The migration to remote-working has resulted in a surge in online threats. What are the most effective protection measures?

Due to the pandemic, even companies that previously did not attach importance to online sales were forced to urgently increase their e-commerce capabilities in order to survive.

The rush to develop and integrate new functions in order to go online as soon as possible has resulted in a lack of attention to information security issues and numerous vulnerabilities in new and updated systems.

The most serious threats in the field of information security of websites and web applications are:

  • Various actions for the purpose of fraud
  • Theft of confidential information (including personal data)
  • Using the company’s network and server resources to implement the intentions of the attacker (for example, mining cryptocurrencies, sending spam, distributing malicious codes, etc.)
  • Intrusion into the organization’s information systems
  • Mass unauthorized downloading of information from web pages of sites (web scraping)
  • Disruption of the operability and availability of Internet resources (for example, as a result of DDoS attacks)
  • Modification of the information contained on the web pages, including the replacement of the main page of the site with another (defacement)

For e-commerce companies, the most sensitive are targeted attacks. The purpose of such an attack is to gain access to personal data of customers, various types of fraud (with bonus artifacts, promotions, personal accounts, e-payments), web scraping and DDoS attacks.

Targets and methods of attacks

Targeted attacks on e-commerce companies can target various types of applications:

  • ‘Classic’ browser applications
  • Corporate web applications (intended for internal users)
  • Mobile applications
  • Interfaces for interaction between services within the company, as well as with partner services (API-interfaces)
  • Critical applications (processing, billing, etc.)

In addition, attacks can be directed at networks within which applications and the infrastructure for their provision (physical and virtual servers) are deployed—they can also become objects of attacks and if they become unavailable, then the systems running on them will also be cut off from users for some time.

Methods and means of protection

To identify vulnerabilities in individual IT systems, an analysis of their security is carried out; its results serve as the basis for the formation of a threat model. It contains a description of the information security threats to which the information system is exposed. Having received a comprehensive vision of these threats and having carried out their expert assessment, company leaders, together with information security specialists, develop programs of measures to prevent and minimize them, as follows:

  • Based on the threat model, solutions are selected to protect against attacks. Solutions provided from the cloud are currently considered optimal in terms of the effectiveness of protecting e-commerce systems from threats and the cost of ownership. Among their advantages are relatively low costs (a monthly subscription fee is charged, you do not need to purchase equipment and software licenses), no need for additional personnel (and this is also a saving), high protection capacity, speed of connection (from a few minutes), high expertise by provider specialists.
  • A pilot project (Proof of Concept) for implementing the solution will determine its applicability, taking into account the characteristics of the protected applications and the level of service: including the real time of the solution provider’s technical support service and the speed of its response. It will also help to make sure the provider is competent and ready to interact. In addition, it is very useful to study the customer portfolio of the prospective provider and try to contact his customers. This simple step will help to avoid significant mistakes.
  • If the PoC is successful, start implementing the solution to protect all of the company’s Internet systems. The contract must clearly indicate the required scope and procedure for adjusting the service and supporting the customer, the time frame for responding to attacks and the procedure for notifying about their initiation and the actions of both parties in the course of repelling an attack.
  • In the process of implementing the solution, perform a number of additional efforts to integrate the solution with the customer’s IT systems, which were not covered by the pilot project. Also, it is usually required to customize the service, taking into account the scale and characteristics of the customer’s business and its IT landscape. After completing all the necessary preparatory work and procedures, the stage of productive use of protection and threat monitoring services begins.
  • It is important to remember that building reliable protection of e-commerce systems requires complex work of company leaders, their IT specialists, WAF and anti-DDoS service providers. The greatest success can be achieved only by joint efforts.
  • It should also be remembered that any means of protection must be integrated into the information security management processes, otherwise it will not work effectively. The organization needs to build and ensure that at least the following information security processes work:

    ✔ Vulnerability management
    ✔ Configuration management
    ✔ Monitoring and audit
    ✔ Incident management

And for protection against internet threats to be really effective, information security aspects need to be worked out even at the stage of application development, and preferably even during the design of their architecture—this will reduce further security costs.

Finally, understand that the implementation of WAF and anti-DDoS is not a ‘magic wand’. The world, business and IT do not stand still: various modifications are often made to existing systems, new modules appear.

Changes are also taking place at the level of the business logic of the systems. Furthermore, attackers come up with new ways to attack. Therefore, it is necessary to constantly check the information security landscape for vulnerabilities and monitor (preferably in real time) threats and incidents. Also it is necessary to adjust the means and services of protection to the changes taking place in the IT and information security landscape. This can be done both by the owners of e-commerce systems and by their providers, who maintain further support of the protection systems.