Retail industry websites have the highest number of serious security issues, says the most recent WhiteHat Security Website Statistics Report, “with an average of 121 serious vulnerabilities identified per website” annually. Serious vulnerabilities are defined as those rated high, critical or urgent under the PCI DSS severity naming convention, exploitation of which could lead to a server breach, user account takeover, data loss or compliance failure.
That’s the bad news. On the positive side, “Great strides are being made in remediating potentially devastating vulnerabilities across verticals and decreasing the window of exposure that places enterprise and customer data at risk,” notes Jeremiah Grossman, author of the report.
The retail industry’s annual average of 121 vulnerabilities is significantly higher than that of the runner-up insurance industry (92) or No. 3 information technology (85). At the low end of the spectrum was the banking industry, with an average of 17 such vulnerabilities.
Grossman, founder and chief technology officer of WhiteHat, recommends a four-step strategy to build out a website security program:
1. Prioritize all websites, whether on the basis of business criticality, data sensitivity, revenue generation, traffic volume or some other metric, because “knowing what systems need to be defended and their value to the business provides a barometer for an acceptable security investment.”
2. Measure your security posture from an attacker’s perspective in order to understand what “classes of adversaries need to be defended against and your exposure to them.”
3. Determine the type of target your organization is. This “provides the basis for organizational security goals,” i.e., whether those goals should be on a par with industry peers or ahead of them.
4. Trend and track the lifecycle of vulnerabilities, which will “serve as a guide for which new and/or improved SDL-related (software development lifecycle) activities are likely to make the most impact and drive toward organizational goals.”
Vulnerability counts alone don’t provide a comprehensive picture of website security, Grossman cautions. What must also be considered are “the average number of days it takes to fix a serious vulnerability, the percentage of reported vulnerabilities that are no longer exploitable [the remediation rate] and the window of exposure, or the average number of days a website is exposed to at least one serious vulnerability.”
As these metrics are tallied at each organization, he adds, “Specific operational and software development lifecycle deficiencies can be isolated and improved.”
High response, remediation rates
Retailers as a group are relatively quick to fix serious vulnerabilities once they are identified, taking an average of 27 days, well below the all-industry average of 38 days. Retailing’s remediation rate is also relatively high at 66 percent, trailing only banking (74 percent) and telecommunications (69 percent).
Information leakage — the No. 2 issue, identified at 53 percent of websites — is described by Grossman as a “catch-all term that describes a vulnerability in which a website reveals sensitive data, such as technical details of the web application, environment or user-specific data.” This sensitive data can be used by an attacker to “exploit the system, its hosting network or users.”
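The definition above covers two distinct leaks: banners that name the server and framework versions on every response, and error pages that hand the client a stack trace with paths, query fragments and internal addresses. The following Python is an added example for this article, not code from WhiteHat or the report: a leaky request handler beside a hardened one, and a small scanner that flags the common tells in a response. The backend function, header values, the 10.0.3.7 address and the regex list are all constructed for illustration; a real scanner would carry many more signatures.

```python
"""Information leakage: a handler that reveals technical details beside a
hardened one, plus a response scanner for the common tells.

Added example for this article, not code from WhiteHat or the report. The
backend, header values, IP address and regex list are constructed for
illustration; a real scanner would carry many more signatures.
"""
import logging
import re
import traceback

log = logging.getLogger("orders")

# Tells that a response exposes details of the application or its environment.
LEAK_PATTERNS = {
    "server_version": re.compile(r"^(apache|nginx|microsoft-iis|lighttpd)/[\d.]+", re.I),
    "stack_trace": re.compile(
        r"Traceback \(most recent call last\)|File \"[^\"]+\", line \d+|\bat [\w.$]+\(\w+\.java:\d+\)"
    ),
    "internal_ip": re.compile(
        r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    "sql_error": re.compile(r"SQL syntax|ORA-\d{5}|sqlite3\.OperationalError|psycopg2\.", re.I),
}
FRAMEWORK_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def find_leakage(headers, body):
    """Return the sorted leakage categories found in one HTTP response."""
    found = set()
    for name, value in headers.items():
        if name.lower() in FRAMEWORK_HEADERS:
            found.add("framework_banner")
        if name.lower() == "server" and LEAK_PATTERNS["server_version"].search(value):
            found.add("server_version")
    for category, pattern in LEAK_PATTERNS.items():
        if category != "server_version" and pattern.search(body):
            found.add(category)
    return sorted(found)


def lookup_order(order_id):
    """Constructed backend call; fails on bad input the way a DB layer might."""
    if not order_id.isdigit():
        raise ValueError(f"bad order id {order_id!r} in query to db at 10.0.3.7")
    return {"order": int(order_id), "status": "shipped"}


def leaky_handler(order_id):
    # Version banners on every response, full traceback on error.
    headers = {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"}
    try:
        return 200, headers, str(lookup_order(order_id))
    except Exception:
        return 500, headers, "<pre>" + traceback.format_exc() + "</pre>"


def hardened_handler(order_id):
    # Product name only, no framework header; errors are logged server-side
    # and the client gets a generic message.
    headers = {"Server": "Apache"}
    try:
        return 200, headers, str(lookup_order(order_id))
    except ValueError:
        return 400, headers, "Bad request"
    except Exception:
        log.exception("order lookup failed for %r", order_id)
        return 500, headers, "An error occurred"


def compare(order_id):
    """Run both handlers on the same input and report what each leaks."""
    out = {}
    for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        status, headers, body = handler(order_id)
        out[name] = {"status": status, "leaks": find_leakage(headers, body)}
    return out


if __name__ == "__main__":
    for oid in ("42", "42 OR 1=1"):
        print(oid, compare(oid))
```

Note that the leaky handler leaks even on a successful request: the `Server` and `X-Powered-By` banners alone tell an attacker which exploits to try, which is why the scanner checks headers independently of the body.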
Low reopen rates
Grossman says there is a difference between being a target of choice and a target of opportunity. “Targets of opportunity are breached when their security is weaker than the average organization in their industry,” he says. “Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker.”
The result, since “foolproof security is an unrealistic goal,” is that companies must determine for themselves which type of target their website is. “By doing so,” Grossman says, “an organization may establish and measure against a ‘secure enough’ bar.”
Being a target of choice sets the bar much higher: the retailer must elevate security to a point where an attacker’s efforts are detectable, preventable and, in the event of compromise, survivable, because the attacker “will spend whatever time is necessary looking for gaps in the defense to exploit,” Grossman says.
Dealing with website vulnerabilities involves plenty of guesswork, both as to why a site was attacked and how to make repairs. The application security team “may not even know precisely how a vulnerability was fixed, only that it was,” Grossman says.
In the WhiteHat report, 20 percent of the vulnerabilities identified and fixed were reopened, often many times. On the flip side of the coin, however, that means that 80 percent of the vulnerabilities were not reopened.
As to why the vulnerability re-open rate is as high as 20 percent, Grossman can only say, “There are a great number of reasons why a vulnerability might ‘close,’ but the underlying [reason is that the] issue is not really fixed or fixed properly.”
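The metrics Grossman lists earlier (average days to fix, remediation rate, window of exposure) and the reopen rate discussed here are all derived from the same vulnerability lifecycle record. The Python below is an added example for this article, not code from WhiteHat or the report; it shows how each figure falls out of a list of open and close events for one site. The sample data is constructed, and where the report leaves a detail open (how a reopened vulnerability's fix time is counted, and that a site's window of exposure is the union of overlapping open intervals rather than their sum) the choice made is an assumption noted in the comments.

```python
"""Vulnerability-lifecycle metrics of the kind the WhiteHat report uses.

Added example for this article, not code from WhiteHat or the report. The
data below is constructed; the functions implement the definitions quoted in
the article: average days to fix, remediation rate, window of exposure and
reopen rate. Where the report leaves a detail open, the choice made here is
an assumption and is noted in a comment.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Vuln:
    vid: str
    site: str
    # Chronological (date, state) events; state is "open" or "closed".
    # An "open" that follows a "closed" records a reopen.
    events: list

    def is_closed(self):
        return self.events[-1][1] == "closed"

    def ever_closed(self):
        return any(state == "closed" for _, state in self.events)

    def was_reopened(self):
        states = [state for _, state in self.events]
        return any(a == "closed" and b == "open" for a, b in zip(states, states[1:]))

    def days_to_fix(self):
        # Assumption: measured from first report to the most recent close, so a
        # reopened vulnerability keeps accruing until it is really fixed.
        if not self.is_closed():
            return None
        return (self.events[-1][0] - self.events[0][0]).days

    def open_intervals(self, asof):
        """Half-open [start, end) date ranges during which the vuln was open."""
        out, start = [], None
        for day, state in self.events:
            if state == "open" and start is None:
                start = day
            elif state == "closed" and start is not None:
                out.append((start, day))
                start = None
        if start is not None:  # still open: exposed through `asof`
            out.append((start, asof))
        return out


def avg_days_to_fix(vulns):
    fixed = [v.days_to_fix() for v in vulns if v.is_closed()]
    return sum(fixed) / len(fixed) if fixed else 0.0


def remediation_rate(vulns):
    """Share of reported vulnerabilities that are no longer exploitable."""
    return sum(v.is_closed() for v in vulns) / len(vulns)


def reopen_rate(vulns):
    """Share of vulnerabilities closed at least once that were later reopened."""
    closed_once = [v for v in vulns if v.ever_closed()]
    return sum(v.was_reopened() for v in closed_once) / len(closed_once) if closed_once else 0.0


def window_of_exposure(vulns, site, start, end):
    """Days in [start, end) on which `site` had at least one open serious vuln.

    Assumption: overlapping vulnerabilities count once per day, so this is the
    union of the open intervals, not the sum of the individual fix times.
    """
    exposed = set()
    for v in vulns:
        if v.site != site:
            continue
        for a, b in v.open_intervals(end):
            day = max(a, start)
            while day < min(b, end):
                exposed.add(day)
                day += timedelta(days=1)
    return len(exposed)


# Constructed sample: one retail site with two overlapping findings, one of
# them reopened, one finding still open, plus an unrelated second site.
SAMPLE = [
    Vuln("V-1", "shop.example", [(date(2012, 1, 1), "open"), (date(2012, 1, 31), "closed")]),
    Vuln("V-2", "shop.example", [(date(2012, 1, 15), "open"), (date(2012, 2, 4), "closed"),
                                 (date(2012, 2, 14), "open"), (date(2012, 2, 24), "closed")]),
    Vuln("V-3", "shop.example", [(date(2012, 3, 1), "open")]),
    Vuln("V-4", "other.example", [(date(2012, 1, 10), "open"), (date(2012, 1, 20), "closed")]),
]
PERIOD_START, PERIOD_END = date(2012, 1, 1), date(2012, 3, 1)


def sample_summary():
    return {
        "avg_days_to_fix": avg_days_to_fix(SAMPLE),
        "remediation_rate": remediation_rate(SAMPLE),
        "reopen_rate": reopen_rate(SAMPLE),
        "window_of_exposure_days": window_of_exposure(SAMPLE, "shop.example", PERIOD_START, PERIOD_END),
        "period_days": (PERIOD_END - PERIOD_START).days,
    }


if __name__ == "__main__":
    print(sample_summary())
```

On this data the three closed findings took 30, 40 and 10 days, so the average fix time is about 27 days, yet shop.example spent 44 of the 60 days in the period with at least one open serious vulnerability: the window of exposure is the figure a customer actually experiences, and it is not recoverable from fix times or remediation rate alone.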
Project Copy Cat
Identity theft and payment fraud aren’t the only cybercrimes that impinge upon retailers’ bottom lines. There are also counterfeits — both fraudulent websites and bogus merchandise.
More than 70 e-commerce sites were shut down this summer by U.S. Immigration and Customs Enforcement (ICE). The action, dubbed Project Copy Cat, idled websites that closely mimicked legitimate e-commerce sites and duped consumers into purchasing counterfeit goods including baby carriers, pro football jerseys and other apparel, instruction DVDs, jewelry and a variety of luxury goods.