Getting Tough
Running fast with web site security to stay ahead of the bad guys
By Paul Demery
The toughest thing about guarding against web site security breaches is that you never know how or when they will occur, or where they will come from. But one thing’s for sure: When they come, the consequences can quickly lead to lost sales. “Any kind of security breach that hits customers is devastating, because they won’t come back to our site if it doesn’t perform well or if they realize their credit card number was stolen,” says Ricardo Santos, CTO of Scrapology Inc.’s Scrapology.com, a retail site for scrapbook lovers.
As recent events have shown, a growing number of security threats can infiltrate web sites and computer networks in unexpected ways, causing major damage to any e-retailer that hasn’t scrambled fast enough to download the latest network security patch or established administrative rules that effectively guard against careless downloading of virus-plagued e-mail attachments.
And because criminal hackers are constantly thinking of new ways to attack—and are more capable of launching serious attacks due to the global spread of broadband Internet connectivity—web site operators cannot be too vigilant in trying to stay ahead of them. “The security threat is growing,” says Keith Powell, senior manager in the retail practice and a web site security expert at consultants BearingPoint Inc. “And it’s not just because hackers are smarter, but because they’re getting access to broadband from anywhere in the world.”
While broadband is good for quick downloads of graphics-intensive web sites, it also provides a wider pipe for hackers to break into a site to steal customer data like credit card account numbers or simply to disrupt operations, such as a denial of service attack, he adds.
At the same time, an expanding global market for stolen credit card data is providing more incentive for criminals to join the ranks of hackers, experts say. “The attack profile is growing in several dimensions, and there seems to be more motivated hackers and criminals,” says Richard Stiennan, analyst specializing in retail security systems at Gartner Inc. “What’s also growing is what criminals do with the credit card data after it’s stolen. In the past this was a game of 12-year-olds, now it’s a game of older and more pervasive perpetrators in Eastern Europe and other places around the world who realize there’s a market for the data. And if they get the data, they know how to sell it.”
Santos knows the threat posed by credit card account thieves all too well. A few weeks ago, his credit card issuer called to say his account had been canceled because the account number had been stolen following an e-commerce transaction. That’s one of the reasons Scrapology, which launched this summer, has taken extra precautions to assure a bullet-proof e-commerce operation. “Credit card data security is a real concern,” he says.
Fortunately, as Scrapology and other online retailers have learned, the growing security threat is accompanied by a growing number of ways to keep the criminals at bay. But no one’s saying it’s easy. “There are tens of millions of web servers and hundreds of thousands that take credit cards, and hackers are always fishing for the ones that are easiest to attack,” Stiennan says. “They scan the Internet looking for an open firewall port, or a site with an old version of patch software.”
Large online retailers have come to accept the fact that they must dedicate IT staff and infrastructure to guard against intrusions that can bring credit card account thefts, viruses and denial of service attacks. Ritz Interactive Inc., which operates 15 retail web sites including RitzCamera.com and BoatersWorld.com, has designed and built a proprietary system, using an operating system from Sun Microsystems Inc. on IBM’s WebSphere platform, for encryption and deletion of customer data, says CEO Fred H. Lerner. “With our encryption and deletion strategy, our customers’ information is always protected,” Lerner says, adding that Ritz guards its network with a complex system of commercial firewalls. “We’ve never had a breach of security, no viruses or denial of service attacks.”
Alternate means
Smaller retailers, however, must often find alternate means to maintain security. And some are better than others.
Many small retailers use a web site hosting service, which can handle most of the chores of maintaining security. “When you’re a big retail shop, you can afford to have folks watching for intrusion or denial of service attacks,” says Santos. Scrapology.com uses a hosting service. “We like to take advantage of our hosting provider’s security expertise.”
Scrapology’s hosting service, which Santos declines to name, provides security benefits of running multiple network servers to separate different operations—in Scrapology’s case, serving up web pages, processing back-end transactions and managing product databases—but it offers additional benefits as well. Santos receives an update every hour on key performance metrics of his site, including whether the site is meeting its standard of being available for download more than 99% of the time.
Moreover, if someone tries to hack his site, Santos says, the host provider will arrange to isolate the attack from Scrapology while monitoring how it operates. “The attack will actually hit a web space where our provider can learn how to guard against it,” he says.
But even hosting services can run into security problems. And so Scrapology is planning to take another major step to even greater security by retaining a second web site hosting service. This will provide full redundancy of web site operation should its first hosting service ever fail due to a network intrusion or other problem, Santos says. “There’s always the potential of security risk, so you take the best measures you can,” says Santos, who formerly worked as a network systems engineer for Exodus Communications, an Internet service provider. “We want to make our customers’ first-time and second-time experiences consistently positive.”
Eternal vigilance
Whether using a hosting service or not, e-retailers must be constantly aware of new threats that may arise to security.
Moreover, hackers are always looking for new ways to attack sites, whether they’re looking to steal credit card data or simply disrupt operations, causing the list of potential security threats to grow constantly. In recent months, for instance, many companies have prohibited their employees from changing their desktop screensavers, because hackers had discovered that screensavers downloaded from the Internet provided a good way to infiltrate hard drives and corporate networks with a worm or virus.
This past summer’s Blaster and SoBig viruses created huge numbers of e-mail messages to hit in-boxes, taking up precious time as well as clogging and sometimes shutting down e-mail systems. “SoBig hasn’t radically disrupted our ability to respond to customers, but it’s certainly wasting our IT resources,” Dave Dierolf, vice president of IT for consumer electronics retailer Crutchfield.com, said after the virus hit. “We’re always irritated by having to spend time on viruses instead of customer service.”
Worms and viruses can be programmed in an unlimited number of ways to harm computer data. For example, a worm can launch malicious code that destroys data and automatically spreads to other network applications, and a virus can spread destructive code as well as clog e-mail in-boxes. “A worm is a software program and can be made to do anything,” Powell says.
Web site operators also need to be wary of e-mail attachments that are not clearly from a known source. “I see stuff get into sites through made-up queries to customer service from alleged buyers,” says Powell. One of the more common techniques is for a hacker to attach a seemingly harmless though unusually worded attachment to an e-mailed customer service inquiry, such as “screenshot.jpg,” he adds.
“Whenever you see an attachment with a jpg file from someone you don’t know, there’s a good chance you’ve just received a worm,” Powell says.
Infrastructure counts
Network infrastructure can also make a big difference in a company’s ability to control security breaches. Most recent viruses have attacked Microsoft’s Windows network operating systems, leading some network administrators to opt for alternative systems such as Apple Computer Corp.’s Macintosh operating system or the Linux open-source platform. But even these other systems need to be closely monitored to ward off viruses, Powell says.
“People think that Linux is free from viruses and worms, but that’s not true,” he says. Although Linux is most often implemented by companies with sophisticated IT staffs that can provide their own virus protection, Powell cautions that individuals or companies without much IT expertise should be aware of Linux’s vulnerabilities. Not only is it susceptible to viruses, but it is not compatible with any commercially available anti-virus software, such as Symantec Corp. software commonly used in Windows, he says.
And though Microsoft Windows operating systems are the target of most attacks, not all Windows systems operate at the same risk. Because Microsoft provides most of its security attention—and software patches—to its latest available operating systems, including Windows 2003 and XP, web sites using older versions could be at greater risk, Powell says. “If you’re on Windows NT or 95 operating systems, it may be a good time to upgrade to take advantage of the patches,” he says.
Raising the threshold
Crutchfield and other retailers say they’ve been able to keep their e-mail marketing and other forms of e-mail communications, such as order confirmations, flowing by taking steps to guard against getting infected by SoBig and other viruses and worms. In addition to assuring their systems have the latest anti-virus software patches, retailers are paying closer attention to the way they manage outgoing e-mail, to assure it has “from” and “subject” headings that are clear to recipients. “You have to raise the threshold for monitoring e-mail for every domain,” Dierolf says.
Crutchfield also uses what it says is an effective anti-spam tool, SpamAssassin, which runs on a Linux server and is available from SpamAssassin.org. It also runs WebShield from Symantec.
Altrec.com, a retailer of outdoor sports apparel and gear, got hit with hundreds of SoBig e-mail messages daily, but effectively guarded against the virus by using the open-source MailScanner anti-virus software, also running on Linux, says Shannon Stowell, co-founder and vice president of business development.
And at Bluefly.com, an anti-spam program enabled the discount-priced fashion retailer to experience a strong August—despite that month’s SoBig attack—in terms of the number of e-mail marketing messages delivered and converted to orders, says executive vice president Jonathan Morris. “We’ve not seen any interruption this month,” he said following the SoBig attack.
paul@verticalwebmedia.com
On Guard: Steps to minimize breaches
To guard against web site attacks, there are two major steps web sites need to take, says Keith Powell, senior manager in the retail practice at consultants BearingPoint Inc.: installing intrusion detection software or services, available from companies such as Cisco Systems Inc., IBM, Microsoft Corp., VeriSign and Vontu, to get an early warning of any impending security breaches, and deploying tiered security layers with multiple servers to minimize intrusions into any one area.
“You should have a minimum of three servers in a retail environment,” he says. “For example, one to serve up web pages, another to run applications like shopping carts, and a database server for providing product information.” He adds that critical applications like shopping carts should not be exposed to web servers, but run on private network servers to protect personal consumer data.
Also crucial, Powell adds, is the way servers and firewalls are configured in a TCP/IP environment. While a server for displaying web pages typically uses the TCP/IP entry point known as port 80 for basic http (hypertext transfer protocol) data transfers, a server that handles credit card transactions with Secure Sockets Layer encryption should use port 443 for https data transfers.
Although some web sites will minimize infrastructure costs by sending transactions through ports 80 and 443 with the same server, this can make it more difficult to administer site security, Powell says. “You can put ports 80 and 443 on the same box, but that’s the poor man’s way to do it,” he says. “You open your site up to more problems if you use one server for both ports.”
He notes that there are more than 65,000 active TCP/IP ports that hackers can use to try to enter a web site, so site operators need to set up a system that details through which ports their sites will accept data transfers. “If a request for data does not come in through port 80 or 443, then you may want to block that request,” Powell says.
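The tier and port advice above, turned into a small audit; this is an added example, not part of the original article. It evaluates first-match firewall rules for each server and reports any internet-facing port beyond 80 on the page server and 443 on the SSL server. The rule format, tier names, host names and port 8080 are constructed assumptions.

```python
from dataclasses import dataclass

ALL_PORTS = range(1, 65536)          # the "more than 65,000" TCP ports

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    source: str                      # "internet" or "private"
    ports: range                     # destination TCP ports covered

# Assumed policy: ports each tier may expose to the internet.
POLICY = {"web": {80}, "checkout": {443}, "app": set(), "db": set()}

def exposed_ports(rules, default="drop"):
    """Internet-reachable ports under first-match-wins rule evaluation."""
    decided, reachable = set(), set()
    for rule in rules:
        if rule.source != "internet":
            continue
        fresh = set(rule.ports) - decided   # earlier rules shadow later ones
        decided |= fresh
        if rule.action == "accept":
            reachable |= fresh
    if default == "accept":                 # no final drop: the rest is open
        reachable |= set(ALL_PORTS) - decided
    return reachable

def audit(servers):
    """Map server name -> ports open to the internet beyond its tier's allowance."""
    findings = {}
    for name, (tier, rules, default) in servers.items():
        extra = exposed_ports(rules, default) - POLICY[tier]
        if extra:
            findings[name] = extra
    return findings

# Constructed sample rule sets (hypothetical hosts, not from the article).
SERVERS = {
    "web1":  ("web",      [Rule("accept", "internet", range(80, 81))], "drop"),
    "pay1":  ("checkout", [Rule("accept", "internet", range(443, 444))], "drop"),
    "combo": ("web",      [Rule("accept", "internet", range(80, 81)),
                           Rule("accept", "internet", range(443, 444))], "drop"),
    "cart1": ("app",      [Rule("accept", "private", range(8080, 8081))], "accept"),
    "db1":   ("db",       [Rule("drop", "internet", range(1, 1024)),
                           Rule("accept", "internet", ALL_PORTS)], "drop"),
}

if __name__ == "__main__":
    for host, ports in audit(SERVERS).items():
        print(f"{host}: {len(ports)} unexpected port(s), lowest {min(ports)}")
```

The `cart1` and `db1` cases show the two usual ways a private tier ends up reachable: a missing default drop, and an accept-all rule sitting after a partial drop.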