In the last year, we have seen security attacks tip over into terabyte territory. It’s not something we expected to see so quickly or frequently but the future is here. It’s not just private companies like retailers or banks that are experiencing attacks of this scale either, we’ve seen the public sector succumb and we’ve seen the infrastructure providers so many companies rely on fall foul.
Most notable was the attack on the French hosting provider OVH, which was one of the first to see a terabyte attack. Professionals looking at security trends weren’t surprised to see terabytes recorded because they had been expecting them; it was the proliferation of bots behind the attacks that caused most alarm – bots had gone mainstream.
Back in 2016, we saw a shift in denial of service attacks when brute force started to become the hacker’s tactic of choice. Advanced persistent denial of service attacks using aggressive automated bots started to grow in popularity. Fast forward a year and bots have become more sophisticated exploiting the digital transformation strategies many companies are embarking on.
Take for example retail. 40% of retailers say that three-quarters of all their internet traffic is from bots. For them, bots are integral to operations, used to provide online support chatbots through couponing to running price checking to support ‘price promise’ marketing strategies.
But as with so many new technologies, especially ones that depend on applications and the cloud, progress in the use of bots has widened the security landscape and introduced more vulnerabilities that hackers can leverage.
For instance, web scraping attacks plague retailers. Bots are proactively used to steal intellectual property, undercut prices and hold mass inventory in limbo. We’ve seen an interesting trend for using bots to create new black markets. ‘Sneaker bots’ are the most common: bots designed to buy up the full inventory of exclusive, limited edition trainers so that they can then be sold through unauthorised channels at a markup.
It’s not limited to sportswear either. Airline and concert tickets are highly prized. Yet even though retailers know it happens, 40% are unable to say if they are targets because they don’t have the ability to identify bad bots.
That’s worrying when you consider that earlier this year, Gartner predicted cloud services would grow by 18% as more companies embarked on transformation programmes. Companies can’t afford to be complacent when it comes to using the cloud for business transactions.
Just look at the fallout from Uber’s breach. Although a giant when it comes to developing apps that challenge the status quo and improve life, it’s shown you can be made to look pretty small by the hacking community.
Its disruptive business model, though well loved by the investor community, has disrupted lives and stirred up social unrest among the driver community, with riots from Paris to India to show for it.
It’s made itself a target, a symbol of unethical business for ‘ethical hackers’ to go after. What’s most interesting though is that it wasn’t a very sophisticated hack. It really didn’t take much to get the data.
It would seem that the team developing the apps were sloppy in their processes and that security which should be integral to the design of the app was an afterthought. It’s well known that the process of developing apps, DevOps, is often pressured by the need to get to market quickly and ahead of the competition, and to give venture capital investors a quick return on their investment. But it’s opening up huge risk – in fact, research shows that half of DevOps initiatives don’t include security in design.
There’s no doubt that the use of applications to improve agility is why the cloud is so important to everyone from major corporations through to the latest fintech startup. There’s no better way to scale and disrupt industries. However, application development, in particular the continuous delivery models that are used in half the instances of app development, comes at a price – people’s privacy.
Senior IT directors even admit the risk, with two-thirds believing it’s flawed when it comes to security, underscored by the fact that half of all apps are not developed with security in mind. Security is well and truly an afterthought.
Plus, the APIs used by the apps aren’t using encryption. Only 48% of companies inspect the data that is being transferred between APIs and 51% don’t do any security audits or analyse potential security vulnerabilities before launch.
Given companies see an attack on their network most days, it seems madness that this situation should occur. However, the need to get to market with innovative apps that will improve transaction times and ultimately attract more loyal customers appears to be deemed more important.
It’s likely that the GDPR will change attitudes, and frankly, it must. Breaches won’t be tolerated and the ICO will no doubt be looking to make an example of anyone who attempts to sweep things under the carpet. But even then there are question marks over readiness – especially from across the Atlantic where less than 20% of companies trading in Europe think they will be compliant.
However, that’s six months away. More urgent for retailers is the need to hit trading targets this Christmas. While billions may have been spent on Black Friday there are no guarantees that the trend for sales will continue. It’s still possible consumers have had their blow out and won’t spend in the next few weeks.
CIOs know they are in the firing line should transactions fail – every sale will be critical. There is absolutely no room for outages. What’s more, the investment in bots to make the customer’s experience easier and faster will really be tested. Get it wrong and consumers will vote with their feet.
That all places a huge amount of pressure on the telco sector to ensure online sites are always available, apps work every time and money goes through the tills.
But it’s a battle it appears to be losing, as 51% of retailers don’t think they can keep applications up and running 100% of the time. And to add further complexity, busy periods really test security measures with 30% of retailers admitting they can’t be sure they can secure sensitive data during peak trading times.
Once again business strategy is taking precedence over security. So how can businesses get it right? The most obvious answer is to include security in the design of applications. But, of course, designs have to be tested, and no matter how imperative it is to get to market, companies must ensure the apps are secure, data is encrypted and it can be chased. These facets of development have to be part of the business case.
Not only that, but companies need to look ahead and consider how the technologies they use for very positive means are exploited by malicious hackers. In understanding how bots, for instance, can be used against them, they have a chance to develop security processes and policies that protect people and their data around the clock. After all, as retailers fight for survival and the ICO watches on intently, every second will count.
Andrew Foxcroft is Radware’s regional director for UK, Ireland, Nordics, where he leads the teams supporting some of the UK’s largest names in retail, finance, telecoms and gaming, as well as public sector organisations, with their application and network security.