Responding to New Ecommerce ThreatsDell SonicWall's Amit Singh on How to Secure Networks
Gartner predicts India's e-commerce industry is slated to grow at 70 percent this year, which indicates a significant increase in online transactions. The reason for the increase: rapid growth in the internet user base that prefers to transact online, versus cash transactions, with more residents of tier II and III cities opting for web-based transactions.
Amit Singh, country manager, Dell SonicWall, aligns with the trend and finds an increasing number of e-commerce companies, especially start-ups, entering the marketplace.
Singh says that these companies and a few larger ones are curious to understand the security implications of the increased online business - specifically, fraud - and he sees a new demand for awareness programs and lessons around enabling secure transaction.
"As a first step, the CISOs need to understand that hacktivists are using innovative ways of attacking," says Singh. "Cyber-criminals are using the e-commerce platform as the entry point to reach the networks."
"One way is to equip themselves with certifications such as PCI-DSS and SSL certification that can help set a security pattern," says Singh.
In this interview with Information Security Media Group, Singh tells how e-commerce is open to newer vulnerabilities. Singh also discusses:
- The nature of attacks in e-commerce'
- Ways to thwart emerging threats;
- How security leaders are gearing up to address new online challenges.
Singh leads India's Dell SonicWall business. He brings along 14 years of experience in IT, with expertise in sales, business, sales, product, brand and team management. Before joining Dell SonicWall, Singh led the regional business at Redington.
E-commerce Security Challenges
GEETHA NANDIKOTKUR:With growth in e-commerce business, what are CISO's security challenges today?
AMIT SINGH:Yes, India's e-commerce industry is witnessing a sharp growth. Gartner predicts a 70 percent growth rate and expects $6 billion worth of business in 2015. So, the e-commerce platform gets more vulnerable to cyber-threats, right? It is not just the volume of attacks that challenges CISOs, but innovation in attacks by so-called hacktivists or cybercriminals who use the e-commerce platform as an entry point to the network through SQL injection attacks, malware, etc.
Besides financial losses due to online fraud, CISOs are anxious about the credibility of their company's payment gateway system. Every vendor focuses on enabling customers to make easy online transactions, for fear of losing business to competition. Security practitioners now view security from a varied perspective: ease of transaction, protecting business margins, reputation and, more often, playing a leadership role.
Nature of Attacks, Response
NANDIKOTKUR: What is the nature of attacks you see in e-commerce?
SINGH: You have multiple facets to the attacks. They include web application, denial-of-service attacks or database attacks (an example is SQL injection attacks). There are also attacks on the scripts - people can fiddle around with your pricing and bring about huge losses. This can be addressed by having a stable operating system, understanding how it has been patched with application, database and script.
NANDIKOTKUR: So, are CISOs doing enough to thwart attacks?
SINGH: There are two aspects CISOs must understand. One, the sophistication of the systems from the infrastructure standpoint; the other, the sophistication in malware. While large e-commerce vendors handle losses due to fraud because of sheer volumes of transactions, smaller ones and start-ups are most affected by security discrepancies in the payment gateway. CISOs are doing the right thing in setting up a secure platform, and continuing to add on new features and applications. CISOs must define a security architecture and a scaled-up security strategy as the business expands.
CISOs realize that security must be re-looked at various levels. For instance, with newer delivery mechanisms such as mobile, Twitter and web-based, security practitioners are making sufficient progress in tightening the security infrastructure. In some cases, quarterly security audits gauge preparedness for new type of attacks.
Tackling Payments Fraud
NANDIKOTKUR: How do CISOs handle the upsurge in online payments fraud?
SINGH: CISOs must equip themselves with PCI, DSS and SSL certifications which help in setting a security pattern. These certifications call for deep-down security into the processes, and help reduce incidents to some extent.
CISOs should use the secured layer only while allowing traffic coming into the network. They must know that frauds take place through authentication errors and sometimes identity errors, wherein people hack into somebody's system to gain entry.
Security teams must secure with a network firewall, and then a web application firewall, a must for e-commerce. The reason: frauds take place through the network, through the gateway from the normal firewall, particularly if targeted at the application. So a web application firewall has to pick them up. If you have a poor script which somebody tries to make use of, you should be able to nip it then and there. So, at the web application, firewalls are a minimum requirement other than your normal network firewalls; this can be delivered through SSL solutions.
Securing the Network
NANDIKOTKUR:How can you secure networks in e-commerce?
SINGH: While innovations in the security space are in progress, CISOs take a closer look at internal threats caused due to poor configuration and poor identities, which have been managed in the system for years, paving the way to newer threats, especially for e-commerce.
Some security tips to secure networks:
- CISOs must focus on something called connected security and not operate in silos;
- Tighten security at the endpoint device or at the gateway or executive level;
- While traditional IPS and IDS solutions are used, unified threat management solutions are recommended;
- Having a single view of the network is crucial, as people managing security may not want to analyze the security incident with two different consoles.
How to Mitigate E-commerce Threats
NANDIKOTKUR:Can you elaborate on three things CISOs must do to mitigate threats in the e-commerce space?
SINGH: Three vital aspects are:
- Training and awareness within the organization on emerging threats;
- Periodic audit at base level application and code level;
- If not a full-blown audit, taking a vulnerability test of the applications and coding process.