Happy New Year! December is one of the traditional shopping seasons. With the popularity of online shopping, the websites of online shops handle increasing traffic and are busy receiving a deluge of orders. Shopping carts carry products back and forth, and a flood of credit card payments has to be processed.
Traditionally, the shopping season is prone to cybercriminal activity. Cybercriminals target Communications Service Providers (CSPs), which build the frontline defence for shopping stores and inevitably bear the brunt of any cyber threat or attack. Online stores are inundated with a mountain of orders and transactions whose sensitive data easily falls prey to cybercriminals. The security of both CSPs and online stores is therefore a matter of great concern to online shoppers worldwide.
As online transactions are frequent over this period, a large number of cybercriminals zero in on online stores, looking for ways to access customer data, especially credit card information. One method, according to recent news reports, is the injection of digital credit card skimmer code into websites, which is then used to collect personal data and send it back to the attackers' domains. In 2018, millions of card users were involved in data breaches. Security of sensitive data is a key issue that deserves our attention.
To protect online stores, a tool like a web application firewall (WAF) can help prevent injection attacks, sensitive data exposure and cross-site scripting (XSS), all three of which are detrimental to data security. With injection attacks, attackers can spoof identity; delete, update and export sensitive data such as credit card details, emails and passwords; and even become administrators of the database. Cross-site scripting (XSS) flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Sensitive data exposure means sensitive data that is improperly protected and exposed to unauthorized parties. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes, which is why such data needs extra protection such as encryption at rest or in transit.
To prevent the above-mentioned attacks, a WAF usually adopts a set of generic attack detection rules to protect web applications from attacks and threats, including those in the OWASP Top Ten, as listed below:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Yes, the ruleset is the soul of a WAF. It usually allows users to switch rules on or off on their own in different situations. For flexibility, some WAFs are thoughtfully designed to let users customize their own rulesets for their special needs through user-friendly customer portals. Such customer portals also function as a platform to display detailed security event logs and traffic summary information, downloadable for some WAFs, for post-attack analysis.
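As an added illustration (not Nexusguard's code or any product's actual ruleset), here is a minimal Python model of such a toggleable ruleset: two constructed signatures for the XSS and injection classes described above, evaluated over constructed sample requests, producing the kind of security-event records a customer portal would display. The rule IDs, patterns and request samples are all assumptions.

```python
import re
import urllib.parse
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    category: str         # which attack class the signature covers
    pattern: re.Pattern
    enabled: bool = True  # rules can be switched on or off per deployment


# Constructed, deliberately small ruleset; a production WAF ships hundreds of tuned signatures.
RULESET = [
    Rule("R001", "XSS", re.compile(r"<\s*script\b|javascript:|\bon(load|error|click|focus)\s*=", re.I)),
    Rule("R002", "SQLi", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|\bunion\s+select\b", re.I)),
]


def inspect_request(path: str, body: str = "", ruleset=RULESET):
    """Evaluate one HTTP request against the enabled rules.

    Returns (allowed, events): allowed is False when any enabled rule fires,
    and events holds one security-event record per firing rule, the kind of
    entry a WAF portal would show for post-attack analysis.
    """
    query = urllib.parse.urlsplit(path).query
    # Decode percent-encoding first so an encoded payload cannot slip past the signatures.
    fields = [urllib.parse.unquote_plus(query), urllib.parse.unquote_plus(body)]
    events = []
    for rule in ruleset:
        if not rule.enabled:
            continue
        if any(rule.pattern.search(f) for f in fields):
            events.append({"rule": rule.rule_id, "category": rule.category, "path": path})
    return not events, events


def with_rule_toggled(ruleset, rule_id: str, enabled: bool):
    """Return a copy of the ruleset with one rule switched on or off."""
    return [Rule(r.rule_id, r.category, r.pattern, enabled if r.rule_id == rule_id else r.enabled)
            for r in ruleset]


if __name__ == "__main__":
    # Constructed sample requests: a benign cart request, an encoded script tag, a login form.
    for path, body in [("/cart?item=123&qty=2&confirm=1", ""),
                       ("/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
                       ("/login", "user=admin%27+OR+1%3D1--&pass=x")]:
        print(path, inspect_request(path, body))
```

Decoding before matching matters: the same signatures would miss the percent-encoded search request if applied to the raw query string.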
Online shops run without limitations of time and space as long as internet access is available. This means your target customers are not confined to one particular place but come from across the world. In other words, credit card payments being processed at every moment is no longer a dream. However, one can imagine the desperate situation in which, at midnight, hectic transactions are confronted with technical problems in the WAF that adversely affect the security of credit card data, and at that time no help can be sought.
To relieve these concerns over technical performance, many service providers now staff their WAF, nowadays developed on a cloud basis, with security experts in a 24x7x365 environment. As the cloud-based WAF becomes mainstream, its performance can be monitored and handled at all times. In the cloud, virtual patching can be easily implemented to shield applications with known vulnerabilities that could otherwise enable a range of attacks and impacts on users.
With the unofficial kick-off of the flourishing shopping season, many online stores begin to be inundated with shopping orders and credit card transactions. Data breaches or theft of credit cards, no matter how many records leak, undermine people's desire to shop, reducing the number of buyers so that less income is earned and tarnishing the company's image. A WAF can help foil such data breaches and thefts.
Other than data breaches and thefts, websites of shopping stores, being public-facing to handle online deals at any time, also run the risk of being hit by HTTP/HTTPS floods. A tool focusing on protection against application attacks, coupled with those guarding against attacks on sensitive information, seems comprehensive and complete.
At last, wish you a prosperous new year!
For more information, please read about Nexusguard's Application Protection.