The home improvement chain also said the malware responsible for the breach has been removed from all stores.
As web sites become more complex, so do their security requirements. Most merchants for which it tests system vulnerability initially fail, Security Metrics says.
Consumers want the online transaction between their laptop and an e-commerce server to be secure. But if the e-commerce server is itself vulnerable, “the back door to the bank is open,” says Brad Caldwell, CEO of Security Metrics, a provider of security and testing services to online merchants and other businesses.
Caldwell says he has seen an increase over the past three to four months in requests for quotes on forensics services-in this context, the recovery and resolution between merchants and credit card companies after a merchant’s site and database have been hacked into and credit card data stolen.
Why the increase? As web sites become more complex, so do their security requirements, a fact sometimes overlooked by web site operators adding new web services to make operations more efficient. “If you have a new service like a new mail exchange system, for example, IT has to open up a port in your firewall to do that," Caldwell says. “Every time you open another port, you have potentially added new bugs. And some hacker may find a way to get in through that service. As we expect more and more from technology, we open up more points of entry for an attacker.”
Preventing hackers from getting into an e-commerce database is far less expensive than the cost of forensic services to clear up the aftermath of an attack after it occurs, Caldwell says. Security Metrics provides preventive security testing as well as forensic services, and surprisingly, most of the companies for which it provides preventive security testing initially fail the test.
“People in IT do the things they believe they need to for security, but they may not understand all the facets. We check for thousands of different system vulnerabilities to see if we can get into your system using our automated system, and most merchants fail the test when we do a security analysis,” he says.