Mitigating Security Breaches in Retail Applications - EVRY

WHITE PAPER

Mitigating Security Breaches in Retail Applications

Executive Summary

Retail security breaches have been a concern in the past, are a concern today and will remain one in the future. Retailers have long been a preferred target for attackers because of the large amount of sensitive data they hold. As customer journeys in retail are digitized, from engagement through product discovery to purchase, the exposure to security threats has grown manyfold. In the retail domain, data such as credit card numbers, bank account numbers, contact numbers, addresses, dates of birth and email addresses are all in high demand.


Attackers can sell an individual's account details, or dump entire databases, which command high prices on the dark web. The direct financial cost of a breach is large, and the damage to reputation hurts even more: it can take a long time to win back customers' confidence. This whitepaper looks at the areas to be considered in a retail environment, namely attacker entry points, attack vectors, and the best practices that help reduce application vulnerabilities.

MITIGATING SECURITY BREACHES IN RETAIL APPLICATIONS / WHITE PAPER

Security Breaches

Some of the top security breaches in the retail industry are listed here; they show the extent of the financial implications:

RETAILER | SECURITY INCIDENT | FINANCIAL IMPLICATION
Eddie Bauer[1] | 360 retail stores infected | Veridian Credit Union sues Eddie Bauer (amount not disclosed)
Home Depot[2] | 60 million cards hit by security breach | Around $19.5 million
eBay[3] | 145 million customer accounts compromised | Not disclosed
Target[4] | 40 million credit card accounts compromised | $240 million spent to replace customers' cards
Heartland Payment Systems[5] | 130 million credit card accounts compromised | $139.4 million

Application Security Statistics

A research project on web application vulnerabilities by Contrast Security[6] led to some notable observations:

>> 25% of web apps are still vulnerable to eight of the OWASP Top Ten
>> 69% of web applications have vulnerabilities that lead to sensitive data exposure
>> 55% of applications are exposed to cross-site request forgery flaws
>> 41% of web apps are affected by broken authentication and session management issues
>> 37% of applications are affected by security misconfiguration
>> 33% of apps are affected by missing function level access control

The research also found at least 45 vulnerabilities per application. This confirms that the application is the weak link in the chain, and that most breaches occur through the application's weaknesses.

Retailer ecosystem and entry points for an attacker

A typical retailer has several systems behind the web / mobile app, such as an Order Management System (OMS), Warehouse Management System (WMS), store applications, Transport Management System (TMS), Product Information Management (PIM) and CRM. Although the attack surface is concentrated in the web / mobile application, each of these systems can be an entry point for an attacker (internal or external), who can then gain access to sensitive information.

[Figure: Retailer Interface Mapping (labels visible in the extracted figure: STORE, PIM)]



Retail Application Security - Attack Vectors

Knowing the attacker entry points, we can describe the threats through which a retail application can be compromised. An attack vector is the path by which an attacker gains unauthorized access to a device or network in order to deliver a malicious payload. Some of the important attack vectors are listed below:

Security Best Practices to Mitigate the Threat

POS Application:

Endpoint systems such as POS terminals must be protected against malware, a major threat behind several past breaches. The following best practices reduce the attack surface and help prevent attacks:

MITIGATION | DESCRIPTION
Patch updates | Ensure the latest patches are installed on the POS systems and on the servers in the ecosystem.
Encryption | Encrypt all data at rest and in transit with strong algorithms: AES for data at rest, and TLS (authenticated with X.509 certificates) for data in transit.
Access to Internet | Restrict the POS system's Internet access to reduce the attack surface.
Authentication | Use strong authentication, i.e. multi-factor authentication, to access the POS machine, and segment the POS network to add another layer of defense.
End-Point Security | Run an endpoint security solution that continuously monitors the POS systems for malware and malicious activity.

m-Commerce App Controls:

Below are a few controls specific to mobile apps:

CONTROLS | VULNERABILITIES MITIGATED
Authentication / Authorization and Session Management | Broken Authentication, Session Management and Privilege Escalation
Secure Data Integrations | Sensitive Data Exposure
Encrypt sensitive data using strong algorithms | Sensitive Data Exposure, Sniffing and Data Tampering
Root / Jailbreak Detection | Code Tampering
Code Obfuscation | Hinders effective reverse engineering
Security Patches | Newly disclosed vulnerabilities


e-Commerce Application:

The following controls can be implemented to mitigate attacks:

CONTROLS | VULNERABILITIES MITIGATED
Implement Proper Authentication | Broken Authentication and Session Management, Privilege Escalation
Parameterize Queries | Injection
Use Output Encoding | Injection and Cross-Site Scripting
Validate user input data | Unvalidated Redirects and Forwards, Injection, XSS and Remote Code Execution
Encrypt data at rest and data in transit | Sensitive Data Exposure, Sniffing and Data Tampering
Implement Access Controls | Insecure Direct Object References and Missing Function Level Access Control
Logging | Sensitive Data Exposure and Security Misconfiguration
Intrusion Detection and Prevention | Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
Endpoint Security | Malware
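Five of the e-Commerce controls above (parameterized queries, output encoding, input validation of redirect targets, object-level access control, and keeping card numbers out of logs), expressed as code. This is an added example written for this page, not code from the EVRY whitepaper; it assumes a Python 3 backend using only the standard library, an sqlite3 'orders' table, and an allowlist of redirect hosts. The table rows, the hostile inputs and the log line are all constructed here.

```python
"""Added example for the e-Commerce controls above (not from the EVRY paper).

Assumptions (all constructed for this example): a Python 3 backend using only
the standard library, an sqlite3 'orders' table, and an allowlist of hosts the
site is permitted to redirect to.
"""
import html
import re
import sqlite3
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"shop.example.com"}  # assumed allowlist for this example


def sample_db():
    """Constructed in-memory orders table with three rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders(id INTEGER, customer TEXT, card_last4 TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "alice", "4242"), (2, "bob", "1111"), (3, "alice", "9999")])
    return con


# --- Parameterize Queries (Injection) ---------------------------------------
def orders_vulnerable(con, customer):
    """String-built SQL: the caller's input becomes part of the statement."""
    sql = f"SELECT id FROM orders WHERE customer = '{customer}'"
    return [r[0] for r in con.execute(sql)]


def orders_safe(con, customer):
    """Placeholder binding: the value is sent separately and can never be SQL."""
    return [r[0] for r in con.execute(
        "SELECT id FROM orders WHERE customer = ?", (customer,))]


# --- Use Output Encoding (Cross-Site Scripting) ------------------------------
def render_greeting(name):
    """HTML-encode untrusted text before placing it in an HTML body."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- Validate user input data (Unvalidated Redirects) ------------------------
def safe_redirect_target(url, default="/"):
    """Allow site-relative paths or https URLs to allowlisted hosts; else default."""
    if "\\" in url:  # browsers treat backslash as slash; reject outright
        return default
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc and url.startswith("/") and not url.startswith("//"):
        return url  # site-relative path such as /account
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return url  # hostname strips userinfo and port, so user@evil.example is caught
    return default


# --- Implement Access Controls (Insecure Direct Object References) -----------
def get_order(con, session_user, order_id):
    """Object-level check: the row must belong to the caller, not merely exist."""
    row = con.execute(
        "SELECT id, customer, card_last4 FROM orders WHERE id = ? AND customer = ?",
        (order_id, session_user)).fetchone()
    if row is None:
        raise PermissionError("order not found or not owned by caller")
    return row


# --- Logging (Sensitive Data Exposure): never write a full PAN to a log ------
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_log_line(line):
    """Mask every Luhn-valid 13-19 digit run, keeping only the last four digits."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # order IDs and similar pass through unchanged
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, line)


if __name__ == "__main__":
    con = sample_db()
    hostile = "x' OR '1'='1"
    print(orders_vulnerable(con, hostile))  # every order id leaks
    print(orders_safe(con, hostile))        # []
    print(render_greeting("<script>alert(1)</script>"))
    print(safe_redirect_target("https://shop.example.com@evil.example/"))
    print(scrub_log_line("checkout card=4111 1111 1111 1111 order=1234567890123"))
```

The redirect check deliberately uses `parts.hostname` rather than a substring test on the URL, since `https://shop.example.com@evil.example/` contains the allowlisted name but resolves to the attacker's host. The log scrubber uses the Luhn check so that order numbers and other long digit runs are left intact while any real card number is reduced to its last four digits before it reaches the log.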

What's in Store for the Future?

The advent of newer technologies such as IoT (Internet of Things) and AI (Artificial Intelligence) brings a whole new dimension to the way customers interact and shop. The opportunities for adopting these technologies in retail are numerous and limited only by one's imagination. Their adoption, however, also brings increased security concerns, especially since no clear global standards exist yet, so the security threats multiply. As with any new technology, the industry should keep evolving its standards, and the security community should work on best practices so that these technologies can be used securely.

Conclusion

The retail industry has been one of the prime targets for attackers, and the statistics above show it. Businesses that remain unaware will sooner or later be caught off guard and turned upside down. Security can no longer be taken lightly: security checks need to be in place at every point in development, not only at the end of the development lifecycle. The best practices in this paper should be treated as a minimum starting point. Attackers constantly look for new ways to breach systems, so the security team must keep up with the latest trends and vulnerabilities and take appropriate action to defend the applications against attack.


About EVRY

EVRY is a $1.5 billion Nordic IT major with 8,500+ employees and a preferred partner for enterprise digital transformation. Our 1,500 dedicated employees, supporting operations in the USA, Singapore, India and group offices in Europe, are ready to collaborate with you in driving digital transformation. At EVRY, we follow an industry-standard methodology based on OWASP, provide best practices for mitigating risk and help our customers move to production with confidence. EVRY has several years of experience with web, cloud, mobile and IoT applications in domains such as retail, banking and finance, insurance, healthcare and ISVs.

Author Shreyas Ranganath Security Architect EVRY India Pvt. Ltd.

References:

1. http://www.seattletimes.com/business/retail/credit-union-sues-eddie-bauer-for-failing-to-prevent-data-breach/
2. http://www.reuters.com/article/us-home-depot-breach-settlement-idUSKCN0WA24Z
3. http://www.businessinsider.in/Cyber-Thieves-Took-Data-On-145-Million-eBay-Customers-By-Hacking-3-Corporate-Employees/articleshow/35630666.cms
4. http://www.breitbart.com/tech/2017/05/28/cost-targets-data-breach-nearing-300-million/
5. https://www.computerworld.com/article/2518328/cybercrime-hacking/heartland-breach-expenses-pegged-at--140m----so-far.html
6. https://www.contrastsecurity.com/security-influencers/25-percent-of-web-apps-still-vulnerable-to-eight-of-the-owasp-top-ten
7. https://www.insight.com/en_US/learn/content/2017/07202017-the-future-of-merchandising-top-4-retail-technology-trends.html

For more information about all our solutions and offerings, get in touch with: [email protected] or [email protected]

India Headquarters: EVRY India Pvt. Ltd., Ground Floor, No. 42, 27th Cross, Brigade Software Park 1, Building B, Banashankari Stage 2, Bangalore – 560 070, Karnataka, India. Phone: +91-80-67388000, Fax: +91-80-67386802, www.evry.in

USA Headquarters: EVRY USA Corporation, 1425 Greenway Drive, Suite 490, Irving, Texas 75038, USA. Phone: 972-514-1113 / 1-844-9-EVRY-USA, Fax: 972-514-1109, www.evry.com/us

Global Headquarters: EVRY ASA, Snarøyveien 30A, 1360 Fornebu, Norway. Tel: +47-06500 / +47-2314-5000, www.evry.com

Copyright © 2017 by EVRY India. All rights reserved. The contents of this document are protected by copyright law and international treaties. EVRY India acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document. The reproduction or distribution of the document or any portion of it thereof, in any form or by any means without the prior written permission of EVRY India is prohibited.