-CISC provides threat feeds for common attacks against retailers and can provide common responses on how others are dealing with sophisticated attacks. According to its Executive Director Brian Engle, “Throughout the holiday season, the R-CISC provides a weekly briefing call and ongoing threat analysis for members on top of the intelligence and indicators that are shared. Your executives will deeply appreciate the benchmarking and peer discussions you bring back from the R-CISC, and your teams will appreciate the expanded visibility into the threat landscape to focus on the highest priority threats.”
- Conduct Quick Social Engineering Training for Your CSRs. Virtually every successful recent sophisticated attack has had some component of social engineering associated with it. Coupled with your efforts to increase your phishing resiliency, train your customer service representatives (CSRs) one more time on what hackers will attempt in order to gain access to customers’ accounts via social engineering. Heightened awareness is a must for CSRs, who are likely your first line of defense in any attack. The US Air Force believes this too: it embedded much of its network operation and help desk functions under its Cyber Command component, the 24th Air Force, to tip off operators to inbound social engineering attempts.
- Review Incident Plans and Conduct a Key Player Briefing. In case everything else fails, you should always have a well-thought-out incident response (IR) plan ready to carry you through a near-death breach experience. Dust off your IR plan and conduct a “key player IR” briefing to remind these folks of their roles. Also, Todd Renaud, CIO at Conn’s, suggests you “reach out to key vendors to remind them this is your busiest season” (note, they will be the ones gorging themselves with turkey, football, and shopping…) and that they should be available and answer their phones should an incident occur. It won’t hurt to have IR plans fresh in everyone’s memory during this crazy season.
This list is by no means exhaustive, and it will admittedly be difficult to tackle all of these tasks prior to Black Friday. However, we hope that if you’re in retail security, you picked up one or two ideas from the above that you hadn’t thought of, and that they help you step up your security game during this busiest of seasons.
Happy Holidays and see you in January!