Mitigating Security Breaches in Retail Applications WHITE PAPER
Executive Summary

Retail security breaches have been a concern in the past, are a concern in the present and will continue to be one in the future. Retailers have long been a preferred target for hackers because of the large amount of sensitive data available for exploitation. As customer journeys in retail are digitized, from engagement through product discovery to purchase, the security threats have multiplied. In the retail domain, information such as credit card numbers, bank account numbers, contact numbers, addresses, dates of birth, email addresses, etc. is all in high demand. Hackers can either sell an individual's account details or dump entire databases, which fetch high prices on the dark web, for financial gain.

The resultant financial implications of a breach are huge. The damage done to reputation hurts even more, and it may take a long time to win back customers' confidence.

This white paper delves deeper into the areas to be considered in the retail environment, viz. Attacker Entry Points, Attack Vectors and the Best Practices that help reduce application vulnerabilities.
MITIGATING SECURITY BREACHES IN RETAIL APPLICATIONS / WHITE PAPER

Security Breaches

Some of the top security breaches in the retail industry are listed here, which clearly shows the large extent of the financial implications:

RETAILER                    | SECURITY INCIDENT                                | FINANCIAL IMPLICATION
Eddie Bauer [1]             | 360 retail stores infected                       | Veridian Credit Union sues Eddie Bauer (amount not disclosed)
Home Depot [2]              | 60 million cards hit by security breach          | Around $19.5 million
eBay [3]                    | 145 million customer accounts compromised        | Not disclosed
Target [4]                  | 40 million credit card accounts compromised      | $240 million spent to replace customers' cards
Heartland Payment Systems [5] | 130 million credit card accounts compromised   | $139.4 million

Application Security Statistics

A research project on web application vulnerabilities by Contrast Security [6] led to some interesting observations:

- 25% of web apps are still vulnerable to eight of the OWASP Top Ten
- 69% of web applications are plagued by vulnerabilities that lead to sensitive data exposure
- 55% of applications are exposed to cross-site request forgery flaws
- 41% of web apps are affected by broken authentication and session management issues
- 37% of applications are affected by security misconfiguration
- 33% of apps are affected by missing function level access control

The research also found that there are at least 45 vulnerabilities per application. This continues to show that the application is the weak link in this chain, and most breaches occur through the application's weaknesses.

Retailer ecosystem and entry points for attacker

A typical retailer has several systems behind the Web / Mobile app, such as an Order Management System (OMS), Warehouse Management System (WMS), Store apps, Transport Management System (TMS), Product Information Management (PIM), CRM, etc.
Even though the attack surface is mostly concentrated in the web / mobile application, each of these systems can be an entry point for an attacker (internal or external), who can then gain access to sensitive information.
[Figure: Retailer Interface Mapping (diagram of the retailer ecosystem, including Store and PIM systems)]
Retail Application Security - Attack Vectors

Now that we know the Attacker Entry Points, we can understand the possible threats through which any retail application can be compromised. The path through which a hacker gains unauthorized access to a device / network to deliver a malicious payload is termed an Attack Vector. Some of the important Attack Vectors are listed below:
Security Best Practices to Mitigate the Threat

POS Application: Endpoint systems such as POS should be protected against malware, a major threat which has led to several security breaches in the past. The following best practices should reduce the attack surface and help prevent attacks:

CONTROL             | MITIGATION DESCRIPTION
Patch updates       | Ensure the latest patches are installed on the POS systems and the servers in the ecosystem.
Encryption          | Encrypt all data stored or in transit with strong encryption algorithms (AES for data at rest and X.509 certificates for data in transit).
Access to Internet  | Restrict Internet access of the POS system to reduce the attack surface.
Authentication      | Use strong authentication, viz. multifactor authentication, to access the POS machine, and segment the network for the POS machine to add another layer of defense.
End-Point Security  | It is vital to have an endpoint security solution monitoring the POS systems continuously for any malware or malicious activity.

m-commerce App Controls: Below are a few specific controls that can be used for Mobile apps:

CONTROL                                                  | VULNERABILITIES MITIGATED
Authentication / Authorization and Session Management    | Broken Authentication, Session Management and Privilege Escalation
Secure Data Integrations                                 | Sensitive Data Exposure
Encrypt sensitive data using strong algorithms           | Sensitive Data Exposure, Sniffing and Data Tamper
Root / Jailbroken Detection                              | Code tampering
Code Obfuscation                                         | Prevents effective reverse-engineering
Security Patches                                         | Prevents latest vulnerabilities
e-commerce Application: Following are some of the controls that can be implemented to mitigate attacks:

CONTROL                                     | VULNERABILITIES MITIGATED
Implement Proper Authentication             | Broken Authentication and Session Management, Privilege Escalation
Parameterize Queries                        | Injection
Use Output Encoding                         | Injection and Cross Site Scripting
Validate user input data                    | Un-validated Redirects and Forwards, Injection, XSS and Remote Code Execution
Encrypt data at rest and data in transit    | Sensitive Data Exposure, Sniffing and Data Tamper
Implement Access Controls                   | Insecure Direct Object References and Missing Function Level Access Control
Logging                                     | Sensitive Data Exposure and Security Misconfiguration
Intrusion Detection and Prevention          | Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
Endpoint Security                           | Malware

What's in Store for the Future?

The advent of newer technologies such as IoT (Internet of Things) and AI (Artificial Intelligence) brings a whole new dimension to the way customers interact and shop. The opportunities for adopting these technologies in retail are practically numerous and limited only by one's imagination. However, increased adoption of these technologies also brings increased security concerns, especially since no clear global standards exist, and hence the security threats increase exponentially. As with any adoption of new technologies, the industry should constantly evolve by bringing out standards, and the security community should work towards bringing out best practices to ensure these technologies can be used securely.

Conclusion

The retail industry has been one of the prime targets for hackers in the past, and the statistics clearly show that. It's only a matter of time before people who are unaware are taken off guard and have their businesses turned upside down.
Security can hence no longer be taken lightly, and security checks need to be in place at every point in development, not only at the end of the development lifecycle. The best practices mentioned in this paper should be the minimum to start with. Moreover, hackers always try to find new ways and methods to breach systems, and hence the security team should stay constantly focused on the latest trends and vulnerabilities and take appropriate actions to defend the applications from attacks.
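To make the "Parameterize Queries" and "Use Output Encoding" rows of the e-commerce controls table concrete, the following added example (not code from the paper or from EVRY) contrasts a query that splices user input into SQL text with a parameterized one, and shows output encoding of user-controlled data before it reaches the browser. The customer table and its rows are constructed sample data.

```python
import html
import sqlite3


def build_db():
    # Constructed in-memory customer table (sample data, not from the paper).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_concat(conn, email):
    # Vulnerable 'before': user input is spliced into the SQL text, so quote
    # characters in the input change the structure of the WHERE clause.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, email):
    # Hardened 'after': the value travels as a bound parameter and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_greeting(display_name):
    # Output encoding: markup inside user-controlled data is rendered as text,
    # so it cannot execute as script in the customer's browser.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_db()
    probe = "nobody@example.com' OR '1'='1"
    # The concatenated query returns every row; the parameterized one returns none.
    print(len(lookup_concat(conn, probe)), "rows from the concatenated query")
    print(len(lookup_param(conn, probe)), "rows from the parameterized query")
    print(render_greeting("<script>alert(1)</script>"))
```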
About EVRY

EVRY is a $1.5 billion Nordic IT major with 8,500+ employees and is a preferred partner for Enterprise Digital Transformation. Our 1,500 dedicated employees, supporting operations in the USA, Singapore, India and group offices in Europe, are ready to collaborate with you in driving Digital Transformation. At EVRY, we follow the industry standard methodology based on OWASP, provide best practices in mitigating risk and help our customers move to production with confidence. EVRY has several years of experience on web, cloud, mobile and IoT applications in various domains such as retail, banking & finance, insurance, healthcare and ISVs.

Author
Shreyas Ranganath, Security Architect, EVRY India Pvt. Ltd.

References:
1. http://www.seattletimes.com/business/retail/credit-union-sues-eddie-bauer-for-failing-to-prevent-data-breach/
2. http://www.reuters.com/article/us-home-depot-breach-settlement-iduskcn0wa24z
3. http://www.businessinsider.in/cyber-thieves-took-data-on-145-million-ebay-customers-by-hacking-3-corporate-employees/articleshow/35630666.cms
4. http://www.breitbart.com/tech/2017/05/28/cost-targets-data-breach-nearing-300-million/
5. https://www.computerworld.com/article/2518328/cybercrime-hacking/heartland-breach-expenses-pegged-at--140m----so-far.html
6. https://www.contrastsecurity.com/security-influencers/25-percent-of-web-apps-still-vulnerable-to-eight-of-the-owasp-top-ten
7. https://www.insight.com/en_us/learn/content/2017/07202017-the-future-of-merchandising-top-4-retail-technology-trends.html
For more information about all our solutions and offerings, get in touch with: info.ind@evry.com or info.usa@evry.com

India Headquarters: EVRY India Pvt. Ltd., Ground Floor, No. 42, 27th Cross, Brigade Software Park 1, Building B, Banashankari Stage 2, Bangalore 560 070, Karnataka, India. Phone: +91-80-67388000, Fax: +91-80-67386802, www.evry.in
USA Headquarters: EVRY USA Corporation, 1425 Greenway Drive, Suite 490, Irving, Texas 75038, USA. Phone: 972-514-1113 / 1-844-9-EVRY-USA, Fax: 972-514-1109, www.evry.com/us
Global Headquarters: EVRY ASA, Snarøyveien 30A, 1360 Fornebu, Norway. Tel: +47-06500 / +47-2314-5000, www.evry.com

Copyright 2017 by EVRY India. All rights reserved. The contents of this document are protected by copyright law and international treaties. EVRY India acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. The reproduction or distribution of the document or any portion thereof, in any form or by any means, without the prior written permission of EVRY India is prohibited.