Cyber Security Guidance for Online Retailers (SMEs)

Defendza's experience shows mid-sized segment of this new wave of online retailers suffer from not only technical security but cultural issues also. As revenues are soaring with larger profitability, it's not the budgets that are an issue but board and management's awareness of cyber risk profile. At this very stage, the importance of cyber security can never be under-estimated. Blind spots during design, development or deployment phases could post a serious risk to the organisation.

There are numerous examples online where a major dip in profits was noticed in the immediate aftermath of a breach. While malicious actors are gaining momentum in the Tactics, Techniques, and Procedures (TTP) utilized during attacks, businesses in this sector must adapt cultural improvements to ensure cybersecurity keeps them on the front foot.

The goal of this checklist-based guidance is to provide online retailers especially SMEs with an overview of both basic and advanced cybersecurity measures they should implement. Overall, the guide will enable organizations to improve their cybersecurity posture, reduce security risks, avoid vulnerabilities, and enhance their resilience. In other words, this guideline acts as a simplified framework that enables businesses to safely release their business applications to the Internet. 

Cyber Security Checklist for Online Retailers

1. Threat Modeling

Evidently, threat modeling is an essential requirement for becoming proactive in Web application security. Businesses should deploy integrative and agile threat modeling that involves collaboration between security, development, and operations teams. In other words, this checklist item allows businesses to identify, communicate, and understand threats for mitigation purposes. An organization can build models and deploy them to forecast what might go wrong. In threat modeling, Businesses can proactively find issues and remediate/prioritize them while designing Web applications.

Businesses can follow the OWASP Application Threat Modeling recommendations that state that a threat model should feature a design of what a business is worried about, a list of assumptions that can be affected if the threat landscape changes in the future, a list of potential threats and actions to be taken, and a strategy of validating the model, threats, and effectiveness of actions.

2. Secure Coding Development Practices

Traditionally, coding standards addressed code style issues. However, in this guide, Businesses are recommended to deploy secure coding approaches that focus on detecting unsafe and insecure coding practices. A poorly written code may result in costly vulnerabilities that can be exploited by cybercriminals targeting to steal sensitive data. Secure coding approaches should be integrated into the development process regardless of the device or environment used while programming.

Businesses can learn more about this strategy from OWASP Secure Coding Guidelines that include input validation, output encoding, password management, authentication, session management, access control, error handling, logging, data protection, and system configuration among others.

3. Penetration testing before going live

It is imperative to ensure that a penetration test is conducted on the application before going live. Performing penetration testing on a new web application can save resources and reputational damage by identifying threats before they are discovered by malicious threat actors. In this case, Businesses should probe their software in a holistic manner to identify vulnerabilities that could be exploited by cybercriminals. Customarily, businesses have been testing and looking down weaknesses in their networks, while ignoring the fact that real motivation is in stealing and reselling sensitive data stolen from a web application. Therefore, this checklist recommends penetration testing of both the network and the application before going live.

Businesses can follow the OWASP Top Ten methodical approach while conducting pentesting on Web applications. Such an approach lists the most critical threats to web applications that businesses should test and mitigate.

4. Secure Build Configuration – Web Server

Undoubtedly, previous hacking attacks on organizations are proof that web security is a critical issue faced by businesses while running online operations. Web servers hosting sensitive data have become a crucial target for cybercriminals. As a result, securing the webserver has become as important as securing the web application and the network. In other words, a business is still at risk if it is running a secure web service on an insecure web server.

Some of the measures that businesses can take to secure the webserver include:

1. Up to date patching of the server’s operating system and other software running on it with the latest updates.
2. Additionally, it is imperative to remove unnecessary services that remain unused after installing the webserver.
3. If the server will be accessed remotely, the connection should be secured using encryption protocols and security tokens.
4. The principle of least privileges should be followed to ensure no misuse by the users managing the server.
5. The web server should be monitored and logs audited to detect suspicious logs that might be a sign of an attempted attack.
6. Default user accounts created during the Web server installation should be disabled or their permission changed immediately. Deleting default web pages including help files are part of this step.

      5. Secure Deployment

One goal of an SME running a web application involves ensuring that service always remains available. However, this can be a daunting challenge, especially during system maintenance and upgrades. Businesses can maintain stable production environments with secure design-based infrastructure and enough policies around application deployment so that service updates are automated. It is essential to run a reliable and safe testing environment to test the changes before deploying them. Once the developers are satisfied that the Web application is ready for prime time, they should deploy it on a staging server that mirrors a production environment to ensure that the service will not be interrupted. Actual code development should not take place in the staging area, and only minor changes on the application settings should be allowed before deploying the web application to a production environment.

6. Secure Access to Production Environment

Users with privileged accounts should be required to connect to a secure Jump Box to administer servers. In fact, production servers should be configured to only accept connections from the Jump Boxes with two-factor authentication to further enhance security. Any user attempting to access critical ports and hosts should first log into the secure jump boxes that have fully patched software, updated antivirus, firewall, and unused services that have been disabled. Moreover, with the jump box, it is possible to control the services that users can access a critical business network.

7. Segregation

One of the cheapest yet often overlooked aspects in cybersecurity is the importance of segregation at the environment, network and user levels. Especially in the retail sector, we have noticed a significant lack of environment segregation as businesses try to push updates often and require flat access to the production environment from their corporate workplaces. Additionally, we have noticed the use of flat network topology across corporate and production assets. This is a critical flaw in the network design as business-critical online retail infrastructure is in the same space as the corporate environment. The reader doesn’t require a list of attack vectors to think around here. Similarly, even if environments are separated due to hybrid models, or website hosted at the service provider, users in teams such as development, database administration, IT support still enjoy unfiltered access both ways. In the scenarios where internal systems are vulnerable, this relaxed access between environments acts as a bridge to help a threat actor gain access into a production environment. Similarly, user-level segregation between different roles is essential. This includes user accounts for an IT admin for corporate work and privileged access accounts.

8. Cyber Essentials for Compliance

Cyber essentials feature a set of technical controls in areas of device hardening and management, patch management, network configuration, and tooling that can help Businesses protect their valued cyber assets and critical data from online threats. Cyber essentials demonstrate the maturity of an organization’s cybersecurity posture. It can be used to conduct security improvements that provide a baseline for major compliance standards, such as HIPAA, GDPR, ISO 27001, NIST, and PCI-DSS. Overall, cyber essentials security measures can be deployed by organizations to protect sensitive information.

Ultimately, vulnerabilities and security flaws have become common in applications today. In effect, Businesses can deploy this cybersecurity checklist to identify and mitigate them during their software lifecycles, starting from design, to development, to production.

Why select Defendza to help you?

Defendza is a specialist provider offering cybersecurity consulting, training services and managed security services. We deliver a truly independent third-party opinion, unbiased expertise free from any inclinations towards vendor partnerships, reselling objectives or promoting any security products. We pride ourselves on being a partner of choice for our clients and helping with their IT security and compliance requirements.

Our experience in the SME segment includes specialized projects in retail, eCommerce, hospitality and leisure sectors. A few of the projects at known brands in this sector include in-depth application security assessments including compromised environments due to magecart form grabbing attacks, supply chain attacks,  Online supermarket retailers including shopping/payment facilities – Oracle e-Business Suite, Oracle Applications, and other bespoke implementations.  Read our retail industry section to learn more about our work.