The holiday season is upon us and, with the host of new regulations varying by city, region and country, many traditional retailers are closing their physical stores and pivoting to ecommerce. In fact, the global pandemic has already contributed to a 30 percent surge in online shopping. The uncertainty at this time means that many retailers have prioritized business continuity over web security as they rush to sell online. While this swift transition allowed many businesses to continue trading, it presents a bountiful opportunity for cybercriminals and unethical hackers.
While the previously mentioned challenges have proliferated across all levels of industry, no business, regardless of size, is immune from cyberattack. To quantify the potential web application attack surface of major ecommerce retailers, we researched and analyzed potential application security flaws to gauge the true picture of the attack surface of the top retail businesses, as ranked by Deloitte. This research was done to highlight the most common attack vectors affecting even the biggest retailers, using aggregated risk scoring to compare and benchmark their attack surface.
The results, although alarming, were unfortunately not surprising considering the current state of cybersecurity. Indeed, according to Verizon, 43 percent of data breaches in 2019 were directly related to web applications. Taking a critical view of the biggest risks faced by well-known web applications is the best way to assess the current state of web application security. Only with this understanding will we - as an industry - be able to move forward, creating a safer digital retail space that safeguards sensitive customer information, industry operations and business trust.
Understanding the key attack vectors of web applications
Web application security is a well-known issue faced by organizations worldwide due to the sheer volume of applications they own (the majority of which they don’t even know exist). How these applications have been built can often add a further threat element to this puzzle. That’s why it is important to understand the key attack vectors hackers use to spot entry points during reconnaissance, and to work back from there to level the playing field between defenders (your security team) and attackers. Identifying what you own and how it can be targeted by hackers cannot be based on guesswork. To mitigate the risk of an attack, you want to ensure your organization’s web application attack surface is kept to a minimum. The high risk scores from our study highlight the need for US and EU retail security professionals to do more to protect their applications, especially those that are business critical and revenue generating, by performing regular penetration tests and continuous vulnerability assessments to ensure no backdoors exist.
When measuring your web application attack surface, it is important to remember that everything is connected. It is essential to consider the key attack vectors that are most frequently targeted by hackers to exploit web application software vulnerabilities, including:
- Vector 1 – Security mechanisms – This determines how web traffic between users and the application is secured
- Vector 2 – Page creation method – Differences in coding language and web design program implementation can lead to unique security challenges
- Vector 3 – Degree of distribution – This accounts for the number of web pages an application has. The more pages an application uses, and specifically the more unmonitored pages, the more potential it has to encounter security issues
- Vector 4 – Authentication – Verification of legitimate user identity should be a continuous effort, as access privileges should be constantly monitored and restricted
- Vector 5 – Input vectors – As the number of input fields increases, so too does the likelihood that the attack surface will increase
- Vector 6 – Active contents – When a web application runs scripts, it initiates active content. The attack surface of an application is directly correlated to the way these scripts have been implemented
- Vector 7 – Cookies – These are essential for real-time application security, as they help monitor session activity and can help to keep cybercriminals away from unauthorized areas
Once your digital footprint and web applications have been assessed based on the above threats, the results should be correlated against business criticality and update frequency to determine the overall risk posture. Only by truly understanding the total addressable attack surfaces, considering both areas of strength and weakness, will security teams be able to implement the appropriate security controls in the right place.
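The assessment and correlation step described above, as an added illustration that is not Outpost24's scoring model: each application in a constructed inventory is scored on indicators for the seven vectors (plus the "suspect" and "old component" criteria the study uses), and the sum is weighted by business criticality and update frequency. The weights, thresholds and inventory fields are assumptions made for this example.

```python
# Illustrative attack-surface scoring over a constructed inventory. Weights and
# thresholds are assumptions for this example, not a published methodology.
import re
from dataclasses import dataclass

# Hostname fragments that suggest a non-production ("suspect") environment.
SUSPECT_HOST = re.compile(r"(^|[.-])(test|staging|dev|uat|qa)([.-]|$)")
COOKIE_FLAGS = {"Secure", "HttpOnly", "SameSite"}

@dataclass
class WebApp:
    host: str
    https: bool               # Vector 1: security mechanisms
    hsts: bool
    pages: int                # Vector 3: degree of distribution
    auth: str                 # Vector 4: "none", "basic", "form" or "sso"
    input_fields: int         # Vector 5: input vectors
    scripts: int              # Vector 6: active content
    cookie_flags: set         # Vector 7: flags set on the session cookie
    outdated_components: int  # components with known vulnerabilities
    criticality: int          # 1 (brochure site) .. 3 (revenue generating)
    days_since_update: int

def vector_scores(app):
    """Per-indicator scores; higher means a larger attack surface."""
    return {
        "security_mechanisms": (0 if app.https else 2) + (0 if app.hsts else 1),
        "degree_of_distribution": min(app.pages // 100, 3),
        "authentication": {"basic": 2, "form": 1}.get(app.auth, 0),
        "input_vectors": min(app.input_fields // 10, 3),
        "active_contents": min(app.scripts // 5, 3),
        "cookies": len(COOKIE_FLAGS - app.cookie_flags),
        "suspect_environment": 2 if SUSPECT_HOST.search(app.host) else 0,
        "outdated_components": min(app.outdated_components, 3),
    }

def risk(app):
    """Raw score weighted by criticality and by staleness (no update in 180 days)."""
    staleness = 1.5 if app.days_since_update > 180 else 1.0
    return round(sum(vector_scores(app).values()) * app.criticality * staleness, 1)

def rank(apps):
    return sorted(apps, key=risk, reverse=True)

INVENTORY = [  # constructed sample data
    WebApp("checkout.example.com", True, True, 120, "form", 25, 12, {"Secure", "HttpOnly"}, 0, 3, 20),
    WebApp("staging.example.com", False, False, 400, "basic", 40, 30, set(), 5, 1, 400),
    WebApp("www.example.com", True, False, 60, "none", 5, 8, {"Secure"}, 1, 2, 200),
]

if __name__ == "__main__":
    for app in rank(INVENTORY):
        print(f"{app.host:<24} risk={risk(app):>5}  {vector_scores(app)}")
```

The forgotten staging host outranks the revenue-generating checkout despite its lower criticality, which is the point of correlating the raw vectors with criticality and update frequency rather than reading either alone.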
Top US online retailers have a larger attack surface
It is no surprise that web application security varied across geographical location, and from company to company as data privacy frameworks fluctuate depending on where you operate. This research revealed several key findings that, if utilized, will help security teams to better protect their web applications.
On average, US retailers displayed a larger attack surface, with a score of 35.1 (out of 42.33) compared to an average score of 30.8 for EU retailers. The average US retailer runs 3,357 web applications across 401 domains, with 8 percent of them considered suspect (e.g. test environments) and 22 percent of them running on old components containing known vulnerabilities, so there is a clear need to increase application security. The average EU retailer, by comparison, runs 2,799 applications over 509 domains, with only 4 percent considered suspect according to the same criteria, but 27 percent of them running on old components containing known vulnerabilities.
Furthermore, the top three attack vectors identified on average across US and EU retailers throughout this research are security mechanisms (95), active content (93.3) and degree of distribution (81.5).
While there are a whole host of ways to minimize the attack surface, the best way to ensure that your web applications are secured is to become better acquainted with them. Remember, cybercriminals are masters of reconnaissance, constantly scouting for a single entry point. Only by understanding your security weaknesses will you be able to reinforce your defensive controls.
In the words of the great philosopher Sun Tzu, “Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal”. Something that modern hackers know all too well.
Martin Jartelius, CSO, Outpost24