Jim Seaman

Are you an attacker's 'Low Hanging' Fruit?

"Low-hanging fruit refers to the tasks, actions or goals that may be most easily achieved. The expression low-hanging fruit is used to describe an action that takes almost no effort. The idea comes from the very literal task of picking fruit off a tree. Low-hanging fruit does not require the harvester to climb the tree or to use a ladder, he simply reaches up and plucks the fruit with little physical effort".

Sullivan, Bryan and Liu, Vincent. Web Application Security, A Beginner's Guide. US: McGraw-Hill Osborne Media, 2011.

In the past few years we have started to see many large-scale eCommerce companies (e.g. Claire's, British Airways, etc.) get caught out when their customers' personal and payment card data is compromised. Research shows that web and application attacks are the largest cause of security breaches (30%), with an average reported cost of close to $8 million per breach.

Often these cyber attacks are reported as being 'sophisticated' attacks. In truth, they are far from sophisticated and rely on tactics that have been largely ignored or overlooked for many, many years.

In fact, Bryan Sullivan and Vincent Liu wrote in 2011 about misplaced priorities and the need for a new focus, and at the very time that British Airways was being breached (Aug 2018), it was being reported that a staggering 73% of corporate networks were being compromised through their web applications.

Traditional cyber security practices have focused on the network architecture and have omitted the hardening of public-facing web applications. If an attacker is unable to compromise the hardware firewall, it would be remiss of them not to try another route in.

Think of it like a burglar: they won't limit themselves to trying to brute force their way through a locked door when they can gain entry by climbing through an insecure window.

Another problem eCommerce businesses face is caused by the use of 3rd party Payment Service Providers (PSPs) to transfer the risk and responsibility for processing payments.

  • This causes an overconfidence that they are secure and have a reduced risk.

For instance, a business taking payments by credit/debit card may choose to reduce their risks and compliance burden by choosing to employ a redirect or embedded iFrame on their eCommerce website.

In this case, all the customers' personal and payment data is entered directly into the 3rd party PSP's infrastructure. As a result, none of this sensitive data is entered directly into the eCommerce business' infrastructure, and the PSP infrastructure has been validated as being secure (PCI DSS compliant).

  • The business can then validate against the reduced Self-Assessment Questionnaire A (SAQ A).

However, what if the attackers are able to circumvent the secure PSP infrastructure by exploiting vulnerabilities that exist in the eCommerce business' own infrastructure?

E.g. redirecting the customers' payment journeys so that they clandestinely pass through the attacker's infrastructure, allowing the attacker to harvest the customers' sensitive data as they enter it into the PSP's payment interface.

A representation of British Airways' digital footprint during the 2018 attack (image not reproduced):

It's like knowing that all your Valuable and Attractive (V&A) items are stored downstairs in your home, so you ensure that all the downstairs windows and doors are secured.

However, you neglect to secure the upstairs of your home and are then shocked to discover that a burglar has come in through the insecure upstairs area and then come downstairs to steal your V&A items.

  • Do you make sure that your entire house is secure (not just the downstairs)?

This is something that has caused me great concern for many years. The dangers are expertly explained in Bryan Sullivan and Vincent Liu's Beginner's Guide to Web Application Security, and I cover them extensively within various chapters of my book on PCI DSS (e.g. Chapters 6, 8, etc.).

Consequently, I would recommend that you look at your web-based business components in their entirety and make sure that you check both the downstairs (in scope) and upstairs (out of scope) environments for vulnerabilities.

As a quick win, why not try looking at your 'home' through the eyes of your attackers and see what they see when they look at your infrastructure?

Try incorporating periodic customer-side vulnerability scanning into your vulnerability management practices!
  • You might be surprised at what you may find!

For example, by scanning the 'upstairs' of a handful of well-known PCI DSS compliant eCommerce businesses (who utilise redirects or embedded iFrames to PCI DSS compliant 3rd party PSPs), you can see that:

  • they may not be as secure as they might think that they are!

Whereas, if you were to look at the external digital footprint of a PCI DSS level 1 Service Provider (who happen to provide a specialist eCommerce service for one of these larger listed eCommerce businesses), you can see a clear difference between their different approaches to securing their eCommerce operations:

  • Score 75 = Well Known High Street eCommerce Business.

  • Score 99 = PCI DSS Level 1 Service Provider.
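The redirect/iFrame model described earlier only holds if the merchant's own checkout page (the 'upstairs') cannot be turned against the PSP iFrame it embeds, and the customer-side scan recommended above is how you find out. The following is an added example, not the author's tooling or any PCI DSS scoring method: a small Python check that takes the HTML of a checkout page plus its response headers and reports third-party scripts loaded without Subresource Integrity, inline scripts sharing the page with the payment iFrame, an iFrame that does not point at the contracted PSP, and a missing or permissive Content-Security-Policy. The host names (shop.example, psp.example, cdn.example) and both sample pages are constructed for the example.

```python
"""Checkout-page hygiene check (added example; not the author's own tooling).

Given the HTML of a merchant's checkout page and its HTTP response headers, it
reports the kind of "upstairs" weaknesses a customer-side scan should surface:
  - third-party <script> tags loaded without Subresource Integrity (SRI)
  - inline <script> blocks executing in the same page as the payment iFrame
  - an <iframe> whose origin is not the contracted PSP
  - a missing or permissive Content-Security-Policy (CSP)
All host names (shop.example, psp.example, cdn.example) and the sample pages are
constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _CheckoutParser(HTMLParser):
    """Collects every <script> and <iframe> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # dicts: {"src": str | None, "integrity": bool}
        self.iframes = []   # src attribute values (may be empty)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # attribute names arrive lowercased
        if tag == "script":
            self.scripts.append({"src": a.get("src"), "integrity": "integrity" in a})
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _parse_csp(headers):
    """Returns {directive: [values]} or None when no CSP header is present."""
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
    if csp is None:
        return None
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def scan_checkout(html, headers, page_origin, psp_origin):
    """Returns a list of human-readable findings; an empty list means no issues."""
    parser = _CheckoutParser()
    parser.feed(html)
    findings = []

    for s in parser.scripts:
        if s["src"] is None:
            findings.append("inline script present on the payment page")
            continue
        src_origin = _origin(urljoin(page_origin, s["src"]))
        if src_origin != _origin(page_origin) and not s["integrity"]:
            findings.append(f"third-party script without SRI: {s['src']}")

    for src in parser.iframes:
        if not src:
            findings.append("iframe without a src attribute")
        elif _origin(urljoin(page_origin, src)) != _origin(psp_origin):
            findings.append(f"iframe does not point at the PSP: {src}")

    csp = _parse_csp(headers)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        for directive in ("script-src", "frame-src"):
            values = csp.get(directive, csp.get("default-src"))
            if not values:
                findings.append(f"CSP has neither {directive} nor default-src")
            elif "*" in values or "'unsafe-inline'" in values:
                findings.append(f"CSP {directive} is permissive: {' '.join(values)}")
    return findings


# Constructed sample pages: the same PSP iFrame, wrapped in a weak and a hardened page.
WEAK_HTML = """<html><head>
<script src="https://cdn.example/analytics.js"></script>
<script>window.track = function () {};</script>
</head><body>
<iframe src="https://psp.example/hosted-fields?merchant=123"></iframe>
</body></html>"""
WEAK_HEADERS = {"Server": "nginx"}

HARDENED_HTML = """<html><head>
<script src="https://cdn.example/analytics.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
</head><body>
<iframe src="https://psp.example/hosted-fields?merchant=123"></iframe>
</body></html>"""
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; "
                               "frame-src https://psp.example"
}

PAGE_ORIGIN = "https://shop.example"   # the merchant's own origin (assumed)
PSP_ORIGIN = "https://psp.example"     # the contracted PSP's origin (assumed)

if __name__ == "__main__":
    for name, html, hdrs in (("weak", WEAK_HTML, WEAK_HEADERS),
                             ("hardened", HARDENED_HTML, HARDENED_HEADERS)):
        print(f"{name}: {scan_checkout(html, hdrs, PAGE_ORIGIN, PSP_ORIGIN) or 'no findings'}")
```

Run against a real checkout page you would fetch the HTML and headers yourself and pass in your own merchant and PSP origins; the check deliberately treats every script as suspect rather than trying to judge its content, because the point of the 'upstairs' review is that any unaudited code running alongside the payment iFrame is a way around the PSP's controls.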

The key takeaway from this case study is that cyber attackers will not always attempt to rob your house by coming in through the downstairs doors or windows, but will look for other, easier attack avenues to help them compromise your eCommerce operations.

However, it is not all bleak news: by carrying out some simple checks of the outside of your home, you can identify these alternative attack vectors that could be leveraged by opportunistic criminals.

This relatively small investment (time, cost and resource effort) can reap the considerable benefit of not being seen as the cyber criminals' next:

'Low-Hanging Fruit!'
However, don't just take my word for it, why not take a look for yourselves?
What have you got to lose?

©2018 by IS Centurion. Proudly created with Wix.com