Recently in the news, an extremely successful ecommerce company was notified by Discover, that abnormal credit card activity traced back to their company. Being who they were , I decided to investigate the incident more in depth, and get the inside scoop. With so much misinformation out there in the press, I needed the facts straight from the source.
eCommerce Company Profile
- Started 4 years ago
- Alexa Ranked – Less than 4k
- 2014 Expected Revenues: $600M (amazing)
- 2013 Revenues: Several hundred million
I was a taken aback by this incident, so I reached out to the company executives immediately, and asked them what’s happening over there, and what is being done to fix the issue (I’m keeping the company name and executive officers private to protect the innocent). To make the story short, their spoke person called me and we talked over the phone for a while.
After the incident occurred, the credit car company required an audit, so the eCommerce company hired a prestigious cybercrime forensics specialist to audit their technology stack. Here is the summary of the audit:
- Up to now, there have been “no” confirmed breaches or points of compromise
- They do not store any credit card data in their systems at all, and use two established processors for processing all credit card transactions
- An audit was done for both incidents, and the auditor confirmed there was no breach on their end.
- In addition, the ecommerce company has continued to engage additional auditors, and are in the process of getting level 1 PCI Compliance
What Most Likely Happened
The ecommerce company is extremely successful, and as such, it does a tremendous amount of volume, making it a target for fraudsters, to try and game it. It was most likely a cross-over from other breaches due to the sheer volume. Bottom line: there is no conclusive evidence the ecommerce company has been a point of compromise. Unfortunately, that’s the price any popular ecommerce company will eventually pay, in that hackers will try to penetrate it’s defenses, and try to game it. Therefore, that successful company must have a solid Defense in Depth Strategy, and also be ready to detect, respond, and block advanced threats.
The first step to implementing a sound security strategy is to hire a CISO, or promote someone within, that has the experience and all required certs, like the CISSP. The Infosec guru must have an engineering background, and experience in governance, privacy, and policy. They are the big picture person, that not only overseas the purchase of the security products, but creates the governance policies, and ensures everyone is in compliance.
Next, two additional security layers must be added to the security mix. First, an intelligent cybersecurity platform that protects against Advance Persistent Threats, Zero-day and Advanced Malware must be implemented. Second, a Content Delivery Network with a focus on ecommerce must be used. The security platform protects inbound and outbound traffic, ensuring no sensitive data leaves the premises, and a CDN protects against all types DDoS attacks, at the different OSI layers.
A cybersecurity platform such as FireEye or Imperva is required, to protect inbound and outbound traffic. If malware or a threat bypasses the CDN web application firewall, the security platform will ensure that no packets containing sensitive data leaves the premises. The platform prevents, detects, and reacts in real time to threats.
The ecommerce company was using Amazon AWS for compute and CloudFront for CDN. In my personal opinion, CloudFront is not a good fit for any high volume eCommerce company, especially one doing several hundred million per year. Realistically, there are only two CDNs in the market place that are capable of handling a a major global ecommerce platform doing $500M per year, and that is Akamai and EdgeCast.
First, Akamai and EdgeCast provide orders of magnitude better small file delivery performance than CloudFront. Second, Akamai and EdgeCast are more focused on ecommerce, providing better overall security than CloudFront. The Akamai and EdgeCast ecommerce platform are Level 1 PCI compliant, and run on dedicated PCI infrastructure (servers and network).
They don’t mix and match regular non-SSL traffic with SSL traffic. Third, Akamai and EdgeCast have all the bells and whistles for small file ecommerce delivery, including dedicated SSL certs, robust rules engines, DSA, FEO, Mobile Detection and Delivery, extensive small file reporting, and rock solid reliable SSL infrastructure, that has never been compromised, for processing massive amounts of transactions.
This ecommerce company needs to do three things. First, hire or promote an Infosec specialist to CISO. Second, deploy some sort of FireEye or Imperva like solution to protect against APT, Zero-day and Malware. Third, the ecommerce company should add an additional layer of security and partnering with a better CDN platform that is ecommerce focused like Akamai and EdgeCast, splitting the traffic 50/50, via DNS load balancing.
- Hire or Promote a CISO
- Implement FireEye or Imperva type solution
- Use Akamai and EdgeCast ecommerce CDN platform