Digital Risks: Top Threats Part II
The next top technology threats in the financial, e-commerce, retail, healthcare, and hospitality sectors include XSS attacks, IoT botnets, vulnerable e-commerce payment applications, credential stuffing, and zero-day flaws. All of them can cause significant damage to a company, including large breaches of company data and direct extortion through manipulation of the company's Internet of Things devices.
#1: XSS ATTACKS (E-COMMERCE INDUSTRY)
DESCRIPTION:
- XSS attacks in the e-commerce sector are so frequent and serious that even internet giants like Google have been victims of this type of threat.
- It consists of executing malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application (such as OpenCart or PrestaShop).
- The most common vehicles to perform XSS attacks are forums, web applications, message boards, and web pages that allow comments.
POTENTIAL IMPACT:
- This attack can happen when user input is not sanitized and filtered.
- A successful XSS attack can compromise the admin account of an e-commerce store and create havoc, which translates to economic losses to the store owner.
PROBABILITY OF OCCURRENCE:
- Its likelihood of occurring is medium.
- The attack will depend on whether the e-commerce web application uses forms, a search bar, or allows comments, for example.
- Also, if the correct "sanitization tools" are in place to avoid this kind of attack, it'd be somewhat easy to defend an e-commerce store from XSS attacks.
POTENTIAL COUNTERMEASURES:
- In order to ensure safety from XSS, input in web applications must be sanitized.
- The application code should never output data received as input directly to the browser without checking it for malicious code.
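
The countermeasure above, as an added example (not code from the original page or from OpenCart or PrestaShop): a product review rendered once by plain concatenation and once with output encoding plus a link-scheme allowlist. The function names and the sample review are constructed for illustration.

```javascript
// Added example; escapeHtml, safeUrl and renderReview* are hypothetical names.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links; any other scheme (javascript:, data:, ...) becomes "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value).trim());
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
  } catch {
    return "#"; // relative or malformed input is rejected in this sketch
  }
}

// Vulnerable: user input is concatenated into the markup unchanged.
function renderReviewUnsafe(review) {
  return `<div class="review"><a href="${review.site}">${review.author}</a><p>${review.text}</p></div>`;
}

// Hardened: every value is encoded for the context it lands in.
function renderReviewSafe(review) {
  return `<div class="review"><a href="${escapeHtml(safeUrl(review.site))}">` +
    `${escapeHtml(review.author)}</a><p>${escapeHtml(review.text)}</p></div>`;
}

// Constructed sample input, as it might arrive from a comment form.
const sampleReview = {
  author: 'Eve" onmouseover="x',
  site: "javascript:void(0)",
  text: "<script>document.title='x'</script>Great product",
};
console.log(renderReviewSafe(sampleReview));
```

Encoding at output time, per context, is what keeps the stored text inert; filtering on input alone does not cover data that reaches the page by another path.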
#2: IOT BOTNETS (HEALTHCARE INDUSTRY)
DESCRIPTION:
- An IoT botnet is a network of devices (not only computers) that can include cellphones, security cameras, or a device to monitor a patient's heart attack.
- A central server could command any device connected to an IoT technology in a network.
- The ultimate objective of this tech threat is to convert the device to a "zombie" that does the hacker's bidding.
POTENTIAL IMPACT:
- Based on predictions, IoT attacks will account for 30% of cybersecurity incidents in 2019, including in the healthcare sector.
- It presents a high potential for damage since the hackers can take control of devices like healthcare monitors, compromising the health of a patient, or control a company's cameras with the aim of extortion.
PROBABILITY OF OCCURRENCE:
- It has a high risk of occurrence.
- In the last two years, IoT botnet attacks have risen from 50,000 in 2017 to an estimated 300,000 in 2019.
POTENTIAL COUNTERMEASURES:
- Conducting a risk assessment of the IoT system in the company
- Ensuring that IoT gadgets have the latest version of their firmware installed
- Educating employees about all security policies and procedures, including proper password etiquette and data backups.
#3: VULNERABLE E-COMMERCE PAYMENT APPLICATIONS (E-COMMERCE, HOSPITALITY, AND RETAIL INDUSTRIES)
DESCRIPTION:
- The attack targets payment applications where debit or credit card data is entered.
- The cybercriminal capitalizes on the cross-site request forgery (CSRF) vulnerability, which can result in a compromise of the payment application or the underlying web server itself.
- After installing a malicious web shell, they introduce a couple of malicious modifications that automatically capture and write card data to files on the web servers, after which they retrieve the data.
POTENTIAL IMPACT:
- The typical consequence of stolen card data is fraud: the information can be sold on the black market or used by the cybercriminal directly, and either way the result is fraudulent payment card activity.
- For the company, the direct consequences are a loss of reliability, then the loss of customers, and consequently of turnover.
PROBABILITY OF OCCURRENCE:
- The likelihood of occurrence is high.
- With the greatly expanded use of credit or debit cards for payment, cybercriminals are focused on finding new vulnerabilities in payment applications.
POTENTIAL COUNTERMEASURES:
- The first countermeasure is to follow the Payment Card Industry Data Security Standard (PCI DSS) requirements. Implementing these points could protect a company from a payment application attack.
- Other countermeasures include constructing and operationalizing a threat intelligence team, application whitelisting on POS systems, and implementing a secure payment technology including EMV, tokenization, and encryption.
#4: CREDENTIAL STUFFING (FINANCIAL INDUSTRY)
DESCRIPTION:
- This tech threat involves taking advantage of giant data breaches, with hackers making billions of unique username and password combinations freely available to the public.
- These combinations are tested against numerous different websites to gain access to their systems.
- They use credential stuffing tools available on malicious platforms, such as "proxy lists" and "defeating captchas" tools.
POTENTIAL IMPACT:
- Once cybercriminals are inside a company's system, they can access data such as personal data, money, gift card balances, credit card numbers, and loyalty members' sensitive data, which they then monetize in different ways, such as extortion or selling it on the black market.
- The company loses credibility and trustworthiness.
PROBABILITY OF OCCURRENCE:
- The likelihood of occurrence is high.
- The vast amount of breached data available to cybercriminals and the reuse of usernames and passwords give a high probability that a company could be a credential stuffing target.
POTENTIAL COUNTERMEASURES:
- One important recommendation is not to reuse passwords, ever.
- Also, two-factor authentication should be implemented whenever possible to help combat credential stuffing.
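
A detection sketch for the pattern described in this section, added here and not part of the original page: credential stuffing shows up in login logs as one source trying many different usernames with mostly failed results, unlike a single user mistyping a password. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```javascript
// Added example; log format, thresholds and function names are assumptions.
// Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>"
const SAMPLE_LOG = `
2019-03-01T10:00:01Z 203.0.113.7 alice FAIL
2019-03-01T10:00:02Z 203.0.113.7 bob FAIL
2019-03-01T10:00:03Z 203.0.113.7 carol FAIL
2019-03-01T10:00:04Z 203.0.113.7 dave FAIL
2019-03-01T10:00:05Z 203.0.113.7 erin OK
2019-03-01T10:01:00Z 198.51.100.20 frank FAIL
2019-03-01T10:01:09Z 198.51.100.20 frank FAIL
2019-03-01T10:01:20Z 198.51.100.20 frank OK
2019-03-01T10:02:00Z 192.0.2.50 gina OK
2019-03-01T10:02:05Z 192.0.2.50 hank OK
2019-03-01T10:02:10Z 192.0.2.50 ivan OK
2019-03-01T10:02:15Z 192.0.2.50 judy OK
`;

// Parse one log line; returns null for blank or malformed lines.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(\S+)\s+(OK|FAIL)$/.exec(line.trim());
  const time = m ? Date.parse(m[1]) : NaN;
  return Number.isNaN(time) ? null : { time, ip: m[2], user: m[3], ok: m[4] === "OK" };
}

// Flag sources that try many distinct usernames, mostly failing, inside a sliding window.
function findStuffingSources(logText, { windowMs = 60000, minUsers = 4, minFailRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const ev of logText.split("\n").map(parseLine).filter(Boolean)) {
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const flagged = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.time - b.time);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].time - events[start].time > windowMs) start++;
      const win = events.slice(start, end + 1);
      const users = new Set(win.map((e) => e.user)).size;
      const failRatio = win.filter((e) => !e.ok).length / win.length;
      if (users >= minUsers && failRatio >= minFailRatio) {
        // Any success from a flagged source is an account to lock and reset.
        flagged.push({ ip, distinctUsers: users, hits: events.filter((e) => e.ok).map((e) => e.user) });
        break;
      }
    }
  }
  return flagged;
}
```

Because the tooling described above relies on proxy lists, a per-IP count is only one signal; the same windowed count can be keyed on another request attribute the site records.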
#5: ZERO-DAY FLAWS (E-COMMERCE INDUSTRY)
DESCRIPTION:
- When a software user detects that a software program contains a potential security vulnerability, the person notifies the software company, and a patch will be released; in the meantime, other users are exposed to potentially severe damage.
- If a cybercriminal discovers the vulnerability before the software company releases the patch, he/she can take advantage of this issue to evade the security system of the company and enter the system.
POTENTIAL IMPACT:
- A zero-day flaw can cause considerable damage for a company that couldn't patch a vulnerability before the official patch release. The ultimate consequence could be a significant breach of a company's data.
PROBABILITY OF OCCURRENCE:
- The likelihood of occurrence is relatively low.
- Zero-day vulnerabilities in open-source e-commerce solutions are patched fast because anybody can audit them.
POTENTIAL COUNTERMEASURES:
- The primary countermeasure is to acquire security software from a reliable and reputable company.
- Implement IPsec, the IP security protocol for applying encryption and authentication to network traffic.
- Perform regular vulnerability scanning against enterprise networks and lock down any vulnerabilities that are discovered.
RESEARCH STRATEGY
To obtain a list of the next top five technology threats that are facing the industries currently, we leveraged tech-focused websites such as CSI web, Magenticians, Acunetix, Wired, Search security, The Doctor Weighs In, ThreatQ, and MakeUseOf, where we found top lists of threats faced by the e-commerce, retail, financial, and healthcare industries.