Chad Ghosn joins the online furniture retailer from Expedia.
From spear phishing to SQL injection, hackers are finding many ways to steal data.
As the holiday shopping season gets into full swing, retailers can expect to see more criminal attempts to crack their web sites and network security systems. And this year cyberthieves are likely to step up stealthy techniques like spear phishing and SQL injections to compromise web sites and steal customer account data, says online security expert Erin Nealy Cox, executive managing director and deputy general counsel of Stroz Friedberg, a risk management and forensics firm specializing in online properties.
“The holidays are always a robust time for hacking with the uptick in the use of credit cards,” Nealy Cox says. “But as retailers prepare for the holidays, not only should they stock shelves and plan for the crush of customers, but also make sure they have a strong security system and procedures in place.”
Nealy Cox, a former federal prosecutor who coordinated the prosecution of cybercrime cases throughout the United States, offers the following tips to respond to, as well as prevent, criminal infiltrations of web sites and computer networks:
- Spear phishing is a variation of broadly distributed e-mail phishing attacks designed to trick e-mail recipients into clicking to a legitimate-looking, but phony, web site and entering information like credit card account data. In the case of spear phishing, criminals do enough research to get the e-mail addresses of particular people, such as executives at a retail company, then e-mail them what appears to be a legitimate document from a co-worker. When the recipient clicks the icon indicating an attached document, instead of seeing a document he may see just a blank page and make a note to follow up with his co-worker at a later time. “The recipient might think nothing of it, but what may have happened is that clicking that attachment took him to a hacking portal, where malware was downloaded to his computer,” Nealy Cox says. The malware would then search for security openings that expose data, such as customer e-mail addresses and payment card account information. The same malware might also install keylogging software designed to capture the recipient’s keystrokes to steal his personal account information when he shops online. To guard against such attacks, Nealy Cox advises a combination of technology and policies. In addition to the standard practice of installing firewalls to block most suspicious e-mail, companies should also train employees to carefully check the e-mail headers of incoming messages for any unusual characters that would indicate they’re not coming from a trusted party, and to simply not click on unexpected attachments without first checking with the person who supposedly sent them.
- SQL, or structure query language, is a programming language for managing data across multiple related databases, such as customer account data and e-mail lists, and SQL injection attacks are designed to find web site and network security vulnerabilities and steal, or otherwise compromise, confidential data. (On retail sites, criminals often try to insert data-stealing scripts into fields where consumers enter such information as name and address. Security experts advise web site managers to install software that screens the data entered in those fields to prevent command scripts from executing.) In addition to the usual firewalls, Nealy Cox advises that companies plan to mitigate any effect of SQL injection attacks by having in place a good database management and recovery plan. This includes knowing exactly where sensitive data such as customer accounts are stored, who has access to them, and having a designated response team charged with immediately checking sensitive data when a security breach is discovered. “The first 72 hours is critical,” she says. “And mapping is key. A big company especially needs to know where its sensitive data is.”
- Cloud-based computing and data storage, which is becoming more popular as way for retailers to use other company’s web servers to manage their web sites, applications and databases, requires retailers to take extra steps to ensure that these systems are built with the proper firewalls and that effective policies are in place should a security breach occur. “Cloud environments are no more or less secure than any other company’s network environment,” Nealy Cox says, “but cloud agreements need to address liability in a detailed way.”
If there’s a security breach, a service-level agreement with the cloud provider should clarify who has access to data, who responds to and investigates a security breach, and how the retail is ensured that a breach has been fixed.
As in other common online security problems—such as distributed denial of service, or DDOS, attacks, which send massive volumes of traffic to web sites in attempts to prevent their web pages from loading—retailers should always take the common steps of updating passwords and other security features, but at the same time being careful not to alter any evidence of network infiltration that could help investigators determine how a breach occurred, Nealy Cox says. She adds that retailers should be aware that proper investigations and remedial actions following security breaches can take several months. “Protecting your network requires a viligent process, and there’s no silver bullet,” she says.