In our regular series The inside story x 3, experts from the Plan.Net group explain a current topic from the digital world from different perspectives. What does it mean for your grandma or your agency colleague? And what does the customer – in other words, a company – get out of it?

As we continue to take advantage of online services, apps, and websites of all kinds, we are creating enormous quantities of data. This data is often stored in clouds and can be linked back to each and every user. At the same time, most Internet users are failing to take the protection of their data as seriously as they should, while companies are often failing to keep up with the rapid pace of developments and resolve dangerous security vulnerabilities fast enough. Even policymakers have only recently reached the point of being able to enforce existing data protection laws.

A case currently receiving wide media coverage, in which a 20-year-old man is accused of spying on politicians and celebrities, shows just how easily data stored in the cloud can be used to infiltrate entire personal networks.

“No Grandma, you haven’t broken the Internet!”

Let’s admit it: who among us hasn’t been just a click away from a potential hacker attack? Even younger users are often tricked by false landing pages or phishing emails that invite them to reveal all of their data and passwords, together with those of their contacts. And net-savvy grandparents who have opted to embrace progress unfortunately aren’t safe either, as their grandchildren may have been kind enough to save all of the passwords to sites bookmarked in their browser. “It’s all just a click away, you see?”

Users are most commonly tricked by deceptively convincing emails that invite them to open an attachment or link. Once opened, a website asks the user to log in to their bank account, supposedly for authentication. If the user falls for it, this provides hackers with all of the access data they need to empty pension accounts and cause a great deal of upset. And as if this weren’t enough, criminals are now able to purchase security vulnerabilities on the Dark Net, meaning that they no longer even need a hacker’s technical know-how in order to ply their trade online. Attacks of this kind are completely indiscriminate, placing even unsuspecting grandmas at risk. No single solution is enough to protect against a threat as complex as this.

A first step in the right direction is to use complex passwords and a password manager app – and, most importantly, to use a separate password for each online service.

“Safety first – even in the ‘safety’ of your workplace”

As an Internet user, you aren’t only responsible for yourself, but also for the security of your colleagues and of the employer whose data you are working with. Backups of your personal or company smartphone are now often stored in a cloud automatically, which makes it almost impossible to prevent your colleagues’ data and contact information from being stored externally. If a hacker gains access to a personal account, such as Google Mail, Apple, or Facebook, this automatically gives them access to others’ business accounts and contact information, even if the company’s security standards have been followed.

One solution for this problem is provided by “sandboxes”, which manage the context of usage to help separate what is private from what is work-related. To begin with, however, businesses need to establish guidelines that make it clear which cloud services are generally suitable and which should be avoided in a work context.

So what can my company do to properly counter this rapidly growing threat? Here too, the top priority is not to underestimate the human factor. Even the most complex technical safeguards can be rendered ineffective by one employee’s careless actions. Employees who use the Internet in their work should follow the same security measures that apply to private users. For management this means that, in addition to the company making use of the available technical solutions, employees must also be trained regularly in the safe use of cloud services, smartphones, email accounts, and other tools. If a company provides goods or services over the Internet, there is always a danger that an attacker will succeed in breaking into its applications.

“But why on earth would anybody want to hack my company?”

Many clients, and small and medium-sized businesses in particular, underestimate the threat that hackers pose to them, asking: “Why on earth would anybody want to hack us? We’re far too small and insignificant.” The mass hacks of today aren’t about hackers targeting specific victims, however. The Internet is home to search engines which, like Google, scan the entire Internet in order to catalogue the infrastructure in use, including the manufacturers of servers, routers, and so on, as well as the versions of software installed on them.

If a hacker knows that version 1.4 of web server software “A” contains an exploitable vulnerability, they’ll first search for that version online before launching an automated attack on all of the potential targets the search engine returns. This means that anybody present on the Internet can be identified by hackers – albeit indirectly – as a potential target. The only way of protecting yourself is to know the threat, and to invest in security for your system and training for your employees. In a live interview at CeBIT 2017, Edward Snowden answered a question about how the Internet could be made a safer place. His response: “Everybody who contributes something to the Internet, whether via text, videos, apps, shops, cloud services, or similar, has an obligation to make their contribution as secure as possible.”

