Security managers should be checking their list twice

With Black Friday just around the corner, here are some tips to make sure your site remains up and running.

Credit: Thinkstock
Make sure it is a holly jolly time of the year

As IT Ops teams begin preparing for the upcoming holiday season, which in retail is the busiest time of the year for web traffic, the team at BigPanda, along with some other vendors, has prepared a checklist of the key factors IT Ops teams need to consider to ensure their IT infrastructure is ready.

Retail companies such as the Gap do over 30% of their yearly sales within the short time frame of holiday shopping. Online and mobile sales continue to increase year over year. According to the National Retail Federation, 84% of retailers expect online site conversion rates to increase, followed by average daily site traffic at 71%.

Utilize an IT monitoring platform

This will reduce risk and find structure in unstructured patterns of noisy data. The big thing that happens during the holiday season is that the number of customers goes up dramatically. Being prepared for what will be a massive fluctuation in load on your systems is really key.

Change auto scale algorithms for the cloud infrastructure

IT Ops teams go from what might be a nominal state throughout the year to an extremely noisy one. These spikes can cause what are known as alert storms, and the teams can be overwhelmed by the amount of data coming out of their systems at this time. An IT correlation platform makes sense of that data and sorts it so that teams can take action.

Change auto monitoring thresholds

Evaluate monitoring tools and integrations, correlate what is happening across those tools, and consolidate the results into groups, making it easier for the IT teams who have to look at the data.

Review monitoring metrics

There may be some human processes to alter. Work with developers to test applications for stability; they may need additional support to accommodate peak season.

Security testing

Ensure necessary changes are made, because unanticipated load or exposure to hackers is a real threat. Utilize a unified search capability that allows for retrospective review and future planning.

“They need to rigorously test their business continuity across applications ahead of the big days, as well as the underlying technology that supports IT resilience. You don't want the first time you have to try and recover in minutes for real to be in the heat of the shopping day! Seconds count in online sales,” said Rob Strechay, vice president of Product, Zerto.

Ways to prevent outages

Know what your critical services are and how to keep them up, with a bulletproof plan around them. For instance, if Amazon checkout goes down, you need a disaster-recovery plan for this. If the recommendation engine has problems, that could be bad, but it is not at the same level of critical service.
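As an added example (not code from the article or from any vendor named in it), here is the alert-storm correlation described earlier combined with the critical-service ranking above, in Python: a burst of constructed alerts is folded into per-service incidents, and the incidents are ordered by an assumed criticality table so checkout sits above the recommendation engine. The service names, tiers and time window are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    ts: int          # seconds since a constructed epoch
    host: str
    service: str
    message: str

@dataclass
class Incident:
    service: str
    first_seen: int
    last_seen: int
    hosts: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

# Assumed business criticality per service (hypothetical tiers; lower = more critical).
CRITICALITY = {"checkout": 1, "recommend": 3}

def correlate(alerts, window=300):
    """Fold alerts for the same service that arrive within `window` seconds of the
    incident's latest alert into one incident; return incidents by criticality, then time."""
    incidents, open_by_service = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_service.get(a.service)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(a.service, a.ts, a.ts)
            incidents.append(inc)
            open_by_service[a.service] = inc
        inc.last_seen = a.ts
        inc.hosts.add(a.host)
        inc.alerts.append(a)
    # Unknown services fall into the least critical tier (9).
    return sorted(incidents, key=lambda i: (CRITICALITY.get(i.service, 9), i.first_seen))

def summarize(incidents):
    return [(i.service, len(i.alerts), sorted(i.hosts)) for i in incidents]

# Constructed sample alert storm (not real monitoring data); ts in seconds.
SAMPLE_ALERTS = [
    Alert(60,  "rec-01", "recommend", "cpu > 90%"),
    Alert(75,  "rec-02", "recommend", "cpu > 90%"),
    Alert(0,   "web-01", "checkout",  "http 5xx rate above 5%"),
    Alert(12,  "web-02", "checkout",  "http 5xx rate above 5%"),
    Alert(45,  "db-01",  "checkout",  "connection pool exhausted"),
    Alert(900, "web-01", "checkout",  "http 5xx rate above 5%"),  # 15 min later: new incident
    Alert(905, "web-02", "checkout",  "http 5xx rate above 5%"),
]
```

Running `summarize(correlate(SAMPLE_ALERTS))` turns seven pages into three rows, with both checkout incidents listed before the recommendation-engine one.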

DR plan in place

A good disaster-recovery plan should categorize applications according to their business criticality, have clearly defined recovery point objectives (RPO) for each, and be tested multiple times before and during the buying season. This level of planning can help companies avoid the lost revenue and customer experience problems associated with extended outages, says Chuck Dubuque, vice president of product and solution marketing at Tintri.

Revalidate your DDoS mitigation strategies

Review and revalidate your approach to mitigating Distributed Denial of Service (DDoS) attacks, says the Denim Group. Unfortunately, DDoS attacks have become increasingly simple to set up and even more difficult to defend against. The October DDoS attack against Dyn, a managed DNS provider, sent 10x to 20x the normal volume of traffic to Dyn's servers, denying it the ability to provide DNS service to some of the top companies on the Internet. We suggest you revalidate your DDoS mitigation infrastructure, review your response plans should you encounter a DDoS attack, and update those plans based upon the more sophisticated DDoS attacks that have occurred recently.

Confirm your phishing resiliency

The holiday season will likely see new and as-yet-unimagined phishing attacks against both your co-workers and your customers. Phishing remains a preferred attack vector for fraudsters, and will remain so for the 2016 holiday season. Although there will always be some subset of people who will click on links in phishing emails, reaffirming your internal and external resiliency with some last-minute training and awareness might prevent some of the damage from sophisticated spear phishing attacks.

Scan against your Web attack surface

In a perfect world, you would have run an automated vulnerability scan before the latest round of functionality hit the web, prior to the holiday freeze. We suggest you run an automated application vulnerability scanner against your Internet-facing applications one more time to see if any last-second functionality might have introduced a nasty SQL injection or XSS flaw that is straightforward for attackers to identify and exploit. Although you will likely be in a holiday freeze, scary application vulnerabilities are worth addressing, as they provide an increasingly preferred path of approach for fraudsters.

Change passwords or add two-factor authentication

You may want to change the passwords of certain internal accounts that have the most sensitive functions as you go into the next two months. Off-premises accounts such as the company’s Twitter or Facebook account are candidates for password changes too. Consider implementing 2-factor authentication for these accounts and monitor logins to social media sites more closely to make it harder for attackers to take over accounts with simple username/password combinations.

Review incident plans and conduct key player briefing

In case everything else fails, you should always have a well-thought-out incident response (IR) plan ready to carry you through a near-death breach experience. Dust off your IR plan and conduct a “key player IR” briefing to remind these folks of their roles. Also, Todd Renaud, CIO at Conn’s, suggests “you reach out to key vendors to remind them this is your busiest season” and that they should be available and answer their phones should an incident occur. It won’t hurt to have IR plans fresh in everyone’s memory during this crazy season.

Empower managers at Point of Sale locations

Wombat Security Technologies, a provider of end-user security awareness and training, says it’s critical that managers have the ability to inform employees of cybersecurity concerns and offer consistent, effective guidance to their staff members. With the influx of seasonal workers — and customers — during the holidays, it can be difficult to find the time to train employees about the best practices that are needed to keep customer data and company systems secure. Provide tools — like posters and handouts — that managers can use to clearly communicate important safeguards to their staff and that can be put on display in common areas as visual reminders. Moving forward, rather than trying to fit training into tight (and varying) schedules, make cybersecurity part of the new hire orientation process. Require workers to complete a brief training module that explains the types of security issues they might encounter during their shifts and the actions they can take to help prevent breaches.

Adopt a ‘see something, say something’ policy

Employees should be encouraged to be attentive to any anomalies and they should know who to contact in the event of a suspected breach or attack. At Point of Sale locations, instruct managers and staff members to regularly inspect credit card machines and other equipment for signs of tampering (like the attachment of card skimmers or pinhole cameras). Ask employees to be on the alert for in-person social engineering scams, where attackers attempt to gain access to sensitive data, areas, and systems.


Corporate office workers who regularly connect to email systems, servers, customer account data, corporate social media and websites, and other assets should also be on the lookout for suspicious activities. These employees should be educated about the different types of attacks they might encounter (such as phishing and DDoS attacks).

Be proactive about preventing mistakes

It’s important to put policies in place that can eliminate preventable mistakes from happening. For example, over the past several months, there has been a huge spike in wire transfer fraud and compromises of sensitive information like employee W-2 statements. Unfortunately, many organizations have fallen prey to these social engineering attacks because staff members have been fooled into thinking that these requests have come from a legitimate source like a company CEO or CFO.


Policies that set forth a clear approval chain for requests like these can easily prevent these types of breaches. Employees who have authorization to initiate wire transfers and/or send confidential data should be made aware that cybercriminals use spoofing techniques to make email addresses and caller ID numbers look legitimate. Before executing on these requests, require employees to obtain verbal confirmation from a known, trusted source. Consider establishing a form of two-factor authentication for these situations. For instance, create a verbal “password” (that changes regularly) and share it only with individuals who are authorized to approve these types of transactions. Or implement a series of security questions that are known only to your executive team. These kinds of protections can make it extremely difficult for cybercriminals to execute a business email compromise attack.

While it’s fine weather, mend your sails

Cybersecurity is important year round, not just during the holidays. All staff members should be involved in ongoing security awareness and training activities that emphasize the need for good cyber hygiene. Full-time employees should understand the ramifications of successful phishing attacks, and they should be actively trained to recognize and avoid the different types of scams that could wind up in their inboxes. And retailers should think beyond the phish; there are many other ways that data and systems can be compromised, and education can prevent many mistakes.

Though best practices are perhaps more critical during high shopping times, they should be applied daily, not just during a couple of months out of the year. Firewalls, anti-virus software, and other technical safeguards are used continuously, and employee awareness and education should follow the same model. Don’t just address end-user behaviors in response to an incident; be proactive in an effort to prevent as many incidents as possible.