e-Commerce Risks for Cyber Monday and the Holidays

Monday, November 28, 2011

John Nicholson

D15e0b682a84587af9af463961d00f22

The holiday shopping season in the U.S. started in earnest on Black Friday (or even Thursday for some stores) and online shopping celebrates today with "Cyber Monday."  

Contrary to popular belief that Black Friday is the day that retailers go from being in the "red" to being in the "black" for the year.

According to Snopes.com the name Black Friday was actually coined to be a derisive term applied by police and retail workers to the day's plethora of traffic jams and badly-behaved customers. 

The popularity of Cyber Monday shows that the problems of high traffic and bad behavior aren't limited to the brick and mortar environment any more.

According to this article from EWeek.com:

Worries about 'denial-of-service outages are the name of the game for online retail organizations during the heavy holiday shopping season,' Adam Powers, CTO of Lancope, told eWEEK.

Some can be inadvertent, driven by high demand from shoppers. Powers described Target's launch of the Missoni clothing line earlier this year as a 'poster child for a legitimate oversubscription DoS,' noting that high demand for Missoni merchandise 'brought' Target 'to its knees.'

Online retailers and brick and mortar companies with e-commerce websites need to make sure they can handle the increased traffic expected during the holiday season - particularly on days like "Cyber Monday."

To deal with the potential volume, they can turn to cloud-based services to add capacity and prevent the site from crashing, but as we'll discuss below, the availability commitments made by many cloud services create their own risks.

Companies don't only have to worry about benign customer traffic. Denial of service attacks could come from entities trying to sabotage a retailer's site during this period for a number of reasons:

  • Hacktivists might try to take down a prominent site to take advantage of the increased media attention during the holiday season or to make a point to a brand they don't like;
  • Less scrupulous competitors might hope that customers who can't access a site will jump to their site;
  • Criminals might try to blackmail a site and get the retailer to pay for the DOS attack to stop.

According to the National Retail Federation, retailers earn 25% to 40% of their annual revenue during the 61-day holiday period of November and December.

For online retailers whose websites are expected to be available 24x7 that means that each hour (especially peak hours) could be worth a meaningful percentage of the retailer's annual revenue - putting a tangible value on each minute of downtime.

It's not only online retailers who have to worry about outages.  Even without a denial of service event, retailers whose systems are provided by a cloud-based service provider are at risk. Cloud service provider's availability SLAs are frequently as low as 95% per month.  That could mean up to 36 hours per month of unscheduled down time before any SLA failure is triggered. 

Since most cloud providers use the "no harm - no foul" SLA model where it only counts as "down time" if you call in the issue, that could mean a brick and mortar retailer that is open 12 hours, 7 days per week during the holiday season could experience up to a total of 3 business days of down time each month of the holiday season before the cloud provider even fails a 95% availability SLA. 

If that maximum downtime were reached during November and December, it could put as much as 4% of a brick and mortar retailer's annual revenue at risk.  For online retailers, where the average value of each hour is lower due to 24x7 operations, the risk is lower, but still substantial.

No service level credit will make up for those losses and the limitation of liability in cloud contracts will probably preclude any other recovery from the cloud service provider.

The EWeek.com article also notes:

Retailers don't have to just worry about making sure their sites are up and capable of handling the 'influx of shoppers,' but that the payment data being collected remain secure,' Mandeep Khera, CMO of LogLogic, told eWEEK. Merchants who collect credit card information have to ensure that their databases are secure so that attackers who try to break in don't waltz off with payment information. Ensuring they are following all 12 PCI requirements would help retailers protect customer credit card data, according to Khera.
Which brings us to an excellent article from Ericka Chickowski at Dark Reading. She notes that for many organizations:
The holiday shopping season isn't just a time for chocolate fudge -- it's also time for fudging on the security rules and mindset laid out by PCI guidelines. According to Branden Williams, global CTO of marketing at RSA, the Security Division of EMC and a member of the PCI Board of Advisers, most retail outfits of all sizes have already entered a network freeze period during which no changes of any type can be made to avoid even the whisper of complications that could cause downtime. That's well and good from a business standpoint, but the truth is that vulnerabilities that need patching and mitigation don't take a raincheck during the high shopping season, he warns.

'We've already entered the network freeze for most of these companies, so no changes to network components, system components, or applications are going to occur for the next month-and-a-half, until the middle of January. Nobody wants to get in the way of payments from going through,' Williams says. 'Even though I understand it, it still amazes me because it impacts some of the decision-making criteria about how severe a vulnerability might be. When I see a patch that comes out, theoretically if I'm doing this right for PCI purposes, I'm doing a detailed analysis of what the patch is and a risk assessment of what that means for the organization. I would hope that something that looks like a severe vulnerability would not be ignored in favor of the freeze.'

The practice of freezing IT and not implementing security updates may be part of the reason that, according to a recent study by Verizon, only 21% of businesses that store credit and debit card data maintain compliance with Payment Card Industry (PCI) regulations in between their mandatory annual audits.

The percentage of retailers' revenue at risk during the holiday season makes a focus on IT critical. The bank robber Willy Sutton is often (erroneously) quoted as saying that the reason he robbed banks is that's where the money is. 

Even if a company doesn't have to deal with down time due to a cloud service provider or its own IT issues, or a denial of service (intentional or not), criminals are looking to exploit the volume of online transactions during this holiday season and the number of retailers who are not PCI DSS compliant.

Online retailers need to balance the risk of downtime against the revenue and reputation risks associated with a major data breach.  This season is not the time for IT to be on a "freeze," - it is time for IT to redouble its efforts to maintain both uptime and security compliance.

Cross-posted from SourcingSpeak

Possibly Related Articles:
14237
PCI DSS
Information Security
PCI Retail Cloud Computing ecommerce Enterprise Consumers Service Level Agreement Cyber Monday
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.