Depth of defense an issue for Web retailers

Published: May 29, 2007


Retailers are being pressured by increased attacks, sagging customer confidence, and government and private-sector mandates to shore up their online operations.

In Summary:

Retail web sites should treat security as a continuous process.

Mandates such as PCI DSS require retailer vigilance.

Employ layers of security — defense in depth.

When it comes to securing your Web site, what you don't know can hurt you.

As the number and sophistication of attacks against e-commerce sites rise, experts say it's time for midsize companies to understand the threats they face.

"Retailers can't just buy a firewall or antivirus product, install it, and think they're done. Security is not a one-time thing," says Michael Gavin, security strategist at Security Innovation, a risk assessment and education firm in Wilmington, Massachusetts.

While security applications are among the software categories most widely owned by small and midsize businesses, with just over 25 percent using desktop security and encryption software, and more than 75 percent using firewalls, only a fraction—a little over 10 percent—of an SMB's total IT spending is associated with security, according to Justin Jaffe, senior research analyst at IDC in Framingham, Massachusetts.

Limited resources, limited expertise

"SMBs typically have limited resources to confront an array of different security challenges, from distributed denial-of-service attacks to payment fraud. They have limited budgets and limited security expertise," Jaffe says.

Gavin says this gap between security purchases and true security know-how is jeopardizing the online retail business. "Midsize retailers have to understand the business threats—what it is that people are after and why they are after it," he says.

The two big areas he says retailers should worry about are identity theft, which includes phishing attacks in which a user's name and password are stolen, and asset protection. "People are looking to steal your customers' identities and either use that information themselves or sell it to other people. They are also looking to get your products and services for free or disrupt business by attacking infrastructure. They want to make money that you should be making," Gavin says.

In addition, new compliance mandates, such as the Payment Card Industry's Data Security Standard (PCI DSS), and increased interaction with third-party vendors, such as proxy payment companies like PayPal, are challenging retailers to be more vigilant, says Dominic Citino, retail solutions specialist at Microsoft.

Danny Allan, director of security research at Web security company and Microsoft Gold Partner Watchfire Corp., in Waltham, Massachusetts, says there are three prominent technical methods by which retailers are targeted: cross-site scripting, SQL injection, and information leakage.

In cross-site scripting, attackers inject script into pages the site serves; that script can read, modify, and transmit any sensitive data accessible to the browser. SQL injection lets attackers gain control of a database or execute commands on a system. Information leakage is where the retailer's Web site reveals sensitive details, such as developer comments or error messages, that may help an attacker exploit the system.
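The three methods above are easier to recognise side by side in code. The following is an added example written for this article, not code from Watchfire, Microsoft or any retailer; it uses a constructed in-memory SQLite table and constructed sample inputs, and shows each weakness next to its hardened form: a string-built query beside a parameterised one, raw HTML interpolation beside output encoding, and a verbose error page beside an opaque reference ID.

```python
import html
import secrets
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a retailer's customer table (sample data, not real).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.com"), (2, "Bob", "bob@example.com")],
    )
    return conn


# --- SQL injection: string-built query vs. parameterised query -------------

def lookup_vulnerable(conn, name):
    # Vulnerable on purpose: the caller's input becomes part of the SQL text,
    # so a quote character in the input can rewrite the WHERE clause itself.
    query = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Hardened: the driver binds the value separately; the input is only ever
    # compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT id, name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting: raw interpolation vs. output encoding ------------

def greeting_vulnerable(display_name):
    # Vulnerable on purpose: whatever a user stored as a name is sent to every
    # browser that renders this page as live HTML.
    return f"<p>Welcome back, {display_name}!</p>"


def greeting_safe(display_name):
    # Hardened: encode for the HTML context so '<', '>' and quotes become entities.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# --- Information leakage: verbose errors vs. opaque reference IDs ----------

def error_response(exc, production):
    # Leaky: a development-style page echoes the exception, which can reveal
    # table names, file paths or query fragments to whoever triggered it.
    if not production:
        return f"<pre>{exc.__class__.__name__}: {html.escape(str(exc))}</pre>"
    # Hardened: the detail belongs in server-side logs; the visitor only gets a
    # reference ID that support staff can match against that log entry.
    ref = secrets.token_hex(4)
    return f"<p>Something went wrong. Reference ID: {ref}</p>"


def catalog_page(conn, production):
    # Constructed failure: a query against a table that does not exist, standing
    # in for any unexpected back-end error on a product page.
    try:
        conn.execute("SELECT id FROM no_such_table")
        return "<p>ok</p>"
    except sqlite3.OperationalError as exc:
        return error_response(exc, production)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed tautology used only to show the difference
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no row has that literal name
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
    print(catalog_page(db, production=False))
    print(catalog_page(db, production=True))
```

The first pair is the one a source code analysis tool of the kind Allan mentions later is built to catch: a query assembled with string formatting. The third pair is the cheapest fix of the three, a production flag that keeps exception text out of responses.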

Stolen data and damaged reputations

"These threats carry over into the business world by translating into stolen data and damaged reputations. The Web site is the 'front door' of the organization, and malicious individuals may be inspecting that door for cracks and problems. If a security breach is accidentally allowed, it impacts the trust customers will have in the brand," Allan says.

Citino agrees. "Consumer trust and confidence, particularly with small to midsize retail sites, can be the difference between a consumer placing an order or moving on to another site," he says. He cites the 2007 Consumer Survey on Data Security, conducted by the Ponemon Institute, a privacy and information management research firm, and security solutions vendor Vontu: "Thirty-six percent of U.S. consumers will not use a payment card to make a purchase at an unknown Web merchant because of overall concerns about security breaches in networked data."

To combat this perception, companies must create "a proactive strategy for security that combines technology solutions, staff roles, contingency and mitigation plans, and budgeting," Citino says. He adds that Microsoft has more than a handful of products that help midsize retailers do this, including Forefront, a suite of security products that includes the Internet Security and Acceleration Server; Antigen, which provides e-mail and collaboration server security; and System Center, which helps IT managers secure the enterprise.

Allan recommends creating layers of security, known as "defense in depth." Security tiers should include network firewalls to block direct access to the back-end systems that drive the Web site, intrusion detection and prevention systems, Web application firewalls, source code analysis tools to unearth poor coding practices that might lead to vulnerabilities, and network scanners to discover missing patches or improperly configured devices. "All of these products are complementary. If there were a silver bullet, we wouldn't have the problems we have today," he adds.
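Allan's point that the layers are complementary is easiest to see when each layer catches something the others miss. The following is an added example written for this article, not a product of Watchfire, Microsoft or any vendor named here; it runs three simple checks over a constructed Web server access log (the addresses, paths and timestamps are made up): a network-boundary rule for administrative paths, a Web application firewall-style signature check applied only after URL decoding, and a per-source request-rate check. The thresholds and the internal address prefix are assumptions for the sample.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2007:10:00:01 +0000] "GET /catalog?item=42 HTTP/1.1" 200 1843
203.0.113.7 - - [29/May/2007:10:00:02 +0000] "GET /catalog?item=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9102
198.51.100.9 - - [29/May/2007:10:00:03 +0000] "GET /admin/users HTTP/1.1" 403 221
10.0.0.5 - - [29/May/2007:10:00:04 +0000] "GET /admin/users HTTP/1.1" 200 4096
192.0.2.33 - - [29/May/2007:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.9 - - [29/May/2007:10:00:06 +0000] "GET /login HTTP/1.1" 200 300
198.51.100.9 - - [29/May/2007:10:00:07 +0000] "GET /login HTTP/1.1" 200 300
198.51.100.9 - - [29/May/2007:10:00:08 +0000] "GET /login HTTP/1.1" 200 300
198.51.100.9 - - [29/May/2007:10:00:09 +0000] "GET /login HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)$"
)

# Signatures the WAF-style layer applies to the *decoded* request target.
# Matching the raw line instead would miss percent-encoded variants.
WAF_SIGNATURES = {
    "sql-tautology": re.compile(r"'\s*or\s*'", re.IGNORECASE),
    "script-tag": re.compile(r"<\s*script", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

INTERNAL_PREFIX = "10."   # assumed internal address range for the sample
RATE_LIMIT = 3            # assumed maximum requests per source in the window


def parse_line(line):
    # Returns a dict of fields, or None for a line that is not in the expected format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect(log_text):
    # Each finding is (line_number, layer, reason); line 0 marks per-source findings.
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records = [r for r in records if r is not None]
    findings = []
    for n, r in enumerate(records, 1):
        # Layer 1, network boundary: administrative paths only from internal addresses.
        if r["target"].startswith("/admin/") and not r["ip"].startswith(INTERNAL_PREFIX):
            findings.append((n, "network", "admin path from external address"))
        # Layer 2, WAF-style inspection: decode first, then match signatures.
        decoded = unquote_plus(r["target"])
        for name, pattern in WAF_SIGNATURES.items():
            if pattern.search(decoded):
                findings.append((n, "waf", name))
    # Layer 3, rate check per source address over the whole sample.
    for ip, count in Counter(r["ip"] for r in records).items():
        if count > RATE_LIMIT:
            findings.append((0, "rate", f"{ip} made {count} requests"))
    return findings


if __name__ == "__main__":
    for line_no, layer, reason in inspect(SAMPLE_LOG):
        print(f"line {line_no:>2}  {layer:<8} {reason}")
```

In the sample, the second and fifth lines are caught only by the WAF layer, the third only by the network rule, and the burst of login requests only by the rate check; the internal request on line four passes all three, which is the intended outcome. Each layer is small on its own, and none of them would be enough by itself.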

David Burns, CEO of security upstart 2factor, says companies must also think beyond today's authentication strategies. "Most retailers authenticate the user at the beginning of the session. That leaves the user wide open for intra-session attacks. The only way to combat this is through continuous mutual authentication," he says. 2factor's SecureWeb application enables retailers to mutually authenticate every transaction between the browser and the server with Advanced Encryption Standard-based security.
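The intra-session problem Burns describes is that once the login check has passed, nothing ties later requests to the authenticated party. The following is an added example written for this article, not 2factor's SecureWeb or any vendor code, and it substitutes an HMAC-SHA256 message tag for the AES-based scheme the article mentions: both peers hold a session key (assumed to be established at login), every message in either direction carries a sequence number and a tag over its direction, sequence number and body, and the receiver rejects a message whose tag fails, whose sequence number does not advance, or which claims to come from its own side. The order text and key handling are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class Peer:
    """One side of a session; the same class serves as client and as server."""

    def __init__(self, session_key, role):
        self.key = session_key          # shared secret assumed to come from login
        self.role = role                # "client" or "server"
        self.send_seq = 0               # last sequence number this side sent
        self.last_seen_seq = 0          # last sequence number accepted from the peer

    def _tag(self, sender, seq, body):
        # Binding the sender role into the MAC stops a message from being reflected
        # back to the side that produced it.
        data = f"{sender}|{seq}|".encode() + body
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def send(self, body):
        self.send_seq += 1
        return {
            "from": self.role,
            "seq": self.send_seq,
            "body": body,
            "tag": self._tag(self.role, self.send_seq, body),
        }

    def receive(self, message):
        # Returns (accepted, body_or_reason). Every check happens on every message,
        # so authentication is continuous rather than a one-time login event.
        if message["from"] == self.role:
            return False, "message reflected from own side"
        expected = self._tag(message["from"], message["seq"], message["body"])
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "tag mismatch (tampered or forged)"
        if message["seq"] <= self.last_seen_seq:
            return False, "sequence number did not advance (replay)"
        self.last_seen_seq = message["seq"]
        return True, message["body"]


def demo():
    # Constructed exchange: one genuine order, a tampered copy, a replay, a genuine
    # server reply and a forged server reply. Returns which ones were accepted.
    key = secrets.token_bytes(32)
    client, server = Peer(key, "client"), Peer(key, "server")
    results = {}

    order = client.send(b"buy item=42 qty=1")
    results["genuine"] = server.receive(order)[0]

    tampered = dict(order, body=b"buy item=42 qty=100")   # body changed, tag left as-is
    results["tampered"] = server.receive(tampered)[0]

    results["replay"] = server.receive(order)[0]           # same valid message again

    reply = server.send(b"order accepted")
    results["server_reply"] = client.receive(reply)[0]     # client authenticates server

    forged = dict(reply, tag="00" * 32)                    # tag not made with the key
    results["forged_reply"] = client.receive(forged)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:<13} {'accepted' if accepted else 'rejected'}")
```

The sequence number is what turns a per-message tag into session-long protection: a captured valid request still carries a valid tag, but it can no longer be submitted a second time. In a real deployment the key would be derived from the login exchange and rotated per session, and the messages would of course also travel over TLS.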

If retailers choose to outsource security, they still must ensure that customer data is protected. "They have to write security requirements into contracts, have metrics that show security is ongoing and comprehensive, and perform online and offline monitoring of the current threat status," Allan says.

For Citino, the final key to security is the customer. "Communicate with them about your focus on security and the protection of their personal and payment information. This will be a tremendous selling feature that will drive additional value to your brand," he says.

Sandra Gittlen is a regular contributor to Momentum, the midsize business center newsletter.
