Mitigating Security Breaches in Retail Applications WHITE PAPER


Executive Summary

Retail security breaches have been a concern in the past and present, and will continue to be in the future. Retailers have long been a preferred target for hackers because of the large amount of sensitive data available for exploitation. With the increasing digitization of customer journeys in retail, from engagement through product discovery to purchase, the security threats have also multiplied. In the retail domain, information such as credit card numbers, bank account numbers, contact numbers, addresses, dates of birth and email addresses is all in high demand. Hackers can either sell an individual's account details or dump entire databases, which fetch a high price on the dark web, for financial gain. The resulting financial consequences of a breach are huge, and the damage done to reputation hurts even more: it can take a long time to win back customers' confidence. This white paper delves deeper into the areas to be considered in the retail environment, namely attacker entry points, attack vectors and the best practices that help reduce application vulnerabilities.

MITIGATING SECURITY BREACHES IN RETAIL APPLICATIONS / WHITE PAPER

Security Breaches

Some of the top security breaches in the retail industry are listed here; they clearly show the large extent of the financial implications:

RETAILER | SECURITY INCIDENT | FINANCIAL IMPLICATION
Eddie Bauer [1] | 360 retail stores infected | Veridian Credit Union sues Eddie Bauer (amount not disclosed)
Home Depot [2] | 60 million cards hit by security breach | Around $19.5 million
eBay [3] | 145 million customer accounts compromised | Not disclosed
Target [4] | 40 million credit card accounts compromised | $240 million spent to replace customers' cards
Heartland Payment Systems [5] | 130 million credit card accounts compromised | $139.4 million

Application Security Statistics

A research project on web application vulnerabilities by Contrast Security [6] led to some interesting observations:

- 25% of web apps are still vulnerable to eight of the OWASP Top Ten
- 69% of web applications are plagued by vulnerabilities that lead to sensitive data exposure
- 55% of applications are exposed to cross-site request forgery flaws
- 41% of web apps are affected by broken authentication and session management issues
- 37% of applications are affected by security misconfiguration
- 33% of apps are affected by missing function level access control

The research also found at least 45 vulnerabilities per application. This continues to show that the application is the weak link in the chain, and that most breaches occur through the application's weaknesses.

Retailer Ecosystem and Entry Points for an Attacker

A typical retailer has several systems behind the web / mobile app, such as an Order Management System (OMS), Warehouse Management System (WMS), store apps, Transport Management System (TMS), Product Information Management (PIM), CRM, etc. Even though the attack surface is mostly concentrated in the web / mobile application, each one of these systems can be an entry point for an attacker (internal or external), who can then gain access to sensitive information.

[Figure: Retailer Interface Mapping]

Retail Application Security - Attack Vectors

Now that we know the attacker entry points, we can look at the possible threats through which any retail application can be compromised. The path by which a hacker gains unauthorized access to a device or network in order to deliver a malicious payload is termed an attack vector. Some of the important attack vectors are listed below:

Security Best Practices to Mitigate the Threat

POS Application: Endpoint systems such as POS should be protected against malware, a major threat which has led to several security breaches in the past. The following best practices should reduce the attack surface and help prevent attacks:

Patch updates: Ensure the latest patches are installed on the POS systems and the servers in the ecosystem.
Encryption: Encrypt all data stored or in transit with strong encryption algorithms (AES for data at rest and X.509 certificates for data in transit).
Access to Internet: Restrict Internet access from the POS system to reduce the attack surface.
Authentication: Use strong authentication, viz. multifactor authentication, to access the POS machine, and segment the network for the POS machines to add another layer of defense.
End-Point Security: It is vital to have an endpoint security solution monitoring the POS systems continuously for any malware or malicious activity.

m-commerce App Controls: Below are a few specific controls that can be used for mobile apps:

CONTROLS | VULNERABILITIES MITIGATED
Authentication / Authorization and Session Management | Broken Authentication, Session Management and Privilege Escalation
Secure Data Integrations | Sensitive Data Exposure
Encrypt sensitive data using strong algorithms | Sensitive Data Exposure, Sniffing and Data Tamper
Root / Jailbroken Detection | Code tampering
Code Obfuscation | Prevents effective reverse-engineering
Security Patches | Prevents latest vulnerabilities
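The first row of the m-commerce table, "Authentication / Authorization and Session Management", is the one control that is mostly a matter of back-end code rather than platform configuration. The following is an added example, not code from the white paper or from EVRY: a server-side session store for the API behind a mobile or web shop that applies the practices which make "Broken Authentication and Session Management" hard to exploit: unguessable tokens from the OS CSPRNG, idle and absolute timeouts enforced on the server, token rotation after login or a privilege change (which defeats session fixation), explicit revocation, and a role check that never trusts anything the client claims. The class and function names, the timeout values and the roles are all assumptions made for illustration.

```python
"""Server-side session management for a retail app back end.

Added example (not from the EVRY white paper). Names, timeouts and roles
are assumptions for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours after login, whatever the activity


@dataclass
class Session:
    user_id: str
    role: str          # authoritative role, set server-side at login
    created: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by a random 256-bit token.

    A clock callable is injected so expiry can be tested deterministically;
    a production deployment would back this with a database or cache.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user_id: str, role: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user_id, role, now, now)
        return token

    def _find(self, token: str) -> Optional[str]:
        # Compare in constant time so a timing side channel cannot confirm
        # partial token matches (linear scan is fine for this demo store).
        found = None
        for stored in self._sessions:
            if hmac.compare_digest(stored.encode(), token.encode()):
                found = stored
        return found

    def lookup(self, token: str) -> Optional[Session]:
        """Return the live session for a token, or None if unknown or expired."""
        key = self._find(token)
        if key is None:
            return None
        s = self._sessions[key]
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[key]                # expired: revoke on the server
            return None
        s.last_seen = now
        return s

    def rotate(self, old_token: str) -> Optional[str]:
        """Issue a fresh token for the same session and invalidate the old one.

        Call this right after login and after any privilege change, so a token
        fixed or observed before authentication is worthless afterwards.
        """
        key = self._find(old_token)
        if key is None:
            return None
        s = self._sessions.pop(key)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = s
        return new_token

    def revoke(self, token: str) -> None:
        """Logout: forget the session server-side, not just client-side."""
        key = self._find(token)
        if key is not None:
            del self._sessions[key]


def authorize(store: SessionStore, token: str, required_role: str) -> bool:
    """Function-level access check done on the server from the stored role only."""
    s = store.lookup(token)
    return s is not None and s.role == required_role
```

A real service would put the token in an HttpOnly, Secure cookie or an Authorization header, and the store would live in a shared cache so that revocation and expiry hold across all API instances.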

e-commerce Application: Following are some of the controls that can be implemented to mitigate attacks:

CONTROLS | VULNERABILITIES MITIGATED
Implement Proper Authentication | Broken Authentication and Session Management, Privilege Escalation
Parameterize Queries | Injection
Use Output Encoding | Injection and Cross Site Scripting
Validate user input data | Un-validated Redirects and Forwards, Injection, XSS and Remote Code Execution
Encrypt data at rest and data in transit | Sensitive Data Exposure, Sniffing and Data Tamper
Implement Access Controls | Insecure Direct Object References and Missing Function Level Access Control
Logging | Sensitive Data Exposure and Security Misconfiguration
Intrusion Detection and Prevention | Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
Endpoint Security | Malware

What's in Store for the Future?

The advent of newer technologies such as IoT (Internet of Things) and AI (Artificial Intelligence) brings a whole new dimension to the way customers interact and shop. The opportunities for adopting these technologies in retail are practically endless and limited only by one's imagination. However, increased adoption of these technologies also brings increased security concerns, especially since no clear global standards exist, and hence the security threats grow exponentially. As with any adoption of new technology, the industry should constantly evolve its standards, and the security community should work towards best practices that ensure these technologies can be used securely.

Conclusion

The retail industry has been one of the prime targets for hackers in the past, and the statistics clearly show that. It is only a matter of time before those who are unaware are taken off guard and have their businesses turned upside down. Security can therefore no longer be taken lightly: security checks need to be in place at every point in development, not only at the end of the development lifecycle. The best practices mentioned in this paper should be a minimum to start with. Moreover, hackers always try to find new ways and methods to breach systems, so the security team should constantly focus on the latest trends and vulnerabilities and take appropriate action to defend the applications from attacks.
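Four of the e-commerce controls in the table earlier in this section (Parameterize Queries, Use Output Encoding, Validate user input data, Implement Access Controls) can be shown side by side in a few lines of back-end code. The following is an added example, not code from the white paper or from EVRY, written against an in-memory SQLite order table: an order lookup built by string concatenation (the injectable 'before' picture) next to its parameterized form, an ownership-scoped lookup that closes the insecure-direct-object-reference hole, HTML output encoding, and an allow-list check for post-login redirect targets. The table layout, the sample rows, the host names and the function names are all constructed for illustration.

```python
"""E-commerce back-end controls from the table above, as an added example
(not from the EVRY white paper). Schema, rows and hosts are constructed.
"""
import html
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, one order each."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id TEXT, item TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "alice", "Running shoes"), (2, "bob", "Jacket <XL>")])
    return con


# --- Parameterize Queries: mitigates Injection -------------------------------
def find_orders_unsafe(con: sqlite3.Connection, customer_id: str) -> List[Tuple[int, str]]:
    """The 'before' picture: user input is spliced into the SQL text, so a
    customer_id containing a quote rewrites the WHERE clause."""
    sql = "SELECT id, item FROM orders WHERE customer_id = '" + customer_id + "'"
    return con.execute(sql).fetchall()


def find_orders(con: sqlite3.Connection, customer_id: str) -> List[Tuple[int, str]]:
    """Placeholder binding: the driver passes customer_id as data, never as SQL."""
    return con.execute("SELECT id, item FROM orders WHERE customer_id = ?",
                       (customer_id,)).fetchall()


# --- Implement Access Controls: mitigates Insecure Direct Object References ---
def get_order(con: sqlite3.Connection, session_customer_id: str,
              order_id: int) -> Optional[Tuple[int, str]]:
    """Scope every by-id lookup to the authenticated customer, so a guessed
    order id belonging to someone else simply returns nothing."""
    return con.execute("SELECT id, item FROM orders WHERE id = ? AND customer_id = ?",
                       (order_id, session_customer_id)).fetchone()


# --- Use Output Encoding: mitigates Cross Site Scripting ---------------------
def render_item(item: str) -> str:
    """Encode for the HTML body context; attribute, URL and JavaScript
    contexts each need their own encoder."""
    return "<li>" + html.escape(item, quote=True) + "</li>"


# --- Validate user input data: mitigates Un-validated Redirects and Forwards --
ALLOWED_REDIRECT_HOSTS = {"shop.example.com"}   # assumed allow-list


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Accept only same-site relative paths or https URLs on allow-listed
    hosts; anything else (scheme-relative '//host', javascript:, foreign
    hosts, backslash tricks) falls back to the default landing page."""
    if "\\" in target:
        return default
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "" and target.startswith("/"):
        return target
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default
```

The two `find_orders` variants take the same input; only the parameterized one keeps a quote character inside the data, which is the whole point of the "Parameterize Queries" row. The redirect validator uses an explicit allow-list rather than a deny-list, so new bypass spellings do not silently become valid.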

About EVRY

EVRY is a $1.5 billion Nordic IT major with 8,500+ employees and is a preferred partner for Enterprise Digital Transformation. Our 1,500 dedicated employees, supporting operations in the USA, Singapore and India and group offices in Europe, are ready to collaborate with you in driving Digital Transformation. At EVRY, we follow the industry-standard methodology based on OWASP, provide best practices for mitigating risk and help our customers move to production with confidence. EVRY has several years of experience with web, cloud, mobile and IoT applications in domains such as retail, banking & finance, insurance, healthcare and ISVs.

Author: Shreyas Ranganath, Security Architect, EVRY India Pvt. Ltd.

References:
1. http://www.seattletimes.com/business/retail/credit-union-sues-eddie-bauer-for-failing-to-prevent-data-breach/
2. http://www.reuters.com/article/us-home-depot-breach-settlement-iduskcn0wa24z
3. http://www.businessinsider.in/cyber-thieves-took-data-on-145-million-ebay-customers-by-hacking-3-corporate-employees/articleshow/35630666.cms
4. http://www.breitbart.com/tech/2017/05/28/cost-targets-data-breach-nearing-300-million/
5. https://www.computerworld.com/article/2518328/cybercrime-hacking/heartland-breach-expenses-pegged-at--140m----so-far.html
6. https://www.contrastsecurity.com/security-influencers/25-percent-of-web-apps-still-vulnerable-to-eight-of-the-owasp-top-ten
7. https://www.insight.com/en_us/learn/content/2017/07202017-the-future-of-merchandising-top-4-retail-technology-trends.html

For more information about all our solutions and offerings, get in touch with: info.ind@evry.com or info.usa@evry.com

India Headquarters: EVRY India Pvt. Ltd., Ground Floor, No. 42, 27th Cross, Brigade Software Park 1, Building B, Banashankari Stage 2, Bangalore 560 070, Karnataka, India. Phone: +91-80-67388000, Fax: +91-80-67386802, www.evry.in
USA Headquarters: EVRY USA Corporation, 1425 Greenway Drive, Suite 490, Irving, Texas 75038, USA. Phone: 972-514-1113 / 1-844-9-EVRY-USA, Fax: 972-514-1109, www.evry.com/us
Global Headquarters: EVRY ASA, Snarøyveien 30A, 1360 Fornebu, Norway. Tel: +47-06500 / +47-2314-5000, www.evry.com

Copyright 2017 by EVRY India. All rights reserved. The contents of this document are protected by copyright law and international treaties. EVRY India acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. The reproduction or distribution of the document or any portion of it, in any form or by any means, without the prior written permission of EVRY India is prohibited.