Even when using third-party software (software libraries) and other service providers, without which modern e-commerce platforms could not exist, it’s important to know the security risks. Only in this way can the risk be minimised of an apparently secure system being weakened via the unsecured “tunnel” of a third-party provider. Regular updates are an absolute necessity here. Regular pentesting of all system components is another security precaution providers should take. Specifying security requirements (for example, in the form of secure coding guidelines) is also necessary nowadays when engaging implementation service providers, hosting companies and so on. As no industry-wide software standard has been defined in this respect, it’s important to work with experts capable of defining a state-of-the-art standard. When service providers are evasive on this score, this is often the first sign that there is no long-term guarantee that security vulnerabilities will be resolved.

It was possibly only a simple development error that led to a security gap at eBay in December 2015, which had the potential to allow client passwords to be intercepted during the login process. The consequences of hacker attacks that exploit such failures can be substantial – and extremely unpleasant for the user: spam mail, phishing or stolen credit cards are only a few of them.

As the eBay example shows, even large players are not spared. Up to 87 percent of all websites have medium-severity security flaws, while 50 percent have serious security gaps. The resulting annual loss worldwide is over 400 billion US dollars. In the event of data loss, stores not only risk serious damage to their image: online stores are responsible for the security of client data, and are accordingly liable for data leaks. Processes and methods aimed at the security of e-commerce solutions are therefore indispensable for stores. This is not limited to a particular phase of a project, however, but runs through the entire period up to the day of implementation and activation. Security is an indispensable part of the design process, part of the implementation, part of the system infrastructure and part of the operation.

Secure E-Commerce Solution

The following points in particular should be addressed:

Define clear requirements

It seems so mundane, but it is so important: security begins before the project starts. And each web store has its own requirements. In a B2B shop that charges a fee for downloading technical documents, it is of course extremely important to design very secure identification or customer registration and access protection. For a telecommunications provider that offers all of its products through a self-service portal, it is equally crucial that only the authorised user has access to the contract and invoice data. Although both examples require the implementation of access security tools, the underlying requirements are different. These must be identified in the requirements engineering phase, and form the basis for later implementation.

Set your standards

“Secure coding standards” help developers write secure code for the web. Ideally, they build on security-tested frameworks. Although these preventive investments are immensely important for the security of the web application, there are still no recognised industry standards, or a norm that defines the security of web applications. Therefore each agency or online shop must take on the responsibility itself and create its own portfolio of standards in the areas of quality assurance, security and testing.

Therefore, a few years ago we started to collect best practices and recommendations from experts, for example the Open Web Application Security Project (OWASP), so that clients do not each need to search for a standard themselves, and to be able to offer truly measurable security.

Search for your security flaws

In addition, at the end of any development, we put it through a “Web Application Security Test”, which checks whether our security standards have actually been adhered to. To do so, we work with a certified “ethical hacker”, a specially trained IT expert who possesses a hacker’s knowledge but works for us. This is complemented by various software tools (we use, for example, IBM AppScan) that simulate attacks on the application. Any suspicious reaction by the application is documented and must later be manually verified or falsified. At the end, there is a report that documents the security flaws found and provides technical assistance to help rectify the problems.

Consider each security flaw found in this phase not as an error by the programmer, but as a success: you’ve discovered it in the development phase. The later an error comes to light, the more expensive it is to rectify.

Conduct continuous monitoring

Factors that cannot be influenced, such as the execution environment (browser), different devices (desktop and mobile) and heterogeneous systems, introduce challenges to e-commerce solutions that are not always predictable in advance. Targeted security and penetration tests, in which experts (e.g., certified ethical hackers) perform controlled attack attempts, help to keep these factors in view, because the number of newly discovered security flaws and the ways in which software gaps can be exploited grows daily.

Moreover, there is the option to install an additional “Web Application Firewall” (WAF). It checks every incoming request before it is passed on to the actual web application. A WAF therefore needs a complex set of rules that is customised to the particular web application. Suspicious requests are rejected immediately and, under predefined conditions, can raise an alarm (e.g., an email to an administrator when 100 requests per second containing SQL injection code are sent from a single IP address). As a WAF is an independent system, attack attempts never even come close to the protected application or the data to be protected.

Be Secure from the Beginning

The cornerstone for a secure e-commerce solution must therefore be laid during the design phase – even before the software is actually in use. In addition, regular testing of the software, as well as any resulting updates, is unavoidable and absolutely necessary. Only then is it possible to keep the software up to date and to ensure its security.

This article was also published at e-commerce-magazin.de.