Ido Safruti, co-founder and chief technology officer, PerimeterX

What threats should retailers worry about in 2020? The list grows each year and 2020 was no exception, according to the latest Data Breach Investigations Report (DBIR) from Verizon. 

In the 2020 edition, we saw a continuation of trends we discussed last year, like online skimming replacing offline skimmers against point-of-sale (PoS) terminals and credential theft, leading to more account takeover (ATO) attempts. We also noticed some newer developments that retailers should pay attention to if they want to maintain a strong security stance against malicious hackers and cybercriminals.

Misconfigurations are the fastest-growing risk to web application security

Up 4.9% from last year’s report, misconfiguration errors (failing to implement all security controls) top the chart as the fastest growing risk to web applications. Across all industries, misconfiguration errors have increased markedly since 2017, from below 20% to over 40% of total breaches covered. The reason for this increase is simple. Web applications are growing more and more complex. What was formerly were websites are now full-blown applications made up of dozens of components and leveraging multiple external services.

External code makes up as much as 70% or more of web applications, mostly JavaScript calls to external libraries and services. Large, high traffic websites have nested dependencies that grow ever more complicated. It’s common for these applications to deploy one  content delivery network (CDN)—or use Amazon S3, a service offered by Amazon Web Services that provides object storage—to deliver site scripts while using a different payment module with a different CDN, to name one example.  

A misconfigured service or setting for any piece of a web application offers a path to compromise the application and skim sensitive customer data. This trend indicates how cybercriminal gangs exploit increasingly rapid changes on web applications as development teams build and ship new code and add new functionality faster and faster, often tapping third-party libraries and services. In particular, this demonstrates weaknesses in version control and monitoring of changes on web applications for unauthorized introductions of code—a weakness that Magecart attacks have exploited in the past two years. Magecart exploits involve malicious hackers compromising components of web applications and installing rogue elements that capture the credit card data of unsuspecting shoppers on large ecommerce sites.

Takeaway: Retailers should consider advanced technology using automated and audited processes to manage configuration changes, as implemented in CI/CD processes, and use security solutions that integrate with such processes. This will reduce or eliminate the human factor, and add critical controls to verify and test changes when rolled out to production. 

Vulnerabilities are not patched quickly enough, leading to breaches

Retailers are not patching web applications quickly enough, leaving holes for hackers to exploit. According to the 2020 DBIR, only half of the vulnerabilities are patched within three months after discovery. Sophisticated attackers know patches are unlikely to be applied. Unless retailers speed up their patching, attackers will continue to focus on these areas because they offer an efficient mechanism to harvest large amounts of valuable customer information with the least amount of effort. 

It’s important to note that, in many cases, patching doesn’t make these systems perfect, either. For example, Magento, the open-source commerce platform owned by Adobe, announced it was sunsetting it’s version 1.x software and halting all patching. Hundreds of thousands of retailers have not switched to the Magento version 2.x, leaving them wide open to attacks against known exploits that Magento is no longer focused on patching.  

Takeaway: Retailers must figure out how to quickly apply patches to remain secure. They also must adopt advanced security tools that rely on behavioral detection and run-time protection to detect and protect against unknown attacks and attacks on unpatched systems and services. 

Attacks against web applications now the fastest-growing category

We noted last year that attacks on web applications were becoming the most common attack target for cybercriminals. In 2019, this trend accelerated with attacks against web application servers, making up nearly 75% of breached assets in 2019, up from roughly 50% in 2017. According to the DBIR, web applications were involved in 43% of breaches during the 2019 data collection period observed by the report, the largest category by a greater than 2x margin. In contrast, more traditional physical actions (meaning, tied to a physical PoS system like a payment card skimmer or a RAM scraper used against PoS terminals) made up only 4% of total breaches. Most retail breach attempts are online; the old method of skimming physical cards has all but disappeared. 

This is not surprising. More and more, web applications are where users are, where businesses make money, and where core activities are heading. Acceleration of digital transformation efforts at companies has made the global exposed attack surface of Web Applications even bigger. Organized crime recognizes this shift, too, and is growing both more sophisticated and more prolific with their attacks. According to the 2020 DBIR, organized crime groups undertook roughly two-thirds of breaches and 86% of breaches were financially motivated.

Takeaway: Web applications now attract the majority of attacks and web application servers are magnets for breach attempts. Retailers must focus more or their security efforts on protecting their web applications and web application servers because that’s where the hackers are (and will be).

Conclusion 

The common thread linking our takeaways is that web applications are the primary focus of many cybercrime gangs related to data breaches—and should be the primary security concern for retailers. These data breaches are the most serious type of incident retailers face. Such breaches generally result in the loss of customer data, including, in the worst cases, payment data and log-in and password combinations. According to the 2019 Ponemon Institute “Cost of a Databreach Report,” the global average cost of a data breach is $3.92 million, with an average of over $8 million in the United States. 

PerimeterX provides security services for websites and mobile applications.