Attack Surface Management in the Retail Sector: E-Commerce

No industry is immune to the pressures of digital transformation and as the pace of change continues to gather momentum late digital adopters risk losing out to their more digitally mature competitors.

This is particularly true for the online retail sector where changing consumer behaviours and the rise of e-commerce are forcing retailers to embrace digital transformation, a trend accelerated by the pandemic.

Although websites and shopping-apps were already playing a key role in the consumer journey, often acting as shop windows, quarantine restrictions cemented their position as the shopfront.

In our digitally enabled world, customers now want and expect a seamless, more convenient shopping experience when browsing or buying online.

While the digitalisation of the retail sector is great for the consumer and benefits the industry through reduction in overhead costs, greater upsell opportunities, more accurate stock forecasting, a better customer experience and access to a wider target market, it does introduce new risks around data and system security.

Gartner predicts that by 2025, organisations offering a unified commerce experience by frictionlessly moving customers through journeys will see at least a 20% uplift in total revenue.[1]

The complexity of what retailers must navigate to deliver this seamless customer experience is enormous and often necessitates the incorporation of new technology and the expansion of their supply chain – this is where the risk comes in.

Left unchecked an expanding attack surface  coupled with  an increasing number of third-party suppliers and partners can quickly spawn easy opportunities for cyber threat actors to penetrate digital defences, putting both customer data and day-to-day business operations at risk.

The inclusion of third parties into a network represents a significant risk, the third party’s cybersecurity posture or lack thereof, directly impacts the overall security of your organisation’s network. Attackers are increasingly exploiting third-party vulnerabilities to access their target’s network and critical assets.

The Kaseya attack of 2021 is a prime example, through breaching the software of Managed Service Providers, the ransomware gang, REvil, were able to infect thousands of their customers with ransomware.

So, how can online retailers manage their attack surface as their supply chain expands without impacting customer experience, digital transformation, ease of operations or stifling company growth?

Here are our tips for managing a growing attack surface in the retail sector.

Identify what it is you’re trying to protect

You can’t protect what you can’t see. To be effective security teams require a 360-degree view of their digital attack surface.

A first key step is to understand what it is you’re trying to protect and why, this encompasses not only your digital estate but also that of the third parties your organisation is integrating, connecting and transacting with.

Only by understanding and subsequently consolidating your attack surface, can you effectively monitor it for misconfigurations, the most likely weakness an attacker will exploit.

Maintain high visibility of your digital estate

Unless you have complete visibility of internet-connected assets, both from an insider and outsiders’ perspective, it’s neigh on impossible to detect, evaluate and mitigate cyber risks.

To avoid losing control of your attack surface, security teams should continuously maintain a data-rich inventory of all internet-connected assets, whether they are on-premises, in the cloud or operated by third parties.

With this enhanced visibility, security teams can respond more effectively, thereby  reducing not only the risk of a breach but also the potential damage of an attack.

Attack vectors, attack paths & choke points

Attack vectors are the methods leveraged by adversaries to gain unauthorised access to systems and data. Adversaries will exploit attack vectors and perform privilege escalation or lateral movement. Chaining multiple exploitable attack vectors together to achieve the attacker’s objectives defines the attack path.

While it is essential that organisation’s gain and maintain visibility of the attack vectors that make up their attack surface, it’s the process of validating attack paths which pose the most risk to critical business assets, that will provide the most security benefit.

This leads to Attack Path Management (APM). APM is the process of identifying attack vectors which can be combined to form validated attack paths to compromise critical assets. Often multiple attack paths will share a single attack vector along the path, which is known as a choke point. Identifying and eliminating such choke points will significantly increase the value of remediation efforts performed by the organisation’s limited security resources.

Context is essential

It’s true that any asset can serve as an attack vector, but not all IT components and data present the same level of risk. Continuously identifying and remediating every security issue is not practical or the best use of limited resources.

Therefore, to be more efficient and effective organisations should adopt a strategy of security prioritisation, which requires context.

Attack vectors when viewed in isolation do not provide enough relevant information about the exposed asset and its position within the organisation’s digital environment.